Mitigating the Risk of Health Care Data Breaches: A Practical Guide for the Industry
In our evolving digital environment, every industry is at risk for data breaches. The health care industry is not immune to data intrusions as more physicians and hospitals adopt electronic health record systems. As the electronic storage and transmission of health care data becomes a standard operating practice, potential health care data breaches are a growing concern for the government, health care providers and health plans, their business associates and practicing health care lawyers.
To help you mitigate the risks of health care data breaches, The Knowledge Group has assembled a panel of thought leaders to walk you through the nuts and bolts of investigating and responding to health care data breaches. Our speakers will provide best practices based on case studies and offer effective strategies to mitigate the risks of health care data intrusions while complying with health care data laws.
Kimberly J. Kannensohn, Partner, McGuireWoods
- An overview of the breach reporting requirements under HIPAA/HITECH
- Changes to breach reporting requirements since HITECH was rolled out in 2009, including the HITECH Final Rule released in January 2013
- The HITECH Final Rule's impact on Business Associates and their duties to report breaches
- Subcontractors’ breach reporting duties under HIPAA/HITECH
Michael Bruemmer, Vice President, Experian Data Breach Resolution
- Per recent industry studies, more than 1/3 of healthcare organizations do not have a Data Breach Response Plan. Why is the gap not closing faster and what impact will the new Final Rule have?
- Ponemon reports that over 50% of all recent healthcare breaches involved business associates. Where will that trend go in 2013?
- More than ¾ of all breaches have a root cause in employee negligence. What are 2-3 best ways to address this issue?
Robb S. Harvey, Partner, Waller
- A recent survey (by FTI Consulting and Corporate Board Member) shows that data security is the most cited area of concern among General Counsel
- Attacks can include hacking, phishing, installation of malware, and 'old school' theft of laptops and hard drives
- Multiple sources of and reasons for attacks: recent articles about the Chinese military, Anonymous, teenagers, and criminal rings
- Increasing concern about the vulnerability of medical devices and hospital equipment to computer viruses
- What's next? Operational security engineers feel under siege; increasing governmental scrutiny and possible regulation; more securities and shareholder derivative lawsuits
- What to do? Plan and prepare. Encrypt; evaluate current security protection methods; evaluate breach detection; consider creating additional firewalls or removing some equipment from exposure to intrusion; implement policies; revise business associate and other agreements; train employees; price and acquire cyber-theft insurance
Tony Brooks, CISA, CRISC, Partner, HORNE LLP
Based on HHS/OCR investigations and our HIPAA/HITECH compliance audits, the key shortcomings among healthcare organizations are that they:
- Do not have adequate policies and procedures in place to address HIPAA/HITECH and other IT security issues
- Have either not completed the security risk analysis required by HIPAA or Meaningful Use, or not done the type of in-depth analysis required
- Have not implemented sufficient risk management measures
- Have not performed or kept updated a complete inventory of ePHI-containing computer systems and devices
- Have not completed security training for their workforce members
- Have not implemented appropriate access rights management procedures and annual access rights reviews
- Have not implemented portable device and media controls, including encryption (e.g., mobile device management software)
- Have not implemented secure email and texting systems
- Have not implemented appropriate safeguarding and disposal of ePHI-containing computers and medical devices that have reached end-of-life
- Have not done appropriate due diligence of the security controls at third-party providers, including cloud computing vendors and data centers
- Have not implemented and rehearsed a data breach response plan
- Have not implemented and rehearsed an IT disaster recovery plan
Carmel M. Cosgrave, Chair, Health Care Practice Group, SmithAmundsen LLC
- Preparing for the worst: understanding OCR's current audit process
Who Should Attend:
– In-house Counsel in the life sciences and healthcare industries
– Compliance, Privacy and Data Security Officers
– Biotech/Pharma Industry Lawyers
– Life Sciences and Health Care Practice Consultants/Advisors
– General Counsel
– Senior Management
– Professionals coming from Biotech and Pharmaceutical Firms
– Consultants & Clients in the Biotech and Pharmaceutical Industries
Ms. Kannensohn leads the HIPAA and Health IT Work Group at McGuireWoods and devotes a substantial portion of her practice to advising clients regarding HIPAA, the HITECH Act and state privacy law matters. She has assisted numerous health care providers and business associates in implementing HIPAA compliance programs, conducting risk assessments, investigating and responding to potential data breaches, and complying with federal and state breach notification requirements. Ms. Kannensohn has significant expertise in helping clients to solve unique issues arising under HIPAA, particularly in the context of remote health management and other mHealth products and services.
