6/11/2015
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
© Clearwater Compliance LLC | All Rights Reserved
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…
How to Calculate the Cost of a Data Breach and Get the Budget for Your HIPAA Compliance Program
June 4, 2015
Michelle Caswell, JD, Senior Director, Legal and Compliance
[email protected]
Clearwater Compliance, LLC
Michelle Caswell, JD, Senior Director, Legal & Compliance
• More than 14 years healthcare experience
• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules
• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts
• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights
• Licensed attorney in Georgia and Tennessee
• Frequent national speaker on healthcare compliance and security
[email protected]
About HIPAA‐HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!
Source: Ponemon 2013 Cost of a Data Breach Report, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Finding the Funding: Developing a Business Case for Strengthening Your Security Program
Industry/Expert Collaboration Table of Contents
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. Data Breach Costing Framework
8. Calculating the Cost of a PHI Breach
9. Finale
10. Appendices
Start with the End in Mind
# of records breached: 10,000
Average cost/record*: $204.00
Cost of a Breach: $2,040,000
Probabilized # of years between breaches*: 2
Average annual cost of a probable breach: $1,020,000
BUT WHAT IF…
# of years between breaches: 5
Average annual cost of a breach would be: $408,000
Annual investment with breakeven ROI: $612,000
* Cost of a Data Breach - Ponemon 2012
Steps for Building a Business Case…
• Determine the greatest risks to the compromise of PHI and the controls or safeguards that would mitigate those risks
• Calculate the costs of implementing those controls or safeguards
• Quantify the impact of a breach
• Succinctly present the ROI
Where to start…
1. Where are your greatest exposures?
2. What can be accomplished with current resources?
3. What initiatives will require additional resources?
4. Which initiatives will be most effective?
5. What will it cost?
6. What’s the return on investment?
HHS “Wall of Shame”
• Lack of encryption
• Inadequate physical safeguards
• Inadequate activity monitoring
• Inadequate workforce access
• Inadequate policies & procedures
• Inadequate training
• Inadequate sanctions
• Inadequate disposal
Where to start…
1. Where are your greatest exposures?
2. What can be accomplished with current resources?
3. What initiatives will require additional resources?
4. Why are you recommending them?
5. What will it cost?
6. What’s the return on investment?
Exposures Identified in Assessments – “QUICK & EASY”
Security Assessments
• Document Current Strong Practices
• Complete a Procedure Gap Analysis
• Establish Security Incident Procedures
• Revitalize Security Awareness Reminders
Privacy Assessments
• Document Current Strong Practices
• Apply Appropriate Sanctions
• Implement Complaint Process
• Audit Disposal Practices
Exposures Identified in Assessments – “BIG ROCKS”
Security Assessments
• Complete a Risk Analysis
• Initiate Activity Monitoring
• Implement Encryption
• Implement a Contingency/DR Plan
Privacy Assessments
• Establish Minimum Necessary Workforce Access
• Business Associates Management Program
• State Pre‐emption Analysis
• Establish a Breach Risk Assessment Process
Time to get to work….
PHI PROJECT
Relevance Considerations
• Type of Business (CE or BA)
• Availability of Competitive Alternatives
• Acceptability of Competitive Alternatives
Impact Considerations
• Size of the Breach
• Sensitivity of Data
• Age of Affected Individuals
• Income of Affected Individuals
Sensitivity to Privacy Matters (charts)
• % Age Groups Reporting High General Privacy Sensitivity
• % Age Groups Reporting High Health Privacy Sensitivity
• % Income Level Reporting High Health Privacy Sensitivity
• % Age Level Reporting High Financial Privacy Sensitivity
Source: http://www.laresinstitute.com/wp-content/uploads/2011/09/Demographics-Study.pdf
The Model
Cost to Reputation… Loss of Patients/Customers, Current and New
Source: Ponemon Institute LLC. "Second Annual Benchmark Study on Patient Privacy & Data Security." http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf
Source: http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.enus.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
Loss of only 10% considered a positive sign!
Viral Communications: the Potential Impact on Prospective Customers
• One unhappy customer will tell nine others
• 13% will tell at least 20 other people
Sources: http://www.ezinearticles.com/?8-Critical-Steps-toEstablish-a-Customer-Service-Culture&id=37272; http://www.talent-technologies.com/new/wpcontent/uploads/2010/06/a-complaint-is-a-gift.pdf
13,782,579 (http://www.youtube.com/watch?v=5YGc4zOqozo)
Cost to Reputation… Loss of Staff: Average Cost per Hire and Time to Fill
Relevance Considerations
• Size of Breach
• Complexity of Breach
• Strength of Safeguards
• Type of Company (public or private)
• Breached Party (CE or BA)
Impact Considerations
• Size of the Breach
• Type of Breach (intentional vs. non-intentional)
• Further Disclosure
• Type of Data (financial as well as health)
The Model
Average # of breaches reported in survey in 2011 = 28,349
$428,330 / 28,349 breaches = $15.11/breach
“Detection and Escalation Costs are not really dependent on the number of records, but rather the complexity and severity of the breach”
Source: http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf
Credit & ID Theft Monitoring
Source: http://www.nextadvisor.com/identity_theft_protection_services/compare.php
Identity Theft Statistics: Per Record Cost
2011 Ponemon Survey
• 29% of the respondents whose organizations had suffered a data breach reported that their data breaches led to cases of identity theft.
Javelin Strategy & Research Report
• More than 12 Million identity fraud victims in 2012
• 1 in 4 Data Breach Letter Recipients Became Identity Fraud Victims
Sources:
• Second Annual Benchmark Study on Patient Privacy & Data Security, http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf
• 2011 Identity Fraud Survey Report, https://www.javelinstrategy.com/news/1170/92/1
• Javelin Strategy & Research Report, https://www.javelinstrategy.com/news/1387/58/More-Than-12-Million-IdentityFraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-ResearchReport/d,pressRoomDetail
• From a Federal Trade Commission Study, http://www.whitecanyon.com/identity-theft-statistics.php
Mitigation vs. Remediation
Mitigation Examples:
• Recovery of PHI
• Return of PHI
• Attestation or confirmation that PHI has been destroyed
• Remote wipe of mobile devices
• Notification to individuals
• Providing credit or identity theft monitoring
Remediation Examples:
• Revising policies & procedures
• Improving physical security
• Training or retraining workforce members
• Imposing sanctions, including firing or suspension
• Implementing Encryption
• Eliminating access
The Cost of Lost Productivity…
Breakdown of Individual Breach Costs (chart)
Sources: Ponemon Institute LLC. "Second Annual Benchmark Study on Patient Privacy & Data Security." http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf; “Security 101: Cost of a Breach” http://www.secureworks.com/resources/newsletter/2007-10
Elements of Notification Costs
Notification to Affected Individuals
• Set Up of Contact Databases
• Message Development
• Legal Review
• Printing
• Postage
• Assembly
• Call Center Support
PR and/or IR Campaign
• Content Development
• Legal Review
• Advertising
• Inquiry Response Time
Over 500 records:
Notification to Media
• Identification of Local Media
• Message Development
• Legal Review
• Inquiry Response Time
Notification to HHS
• Content Development
• Legal Review
• Inquiry Response Time
Cyber Liability Insurance
• Cyber insurance very focused on healthcare; significant competition between insurance companies
• e.g. health care system with 10,000 employees: $10MM limit; deductible of $250,000 ‐ $500,000; premium $175,000 ‐ $225,000/year
Coverage:
• 3rd party liability: $10MM with sub-limits of $2MM for breach response and $250K for defense costs
• Breach response coverage: notification, crisis management (PR & law firm guidance), ID theft monitoring, forensics, fix-its, fines and penalties: credit card fines & penalties, government regulatory settlements (not fines and penalties), consumer redress
Source: Betterley Risk Consultants
Changing Business Associates
• Cost of Time on RFP and Due Diligence on New Vendor
• Legal Costs negotiating BA Agreement
• Cost of Transition – Duplicate Cost during Transition to New Vendor
• Incremental Higher Annual Cost of New Vendor
Relevance Considerations
• Size of Breach
• Type of Business (public vs. private)
• Strength of Compliance Program
• History of Previous Breaches
• Resident State of Affected Individuals
• Accreditation Requirements
Impact Considerations
• Size of the Breach
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• Type of Data (financial as well as health)
• Age of Affected Individuals
• Income of Affected Individuals
• Celebrity Status of Affected Individuals
• Resident State of Affected Individuals
Legal & Regulatory Repercussions
Final Omnibus Rule: New Civil Monetary Penalty System
OCR Corrective Action Plans & Settlements: $26,046,500
Accretive Share Price & Story
July 2011: Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car.
Any Risks Emerge… for whom?
Timeline:
• 1/19/2012 MN SAG Suit
• 7/31/2012 $2.5M MN SAG Settlement
• 4/2/2013 CEO Replaced
• 4/13/2013 COO Replaced
• 6/13/2013 Class Action Suit
• 8/26/2013 CFO Replaced
• 9/27/2013 $14M Class Settlement
• 12/31/2013 FTC Settlement
• 01/2014 170 Job Cuts
• 03/14/2014 De-Listed NYSE
Class Action Lawsuits ($1,000‐$2,500)
• State of Texas – 3.5 MM state employees
• Stanford Hospital & Clinic ‐ 20,000 patients
• Sutter Health Hit With $1B Class‐Action Lawsuit
• Patient files $20M lawsuit against Stanford Hospital
• TRICARE Health Management Sued for $4.9B
• AvMed Health sued over 'one of the largest medical breaches in history'
• Emory Healthcare Faces Class‐Action Suit Over Data Breach
Source: http://www.mainjustice.com/2013/09/05/settlement-reached-in-healthcare-data-breach-lawsuit/
In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014)
• The U.S. District Court for the Northern District of California recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in Federal Court.
• Plaintiffs were customers of Adobe licensed products or subscribers to Adobe’s “Creative Cloud” and provided Adobe with their personal information.
• Plaintiffs alleged that Adobe’s security practices were deeply flawed and did not conform to industry standards. In addition, Plaintiffs claimed that Adobe similarly failed to employ intrusion detection systems, properly segment its network, or implement user or network level system controls.
• Plaintiffs alleged that they have all suffered at least one of three types of cognizable injuries‐in‐fact: (1) increased risk of future harm; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of their Adobe products.
• The District Court found persuasive that the hackers deliberately targeted Adobe’s servers and (allegedly) used Adobe’s own systems to decrypt customer credit card numbers. Further, Plaintiffs alleged that some of the stolen data had already surfaced on the Internet (although not credit card information), and that other hackers have misused certain stolen data to discover vulnerabilities in Adobe’s products.
Source: http://www.law.com/sites/jdsupra/2014/10/17/california-district-court-finds-threat-of-future-harm-sufficient-to-confer-article-iii-standing-in-data-breachaction/?slreturn=20150212100816
Relevance Considerations
• Sufficiency of Current Resources
• Level of Change in Procedures Required
• Level of Oversight of Compliance Program
Impact Considerations
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• # of Additional Resources Needed
• Level of Disruption of Organizational Changes
Incremental Operational Costs (not included in CAP or Mitigation Plan)
• Cost of Recruiting and Training new Hires
• Incremental Cost of Salaries
• Cost of Reorganization
  – Communication
  – Disruption in Goals/Initiative Momentum
  – Lost Productivity
Relevance Considerations
• Type of Data
• Likelihood of Harm
• Involvement in Research
Impact Considerations
• Type of Breach (intentional vs. non-intentional)
• Type of Breach (malicious vs. non-malicious)
• Type of Research
Clinical Repercussions
Source: http://www.ponemon.org/blog/2013-survey-on-medical-identity-theft
The Total….
Updated ROI…
# of records breached: 10,000
Average cost/record*: $436.00
Cost of a Breach: $4,360,000
Probabilized # of years between breaches*: 2
Average annual cost of a probable breach: $2,180,000
BUT WHAT IF…
# of years between breaches: 5
Average annual cost of a breach would be: $872,000
Annual investment with breakeven ROI: $1,308,000
* In this example
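The "Start with the End in Mind" and "Updated ROI" slides apply the same three-step arithmetic (records × cost per record, divided by the expected years between breaches, with the breakeven investment being the difference between the two annual figures). The Python below is an added example, not a tool from the deck or from Clearwater; it implements that model, checks it against both slides' figures, and also inverts it to ask how far the breach interval must be stretched for a given annual safeguard budget, a question the slides only answer for one case. The class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BreachRoiModel:
    """Breach-cost ROI model as laid out on the slides (hypothetical class name)."""
    records_breached: int          # e.g. 10,000 records
    cost_per_record: float         # average cost per record (Ponemon figure)
    current_years_between: float   # "probabilized" interval today, e.g. 2 years
    target_years_between: float    # interval the safeguards should achieve, e.g. 5

    def cost_of_breach(self) -> float:
        # Cost of a breach = records breached x average cost per record
        return self.records_breached * self.cost_per_record

    def annual_probable_cost(self, years_between: float) -> float:
        # Spread the one-time breach cost over the expected years between breaches
        return self.cost_of_breach() / years_between

    def breakeven_investment(self) -> float:
        # Annual spend that exactly offsets the reduction in expected annual loss;
        # this is the slides' "Annual investment with breakeven ROI"
        return (self.annual_probable_cost(self.current_years_between)
                - self.annual_probable_cost(self.target_years_between))

    def years_needed_for_budget(self, annual_budget: float) -> Optional[float]:
        # Inverse question (beyond the slides): how long must the interval become
        # for a given annual safeguard budget to break even?  If the budget is at
        # least the current expected annual loss, no interval is long enough.
        current = self.annual_probable_cost(self.current_years_between)
        if annual_budget >= current:
            return None
        return self.cost_of_breach() / (current - annual_budget)


def summarize(model: BreachRoiModel) -> dict:
    """Return the figures a slide shows, keyed by the slide's row labels."""
    return {
        "cost_of_breach": model.cost_of_breach(),
        "annual_cost_current": model.annual_probable_cost(model.current_years_between),
        "annual_cost_target": model.annual_probable_cost(model.target_years_between),
        "breakeven_investment": model.breakeven_investment(),
    }


# The two scenarios from the deck: the Ponemon 2012 per-record cost ($204), and
# the deck's updated per-record figure ($436, marked "in this example").
PONEMON_2012 = BreachRoiModel(10_000, 204.00, 2, 5)
UPDATED = BreachRoiModel(10_000, 436.00, 2, 5)

if __name__ == "__main__":
    for name, m in (("Ponemon 2012", PONEMON_2012), ("Updated", UPDATED)):
        print(name)
        for label, value in summarize(m).items():
            print(f"  {label:>22}: ${value:,.0f}")
    # Sensitivity: a $1,000,000 program under the updated model must push the
    # breach interval out to roughly 3.7 years before it breaks even
    print(f"  years needed for $1M: {UPDATED.years_needed_for_budget(1_000_000):.2f}")
```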
Source: Ponemon Institute LLC. "Second Annual Benchmark Study on Patient Privacy & Data Security."
Thank you to all the PHI Protectors
FREE DOWNLOAD: webstore.ansi.org/phi
Our Passion
We’re excited about what we do because… we’re helping organizations improve care by safeguarding the very personal and private healthcare information of millions of fellow Americans… and keeping those same organizations off the Wall of Shame!
Clearwater HIPAA Compliance BootCamp™ Events
August 6, 13, 20 | Virtual HIPAA Compliance Information Risk Management BootCamp™
Other 2015 – Virtual, Web‐Based Events (3, 3‐hr sessions): November 5‐12‐19
Earn up to 9.6 CEUs from organizations like HCCA, AHIMA, AMBA, IAPP, ISC2, etc.
HIPAA Information Risk Management BootCamp™
Welcome, Introductions and Overview
1. How to Assess Your Increased Privacy, Security and Compliance Liability Risk
2. How to Establish Your Information Risk Management Program
3. How to Address Compliance Risk I – HIPAA Privacy and Security Regulations
Networking Break
4. How to Address Compliance Risk II – HITECH Burden of Proof/Breach Notification Regulations
5. How to Conduct a Bona Fide Risk Analysis
Networking Luncheon & Refresh
6. How to Implement a Strong, Proactive Business Associate Risk Management Program
7. The Case for Continuous Diagnostics and Monitoring
Networking Break
8. Cyber Insurance & Risk Transfer
9. How to Mature your Information Risk Management Program
Q&A, Final Remarks
Attendee Reception (optional)
Expert Instructors
• Mary Chaput, MBA, HCISPP, CIPP/US, CIPM, CFO & Chief Compliance Officer, Clearwater Compliance
• Greg Bassett, MS, PMP, CISSP, VP Service Delivery, Clearwater Compliance
• Bob Chaput, CISSP, HCISPP, CIPP/US, CEO, Clearwater Compliance
• Michelle Caswell, JD, Senior Director, Legal and Compliance, Clearwater Compliance
• David Finn, CISA, CISM, CRISC, Health IT Officer, Symantec Corporation
• Matthew E. Hanis, Vice President, Healthcare, Lockton Companies