7/31/2019 2012 03 21 Mary Chaput Clearwater Compliance ISA ANSI Santa Fe Group the Financial Impact of Breached Protected Health Information PHI Webinar Presentation
1/29
A BUSINESS CASE FOR ENHANCED PHI SECURITY
THE PHI PROJECT: THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION
THE PHI PROJECT
REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
WHO: Guardians of the trust forming the foundation of the health care delivery system
SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security
100+ EXPERT PARTICIPANTS
70 ORGANIZATIONS
American National Standards Institute (ANSI) via its Identity Theft Standards Panel (IDSP)
The Santa Fe Group/Shared Assessments Healthcare Working Group
Internet Security Alliance (ISA)
Health care industry leaders
Security and privacy experts
APPROACH BASED ON SUCCESS OF PRIOR PROJECTS
WHAT MAKES HEALTH CARE WORK?
Trust
Confidentiality
Availability
Integrity
THE PROBLEM IS... BREACHES
Between 2005 & 2008: nearly 39.5 million electronic health records
In the past two years: the privacy of 18 million Americans
In the period September through November of 2011: health records of 4.9 million military personnel, 4 million patients of a health care system, and 20,000 patients of an academic medical center
72 provider organizations in a November 2011 survey: 96% reported at least one data breach in the past 24 months; on average, 4 data breach incidents during the past two years
WHAT'S HAPPENING?
THE RAMIFICATIONS
For the first time in history, it is possible to:
Improperly disclose PHI of millions of individuals in a matter of seconds,
Steal health information from a virtual location, and
Breach PHI in a manner that makes it impossible to restore.
WHY STEAL PHI?
Physician ID numbers are used to fraudulently bill for services
Patient ID information is lent to friends or relatives in need of services
Patient ID numbers are sold on the black market
Medicare fraud estimate? $60B/year
Majority of clinical fraud? Obtaining prescription narcotics for illegitimate use
~5% of clinical fraud: Free healthcare
Patient ID Information: $50/record
Social Security number: $1
Average payout for defrauding a health care organization: $20,000
Regular ID theft? $2,000
TOP ELEMENTS THREATENING PHI SECURITY
Human: Malicious Insider; Non-Malicious Insider; Outsider; State-Sponsored Cyber Crime
Evolving Stakeholders: BAs and Subcontractors; Cloud Providers; Virtual Physicians Office
Methods: Lost / Stolen Media; Intrusion; Dissemination of Data; Mobile Devices; Wireless Devices
SAFEGUARDS AND CONTROLS ARE WELL KNOWN
SO WHAT'S HAPPENING? PHI PROJECT SURVEY FINDINGS
THE LAWS ARE COMPLEX: PHI PROJECT SURVEY FINDINGS
COMPLIANCE IS NOT EASY: PHI PROJECT SURVEY FINDINGS
STUMBLING BLOCKS TO A STRONG SECURITY POSTURE: PHI PROJECT SURVEY FINDINGS
WHY A MODEL?
Published average costs of a data breach exist, but are they relevant to every organization?
This model provides an opportunity to:
Be specific to an organization,
Calculate what a breach might actually cost, and
Build a compelling business case for strengthening a compliance program.
PHI PROJECT REPORT
Table of Contents
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. PHIve: The 5-Step Method of Data Breach Costing
8. Calculating the Cost of a PHI Breach Using PHIve
9. Finale
10. Appendices
THE PHIVE MODEL: BUILDING A BUSINESS CASE FOR ENHANCED SECURITY
STEP 1: CONDUCT A RISK ASSESSMENT
TABLE 4: DETERMINING THE LIKELIHOOD OF ADMINISTRATIVE, PHYSICAL OR TECHNICAL DATA BREACHES
Potential Risk Event: Physical Penetration; Physical Destruction; Sabotage; Theft; Unauthorized Deletion; Vandalism; Employee Error; Information Disclosure (e.g., shoulder surfing, elevator chat, wrong recipient); Improper Training of Staff; Unavailability of Data; Fraud
Functional Areas or Responsibilities to be Considered: Reception; Clinical Treatment Areas; Data Record Storage; IT Support; Data Disposal; Accounting; Billing Dept.; Audit Dept.; Process Excellence; Accreditation; Quality Outcomes; Human Resources; Operations Reporting; Facilities
Vulnerabilities to be Considered: Physical Theft; Intentional or Unintentional Fax to Unauthorized User; Intentional or Unintentional Email to Unauthorized User; Unsecured Email; Improper Disposal of Written Documents; Unauthorized Creation or Modification of Written Documents; Unauthorized Use of Written Documents; Unauthorized Sharing of Written Documents; Mistaken Identity; Untrained or Improperly Trained Workforce Member; Failure to Establish or Update Clearance Level of Workforce Member
Safeguards/Controls to be Rated: New Hire Background Checks; Assigned Security Responsibility; Documented and Enforced Policies and Procedures; Workforce Access Authorization Clearance Processes; Regular Workforce Training; Sanctions for Non-compliance with Policies & Procedures; Log-in and Password Management; Incident Reporting; Secure Facility Access; Workstation Security and Privacy; Business Associates Contracts & Audits; Regular Monitoring and/or Auditing of Procedures
TABLE 5: DETERMINING THE LIKELIHOOD OF ELECTRONIC DATA BREACHES
Potential Risk Event: Computer-Based Attack; Electronic Penetration; Destruction of Files; Destruction of Systems; Sabotage; Theft of ePHI Data; Unauthorized Creation of ePHI; Unauthorized Deletion of ePHI; Unauthorized Modification of ePHI; Vandalism
Applications to be Considered: Admit, Discharge & Transfer (ADT); Medication Administration Record System (MARS); Order Entry (CPOE) Systems or Applications; Imaging (PACS) Systems or Applications; Accounting Systems or Applications; Billing and Receivables Systems or Applications; Electronic Record Systems or Applications; Dictation & Transcription Systems or Applications; Systems or Applications Used for Utilization Reviews; Systems or Applications Used for Accreditation; Systems or Applications Used for Oversight/Root Cause Analysis/Governance Purposes; Systems or Applications Used for Auditing, Credentialing, Litigation
Vulnerabilities to be Considered: Lack of Encryption/Decryption Capabilities; Lack of Reliable Data Back-up and Recovery; Multiple System Access (LAN, WAN or External System Pathways); Network Pathways with No Protection against Data Interception; No Protection against Hacking; No Protection against Port Scanning and Sniffing; No Protection against Social Engineering; Flaws in Technology and Software or Protocol Designs; No Protocols for Peer-to-Peer File Sharing; Missing Security Agents; Unauthorized Remote-Control Software; No Controls on Media Files; Unnecessary Modems in Laptops; Unauthorized or Unsecured Synchronization Software; No Protection against Wireless Connectivity; No Protection against Downloading Files
Safeguards/Controls to be Rated: Authentication of Authorized Users; Strong Authentication Construction; Documented Processes and Training; Reviewed and Approved Clearance for Authorized Users; Audit Controls for Identifying Unauthorized Users; Audit Controls for Identifying Unauthorized Activity; Encryption and Decryption Capabilities; Data Integrity Controls; Transmission Security (rated as: limited to a single system; LANs, WAN or external system, or not protected; no network pathway or unprotected pathway)
Assess the Risks, Vulnerabilities and Applicable Safeguards and Controls for each PHI home.
STEP 2: DETERMINE A SECURITY READINESS SCORE
SECURITY READINESS SCORE SCALE
Security Readiness Score: The Likelihood of a Data Breach
1: Virtually Impossible
2: Rare
3: Possible but Not Likely
4: Possible and Likely
5: Possible and Highly Likely
DETERMINE THE LIKELIHOOD OF A DATA BREACH FOR EACH PHI HOME AND ASSIGN A SECURITY READINESS SCORE
DETERMINE THE COST RELEVANCE
EXAMPLES OF RELEVANCE & IMPACT CONSIDERATIONS
STEP 3: ASSIGN A RELEVANCE FACTOR
Assign a Relevance Factor to the calculated cost of a data breach for each PHI home that has an unacceptable SECURITY READINESS SCORE
RELEVANCE FACTOR HIERARCHY
Relevance: Factor
Pre-Breach (Risk Exposure/Analysis, Best Practice):
Hardly Relevant: 0.05
A Little Relevant: 0.15
Somewhat Relevant: 0.50
Relevant: 0.85
Highly Relevant: 0.95
Post-Breach:
Breach: 1.00
STEP 4: DETERMINE THE IMPACT
RELEVANCE * CONSEQUENCE = IMPACT (ADJUSTED COST)
STEP 5: CALCULATE THE TOTAL COST OF A BREACH
Scoring the Total Impact
Insignificant: Less than 2% of Revenue
Minor: 2% of Revenue
Moderate: 4% of Revenue
Major: 6% of Revenue
Severe: Greater than 6% of Revenue
SAMPLE CASE STUDY
Unintentional, Business Associate, 845,000 records, clinical fraud resulting in 1 death, financial fraud, NYC
Estimated Total Impact
Grand total of breach costs: $26,493,617
Annual Revenue of Entity: $241,836,404
% of Cost to Annual Revenue: 11%
Impact Score: Severe
HOW MUCH TO INVEST?
How much would a data breach cost?
Given current safeguards and controls, how often can an organization expect to experience a data breach?
What investments can be made to reduce the frequency of a data breach?
What are the associated annual savings of a delayed data breach?
Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?
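The PHIve steps (readiness score, relevance factor, impact, total cost as a share of revenue) and the investment questions above, carried through in code. This is an added example, not the PHI Project's own calculator: the relevance factors and revenue bands are the ones printed on the slides; the "unacceptable" readiness cut-off of 4, the reading of the 2%/4%/6% figures as band edges, and the sample PHI homes and programs are assumptions.

```python
# Added example, not the PHI Project's own calculator: PHIve Steps 2-5 plus the
# "how much to invest" comparison. Factors come from the slides; cut-offs marked.
from dataclasses import dataclass, field

# Relevance Factor Hierarchy from the Step 3 slide.
RELEVANCE = {"hardly": 0.05, "a_little": 0.15, "somewhat": 0.50,
             "relevant": 0.85, "highly": 0.95, "breach": 1.00}
# Assumption: the deck does not fix the cut-off for an "unacceptable" Security
# Readiness Score; 4 ("Possible and Likely") is used here.
UNACCEPTABLE_SCORE = 4

@dataclass
class CostItem:
    category: str       # e.g. "notification", "legal", "lost patients"
    consequence: float  # full cost if the item applies, in dollars
    relevance: str      # key into RELEVANCE

    def impact(self) -> float:
        """Step 4: RELEVANCE * CONSEQUENCE = IMPACT (adjusted cost)."""
        return RELEVANCE[self.relevance] * self.consequence

@dataclass
class PhiHome:
    name: str
    readiness_score: int  # Step 2: 1 (virtually impossible) .. 5 (highly likely)
    items: list = field(default_factory=list)

def total_breach_cost(homes, threshold=UNACCEPTABLE_SCORE) -> float:
    """Step 5: sum adjusted costs over PHI homes with an unacceptable score."""
    return sum(i.impact() for h in homes if h.readiness_score >= threshold
               for i in h.items)

def impact_score(total_cost: float, annual_revenue: float):
    """Whole-percent share of revenue and the slide's Insignificant..Severe label.
    Assumption: 2%/4%/6% are read as band edges, 'Major' is exactly 6%."""
    pct = round(100 * total_cost / annual_revenue)
    bands = [(2, "Insignificant"), (4, "Minor"), (6, "Moderate"), (7, "Major")]
    return pct, next((name for edge, name in bands if pct < edge), "Severe")

def annual_savings(total_cost, years_between_now, years_between_after):
    """Annual saving from a delayed breach: expected cost per year before vs after."""
    return total_cost / years_between_now - total_cost / years_between_after

def affordable_programs(programs: dict, savings: float) -> list:
    """Enhancement programs whose annual cost is below the annual savings."""
    return [name for name, cost in programs.items() if cost < savings]
```

Feeding the sample case study's grand total and revenue into impact_score reproduces its 11% and Severe rating; the constructed PHI homes show that a home with an acceptable readiness score contributes nothing to the total.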
IN SUMMARY...
THANK YOU TO ALL THE PHI PROTECTORS AND THEIR SPONSORS