MINIMIZING THE ORGANIZATIONAL COST OF A PRIVACY BREACH


14TH ANNUAL SCHA CFO FORUM
31 JULY 2015
Jeanne M. Born, RN, JD
[email protected]

BIG DATA BREACHES

‣ UCLA Health – 4.5 Million records – cyber hack
‣ Community Health Systems – 4.5 Million records – cyber attack exploiting a software bug, Heartbleed
‣ Advocate Health and Hospitals Corp. – 4 Million records – theft of four computers from one physician office
‣ Nemours – 1.6 Million records – lost a storage cabinet containing unencrypted backup tapes during remodeling
‣ The Office for Civil Rights website shows over 1300 breaches involving greater than 500 healthcare records since 9/2009.
‣ https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

SC Hospital Association

14th ANNUAL CFO FORUM

www.nexsenpruet.com

What is the cost of a data breach?

‣ Globally, the average cost of a data breach across all industries increased from $145 per record breached in 2014 to $154 in 2015. Contributing causes for the increase:
  ‣ Increased frequency of cyber attacks and increased cost to remediate the attack;
  ‣ Greater impact of loss of business as a result of the data breach; &
  ‣ Increased costs of detection and escalation.
‣ The U.S. leads the world in the cost of data breaches: $217 / breached record ($74 = direct costs (investment in technologies/legal fees); $143 = indirect costs (loss of business)).
‣ Healthcare has the highest cost per breached record: $363.

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Global Analysis


What is the cost of a data breach?

‣ Criminal or malicious attacks are the primary cause of data breaches in the U.S.
‣ Criminal or malicious attacks are the most costly.
‣ The more records that are breached, the higher the cost.
‣ The greater the loss of existing patients/clients, the greater the cost of the breach.
‣ Costs:
  ‣ Detection and escalation costs are at an all-time high;
  ‣ Notification costs have increased slightly;
  ‣ Post data breach costs have increased; and
  ‣ Lost business costs have increased.

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: United States


Does this sound familiar?

‣ An employed physician closes down his laptop computer at the end of the day, packs it in his briefcase and goes to his car.
‣ He has to stop to get gas and decides to grab a soft drink to enjoy on the way home.
‣ When he gets back to his car, a window is broken and his briefcase is gone . . . including the laptop.
‣ The laptop had protected health information of over 2000 patients on its hard drive.
‣ And . . . . Alas, the laptop was not encrypted.


What happens next?

‣ General Rule:
  ‣ A Covered Entity (“CE”) that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.


What is a breach?

‣ “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information . . .


Breach: Exceptions

‣ Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or Business Associate (“BA”) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Standards;
‣ Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA or OHCA in which the CE participates, and the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and
‣ A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.


Whether a Reportable Breach Occurred: Low Probability Standard

‣ Depends upon a risk assessment of four factors:
  ‣ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  ‣ The unauthorized person who used the PHI or to whom the disclosure was made;
  ‣ Whether the PHI was actually acquired or viewed; and
  ‣ The extent to which the risk to the PHI has been mitigated.
‣ If, after consideration of each of the foregoing factors, the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required.


Unsecured PHI:

‣ Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized persons and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

‣ Guidance published April 17, 2009.


Breach Notification not required if the PHI is not “Unsecured PHI”

‣ The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:
  ‣ Electronic PHI that has been encrypted:
    ‣ Data at rest – NIST Special Publication 800-111
    ‣ Data in motion – FIPS 140-2 (includes NIST Special Publications 800-52, 800-77 or 800-113)
  ‣ Media on which PHI is stored or recorded has been destroyed:
    ‣ Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed
    ‣ Electronic media: cleared or purged consistent with NIST Special Publication 800-88

FIPS: www.itl.nist.gov/fipspubs/index.htm
NIST: www.nist.gov/


Breaches Treated as Discovered

‣ A breach is discovered on the first day the breach is known or, by exercising reasonable diligence, would have been known by the CE;
‣ Practice Tip: NOTIFY YOUR INSURANCE CARRIER!
‣ What if the laptop was stolen from a BA?
  ‣ A breach is discovered by a BA on the first day the breach is known or, by exercising reasonable diligence, would have been known by the BA;
  ‣ A BA or Subcontractor is required to report the breach to the CE in accordance with the terms of the BA;
  ‣ A CE will be deemed to have discovered a breach on the first day the breach was discovered by a BA only if the BA is acting as an agent of the CE.


Breach Treated as Discovered

‣ Whether a BA is an agent of the CE is determined by the application of the federal common law of agency.
‣ Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test:
  (1) The time, place, and purpose of a BA agent's conduct;
  (2) whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished);
  (3) whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and
  (4) whether or not the CE reasonably expected that a BA agent would engage in the conduct in question.


Notification of Breach

‣ Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach.
‣ Individuals: notice is provided in writing by first class mail, or by e-mail if the individual provided a preference.
‣ If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.
‣ Personal Representatives of deceased individuals are to be contacted.
‣ When contact information is insufficient or out of date:
  ‣ Fewer than 10: alternative form of written notice, telephone or other means
  ‣ 10 or greater: conspicuous posting for 90 days on the CE’s webpage or in major broadcast media AND contact information


Notification of Breach

‣ If notification is urgent because of possible misuse, the CE may telephone the individual(s).
‣ If 500 or more individuals are involved, notice must be provided to prominent media outlets.
‣ Notice must be provided to the Secretary of DHHS:
  ‣ If 500 or more individuals are involved, this notice must be given immediately;
  ‣ If fewer than 500, the CE may keep a log and disclose it to the Secretary annually.
‣ The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.


Notification to the Secretary

‣ Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
‣ Guidance for notifying the Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
  • Submit Notice of a Breach Affecting 500 or More Individuals
  • Submit Notice of a Breach Affecting Fewer than 500 Individuals
  • https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Notification of Breach

‣ Content of notice to the individual:
  ‣ Brief description of what happened (include date of breach and date of discovery)
  ‣ A description of the types of Unsecured PHI involved in the breach
  ‣ The steps that individuals should take to protect themselves from potential harm
  ‣ A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches
  ‣ Contact information (toll-free telephone number, an e-mail address, web site, or postal address)

Notification of Breach

‣ Notice can be delayed, if necessary, when law enforcement determines that notice:
  • Would impede a criminal investigation
  • Would cause damage to national security

Notification of Breach

‣ State law compliance: S.C. Code Ann. § 39-1-90
‣ Modify your Notification of Breach Policy to also cover your obligations under State law.
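As an added illustration that is not part of the presentation, the Python sketch below turns the federal notification steps summarized on the preceding slides (unsecured PHI test, four-factor assessment, 60-day clock, substitute notice thresholds, the 500-individual media and HHS rules, BA agency and law enforcement delay) into a checklist an incident response team could run against an incident's facts. The Incident field names, the ISO date strings and the scenario values are constructed assumptions; state-law obligations are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Incident:
    """Facts an IR team records about one incident (constructed field names, not from the slides)."""
    individuals: int                      # individuals whose PHI is involved
    discovered: str                       # ISO date the CE knew, or with reasonable diligence should have known
    encrypted_per_guidance: bool = False  # ePHI encrypted per NIST SP 800-111 (at rest) / FIPS 140-2 (in motion)
    media_destroyed: bool = False         # shredded, or cleared/purged per NIST SP 800-88
    low_probability: bool = False         # outcome of the four-factor risk assessment
    stale_contacts: int = 0               # individuals with insufficient or out-of-date contact information
    urgent_misuse: bool = False           # possible imminent misuse of the PHI
    law_enforcement_hold: bool = False    # law enforcement says notice would impede an investigation


def ce_discovery_date(ba_discovered: str, ba_reported: str, ba_is_agent: bool) -> str:
    """The CE is deemed to discover on the BA's own discovery date only when the BA acts as its agent;
    otherwise the CE's 60-day clock starts when the BA reports the breach to it."""
    return ba_discovered if ba_is_agent else ba_reported


def is_unsecured_phi(inc: Incident) -> bool:
    """PHI encrypted or destroyed per the HHS guidance is secured, so the notification rule does not apply."""
    return not (inc.encrypted_per_guidance or inc.media_destroyed)


def notification_plan(inc: Incident) -> Dict[str, object]:
    plan: Dict[str, object] = {"required": False, "reason": "", "deadline": None,
                               "individual": [], "media": False, "hhs": None, "delayed": False}
    if not is_unsecured_phi(inc):
        plan["reason"] = "PHI is secured (encrypted or destroyed per guidance): not a breach of unsecured PHI"
        return plan
    if inc.low_probability:
        plan["reason"] = "four-factor assessment found a low probability of compromise"
        return plan

    plan["required"] = True
    # Notice no later than 60 days after the CE knew or should have known.
    plan["deadline"] = (date.fromisoformat(inc.discovered) + timedelta(days=60)).isoformat()

    individual: List[str] = ["written notice by first class mail (e-mail if the individual chose it)"]
    if inc.urgent_misuse:
        individual.append("telephone the individual(s) because of possible misuse")
    if inc.stale_contacts >= 10:
        individual.append("substitute notice: conspicuous web posting for 90 days or major broadcast media, "
                          "plus a toll-free number")
    elif inc.stale_contacts > 0:
        individual.append("substitute notice: alternative written notice, telephone or other means")
    plan["individual"] = individual

    if inc.individuals >= 500:
        plan["media"] = True            # prominent media outlets
        plan["hhs"] = "immediately"     # and the Secretary posts the CE's identity
    else:
        plan["hhs"] = "log and report to the Secretary annually"

    # Law enforcement may delay notice; it does not remove the obligation.
    plan["delayed"] = inc.law_enforcement_hold
    return plan


if __name__ == "__main__":
    # Constructed scenario from the slides: unencrypted laptop, over 2000 patients, stolen 31 July 2015.
    laptop = Incident(individuals=2000, discovered="2015-07-31", stale_contacts=15)
    for key, value in notification_plan(laptop).items():
        print(f"{key}: {value}")
```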


What is included in the cost of a data breach?

‣ Discovery and immediate response:
‣ Investigation and forensics:
  ‣ CCE – Certified Computer Examiner (CISOs)
  ‣ CHFI – Computer Hacking Forensic Investigator (obtain, maintain & present forensic evidence)
  ‣ CFCE – Certified Forensic Computer Examiner (law enforcement focus)
  ‣ CFE – Certified Forensic Examiner (investigation & incident response; collects & analyzes data)
  ‣ CFA – Certified Forensic Analyst (same, but more senior)
  ‣ CPI – Professional Certified Investigator (investigations, coverage of case mgmt & presentation)


What is included in the cost of a data breach? (cont’d)

‣ Identify subjects of the breach;
‣ Organize the incident response team;
‣ Arrange for and implement communication and PR response;
‣ Prepare notices (individuals and regulators) and accounting documentation; &
‣ Arrange for and implement call center communication.

See Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, p. 13


What is included in the cost of a data breach?

‣ Tasks after a breach has occurred:
  ‣ Legal services – compliance;
  ‣ Legal services – defense;
  ‣ Consulting and auditing services;
  ‣ Provision of mitigation services to individual subjects of the breach;
  ‣ Identity protection services to individual subjects of the breach;
  ‣ Business loss due to the breach; and
  ‣ Costs to reduce additional business loss.

See Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, p. 13


Minimizing the Cost of a Data Breach

‣ Have the appropriate administrative, physical and technical safeguards required by law in place to protect against internal and external threats, a/k/a prevent a breach.
‣ Security Rule: A CE may use security measures that allow it to reasonably and appropriately implement the standards and implementation specifications as specified in the security standards.
‣ Security Rule: Implementation is scalable to the CE’s:
  ‣ Size, complexity, and capabilities of its facility;
  ‣ Technical infrastructure, hardware, and software security capabilities;
  ‣ Costs of security measures; and
  ‣ Probability and criticality of potential risks to E-PHI.


Minimizing the Cost of a Data Breach

‣ Security Rule: Contains a number of specification standards that are either:
  ‣ Required: Implement the specification.
  ‣ Addressable:
    1. Implement the implementation specification if reasonable and appropriate; or
    2. If implementing the implementation specification is not reasonable and appropriate:
      ‣ Document why it would not be reasonable and appropriate to implement the implementation specification; and
      ‣ Implement an equivalent alternative measure if reasonable and appropriate.

See Summary Outline of the HIPAA Security Standards (handout).


Minimizing the Cost of a Data Breach

‣ Conduct the Risk Analysis and implement a Risk Management strategy required under the Security Rule and periodically update it (at set periodic intervals/when a successful security incident occurs):
  ‣ Identify and document facility assets including hardware, software, applications and EPHI that are necessary for the business operations/the provision of critical services;
  ‣ Assess internal and external threats to the identified assets;
  ‣ Assess the vulnerabilities of the assets to the identified threats in light of the administrative, physical and technical safeguards in place and document/prioritize the criticality of the effect if the threat were to actually occur;
  ‣ Recommend and prioritize the steps to eliminate/minimize the likelihood that a threat would materialize and actions to take to minimize the identified vulnerabilities;
  ‣ Determine/assess the potential costs (business interruption; financial; reputational; regulatory; legal) if the identified threats actually occur and balance the benefits against the cost of implementing the recommendation(s);
  ‣ Determine the feasibility of implementing, and implement, the recommendation(s) in light of the addressable and required implementation specifications of the Security Rule.


Minimizing the Cost of a Data Breach

‣ Distinction between a breach and a security incident.
‣ Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

‣ Not all Security Incidents amount to a breach of Unsecured PHI.

‣ Having a Security Incident response process is a required specification under the Security Rule.


Minimizing the Cost of a Data Breach: Security Incident Response Process

‣ Identification of the Security Incident;
‣ A determination whether the Security Incident amounts to a breach of unsecured protected health information and the applicability of the HIPAA Breach Notification Policy;
‣ Assignment of severity/classification/prioritization of the Security Incident;
‣ Communications to all stakeholders that may be affected by the Security Incident;
‣ Mitigation of the damages resulting from the Security Incident;
‣ Resolution of the incident;


Minimizing the Cost of a Data Breach: Security Incident Response Process

‣ Follow-up including:
  ‣ Recommendations for Security policy revision(s);
  ‣ Recommendations for revisions in the administrative, physical and/or technical safeguards employed by the Facility;
  ‣ Reporting to the management team;
  ‣ Implementation of the approved recommendations;
  ‣ Testing; and
  ‣ Documentation of the Security Incident Response Process and Resolution.


Minimizing the Cost of a Data Breach: Data Breach Response Process

‣ 11 Factors affecting the per compromised record cost of a data breach:
  ‣ Use of an incident response team;
  ‣ Extensive use of encryption;
  ‣ Employee training;
  ‣ Appointment of a Chief Information Systems Official;
  ‣ Board-level involvement/commitment;
  ‣ Insurance protection;
  ‣ Consultant engagement;
  ‣ Notification of impacted individual/Secretary of USDHHS;
  ‣ Lost or stolen devices;
  ‣ Third party involvement; and

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, p. 5


Minimizing the Cost of a Data Breach: Data Breach Response Process

‣ Business Continuity Management (“BCM”):
  ‣ Enterprise risk management;
  ‣ Disaster recovery; &
  ‣ Crisis management.
‣ Impact of employing a Business Continuity Management Program on the cost of a breach:
  ‣ Reduces the cost per compromised record by 9%;
  ‣ Reduces the mean time to identify the breach by 27%;
  ‣ Reduces the mean time to contain the breach by 41%;
  ‣ Reduces the likelihood of a data breach over the next 2 years by 28%.

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM


Minimizing the Cost of a Data Breach: Data Breach Response Process

‣ “The cost of data breach is linearly related to the mean time it takes to identify and the mean time to contain the data breach incident.”
‣ “The cost of data breach is more expensive if BCM is not part of its business response planning and execution.”
‣ “The likelihood of having a future data breach is higher for companies that do not involve BCM as part of its incident response planning.”

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, pp. 1 & 2


Minimizing the Cost of a Data Breach: Data Breach Response Process

‣ “BCM minimizes disruption to business operations when a data breach occurs.”
‣ “BCM involvement improves the resilience of IT operations.”
‣ “BCM can protect a company’s reputation following a data breach.”

All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, p. 2


Business Continuity Management

‣ Prepares for and addresses issues in disaster recovery when a facility is operating in emergency mode – can occur when there has been a cyber attack that involves a breach;
‣ Requires that the BCM team:
  ‣ Identifies, documents and understands the organization and its mission and objectives in line with its activities, services and functions, products, supply chains, relationships/needs with interested third parties and the impact potential of an incident disruptive to the business;
  ‣ Links the business continuity plan to the organization’s mission and objectives, including its risk management strategy;
  ‣ In a manner that meets its regulatory and other legal requirements;

ISO 22301 – Societal security – Business continuity management systems – Requirements, 2012


Minimizing Costs Due to a Data Breach: Cyber Insurance

‣ Cyber liability protection products are varied;
‣ Should be tailored to cover exposure gaps in your traditional general liability policies, E&O policies & D&O policies.
‣ Suggested areas of consideration:
  ‣ Exposures covered (ex: fraudulent use or misuse of payment systems; unauthorized use or misuse of electronic data; losses due to computer viruses; risks associated with internet commerce and security or the security of websites; etc.);


Minimizing Costs Due to a Data Breach: Cyber Insurance

‣ Coverage: Look to see if the policy covers:
  a. First party losses: Facility losses associated with, for example, physical damage or damage to software or data by viruses or hackers; unlawful computer transfers of assets including, but not limited to, money, real property or securities; business interruption or denial of website service as a result of service outage or electronic vandalism; loss control/mitigation costs.
  b. Third party losses: Losses of third parties due to the following: loss of data exchange via e-mail or internet; theft or destruction of third party data; denial of service; unauthorized access; slander or libel; privacy rights violations/breaches of unsecured protected health information; misappropriation of intellectual property; unfair competition.
  c. Both a & b or a combination of both a & b.


Minimizing Costs Due to a Data Breach: Cyber Insurance

‣ Additional Operational/Remediation Requirements of Cyber-risk Policies:
  ‣ These policies will likely require you to conduct periodic auditing and monitoring of your operations.
  ‣ Policies may require you to have such auditing/monitoring performed by an independent technical service provider.
  ‣ The policy may require you to conduct a risk analysis in addition to or other than the HIPAA security risk analysis.
  ‣ There may be other requirements, such as hiring crisis management consulting services when a breach occurs.
  ‣ The policy will likely require you to use legal counsel from the insurer’s panel.


Minimizing Costs Due to a Data Breach: Cyber Insurance

‣ Conduct due diligence to be sure of the insurer’s financial stability and track record.

‣ Once you purchase a product, we recommend:
  ‣ Review the policy to be sure that the product indeed includes the terms you negotiated.
  ‣ As with any insurance product, it is a good idea to understand their claims handling processes.


What if there is an OCR complaint?

‣ There can be costs related to addressing a USDHHS Office for Civil Rights (“OCR”) investigation.
‣ OCR typically sends a letter and asks for information related to the complaint.
‣ Depending upon the resolution of the investigation:
  ‣ May be subject to a Resolution Agreement:


CMP for Stolen Mobile Device

‣ Massachusetts Eye and Ear Infirmary and its associated physician practice
‣ Self-reported the theft of an unencrypted laptop from an employed physician while on vacation
‣ No finding of financial or reputational harm to the patients
‣ Findings: Failure to . . .
  ‣ Restrict access to ePHI from unauthorized users/portable devices and be able to track access
  ‣ Track movement of both Hospital/personal portable devices on and off premises
  ‣ Implement encryption or appropriate alternatives to encryption
‣ 9/17/2012 – Agreement (3 years)
  ‣ $1.5 Million CMP
  ‣ A Corrective Action Plan (includes a framework for updating policies/procedures and compliance plans for mobile devices)
  ‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreementpdf.pdf


HITECH: Civil Money Penalty Tiers

(a) $100/violation, the total not to exceed $25,000 for identical violations / calendar year;
(b) $1,000/violation, the total not to exceed $100,000 for identical violations / calendar year;
(c) $10,000/violation, the total not to exceed $250,000 for identical violations / calendar year;
(d) $50,000/violation, the total not to exceed $1,500,000 for identical violations / calendar year.

‣ A violation where the person did not know, and by exercising due diligence would not have known, the penalty will be not less than (a) but not more than (d).
‣ A violation due to reasonable cause, but not willful neglect, the penalty will be not less than (b) but not more than (d).
‣ A violation due to willful neglect:
  ‣ If corrected, the penalty will be not less than (c) but not more than (d);
  ‣ If not corrected, the penalty will be not less than (d).

HIPAA Criminal Penalties

(a) A person who knowingly and in violation of HIPAA (1) uses or causes to be used a unique health identifier; (2) obtains IIHI relating to an individual; or (3) discloses IIHI to another person, shall be punished as provided in subsection (b) of this section.

(b) Penalties: A person described in subsection (a) of this section shall
  (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Civil Liability/Other Regulatory Liability

‣ A patient could have an action against the Facility for negligence or for breach of confidence.
  ‣ McCormick v. England: Established the tort of “breach of confidence” for a physician who disclosed a patient’s information to a third party without the patient’s consent or legal compulsion.
‣ SCDHEC Licensing standards require that hospitals maintain the confidentiality of medical records. S.C. Code Regs. 61-16 § 1107.A.


Take-Away Tips

‣ Understand the legal landscape
  ‣ Regulatory liabilities
    ‣ Security Rule Compliance;
    ‣ Breach Notification Rule Compliance;
  ‣ Civil liabilities
‣ Understand your health system risks/vulnerabilities;
‣ Engage experienced legal counsel;
‣ Engage experienced IT experts;
‣ Invest appropriately in your IT infrastructure;
‣ Analyze and Manage Risks = Minimize Risks of a Breach.


Resources

‣ The Ponemon Studies can be downloaded at: http://www-03.ibm.com/security/data-breach/
‣ The Ponemon Website: http://www.ponemon.org/library
‣ ISO 22301 – Societal security – Business continuity management systems – Requirements can be purchased at: http://www.iso.org/iso/catalogue_detail?csnumber=50038


QUESTIONS?


NEXSEN PRUET, LLC
1230 Main Street, Suite 700
Post Office Drawer 2426
Columbia, SC 29201

With offices also in Greenville, SC; Charleston, SC; Myrtle Beach, SC; Hilton Head Island, SC; Charlotte, NC; Greensboro, NC; Raleigh, NC
www.NexsenPruet.com


Jeanne M. Born, RN, JD Member

1230 Main Street, Suite 700, Columbia, SC 29201 803.540.2038 [email protected]

www.nexsenpruet.com