Cloud computing and hipaa navigating and mitigating the inevitable data breach

Polsinelli PC. In California, Polsinelli LLP Cloud Computing and HIPAA: Navigating and Mitigating the Inevitable Data Breach Presented on May 15, 2015 Jean Marie R. Pechette, Shareholder Katie Kenney, Associate



real challenges. real answers. sm


Agenda

• Increased Adoption of Cloud Computing in Healthcare Technology

• Cybersecurity Threats/Legal Risks

• Mitigation Strategies


The New Normal: Cloud, Apps, Big Data and the Internet of Things

• The healthcare industry has adopted cloud-based services: software and data hosted in the cloud

• Mobile devices/apps (over 1 million apps in app stores, with 1,600 new ones uploaded on average per day)

• Accelerated adoption of telehealth/virtual health

• Ubiquitous connectivity to the internet

• Supercomputers (beyond Watson) and Big Data. The FTC has defined the term Big Data as “advancing technologies that are dramatically expanding the commercial collection, analysis, use, and storage of data”; a recent FTC workshop explored the impact of big data on consumers and the related consumer-protection concerns.


Cloud Computing: from Enabler to Backbone of Healthcare Reform

• The National Institute of Standards and Technology (NIST) definition of the “evolving paradigm” of cloud computing:

“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”


Essential Characteristics

• On-demand self-service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service


Healthcare Industry Most Vulnerable to Cybersecurity Threats

• FBI Private Industry Notification (PIN): “Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.” Compared to the financial and retail sectors, the health care industry is even more vulnerable to cyber intrusions.

• More than 8 million Americans have had their PHI compromised in hacking-related HIPAA breaches, according to OCR data (not counting the recent Anthem data breach affecting 80 million customers and employees).

• In the last 4 years, criminal data attacks on the healthcare industry have skyrocketed 100 percent.

• Impacted life-critical systems may jeopardize patient safety.


Breach is Inevitable

• Companies “that have been hacked and those that will be…converging into 1 category—companies that have been hacked and will be hacked again”. (FBI Director Robert Mueller III, 2012)

• When a breach occurs, the entity is judged by the reasonableness of its efforts to prevent and mitigate incidents.


Breach Notification Standards

• Under the Breach Rule, a covered entity (CE) must notify an individual and OCR of a breach of unsecured PHI.

– PHI is considered secure if it is rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS in guidance issued under the HITECH Act.

– Likewise, a business associate (BA) must notify a CE of a breach of unsecured PHI.

• The Breach Rule defines a breach generally as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.


HIPAA Security Rule

• The Security Rule requires Covered Entities (and their Business Associates) to maintain reasonable and appropriate technical, physical and administrative safeguards to protect electronic PHI (“ePHI”) and to:

- ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;

- identify and protect against reasonably anticipated threats to the security or integrity of the information;

- protect against reasonably anticipated, impermissible uses or disclosures.


Mitigation Strategies

• Due Diligence

• Operational

• Contractual

• Cyber-Insurance


Civil Penalties

Violation Category | Penalty Range for Each Violation | Maximum Penalty for All Violations of an Identical Provision in a Calendar Year
Entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision. | $100 to $50,000 | $1,500,000
Violation is due to reasonable cause and not to willful neglect. | $1,000 to $50,000 | $1,500,000
Violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | $10,000 to $50,000 | $1,500,000
Violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | At least $50,000 | $1,500,000


Criminal Penalties

Violation Category | Fine | Possible Prison Term
Knowingly obtains or discloses | Up to $50,000 | Up to 1 year
Knowingly obtains or discloses and involves false pretenses | Up to $100,000 | Up to 5 years
Knowingly obtains or discloses and involves the intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm | Up to $250,000 | Up to 10 years


Trends and Take-Aways

• Cloud computing: evolved from enabler to backbone of healthcare delivery

• It’s all about the data—from coordination of care/benefits, improving patient-centered outcomes, reducing costs, advancing research and population health initiatives

• With interconnectivity/interoperability/Internet of Things and the Cloud, breach is inevitable

• Judged not by the breach but by the reasonableness of measures to detect, prevent and mitigate breach and potential harm

• Facing overlapping/multiple enforcement actions from various regulatory agencies and class actions

• Mitigate with due diligence; comprehensive security compliance programs; transparency in data collection/use; ongoing risk assessments/risk management plans; privacy by design; compliance with “recommended” Frameworks; readiness against new cyber-security threats; cyber-security insurance


About Polsinelli

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2015 Polsinelli PC. In California, Polsinelli LLP.

Polsinelli is a registered mark of Polsinelli PC

Polsinelli is an Am Law 100 firm with more than 750 attorneys in 18 offices, serving corporations, institutions, entrepreneurs and individuals nationally. Ranked in the top five percent of law firms for client service and top five percent of firms for innovating new and valuable services*, the firm has risen more than 100 spots in Am Law’s annual firm ranking over the past six years. Polsinelli attorneys provide practical legal counsel infused with business insight, and focus on healthcare, financial services, real estate, life sciences and technology, and business litigation. Polsinelli attorneys have depth of experience in 100 service areas and 70 industries. The firm can be found online at www.polsinelli.com. Polsinelli PC. In California, Polsinelli LLP.

*BTI Client Service A-Team 2015 and BTI Brand Elite 2015