6/11/2015

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

© Clearwater Compliance LLC | All Rights Reserved


Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Welcome to today's Live Event… we will begin shortly…

How to Calculate the Cost of a Data Breach and Get the Budget for Your HIPAA Compliance Program

Please feel free to use "Chat" or "Q&A" to tell us any 'burning' questions you may have in advance…

How to Calculate the Cost of a Data Breach and Get the Budget for Your HIPAA Compliance Program (June 4, 2015)

Michelle Caswell, JD, Senior Director, Legal and Compliance, Clearwater Compliance, LLC ([email protected])


Michelle Caswell, JD, Senior Director, Legal & Compliance
• More than 14 years healthcare experience
• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules
• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts
• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights
• Licensed attorney in Georgia and Tennessee
• Frequent national speaker on healthcare compliance and security

Contact: Michelle Caswell, JD, [email protected]


About HIPAA‐HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!


Source (report cover and chart): Ponemon Institute, 2013 Cost of a Data Breach Report, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf


Finding the Funding: Developing a Business Case for Strengthening Your Security Program


Industry/Expert Collaboration: Table of Contents
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. Data Breach Costing Framework
8. Calculating the Cost of a PHI Breach
9. Finale
10. Appendices


Start with the End in Mind

# of records breached: 10,000
Average cost/record*: $204.00
Cost of a breach: $2,040,000

Probabilized # of years between breaches*: 2
Average annual cost of a probable breach: $1,020,000

BUT WHAT IF…

# of years between breaches: 5
Average annual cost of a breach would be: $408,000

Annual investment with breakeven ROI (= $1,020,000 − $408,000): $612,000

* Cost of a Data Breach, Ponemon 2012


Steps for Building a Business Case….
• Determine the greatest risks to the compromise of PHI and the controls or safeguards that would mitigate those risks
• Calculate the costs of implementing those controls or safeguards
• Quantify the impact of a breach
• Succinctly present the ROI


Where to start….
1. Where are your greatest exposures?
2. What can be accomplished with current resources?
3. What initiatives will require additional resources?
4. Which initiatives will be most effective?
5. What will it cost?
6. What's the return on investment?


HHS "Wall of Shame": causes behind the reported breaches (chart)
• Lack of encryption
• Inadequate physical safeguards
• Inadequate activity monitoring
• Inadequate workforce access
• Inadequate policies & procedures
• Inadequate training
• Inadequate sanctions
• Inadequate disposal


Where to start….
1. Where are your greatest exposures?
2. What can be accomplished with current resources?
3. What initiatives will require additional resources?
4. Why are you recommending them?
5. What will it cost?
6. What's the return on investment?


Exposures Identified in Assessments – "QUICK & EASY"

Security Assessments
• Document Current Strong Practices
• Complete a Procedure Gap Analysis
• Establish Security Incident Procedures
• Revitalize Security Awareness Reminders

Privacy Assessments
• Document Current Strong Practices
• Apply Appropriate Sanctions
• Implement Complaint Process
• Audit Disposal Practices


Exposures Identified in Assessments – "BIG ROCKS"

Security Assessments
• Complete a Risk Analysis
• Initiate Activity Monitoring
• Implement Encryption
• Implement a Contingency/DR Plan

Privacy Assessments
• Establish Minimum Necessary Workforce Access
• Business Associates Management Program
• State Pre‐emption Analysis
• Establish a Breach Risk Assessment Process



Time to get to work….


PHI PROJECT


Relevance Considerations
• Type of Business (CE or BA)
• Availability of Competitive Alternatives
• Acceptability of Competitive Alternatives

Impact Considerations
• Size of the Breach
• Sensitivity of Data
• Age of Affected Individuals
• Income of Affected Individuals

Sensitivity to Privacy Matters (charts)
• % Age Groups Reporting High General Privacy Sensitivity
• % Income Level Reporting High Health Privacy Sensitivity
• % Age Groups Reporting High Health Privacy Sensitivity
• % Age Level Reporting High Financial Privacy Sensitivity
Source: http://www.laresinstitute.com/wp-content/uploads/2011/09/Demographics-Study.pdf


The Model


Cost to Reputation… Loss of Patients/Customers, Current and New (chart)
Source: Ponemon Institute LLC, "Second Annual Benchmark Study on Patient Privacy & Data Security," http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf


Source (chart): Ponemon 2011 Cost of Data Breach Study, United States, http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.enus.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US

Loss of only 10% considered a positive sign!


Viral Communications: the Potential Impact on Prospective Customers
• One unhappy customer will tell nine others
• 13% will tell at least 20 other people
Sources: http://www.ezinearticles.com/?8-Critical-Steps-to-Establish-a-Customer-Service-Culture&id=37272 ; http://www.talent-technologies.com/new/wp-content/uploads/2010/06/a-complaint-is-a-gift.pdf

13,782,579 views: http://www.youtube.com/watch?v=5YGc4zOqozo

Cost to Reputation: Loss of Staff (chart: Average Cost per Hire and Time to Fill)

Relevance Considerations
• Size of Breach
• Complexity of Breach
• Strength of Safeguards
• Type of Company (public or private)
• Breached Party (CE or BA)

Impact Considerations
• Size of the Breach
• Type of Breach (intentional vs. non-intentional)
• Further Disclosure
• Type of Data (financial as well as health)


Average # of records per breach reported in the 2011 survey = 28,349
Average detection and escalation cost of $428,330 / 28,349 records = $15.11 per record

"Detection and Escalation Costs are not really dependent on the number of records, but rather the complexity and severity of the breach" http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf

Credit & ID Theft Monitoring (service price comparison): http://www.nextadvisor.com/identity_theft_protection_services/compare.php


Identity Theft Statistics (chart: Per Record Cost, 2011 Ponemon Survey)
• 29% of the respondents whose organizations had suffered a data breach reported that their data breaches led to cases of identity theft.
• Javelin Strategy & Research Report: more than 12 million identity fraud victims in 2012
• 1 in 4 data breach letter recipients became identity fraud victims

Sources:
• Second Annual Benchmark Study on Patient Privacy & Data Security, http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf
• 2011 Identity Fraud Survey Report, https://www.javelinstrategy.com/news/1170/92/1
• Javelin Strategy & Research Report, https://www.javelinstrategy.com/news/1387/58/More-Than-12-Million-Identity-Fraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail
• From a Federal Trade Commission study, http://www.whitecanyon.com/identity-theft-statistics.php

Mitigation vs. Remediation

Mitigation Examples:
• Recovery of PHI
• Return of PHI
• Attestation or confirmation that PHI has been destroyed
• Remote wipe of mobile devices
• Notification to individuals
• Providing credit or identity theft monitoring

Remediation Examples:
• Revising policies & procedures
• Improving physical security
• Training or retraining workforce members
• Imposing sanctions, including firing or suspension
• Implementing Encryption
• Eliminating access


The Cost of Lost Productivity…. (charts)
Sources: Ponemon Institute LLC, "Second Annual Benchmark Study on Patient Privacy & Data Security," http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf ; "Security 101: Cost of a Breach," http://www.secureworks.com/resources/newsletter/2007-10 (chart: Breakdown of Individual Breach Costs)

Elements of Notification Costs

Notification to Affected Individuals
• Set Up of Contact Databases
• Message Development
• Legal Review
• Printing
• Postage
• Assembly
• Call Center Support

PR and/or IR Campaign
• Content Development
• Legal Review
• Advertising
• Inquiry Response Time

Over 500 records:

Notification to Media
• Identification of Local Media
• Message Development
• Legal Review
• Inquiry Response Time

Notification to HHS
• Content Development
• Legal Review
• Inquiry Response Time


Cyber Liability Insurance
• Cyber insurance very focused on healthcare; significant competition between insurance companies
• e.g. health care system, 10,000 employees
  – $10MM limit
  – Deductible of $250,000 ‐ $500,000
  – Premium $175,000 ‐ $225,000/year

Coverage:
• 3rd party liability: $10MM with sub-limits of $2MM for breach response and $250K for defense costs
• Breach response coverage: notification, crisis management (PR & law firm guidance), ID theft monitoring, forensics, fix-its, fines and penalties: credit card fines & penalties, government regulatory settlements (not fines and penalties), consumer redress

Source: Betterley Risk Consultants

Changing Business Associates
• Cost of Time on RFP and Due Diligence on New Vendor
• Legal Costs negotiating BA Agreement
• Cost of Transition
  – Duplicate Cost during Transition to New Vendor
• Incremental Higher Annual Cost of New Vendor


Relevance Considerations
• Size of Breach
• Type of Business (public vs. private)
• Strength of Compliance Program
• History of Previous Breaches
• Resident State of Affected Individuals
• Accreditation Requirements

Impact Considerations
• Size of the Breach
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• Type of Data (financial as well as health)
• Age of Affected Individuals
• Income of Affected Individuals
• Celebrity Status of Affected Individuals
• Resident State of Affected Individuals

Legal & Regulatory Repercussions


Final Omnibus Rule: New Civil Monetary Penalty System


OCR Corrective Action Plans & Settlements (chart); total shown: $26,046,500


Accretive Share Price & Story

July 2011 – Accretive employee's laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee's car

Any Risks Emerge… for whom?

Timeline:
• 1/19/2012 – MN SAG Suit
• 7/31/2012 – $2.5M MN SAG Settlement
• 4/2/2013 – CEO Replaced
• 4/13/2013 – COO Replaced
• 6/13/2013 – Class Action Suit
• 8/26/2013 – CFO Replaced
• 9/27/2013 – $14M Class Settlement
• 12/31/2013 – FTC Settlement
• 01/2014 – 170 Job Cuts
• 03/14/2014 – De-Listed NYSE

Class Action Lawsuits ($1,000‐$2,500)
• State of Texas – 3.5 MM state employees
• Stanford Hospital & Clinic ‐ 20,000 patients
• Sutter Health Hit With $1B Class‐Action Lawsuit
• Patient files $20M lawsuit against Stanford Hospital
• TRICARE Health Management Sued for $4.9B
• AvMed Health sued over 'one of the largest medical breaches in history'
• Emory Healthcare Faces Class‐Action Suit Over Data Breach

Source: http://www.mainjustice.com/2013/09/05/settlement-reached-in-healthcare-data-breach-lawsuit/


In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014)
• The U.S. District Court for the Northern District of California recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in Federal Court.
• Plaintiffs were customers of Adobe licensed products or subscribers to Adobe's "Creative Cloud" and provided Adobe with their personal information.
• Plaintiffs alleged that Adobe's security practices were deeply flawed and did not conform to industry standards. In addition, Plaintiffs claimed that Adobe similarly failed to employ intrusion detection systems, properly segment its network, or implement user or network level system controls.
• Plaintiffs alleged that they have all suffered at least one of three types of cognizable injuries‐in‐fact: (1) increased risk of future harm; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of their Adobe products.
• The District Court found persuasive that the hackers deliberately targeted Adobe's servers and (allegedly) used Adobe's own systems to decrypt customer credit card numbers. Further, Plaintiffs alleged that some of the stolen data had already surfaced on the Internet (although not credit card information), and that other hackers have misused certain stolen data to discover vulnerabilities in Adobe's products.

Source: http://www.law.com/sites/jdsupra/2014/10/17/california-district-court-finds-threat-of-future-harm-sufficient-to-confer-article-iii-standing-in-data-breach-action/?slreturn=20150212100816

Relevance Considerations
• Sufficiency of Current Resources
• Level of Change in Procedures Required
• Level of Oversight of Compliance Program

Impact Considerations
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• # of Additional Resources Needed
• Level of Disruption of Organizational Changes


Incremental Operational Costs (not included in CAP or Mitigation Plan)
• Cost of Recruiting and Training new Hires
• Incremental Cost of Salaries
• Cost of Reorganization
  – Communication
  – Disruption in Goals/Initiative Momentum
  – Lost Productivity

Relevance Considerations
• Type of Data
• Likelihood of Harm
• Involvement in Research

Impact Considerations
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• Type of Research


Clinical Repercussions (chart)
Source: http://www.ponemon.org/blog/2013-survey-on-medical-identity-theft

The Total….


Updated ROI….

# of records breached: 10,000
Average cost/record*: $436.00
Cost of a breach: $4,360,000

Probabilized # of years between breaches*: 2
Average annual cost of a probable breach: $2,180,000

BUT WHAT IF…

# of years between breaches: 5
Average annual cost of a breach would be: $872,000

Annual investment with breakeven ROI (= $2,180,000 − $872,000): $1,308,000

* In this example
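The two ROI tables in this deck reduce to one model: the expected annual loss is the cost of one breach divided by the expected number of years between breaches, and the most you can spend each year on safeguards and still break even is the difference between the annual loss before and after those safeguards stretch that interval. The Python below is an added example, not Clearwater's or the PHI Project's own tool; it implements that model, reproduces both tables, and adds two things the slides only imply: a fixed per-breach cost term for expenses such as detection and escalation that do not scale with record count, and the inverse question of how far a given annual spend must push out the breach interval to pay for itself. Every figure other than the slides' own ($204 and $436 per record, 10,000 records, 2 vs. 5 years, and the $428,330 detection and escalation cost cited earlier) is an assumption for illustration.

```python
"""Annualized breach-cost and breakeven model for a security budget case.

Added example: generalizes the arithmetic on the ROI slides; it is not
Clearwater's or the PHI Project's own tool. Figures other than the
slides' ($204 / $436 per record, 10,000 records, 2 vs. 5 years between
breaches, $428,330 detection and escalation) are illustrative assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachProfile:
    """What one breach of this organization is expected to cost."""
    records: int                        # records exposed in a single breach
    cost_per_record: float              # blended cost per record (Ponemon-style)
    fixed_cost_per_breach: float = 0.0  # costs that do not scale with records,
                                        # e.g. detection and escalation (assumed)

    def cost_per_breach(self) -> float:
        return self.fixed_cost_per_breach + self.records * self.cost_per_record


def annual_expected_cost(profile: BreachProfile, years_between_breaches: float) -> float:
    """Expected annual loss: one breach's cost spread over the expected interval.

    This is the classic ALE = SLE x ARO, with ARO = 1 / years_between_breaches.
    """
    if years_between_breaches <= 0:
        raise ValueError("years_between_breaches must be positive")
    return profile.cost_per_breach() / years_between_breaches


def breakeven_investment(profile: BreachProfile, years_before: float, years_after: float) -> float:
    """Largest annual spend on safeguards that still breaks even, if those
    safeguards stretch the expected breach interval from years_before to
    years_after. A negative result means the change makes things worse."""
    return annual_expected_cost(profile, years_before) - annual_expected_cost(profile, years_after)


def roi(profile: BreachProfile, years_before: float, years_after: float, annual_investment: float) -> float:
    """ROI as a fraction of the annual spend: (avoided annual loss - spend) / spend."""
    if annual_investment <= 0:
        raise ValueError("annual_investment must be positive")
    avoided = breakeven_investment(profile, years_before, years_after)
    return (avoided - annual_investment) / annual_investment


def required_interval(profile: BreachProfile, years_before: float, annual_investment: float) -> float:
    """Inverse question for the budget meeting: how many years between breaches
    must the safeguards buy before a given annual spend pays for itself?
    Returns math.inf when the spend exceeds the whole current annual loss,
    i.e. no reduction in frequency could justify it on this model alone."""
    remaining = annual_expected_cost(profile, years_before) - annual_investment
    if remaining <= 0:
        return math.inf
    return profile.cost_per_breach() / remaining


def slide_examples() -> dict:
    """Reproduce the two tables from the deck (per-record cost only)."""
    ponemon_2012 = BreachProfile(records=10_000, cost_per_record=204.0)
    updated = BreachProfile(records=10_000, cost_per_record=436.0)
    return {
        "ponemon_2012_breakeven": breakeven_investment(ponemon_2012, 2, 5),  # 612,000
        "updated_breakeven": breakeven_investment(updated, 2, 5),            # 1,308,000
    }


if __name__ == "__main__":
    for name, value in slide_examples().items():
        print(f"{name}: ${value:,.0f}")
    # Sensitivity check (assumed combination): add the $428,330 detection and
    # escalation cost as a fixed per-breach term. This double-counts if the
    # per-record figure already blends detection costs in, so treat it as an
    # upper bound, not a second estimate.
    with_fixed = BreachProfile(10_000, 436.0, fixed_cost_per_breach=428_330.0)
    print(f"with fixed per-breach cost: ${breakeven_investment(with_fixed, 2, 5):,.0f}")
    print(f"years needed to justify $1.0M/yr: {required_interval(with_fixed, 2, 1_000_000):.2f}")
```

The model is deliberately linear in record count, which is the slides' own simplification; the earlier Ponemon note that detection and escalation costs track the complexity of a breach rather than its size is why the fixed per-breach term is exposed separately, and `required_interval` is the number to bring to the budget meeting when the question is turned around into "what does this spend have to achieve?".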


Source (chart): Ponemon Institute LLC, "Second Annual Benchmark Study on Patient Privacy & Data Security."


Thank you to all the PHI Protectors

FREE DOWNLOAD: webstore.ansi.org/phi


Our Passion
We're excited about what we do because…
…we're helping organizations improve care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!

Clearwater HIPAA Compliance BootCamp™ Events
• August 6, 13, 20 | Virtual HIPAA Compliance Information Risk Management BootCamp™
• Other 2015 Virtual, Web‐Based Events (3, 3‐hr sessions): November 5‐12‐19

Earn up to 9.6 CEUs from organizations like HCCA, AHIMA, AMBA, IAPP, ISC2 etc.


HIPAA Information Risk Management BootCamp™

Welcome, Introductions and Overview
1. How to Assess Your Increased Privacy, Security and Compliance Liability Risk
2. How to Establish Your Information Risk Management Program
3. How to Address Compliance Risk I – HIPAA Privacy and Security Regulations
Networking Break
4. How to Address Compliance Risk II – HITECH Burden of Proof/Breach Notification Regulations
5. How to Conduct a Bona Fide Risk Analysis
Networking Luncheon & Refresh
6. How to Implement a Strong, Proactive Business Associate Risk Management Program
7. The Case for Continuous Diagnostics and Monitoring
Networking Break
8. Cyber Insurance & Risk Transfer
9. How to Mature your Information Risk Management Program
Q&A, Final Remarks
Attendee Reception (optional)

Expert Instructors
• Mary Chaput, MBA, HCISPP, CIPP/US, CIPM – CFO & Chief Compliance Officer, Clearwater Compliance
• Greg Bassett, MS, PMP, CISSP – VP Service Delivery, Clearwater Compliance
• Bob Chaput, CISSP, HCISPP, CIPP/US – CEO, Clearwater Compliance
• Michelle Caswell, JD – Senior Director, Legal and Compliance, Clearwater Compliance
• David Finn, CISA, CISM, CRISC – Health IT Officer, Symantec Corporation
• Matthew E. Hanis – Vice President, Healthcare, Lockton Companies
