2012 03 21 Mary Chaput Clearwater Compliance ISA ANSI Santa Fe Group the Financial Impact of Breached Protected Health Information PHI Webinar Presentation


  • 7/31/2019 2012 03 21 Mary Chaput Clearwater Compliance ISA ANSI Santa Fe Group the Financial Impact of Breached Protected Health Information PHI Webinar Presentation

    1/29

    A BUSINESS CASE FOR ENHANCED PHI SECURITY

    THE PHI PROJECT: THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION


    2/29

    THE PHI PROJECT

    REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)

    WHO: Guardians of the trust forming the foundation of the health care delivery system

    SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security


    3/29

    100+ EXPERT PARTICIPANTS

    70 ORGANIZATIONS

    American National Standards Institute (ANSI) via its Identity Theft Standards Panel (IDSP)

    The Santa Fe Group/Shared Assessments Healthcare Working Group

    Internet Security Alliance (ISA)

    Health care industry leaders

    Security and privacy experts


    4/29

    APPROACH BASED ON

    SUCCESS OF PRIOR PROJECTS


    5/29

    WHAT MAKES HEALTH CARE WORK?

    Trust

    Confidentiality

    Integrity

    Availability


    6/29

    THE PROBLEM IS... BREACHES

    Between 2005 & 2008: nearly 39.5 million electronic health records

    In the past two years: the privacy of 18 million Americans

    In the period September through November of 2011: health records of 4.9 million military personnel, 4 million patients of a health care system, and 20,000 patients of an academic medical center

    72 provider organizations in a November 2011 survey: 96% reported at least one data breach in the past 24 months; on average, 4 data breach incidents during the past two years


    7/29

    WHAT'S HAPPENING?


    8/29

    THE RAMIFICATIONS

    For the first time in history, it is possible to:

    Improperly disclose PHI of millions of individuals in a matter of seconds,

    Steal health information from a virtual location, and

    Breach PHI in a manner that makes it impossible to restore.


    9/29

    WHY STEAL PHI?

    Physician ID numbers are used to fraudulently bill for services

    Patient ID information is lent to friends or relatives in need of services

    Patient ID numbers are sold on the black market

    Medicare fraud estimate? $60B/year

    Majority of clinical fraud? Obtain prescription narcotics for illegitimate use

    ~5% of clinical fraud: Free healthcare

    Patient ID information: $50/record

    Social Security number: $1

    Average payout for defrauding a health care organization: $20,000

    Regular ID theft? $2,000


    10/29

    TOP ELEMENTS THREATENING PHI SECURITY

    Human: Malicious Insider; Non-Malicious Insider; Outsider; State-Sponsored Cyber Crime

    Evolving Stakeholders: BAs and Subcontractors; Cloud Providers; Virtual Physician's Office

    Methods: Lost / Stolen Media; Intrusion; Dissemination of Data; Mobile Devices; Wireless Devices


    11/29

    SAFEGUARDS AND CONTROLS ARE

    WELL KNOWN


    12/29

    SO WHAT'S HAPPENING? PHI PROJECT SURVEY FINDINGS


    13/29

    THE LAWS ARE COMPLEX: PHI PROJECT SURVEY FINDINGS


    14/29

    COMPLIANCE IS NOT EASY: PHI PROJECT SURVEY FINDINGS


    15/29

    STUMBLING BLOCKS TO A STRONG SECURITY POSTURE: PHI PROJECT SURVEY FINDINGS


    16/29

    WHY A MODEL?

    Published average costs of a data breach exist, but are they relevant to all?

    This model provides an opportunity to:

    Be specific to an organization

    Calculate what a breach might actually cost, and

    Build a compelling business case for strengthening a compliance program


    17/29

    PHI PROJECT REPORT

    Table of Contents

    1. The Progression of the Health Care Ecosystem
    2. The Evolution of Laws, Rules, and Regulations
    3. PHI Data Breach Landscape
    4. Threats and Vulnerabilities
    5. Safeguards and Controls
    6. Survey Findings: Current Practices and Attitudes
    7. PHIve: The 5-Step Method of Data Breach Costing
    8. Calculating the Cost of a PHI Breach Using PHIve
    9. Finale
    10. Appendices


    18/29

    THE PHIVE MODEL: BUILDING A BUSINESS CASE

    FOR ENHANCED SECURITY


    19/29

    STEP 1: CONDUCT A RISK ASSESSMENT

    TABLE 4: DETERMINING THE LIKELIHOOD OF ADMINISTRATIVE, PHYSICAL OR TECHNICAL DATA BREACHES

    Potential Risk Event: Physical Penetration; Physical Destruction; Sabotage; Theft; Unauthorized Deletion; Vandalism; Employee Error; Information Disclosure (e.g., shoulder surfing, elevator chat, wrong recipient); Improper Training of Staff; Unavailability of Data; Fraud

    Functional Areas or Responsibilities to be Considered: Reception; Clinical Treatment Areas; Data Record Storage; IT Support; Data Disposal; Accounting; Billing Dept.; Audit Dept.; Process Excellence; Accreditation; Quality Outcomes; Human Resources; Operations Reporting; Facilities

    Vulnerabilities to be Considered: Physical Theft; Intentional or Unintentional Fax to Unauthorized User; Intentional or Unintentional Email to Unauthorized User; Unsecured Email; Improper Disposal of Written Documents; Unauthorized Creation or Modification of Written Documents; Unauthorized Use of Written Documents; Unauthorized Sharing of Written Documents; Mistaken Identity; Untrained or Improperly Trained Workforce Member; Failure to Establish or Update Clearance Level of Workforce Member

    Safeguards/Controls to be Rated: New Hire Background Checks; Assigned Security Responsibility; Documented and Enforced Policies and Procedures; Workforce Access Authorization Clearance Processes; Regular Workforce Training; Sanctions for Non-Compliance with Policies & Procedures; Log-in and Password Management; Incident Reporting; Secure Facility Access; Workstation Security and Privacy; Business Associates Contracts & Audits; Regular Monitoring and/or Auditing of Procedures

    TABLE 5: DETERMINING THE LIKELIHOOD OF ELECTRONIC DATA BREACHES

    Potential Risk Event: Computer-Based Attack; Electronic Penetration; Destruction of Files; Destruction of Systems; Sabotage; Theft of ePHI Data; Unauthorized Creation of ePHI; Unauthorized Deletion of ePHI; Unauthorized Modification of ePHI; Vandalism

    Applications to be Considered: Admit, Discharge & Transfer (ADT); Medication Administration Record System (MARS); Order Entry (CPOE) Systems or Applications; Imaging (PACS) Systems or Applications; Accounting Systems or Applications; Billing and Receivables Systems or Applications; Electronic Record Systems or Applications; Dictation & Transcription Systems or Applications; Systems or Applications Used for Utilization Reviews; Systems or Applications Used for Accreditation; Systems or Applications Used for Oversight/Root Cause Analysis/Governance Purposes; Systems or Applications Used for Auditing, Credentialing, Litigation

    Vulnerabilities to be Considered: Lack of Encryption/Decryption Capabilities; Lack of Reliable Data Back-up and Recovery; Multiple System Access (LAN, WAN or External System Pathways); Network Pathways; No Protection against Data Interception; No Protection against Hacking; No Protection against Port Scanning and Sniffing; No Protection against Social Engineering; Flaws in Technology and Software or Protocol Designs; No Protocols for Peer-to-Peer File Sharing; Missing Security Agents; Unauthorized Remote-Control Software; No Controls on Media Files; Unnecessary Modems in Laptops; Unauthorized or Unsecured Synchronization Software; No Protection against Wireless Connectivity; No Protection against Downloading Files

    Safeguards/Controls to be Rated: Authentication of Authorized Users; Strong Authentication Construction; Documented Processes and Training; Reviewed and Approved Clearance for Authorized Users; Audit Controls for Identifying Unauthorized Users; Audit Controls for Identifying Unauthorized Activity; Encryption and Decryption Capabilities; Data Integrity Controls; Transmission Security (Limited to a Single System, LANs, WAN or External System, or Not Protected); Network Pathway (No Network Pathway or Unprotected Pathway)

    Assess the Risks, Vulnerabilities and Applicable Safeguards and Controls for each PHI home.


    20/29

    STEP 2: DETERMINE A SECURITY

    READINESS SCORE

    SECURITY READINESS SCORE SCALE

    Security Readiness Score -> The Likelihood of a Data Breach

    1  Virtually Impossible

    2  Rare

    3  Possible but Not Likely

    4  Possible and Likely

    5  Possible and Highly Likely

    DETERMINE THE LIKELIHOOD OF A DATA BREACH FOR EACH PHI HOME AND ASSIGN A SECURITY READINESS SCORE


    21/29

    DETERMINE THE COST RELEVANCE


    22/29

    EXAMPLES OF RELEVANCE & IMPACT

    CONSIDERATIONS


    23/29

    STEP 3: ASSIGN A RELEVANCE FACTOR

    Assign a Relevance Factor to the calculated cost of a data breach for each PHI home that has an unacceptable SECURITY READINESS SCORE

    RELEVANCE FACTOR HIERARCHY

    Pre-Breach (Risk Exposure/Analysis, Best Practice):

    Hardly Relevant     0.05

    A Little Relevant   0.15

    Somewhat Relevant   0.50

    Relevant            0.85

    Highly Relevant     0.95

    Post-Breach:

    Breach              1.00


    24/29

    STEP 4: DETERMINE THE IMPACT

    RELEVANCE * CONSEQUENCE = IMPACT (ADJUSTED COST)


    25/29

    STEP 5: CALCULATE THE TOTAL COST OF A

    BREACH

    Scoring the Total Impact

    Insignificant: Less than 2% of Revenue

    Minor: 2% of Revenue

    Moderate: 4% of Revenue

    Major: 6% of Revenue

    Severe: Greater than 6% of Revenue


    26/29

    SAMPLE CASE STUDY

    Unintentional, Business Associate, 845,000 records, Clinical fraud resulting in 1 death, financial fraud, NYC

    Estimated Total Impact

    Grand total of breach costs: $26,493,617

    Annual Revenue of Entity: $241,836,404

    % of Cost to Annual Revenue: 11%

    Impact Score: Severe
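    The five PHIve steps (readiness score, relevance factor, relevance times consequence, total, and scoring against revenue) carried through in working code, as an added example that is not part of the deck or the PHI Project report. The readiness threshold for "unacceptable", the treatment of the 2% / 4% / 6% figures as band boundaries, and every PHI home and dollar figure in the sample are assumptions constructed for the example; the deck's own case study totals are used only as a check at the end.

```python
from dataclasses import dataclass

# Step 2 scale (slide 20): Security Readiness Score -> likelihood of a data breach.
SECURITY_READINESS = {
    1: "Virtually Impossible",
    2: "Rare",
    3: "Possible but Not Likely",
    4: "Possible and Likely",
    5: "Possible and Highly Likely",
}
# Assumption (the deck does not define "unacceptable"): scores of 4 and 5 are
# unacceptable, so only those PHI homes are carried into Steps 3-5.
UNACCEPTABLE_READINESS = 4

# Step 3 hierarchy (slide 23): relevance label -> factor applied to the cost.
RELEVANCE_FACTOR = {
    "Hardly Relevant": 0.05,
    "A Little Relevant": 0.15,
    "Somewhat Relevant": 0.50,
    "Relevant": 0.85,
    "Highly Relevant": 0.95,
    "Breach": 1.00,
}


@dataclass
class CostItem:
    """One cost category for a PHI home (names and figures are constructed)."""
    name: str
    consequence: float  # dollar cost if this category applies in full
    relevance: str      # key of RELEVANCE_FACTOR


def adjusted_cost(item: CostItem) -> float:
    """Step 4: RELEVANCE * CONSEQUENCE = IMPACT (adjusted cost)."""
    return RELEVANCE_FACTOR[item.relevance] * item.consequence


def total_cost(items) -> float:
    """Step 5, first half: add up the adjusted costs of every cost category."""
    return sum(adjusted_cost(item) for item in items)


def impact_score(cost: float, annual_revenue: float) -> str:
    """Step 5, second half: score total impact as a share of annual revenue.

    Assumption: the deck's 2% / 4% / 6% figures are the lower bound of each band
    ("Insignificant" below 2%, "Major" at 6%, "Severe" strictly above 6%).
    """
    ratio = cost / annual_revenue
    if ratio > 0.06:
        return "Severe"
    if ratio >= 0.06:
        return "Major"
    if ratio >= 0.04:
        return "Moderate"
    if ratio >= 0.02:
        return "Minor"
    return "Insignificant"


def phive_summary(phi_homes, annual_revenue: float) -> dict:
    """Run Steps 2-5 over a list of PHI homes and return the business-case figures.

    Each PHI home is a dict: {"name": str, "readiness": int, "items": [CostItem]}.
    """
    costed = [h for h in phi_homes if h["readiness"] >= UNACCEPTABLE_READINESS]
    total = sum(total_cost(h["items"]) for h in costed)
    return {
        "homes_costed": [h["name"] for h in costed],
        "total_cost": total,
        "percent_of_revenue": round(100.0 * total / annual_revenue, 1),
        "impact_score": impact_score(total, annual_revenue),
    }


def sample_assessment() -> dict:
    """Constructed input: two PHI homes, only one with an unacceptable readiness score."""
    phi_homes = [
        {
            "name": "Billing system hosted by a business associate",
            "readiness": 5,  # Possible and Highly Likely
            "items": [
                CostItem("Breach notification and call centre", 1_200_000, "Relevant"),
                CostItem("Credit monitoring for affected patients", 3_000_000, "Highly Relevant"),
                CostItem("Regulatory fines and legal defence", 1_500_000, "Somewhat Relevant"),
            ],
        },
        {
            "name": "Reception paper records",
            "readiness": 2,  # Rare: below the threshold, so not costed
            "items": [CostItem("Re-creation of lost paper charts", 50_000, "Breach")],
        },
    ]
    return phive_summary(phi_homes, annual_revenue=100_000_000)


if __name__ == "__main__":
    print(sample_assessment())
    # The deck's case study: $26,493,617 against $241,836,404 of revenue is 11%, scored Severe.
    print(round(100 * 26_493_617 / 241_836_404), impact_score(26_493_617, 241_836_404))
```

    The constructed billing-system home totals $4,620,000 of adjusted cost, 4.6% of the assumed $100M revenue, which lands in the Moderate band; the paper-records home is skipped because its readiness score of 2 is below the assumed threshold. Re-running `impact_score` on the case study's published figures reproduces the 11% and the Severe score shown on the slide.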


    27/29

    HOW MUCH TO INVEST?

    How much would a data breach cost?

    Given current safeguards and controls, how often can an organization expect to experience a data breach?

    What investments can be made to reduce the frequency of a data breach?

    What are the associated annual savings of a delayed data breach?

    Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?
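    The investment questions above turned into a comparison routine, as an added example that is not from the deck: breach frequency is modelled as expected breaches per year, the "annual savings of a delayed breach" is the drop in expected yearly breach cost, and a program qualifies when its yearly cost is below that saving. The breach cost, frequencies and program names are constructed, and using net annual benefit to choose among qualifying programs is an assumption the deck leaves open.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Program:
    """A candidate security enhancement program (names and figures are constructed)."""
    name: str
    annual_cost: float        # yearly spend on the program
    breaches_per_year: float  # expected breach frequency once the program is in place


def annual_expected_cost(breach_cost: float, breaches_per_year: float) -> float:
    """Expected yearly breach cost: what a breach costs times how often one is expected."""
    return breach_cost * breaches_per_year


def annual_savings(breach_cost: float, current_freq: float, reduced_freq: float) -> float:
    """Yearly saving from delaying breaches, i.e. lowering their expected frequency."""
    return (annual_expected_cost(breach_cost, current_freq)
            - annual_expected_cost(breach_cost, reduced_freq))


def affordable_programs(breach_cost: float, current_freq: float,
                        programs: List[Program]) -> List[Program]:
    """Programs that actually reduce frequency and cost less per year than they save."""
    return [
        p for p in programs
        if p.breaches_per_year < current_freq
        and p.annual_cost < annual_savings(breach_cost, current_freq, p.breaches_per_year)
    ]


def choose_program(breach_cost: float, current_freq: float,
                   programs: List[Program]) -> Optional[Program]:
    """Pick the affordable program with the largest net annual benefit (savings minus cost).

    Assumption: net benefit is the tie-breaker; the deck only asks that the
    program cost less than the savings while still reducing breach frequency.
    """
    candidates = affordable_programs(breach_cost, current_freq, programs)
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda p: annual_savings(breach_cost, current_freq, p.breaches_per_year) - p.annual_cost,
    )


def sample_decision() -> Optional[Program]:
    """Constructed scenario: a $5M breach expected once every two years under current controls."""
    breach_cost = 5_000_000.0
    current_freq = 0.5
    programs = [
        Program("A: encryption of portable media", 400_000, 0.25),
        Program("B: A plus workforce training and audit logging", 900_000, 0.10),
        Program("C: B plus managed detection service", 2_500_000, 0.05),
    ]
    return choose_program(breach_cost, current_freq, programs)


if __name__ == "__main__":
    print(sample_decision())
```

    In the constructed scenario the current expected cost is $2.5M a year; program A saves $1.25M for $400K, program B saves $2.0M for $900K, and program C would save $2.25M but costs $2.5M, so it fails the "costs less than the annual savings" test. B wins on net benefit. Swapping in an organization's own breach cost from the PHIve total and its own breach frequency is the intended use.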


    28/29

    IN SUMMARY...


    29/29

    THANK YOU TO ALL THE PHI PROTECTORS

    AND THEIR SPONSORS