
THE PHI PROJECT: THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION. A BUSINESS CASE FOR ENHANCED PHI SECURITY

THE PHI PROJECT


REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
WHO: Guardians of the trust forming the foundation of the health care delivery system
SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security

100+ EXPERT PARTICIPANTS 70 ORGANIZATIONS


American National Standards Institute (ANSI)
via its Identity Theft Standards Panel (IDSP)

The Santa Fe Group/Shared Assessments Healthcare Working Group
Internet Security Alliance (ISA)
Health care industry leaders
Security and privacy experts

APPROACH BASED ON SUCCESS OF PRIOR PROJECTS

WHAT MAKES HEALTH CARE WORK?

Availability

Integrity

Trust
Confidentiality

THE PROBLEM IS... BREACHES


Between 2005 & 2008: nearly 39.5 million electronic health records
In the past two years: the privacy of 18 million Americans
In the period September through November of 2011: health records of 4.9 million military personnel, 4 million patients of a health care system, and 20,000 patients of an academic medical center
72 provider organizations in a November 2011 survey: 96% had at least one data breach in the past 24 months
On average: 4 data breach incidents during the past two years

WHAT'S HAPPENING?

THE RAMIFICATIONS
For the first time in history, it is possible to:
Improperly disclose PHI of millions of individuals in a matter of seconds,
Steal health information from a virtual location, and
Breach PHI in a manner that makes it impossible to restore.

WHY STEAL PHI?


Physician ID numbers are used to fraudulently bill for services
Patient ID information is lent to friends or relatives in need of services
Patient ID numbers are sold on the black market

Medicare fraud estimate? $60B/year
Majority of clinical fraud? Obtaining prescription narcotics for illegitimate use
~5% of clinical fraud: Free health care
Patient ID information: $50/record
Social Security number: $1
Average payout for defrauding a health care organization: $20,000
Regular ID theft? $2,000

TOP ELEMENTS THREATENING PHI SECURITY


Human: Malicious Insider; Non-Malicious Insider; Outsider; State-Sponsored Cyber Crime
Evolving Stakeholders: BAs and Subcontractors; Cloud Providers; Virtual Physician's Office
Methods: Lost / Stolen Media; Intrusion; Dissemination of Data; Mobile Devices; Wireless Devices

SAFEGUARDS AND CONTROLS ARE WELL KNOWN

SO WHAT'S HAPPENING?
PHI PROJECT SURVEY FINDINGS

THE LAWS ARE COMPLEX


PHI PROJECT SURVEY FINDINGS

COMPLIANCE IS NOT EASY


PHI PROJECT SURVEY FINDINGS

STUMBLING BLOCKS TO A STRONG SECURITY POSTURE


PHI PROJECT SURVEY FINDINGS

WHY A MODEL?
Published average costs of a data breach exist, but are they relevant to every organization? This model provides an opportunity to:
Be specific to an organization,
Calculate what a breach might actually cost, and
Build a compelling business case for strengthening a compliance program

PHI PROJECT REPORT


Table of Contents

1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. PHIve: The 5-Step Method of Data Breach Costing
8. Calculating the Cost of a PHI Breach Using PHIve
9. Finale
10. Appendices

THE PHIVE MODEL: BUILDING A BUSINESS CASE FOR ENHANCED SECURITY

STEP 1: CONDUCT A RISK ASSESSMENT


TABLE 4: DETERMINING THE LIKELIHOOD OF ADMINISTRATIVE, PHYSICAL OR TECHNICAL DATA BREACHES

Potential Risk Event:
Physical Penetration; Physical Destruction; Sabotage; Theft; Unauthorized Deletion; Vandalism; Employee Error; Information Disclosure (e.g., shoulder surfing, elevator chat, wrong recipient); Improper [remainder cut off]; Unavailability of Human Resources; Fraud

Functional Areas or Responsibilities to be Considered:
Reception; Clinical Treatment Areas; Data Record Storage; IT Support; Data Disposal; Accounting; Billing Dept.; Audit Dept.; Process Excellence; Accreditation; Quality and Outcomes; Privacy; Data Operations; Reporting; Facilities

Vulnerabilities to be Considered:
Physical Theft; Intentional or Unintentional Fax to Unauthorized User; Intentional or Unintentional Email to Unauthorized User; Unsecured Email; Improper Disposal of Written Documents; Unauthorized Creation or Modification of Written Documents; Unauthorized Use of Written Documents; Unauthorized Sharing of Written Documents; Mistaken Identity; Untrained or Improperly Trained Workforce Member; Failure to Establish or Update Clearance Level of Workforce Member

Safeguards/Controls to be Rated:
New Hire Background Checks; Assigned Security Responsibility; Documented and Enforced Policies and Procedures; Workforce Access Authorization Clearance; Written Processes; Regular Workforce Training; Sanctions for Non-Compliance of Policies & Procedures; Log-in and Password Management; Incident Reporting; Secure Facility Access; Workstation Security; Training of Staff; Business Associates Contracts & Audits; Regular Monitoring and/or Auditing of Procedures

Potential Risk Event

Assess the Risks, Vulnerabilities and Applicable Safeguards and Controls for each PHI home.

TABLE 5: DETERMINING THE LIKELIHOOD OF ELECTRONIC DATA BREACHES

Potential Risk Event:
Computer-Based Attack; Penetration; Destruction of Files; Destruction of Systems; Sabotage; Theft of ePHI; Unauthorized Creation of ePHI; Unauthorized Deletion of ePHI; Unauthorized Modification of ePHI; Vandalism

Applications to be Considered:
Admit, Discharge & Transfer (ADT); Electronic Medication Administration Record System (MARS); Construction Order Entry (CPOE) Systems or Applications; Imaging (PACS) Systems or Application; Accounting Systems or Applications; Billing and Receivables Systems or Applications; Electronic Record Systems or Applications; Dictation & Transcription Systems or Applications; Systems or Applications Used for Utilization Reviews; Systems or Applications Used for Accreditation; Systems or Applications Used for Oversight/Root Cause Analysis/Governance Purposes; Systems or Applications Used for Auditing, Credentialing, Litigation or [remainder cut off]

Vulnerabilities to be Considered:
Lack of Encryption/Decryption Capabilities; Lack of Reliable Data Back-up and Recovery; Multiple System Access; LAN, WAN or External System Network Pathways; No Protection against Data Interception; No Protection against Hacking; No Protection against Port Scanning and Sniffing; No Protection against Social Engineering; Flaws in Technology and Software or Protocol Designs; No Protocols for Peer-to-Peer File Sharing; Missing Security Agents; Unauthorized Remote-Control Software; No Controls on Media Files; LANs, WAN or External System Pathway Is Not Protected; Unnecessary Modems in Laptops; Unauthorized or Unsecured Synchronization Software; Unprotected Network Pathway; No Protection against Wireless Connectivity; No Protection against Downloading Files

Safeguards/Controls to be Rated:
Authentication of Authorized Users; Strong Authentication; Documented Processes and Training; Reviewed and Approved Clearance for Authorized Users; Audit Controls for Identifying Unauthorized Users; Audit Controls for Identifying Unauthorized Activity; Encryption and Decryption Capabilities; Data Integrity Controls; Transmission Security; Limited to a Single System

STEP 2: DETERMINE A SECURITY READINESS SCORE


SECURITY READINESS SCORE SCALE

Security Readiness Score | The Likelihood of a Data Breach
1 | Virtually Impossible
2 | Rare
3 | Possible but Not Likely
4 | Possible and Likely
5 | Possible and Highly Likely

DETERMINE THE LIKELIHOOD OF A DATA BREACH FOR EACH PHI HOME AND ASSIGN A SECURITY READINESS SCORE

DETERMINE THE COST RELEVANCE

EXAMPLES OF RELEVANCE & IMPACT CONSIDERATIONS

STEP 3: ASSIGN A RELEVANCE FACTOR


RELEVANCE FACTOR HIERARCHY

Relevance | Breach Relevance Factor
Hardly Relevant | 0.05
A Little Relevant | 0.15
Somewhat Relevant | 0.50
Relevant | 0.85
Highly Relevant | 0.95
(top of scale) | 1.00

Axis annotations on the hierarchy: Pre-Breach Risk Exposure/Analysis; Best Practice; Post-Breach

Assign a Relevance Factor to the calculated cost of a data breach for each PHI home that has an unacceptable SECURITY READINESS SCORE

STEP 4: DETERMINE THE IMPACT

RELEVANCE * CONSEQUENCE = IMPACT (ADJUSTED COST)

STEP 5: CALCULATE THE TOTAL COST OF A BREACH

Scoring the Total Impact

Impact Score | % of Revenue
Insignificant | Less than 2% of revenue
Minor | 2% of revenue
Moderate | 4% of revenue
Major | 6% of revenue
Severe | Greater than 6% of revenue

SAMPLE CASE STUDY


Unintentional, Business Associate, 845,000 records, Clinical fraud resulting in 1 death, financial fraud, NYC

Estimated Total Impact

Grand total of breach costs: $26,493,617
Annual revenue of entity: $241,836,404
% of cost to annual revenue: 11%
Impact score: Severe
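The five PHIve steps above (readiness score, relevance factor, relevance times consequence, total cost, scoring against revenue) and the investment questions that follow can be carried through as a small worksheet. The following Python is an added illustration, not code from the PHI Project or the ANSI/ISA/Santa Fe Group report. It uses the slide's own scale, factors and case-study figures; the threshold at which a readiness score counts as "unacceptable", the constructed PHI homes and cost items, and the annualised-cost treatment of "savings of a delayed breach" are assumptions made here and are marked as such in the comments.

```python
"""PHIve-style breach cost worksheet (illustrative, not the project's own code)."""
from dataclasses import dataclass
import math

# Step 2 scale, as given on the slide.
SECURITY_READINESS_SCALE = {
    1: "Virtually Impossible",
    2: "Rare",
    3: "Possible but Not Likely",
    4: "Possible and Likely",
    5: "Possible and Highly Likely",
}

# Step 3 relevance factor hierarchy, as given on the slide.
RELEVANCE_FACTORS = {
    "Hardly Relevant": 0.05,
    "A Little Relevant": 0.15,
    "Somewhat Relevant": 0.50,
    "Relevant": 0.85,
    "Highly Relevant": 0.95,
}


@dataclass
class CostItem:
    """One cost consequence of a breach at a PHI home (e.g. notification, legal)."""
    name: str
    consequence: float  # estimated cost in dollars if the breach occurs
    relevance: str      # a key of RELEVANCE_FACTORS

    def impact(self) -> float:
        # Step 4: RELEVANCE * CONSEQUENCE = IMPACT (adjusted cost)
        return RELEVANCE_FACTORS[self.relevance] * self.consequence


@dataclass
class PhiHome:
    """A place where PHI lives, with its Step 2 score and its Step 3/4 cost items."""
    name: str
    readiness_score: int
    cost_items: list


def is_unacceptable(home: PhiHome, threshold: int = 3) -> bool:
    """Assumption: a score at or above `threshold` is unacceptable; the slide
    leaves the cut-off to the organization."""
    if home.readiness_score not in SECURITY_READINESS_SCALE:
        raise ValueError(f"readiness score must be 1-5, got {home.readiness_score}")
    return home.readiness_score >= threshold


def total_impact(homes: list, threshold: int = 3) -> float:
    """Step 5: sum the adjusted cost of every home with an unacceptable score."""
    return sum(item.impact()
               for home in homes if is_unacceptable(home, threshold)
               for item in home.cost_items)


def impact_score(total_cost: float, annual_revenue: float) -> tuple:
    """Score the total impact as a percentage of annual revenue.
    Assumption: the slide's 2% and 4% are band lower bounds, Major is the 6%
    boundary itself, and anything above 6% is Severe."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    pct = 100.0 * total_cost / annual_revenue
    if pct < 2:
        label = "Insignificant"
    elif pct < 4:
        label = "Minor"
    elif pct < 6:
        label = "Moderate"
    elif math.isclose(pct, 6.0):
        label = "Major"
    else:
        label = "Severe"
    return label, pct


def annual_savings_of_delay(total_cost: float, years_between_now: float,
                            years_between_after: float) -> float:
    """Assumption: annualised breach cost = total impact / expected years between
    breaches; the saving is the drop in that figure once controls lengthen the interval."""
    return total_cost / years_between_now - total_cost / years_between_after


def program_is_worthwhile(annual_program_cost: float, annual_savings: float) -> bool:
    """Slide's last question: does the enhancement cost less than the annual savings?"""
    return annual_program_cost < annual_savings


def case_study() -> tuple:
    """The slide's sample case: $26,493,617 total cost vs $241,836,404 revenue."""
    return impact_score(26_493_617, 241_836_404)


def worked_example() -> tuple:
    """Constructed PHI homes and cost items (assumed values, not from the slide)."""
    homes = [
        PhiHome("Reception (paper charts)", 2,
                [CostItem("Notification letters", 40_000, "Relevant")]),  # score 2: excluded
        PhiHome("Billing Dept. file share", 4, [
            CostItem("Notification and credit monitoring", 120_000, "Highly Relevant"),
            CostItem("Legal defence", 80_000, "Relevant"),
            CostItem("Lost patient revenue", 200_000, "Hardly Relevant"),
        ]),
    ]
    total = total_impact(homes)            # 0.95*120000 + 0.85*80000 + 0.05*200000
    return total, impact_score(total, 5_000_000)


if __name__ == "__main__":
    print("case study:", case_study())
    print("worked example:", worked_example())
```

In the constructed example only the billing file share contributes, because the reception area's score of 2 ("Rare") sits below the assumed cut-off; its adjusted cost of $192,000 is 3.84% of a $5M revenue, which the scoring table places at Minor, while the slide's own case study reproduces the 11% / Severe result.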

HOW MUCH TO INVEST?


How much would a data breach cost?
Given current safeguards and controls, how often can an organization expect to experience a data breach?
What investments can be made to reduce the frequency of a data breach?
What are the associated annual savings of a delayed data breach?
Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?

IN SUMMARY...

THANK YOU TO ALL THE PHI PROTECTORS


AND THEIR SPONSORS
