
Cyberliability Risk Management Program- SCAN Group

Cyberliability Risk Management Program - SCAN Group. Presented for OCRIMS, June 11, 2013, by Deborah Schlesinger, HIPAA Privacy & Security Officer, Director of Corporate Risk Management. SCAN Group: Medicare Advantage Plan (2), 150,000 beneficiaries, located in California & Arizona.





Presentation Transcript


  1. Cyberliability Risk Management Program - SCAN Group
     Presented for OCRIMS, June 11, 2013
     Deborah Schlesinger, HIPAA Privacy & Security Officer, Director of Corporate Risk Management

  2. SCAN Group
     • Medicare Advantage Plan (2)
     • 150,000 beneficiaries
     • Located in California & Arizona
     • Contracts with:
       • Centers for Medicare & Medicaid Services (CMS)
       • CA Department of Health Care Services (DHCS)
       • Independence at Home - grant programs
       • SCAN Foundation
       • Assessment Centers

  3. Applicable Law/Regulations
     • HIPAA
     • CA Civil Code Section 1798.82
     • CMIA, Health & Safety Code Section 130203
     • PCI DSS (Payment Card Industry Data Security Standard)

  4. Trends & Impacts on Risk
     • Consumerization
       • BYOD
       • Mobility
       • Remote workers
     • Cloud
       • Hosted applications
     • Social media
       • Twitter, Facebook, LinkedIn
     • Cyber threats
       • Increasingly sophisticated viruses & worms
       • "Hacktivism"

  5. Exposures/Threats
     • Internal
       • Employee violation of security/privacy policies (failure to encrypt, etc.)
       • Sabotage
       • Committing ID theft or fraud
       • Social engineering
       • Physical building access
     • External
       • Business associates
       • Hackers
       • Catastrophic events/disasters
       • Email threats (spam, viruses, bots, malware, phishing)
       • Offsite storage & transport of backup media

  6. Exposures/Threats (continued)
     • Network
       • DDoS (Distributed Denial of Service) attacks
       • Hijack attempts on data in transit

  7. Loss Control
     • IT security technology
       • Encryption - devices & email
       • Firewalls block 17% of all incoming email
       • Remote wipe for lost/stolen devices
       • Data leakage software - tells you where confidential data resides
       • File sharing sites restricted - no Dropbox, etc.
       • Force secure file transfer protocols (FTP)
       • Limit access to internet sites - Gmail, non-work sites, etc.
       • Shredding done on site

  8. Loss Control (continued)
     • IT auditing program
       • Combination of internal and external audits, focused audits
       • Network firewalls, penetration testing, system credentials
     • Business associate pre-contractual evaluation of IT security & privacy compliance - tool/insurance requirements
     • Privacy & Security Rule compliance monitoring
     • HIPAA training - CBT & IT security awareness offerings
     • Disaster plan - SunGard
     • Cyberliability insurance

  9. Cyberliability Insurance
     • First purchased after passage of HITECH (2009)
     • Costs of data breaches:
       • Notice to affected individuals, at $214 per person, which includes the cost of:
         • Credit/reputation monitoring
         • Defense costs
         • Forensics
         • Regulatory fines/civil penalties
         • Crisis management
       • Data asset loss
       • Cyber extortion

  10. What Cyberliability Insurance Will Not Cover
     • Diminished employee productivity
     • Public perception/unmitigated reputation loss
     • Loss of customer base
     • Diminished goodwill
     • Devalued intellectual property
     • Cost of business distraction
     • Loss or required reinstatement of accreditation

  11. Data Breach Management
     • Policy and procedure
     • Software application - workflow
     • Online form
     • Conduct risk assessments
     • Mitigate
     • Forensics possible
     • Breach response team

  12. Incident Response
     • Contracts with incident response providers
       • AllClear ID
       • Kroll
     • Template letters

  13. Costs Associated with Data Breaches
     • Notification of affected individuals
     • Forensic analysis to determine cause
     • Crisis management - public relations costs
     • Remediation of security vulnerabilities
     • Credit protection and/or reputation monitoring
     • Defense costs
     • Regulatory fines/civil penalties
     • Abnormal customer turnover/acquisition costs

  14. Tips for Success
     • Get to know your IT department
     • Learn as much as you can about the technology
     • Conduct your risk analysis and know where your PHI or PII resides
     • Reinforce key security training items