Michael Bruemmer is Vice President, Experian® Data Breach Resolution at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products.
With more than 25 years in the industry, Michael brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
Michael maintains a practical and cooperative approach to partnering with some of the largest and most complex organizations to address their data breach preparation and resolution needs. By applying his experience as a General Manager in the Manufacturing Industry as well as in Global Operations he has a keen insight into the complexities and regulatory standards many organizations face when it comes to data privacy and security.
Robb Harvey is a partner in Waller’s Nashville, Tennessee office. His practice centers on complex intellectual property, media, commercial and franchise litigation involving substantial damages claims in federal and state courts across the country. With extensive experience in matters involving computer fraud, privacy, defamation and trade secrets, Robb frequently works alongside Waller’s healthcare regulatory attorneys in matters involving data breaches affecting hospitals, health systems and other healthcare providers. Robb is recognized in Chambers USA and Best Lawyers. He earned his undergraduate and law degrees from Vanderbilt University.
Tony Brooks, CISA, CRISC, is the director of information technology assurance and risk services for HORNE LLP. His practice focuses on the critical technology issues faced by today’s organization executives, including information technology regulatory compliance, information privacy and security, records management, fraud prevention, disaster recovery and business continuity. Tony has more than 25 years of information technology experience including product management, regulatory compliance and information technology management. He is a Certified Information Systems Auditor and has obtained the Certified in Risk and Information Systems Control certification.
Carmel M. Cosgrave is chair of SmithAmundsen's Health Care Practice Group. She represents health care systems, long term care operators, assisted living facilities, and medical device manufacturers in litigation and other matters, including issues surrounding HIPAA, HITECH and electronic medical records. She also represents physicians, nurses, dentists and other medical professionals before the Illinois Department of Professional Regulation. Carmel is a founding member of SmithAmundsen and a member of the firm's Executive Committee.
Method of Presentation:
On-demand Webcast (CLE)
About McGuireWoods
McGuireWoods has more than 900 lawyers in 19 offices around the world. We cross borders, practices and industries in the U.S., UK, Belgium and elsewhere around the world, collaborating with colleagues and managing resources in the Nordic countries, Russia and Eurasia, Eastern Europe, China, Africa, the Middle East, India, Spain, Portugal and South America. We have unique cooperative arrangements with the Paris law firm KGA, and in Israel with Shenhav Konforti Shavit & Co (SKS). Our international practice is further enhanced by our participation in the global legal networks Lex Mundi and LNI Oasis.
For more than 175 years, McGuireWoods has built its reputation on the bedrock of providing clients with the highest quality legal service and sound strategic guidance. Clients include public and private companies, private individuals, and government and nonprofit organizations around the world.
About Experian
Experian® is a leader in the data breach resolution industry and one of the first companies to develop services that address this critical issue. Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. Experian Data Breach Resolution services enable organizations to plan for and successfully respond to data breaches. Learn more at https://www.experian.com/databreach.
About Waller
In the evolving healthcare reform environment, Waller helps its clients focus on their primary mission: providing high quality patient care. Providers rely on Waller's experienced attorneys for advice and counsel on physician/hospital alignment; M&A and joint ventures; Medicare payment issues; Stark and anti-kickback compliance; electronic health records and privacy rules; and legislative and regulatory developments. Waller assists hospitals; surgery centers; imaging centers; physician practice management companies; home health and hospice providers; skilled nursing and senior living facilities; dialysis providers and rehabilitation facilities throughout the country.
About HORNE LLP
HORNE’s dedicated CPAs and health care accounting team provides services specific to the intensive demands of health care providers, including health care assurance and risk management, health care accounting, health care tax services, health care compliance, health care reimbursement and health care valuation. HORNE provides customized health care accounting and comprehensive advisory services for hospitals, health systems, physicians, and a multitude of other health care entities and providers including dental practices and medical device companies. HORNE also provides services tailored to assist health care attorneys in providing more robust services to their own clients. HORNE has served clients in the health care industry for more than 50 years.
About SmithAmundsen LLC
SmithAmundsen LLC is a firm comprised of 140 attorneys practicing from offices in Chicago, St. Charles, Rockford and Woodstock, IL; Milwaukee, WI; and St. Louis, MO. The firm represents business entities and individuals engaged in commercial endeavors. Major practice concentrations include commercial litigation, labor and employment, banking and financial services, construction, insurance services, commercial transportation, health care and medical devices, and products liability/manufacturing. For more information, visit: www.salawus.com.