protecting patient information

Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data? The Health Sciences series presents: Amry Junaideen, Principal, Deloitte & Touche LLP; Rena Mears, Partner, Deloitte & Touche LLP; Russ Rudish, Principal, Deloitte Consulting LLP. December 16, 2008.


DESCRIPTION

Everyone is accountable and expected to protect health information. The circle is large and encompasses many different organizations. Patient data is protected for a reason. Let’s look at some brief reminders:

TRANSCRIPT

Page 1: Protecting patient information

Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data?

Amry Junaideen, Principal, Deloitte & Touche LLP

Rena Mears, Partner, Deloitte & Touche LLP

Russ Rudish, Principal, Deloitte Consulting LLP

December 16, 2008

The Health Sciences series presents:

Page 2: Protecting patient information

Copyright © 2008 Deloitte Development LLC. All rights reserved.

Agenda

• Increased collaboration in the marketplace

• The challenge of protecting information

• Breach causes and effects

• Preventing a breach

• Finding the right solution

• Conclusion

Page 3: Protecting patient information


Health care and information sharing

[Figure: the health care value chain. Providers (health systems, long term care, ambulatory care, hospitals/facilities) deliver care and services; payers (patients, private, government) deliver payment; suppliers (pharmaceutical, bio-tech, medical devices) enable providers; regulators protect public welfare and ensure that health care services and products are safe and effective.]

Collaboration is vital for improving health care quality and meeting consumers’ needs. However, it involves a significant amount of information sharing. The protection of information is a critical ingredient for success.

Page 4: Protecting patient information

Challenge of protecting information

[Figure: swim lanes for the patient, provider/physician, payer, bank and suppliers (drug manufacturers, equipment suppliers), from appointment scheduling and front-office check-in through order placement (lab, imaging, pharmacy), evaluation of the patient insurance plan, claim/bill generation and payment, with the PHI lifecycle stages overlaid:]

1. Data Acquisition / Collection – Patient Health Information (PHI) is collected at this stage (insurance, patient information and other forms, collected by phone, personal visit or mail).

2. Data Storage – Providers store PHI and update the patient’s medical records.

3. Data Usage – Providers use PHI to provide services to the patient.

4. Data Sharing / In-transit – Providers transmit PHI to either payer or third parties for processing.

5. Data Archival / Destruction – Archive and destroy PHI per the retention policy.

6. Clinical Trials Data Tracking & Results – Expert opinion sharing and adverse event reporting cross-border: PII and IP consideration.

The protection of information within an organization and among multiple organizations is not a simple matter, for a myriad of reasons.

Page 5: Protecting patient information

Data risk levels

• Personally Identifiable Information (PII) – Leakage of generally accessible PII and IT data occurs most commonly

• Sensitive – Data such as intellectual property and/or PII with a higher contextual value

• Fraud – Internal or external use of PII for fraudulent gain

• ID Theft – The assuming of one’s identity to obtain credit for purchases

Although ID Theft has the most severe impact, other forms of enterprise data leakage are far more likely and require management attention. The majority of data losses – internal or external – are accidental.

[Figure: data risk matrix. The level of enterprise risk and the potential for harm to the consumer rise from LOW through MODERATE and HIGH to SEVERE across five categories: generally accessible data, authorized disclosure, unauthorized disclosure (PII or other sensitive data), fraud (a subset of PII, single or combined) and ID theft (a specific subset of PII or combination). Sensitive data includes PII and intellectual property.]

Page 6: Protecting patient information

Poll question #1

Do you share electronic medical records with business partners that require asset protection measures – such as encryption?

• Yes

• No

• Don’t know

• Not applicable

Page 7: Protecting patient information


The sophistication of “attackers”

Organized rings of thieves have developed sophisticated methods for compromising value chain security and stealing sensitive data.

80’s – Dumpster Diving (~300-400 instances per year)

• Techniques: simple techniques that involved theft of information; required the thief to manually collect personal information; unorganized crime

• Schemes: mail theft; sifting through garbage for confidential information; social engineering

90’s – Hacking (~80,000 instances per year)

• Techniques: improved techniques for gathering personal information; wide use of electronic databases and internet growth led to a loosely organized hacking community

• Schemes: hacking; fake W-2 forms and returns

2000’s – “Phishing” (~9,900,000 instances per year)

• Techniques: high-tech crime with the emergence of professional, international gangs; criminals target the booming e-commerce and financial networks; stealing information from employers, banks and government agencies (HR, payroll, bank, and SSA data)

• Schemes: data theft/hacking/keystroke loggers; pharming & phishing; theft of W-2 information; counterfeit tax returns

Page 8: Protecting patient information

Recent data breach trends

Numerous data breaches have been reported, leading to a heightened awareness of this topic at the senior levels within an organization.

Data breaches are common across sectors; medical and health care facilities contributed to 14.9% of the 449 security breaches in 2008**

*From a survey conducted by HIMSS Analytics and Kroll Fraud Solutions

**Data until 8/22/2008 from Identity Theft Resource Centre

Page 9: Protecting patient information

Increased regulatory mandates

Organizations must consider increased regulatory mandates that provide specific requirements for data protection in the US and abroad.

[Figure: timeline of regulatory mandates for the Health Sciences industry from 1996 to 2011: HIPAA; the European Commission’s Directive on Data Protection; the California Breach Notification Law and California legislation AB 1298; Standard & Poor’s on Enterprise Risk Management (ERM); the Identity Theft Red Flags regulations; the Massachusetts law; and the ICD-10 bill. Regulations present increasing requirements on the protection of sensitive information, and user expectations for data protection are high.]

Page 10: Protecting patient information

Breach causes and effects

How do these breaches occur?

Causes:

• Data is not treated as a strategic asset

• Reactive rather than programmatic approach

• Governance, process and technologies are not aligned

• Data is not inventoried and mapped

• Failure to adopt adequate process and technology controls

• Training is inadequate or non-existent

Effects:

• Data assets are not inventoried or classified

• Use and sharing of data is not understood

• Data risk is incorrectly identified or evaluated

• Policies, processes and technologies are not aligned

• Controls do not adequately protect data assets

• Organization and stakeholders unable to respond to threat

Page 11: Protecting patient information

What are the risks?

A breach impacts many aspects of the business, including putting assets at risk, an increasing number of breaches, rising costs, and a decline in shareholder value.

Risks and their impact:

Legal Risk

• Litigation or lawsuits from patients, due to loss of patient sensitive information

• Failure to meet 3rd party requirements

Regulatory Risk

• Failure to comply with the complex and relatively new regulations

• Failure to conduct compliance audits

Brand Risk

• Heightened media scrutiny surrounding leakage of customer sensitive information

• Meeting new demands of the consumer driven health care market

Financial Risk

• Excessive post breach related costs

• Loss of patient information can impact patient relationships/retention

• Ineffective capital management

Operational Risk

• Excessive internal resource consumption due to time spent dealing with breaches

• Post M&A integration

IT Risk

• Virus attacks/hacking and loss of data “in-flight”

• Wrongful access to sensitive information

• Theft during physical transportation

Page 12: Protecting patient information

Cost of a breach

The total average cost of a data breach grew to $197 per record compromised. The average total cost per reporting was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.

Deloitte’s 2007 Privacy and Data Protection Survey included 827 participants in North America*

• Over 85% of respondents reported at least one breach and over 63% reported multiple breaches requiring notification

• Resource allocation associated with notification activities alone appeared to be a significant hidden cost

*19.9% of privacy professionals and 12% of security professionals were from Health Sciences

Page 13: Protecting patient information

Poll question #2

In the past year, how many privacy and data breach incidents at your organization are you aware have occurred?

• Never

• 1-5

• 6-10

• 10-20

• More than 20

• Not applicable/Don’t know

Page 14: Protecting patient information


Data as an asset

Treating data as an asset helps prevent breaches and enables collaborative information sharing

“Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases, the information is more valuable than the hardware which processes it.”

– Grace Murray Hopper, USN (Ret)

Page 15: Protecting patient information

Understand the data lifecycle

The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain

[Figure: the data lifecycle shown as a ring under Governance: Creation/Acquisition, Classification, Storage, Use, Sharing, Preservation/Archival, and Disposition (Destruction or Indefinite Archive).]

Page 16: Protecting patient information

Data types and data flow

[Figure: horizontal data flows across the Health care Industry, each with a start and an end, crossing the vertical business processes Marketing, Order Management, Manufacture Products, Develop Products and Procure Materials.]

Sensitive data such as customer information, financial data, and intellectual property moves horizontally across organizational boundaries, including vertical business processes (e.g., order fulfillment process). Organizations often do not have a good understanding of the movement, proliferation, and evolution of their data

Page 17: Protecting patient information

Compliance vs. risk-based approach

Risk-based strategies go beyond compliance mandates to provide a more holistic approach towards managing and protecting data assets. A risk-based approach enables organizations to be adaptive to changing regulatory and business environments.

[Figure: a compliance-based strategy (detailed, specific, binary) contrasted with a risk-based strategy (regulatory, brand, competitive).]

Compliance-based strategies are:

• Reactionary

• Comparatively inefficient

Advantages of the risk-based approach:

• Free organization from reactionary cycles

• Allocate scarce resources efficiently and according to specific threat levels

• Deliver value as quickly as possible

• Provide efficiency and focus to successfully address compliance requirements from a risk-based perspective

Page 18: Protecting patient information

Avoid the disconnect

A “disconnect” between corporate policies, actual operational practices, and technology infrastructure reduces the ability to successfully implement changes into the business environment.

[Figure: Policies, Processes and Technology as the three corners of a triangle, with a “disconnect” between each pair, and the data protection (DP) strategy and a structured framework at the centre.]

Page 19: Protecting patient information

Poll question #3

Which of the following have you most recently implemented in your organization as it relates to your privacy program?

• Process for corporate governance to establish accountability and manage enterprise privacy risk

• A framework to assess risk in business processes as they relate to PII

• Procedures to implement privacy policies within operational processes, including designing and implementing measurable controls

• An enterprise-wide privacy & data protection training program

• Process to stay current and assess new legal regulations and legislative developments

• None

Page 20: Protecting patient information


Protect data across its lifecycle

Organizations need an enterprise level solution which includes data governance strategies, organizational policies and procedures, and controls to identify, monitor, and protect data through its lifecycle

[Figure: a risk-based approach across the Enterprise Data Lifecycle, with Governance, Asset (classification, risk), Identity (credential, role) and Infrastructure (business process, identity management, data, facilities, processes) as its layers.]

Governance

• Management commitment

• Policies, guidelines, and procedures

• Training & Awareness

• Review and monitoring

Asset

• Asset type definition

• Asset inventory

• Risk assessment

• Asset classification

Infrastructure

• Process reengineering

• Segmentation and least privileges

• Contracts and enforcements

• Physical security

• End-to-end security

• Defense in depth

• Enabling technology

Page 21: Protecting patient information

Consider all environments

Organizations should take a practical and business-focused view and address data breach risks across seven control environments.

The seven control environments around sensitive data:

• Communications – Data in Use and Data in Motion via email, web traffic, IM, blogs, etc.

• Database – Data at Rest in repositories (databases, email stores, file systems, etc.)

• Mobile Media – Data in Use and Data at Rest on mobile computing devices such as laptops, PDA’s, etc.

• Transaction and Activity Monitoring – Data in Use and Data in Motion associated with privileged and other users accessing databases containing sensitive data

• Third Party

• Developer Access to Production – Limiting access to production data and controlling the movement of data from production to development and test

• Archival and Disposal – Data management infrastructure for migrating data to storage or disposing
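The "Developer Access to Production" environment above calls for controlling what moves from production into development and test. The following Python script is an added example written for this page, not code from the presentation or from Deloitte: it de-identifies constructed patient rows before export by dropping direct identifiers, replacing the medical record number with a keyed (HMAC) pseudonym, generalizing date of birth and ZIP, and shifting visit dates by a fixed offset. The field names, record values, key and offset are all assumptions made for the example.

```python
"""De-identify production PHI records before they move to development or test.

Added example for this page; the record layout, field names and values are
constructed, and the HMAC-based pseudonym scheme is one common choice, not a
method prescribed by the presentation.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import date, timedelta

# Constructed production rows (not real patients). Two rows share an MRN so the
# example can show that the pseudonym stays consistent across rows, which keeps
# joins in the test environment working.
PRODUCTION_RECORDS = [
    {"mrn": "MRN-00418273", "name": "Jane Example", "ssn": "123-45-6789",
     "dob": "1962-03-14", "zip": "02139", "diagnosis": "J45.20", "visit_date": "2008-11-03"},
    {"mrn": "MRN-00418273", "name": "Jane Example", "ssn": "123-45-6789",
     "dob": "1962-03-14", "zip": "02139", "diagnosis": "J45.20", "visit_date": "2008-12-01"},
    {"mrn": "MRN-00990011", "name": "John Sample", "ssn": "987-65-4321",
     "dob": "1975-11-02", "zip": "94105", "diagnosis": "E11.9", "visit_date": "2008-12-16"},
]

DIRECT_IDENTIFIERS = {"name", "ssn"}   # never copied out of production
LINK_KEY = "mrn"                       # replaced by a keyed pseudonym
QUASI_IDENTIFIERS = {"dob", "zip"}     # generalized (coarsened)
SHIFTED_DATES = {"visit_date"}         # shifted by a per-export offset


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym: same input and key give the same output.

    The key stays in production's secret store, so a tester holding the
    export cannot recover the original MRN from the pseudonym.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(field: str, value: str) -> str:
    """Coarsen quasi-identifiers: date of birth to its year, ZIP to its first three digits."""
    if field == "dob":
        return value[:4]
    if field == "zip":
        return value[:3] + "00"
    return value


def shift_iso_date(value: str, days: int) -> str:
    """Shift an ISO date by a fixed offset so intervals between visits are preserved."""
    return (date.fromisoformat(value) + timedelta(days=days)).isoformat()


def deidentify(record: dict[str, str], key: bytes, shift_days: int) -> dict[str, str]:
    """Return a copy of one record that is safe to hand to a development or test environment."""
    out: dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if field == LINK_KEY:
            out[field] = pseudonym(value, key)
        elif field in QUASI_IDENTIFIERS:
            out[field] = generalize(field, value)
        elif field in SHIFTED_DATES:
            out[field] = shift_iso_date(value, shift_days)
        else:
            out[field] = value                         # clinical content kept as-is
    return out


def export_for_test(records: list[dict[str, str]], key: bytes, shift_days: int) -> list[dict[str, str]]:
    """De-identify a whole extract with one key and one date offset."""
    return [deidentify(r, key, shift_days) for r in records]


if __name__ == "__main__":
    # The key and offset would come from production's secret store; both are constructed here.
    for row in export_for_test(PRODUCTION_RECORDS, b"example-export-key", 11):
        print(row)
```

The date offset is applied uniformly to the whole extract so that the 28 days between the two constructed visits for the same patient survive de-identification; a per-record random shift would destroy that and make the test data useless for time-based logic.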

Page 22: Protecting patient information

Create a business process flow and data flow mapping

A company’s risk assessment should consider the data lifecycle for each of its business processes

[Figure: business process flow and data flow mapping grid, with lanes for Finance, Third Party, Universities and Hospital, and for Infrastructure, Business Divisions, Customer System/Operational Activity, Third Party Vendor and Clinical/Bio Medical.]

Page 23: Protecting patient information

Organizational risk view

[Figure: branch offices, remote employees, customers and partners reach the enterprise over WAN, WWW and VPN; inside are enterprise e-mail, business analytics, a customer portal, production data, a data warehouse, staging, a file server, DR, disk storage, backup disk and backup tape, plus outsourced development. Control layers shown: DLP, DAM, encryption, data redaction and archive. Steps: set policy, deploy controls, enforce and monitor controls.]

Page 24: Protecting patient information

Determine solution set to meet critical risks

Implementing solutions involves more than technology: it requires a view of policy management, process and procedure development, technology evaluation and planning, technology implementation, ongoing operational management, leakage reporting and integration into incident response, and training and awareness.

Data Management and Protection Solution Types

• Data Discovery – Discovery and classification of data from disparate sources (email, file-shares, web)

• Data Archiving – Services such as retention, distribution, and security of tapes

• Database Activity Monitoring – Monitoring of user and administrator activity, focused at databases

• Data Destruction – Enforcement of data security policies addressing disposal of information media

• Data Redaction – Protection of sensitive data via de-identifying, sanitizing, masking, or obfuscating

• Endpoint Protection – Workstation, laptop and other mobile device protection such as data monitoring, full disk encryption, local media encryption

• Data Leak Prevention – Solutions to identify and prevent accidental disclosures of sensitive data at the edge of the network

• Encryption – Tools to provide data encryption across the enterprise – including key management and recovery
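As an added illustration of the Data Leak Prevention and Data Redaction solution types above (example code written for this page, not Deloitte's code or any vendor's product), the following Python script scans constructed outbound message text for a few PHI identifier patterns, masks what it finds, and returns a policy decision for the message. The MRN format, the masking rules and the allow/flag/block policy are assumptions chosen for the example; a production DLP deployment would use rule sets tuned to the organization's own data inventory.

```python
"""Scan outbound message text for PHI identifiers, redact them, and decide a policy action.

Added example for this page. Detection rules, masking style and the policy
thresholds are constructed assumptions, not the presentation's method.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection rules. The SSN rule follows the public SSA structure (no 000/666/9xx
# area, no 00 group, no 0000 serial). The MRN rule is a hypothetical hospital
# convention ("MRN-" plus eight digits) invented for this example.
RULES = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Identifier kinds that may never leave the perimeter in clear text (assumed policy).
BLOCKING_KINDS = {"ssn", "mrn"}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    value: str


def scan(text: str) -> list[Finding]:
    """Return every rule match in the text, ordered by position."""
    found = [Finding(kind, m.start(), m.end(), m.group())
             for kind, rx in RULES.items() for m in rx.finditer(text)]
    return sorted(found, key=lambda f: f.start)


def mask(f: Finding) -> str:
    """Mask one finding: SSN keeps its last four digits, MRN keeps its prefix, DOB becomes a tag."""
    if f.kind == "ssn":
        return "***-**-" + f.value[-4:]
    if f.kind == "mrn":
        return "MRN-" + "*" * 8
    return "[DOB]"


def redact(text: str) -> tuple[str, list[Finding]]:
    """Replace findings from right to left so earlier offsets stay valid while editing."""
    findings = scan(text)
    out = text
    for f in reversed(findings):
        out = out[:f.start] + mask(f) + out[f.end:]
    return out, findings


def decide(findings: list[Finding]) -> str:
    """Policy: 'block' if a blocking identifier is present, 'flag' if only lesser ones, else 'allow'."""
    kinds = {f.kind for f in findings}
    if kinds & BLOCKING_KINDS:
        return "block"
    if kinds:
        return "flag"
    return "allow"


def process(text: str) -> dict:
    """Run scan, redaction and policy for one outbound message."""
    redacted, findings = redact(text)
    return {"decision": decide(findings), "redacted": redacted,
            "kinds": [f.kind for f in findings]}


# Constructed outbound messages (no real patients or identifiers). The third one
# contains a digit run that looks like an SSN but is glued to a letter, which the
# word-boundary anchors reject, so it is allowed through.
SAMPLE_MESSAGES = [
    "Claim for MRN-00418273, SSN 123-45-6789, DOB 03/14/1962, attached for adjudication.",
    "Reminder: patient born 11/02/1975 has an appointment Tuesday.",
    "Quarterly capacity report attached; see ticket 555-12-3456x for the server.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = process(msg)
        print(f"{r['decision']:>5}  {r['redacted']}")
```

In practice a "block" result would hold the message for an encrypted channel or a secure file transfer rather than silently dropping it, and the findings list is what feeds the leakage reporting and incident response integration that the slide calls for.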

Page 25: Protecting patient information

Poll question #4

Which of the following privacy and data protection technologies have you already implemented?

• Governance Solutions (Data inventory, data classification, Digital rights management)

• Preventive Solutions (Data leak prevention, Identity and access management, Segregation of duties, database security/scanning, Encryption (data at rest), Encryption (data in motion))

• Monitoring Solutions (Content monitoring, audit logging and monitoring, intrusion detection and prevention, fraud discovery and monitoring)

• More than one

• Miscellaneous/ None of the above

• Not applicable

Page 26: Protecting patient information


Conclusion

• Strategic collaboration with business partners, frequent reporting of data breaches, and increased regulatory mandates have brought to the forefront the need for privacy and data protection capabilities throughout the entire value chain

• Security breaches can result in a number of business issues including reputation and revenue loss, as well as legal exposure

• A data protection solution requires avoiding the “disconnect”

– Engaging the business to define the sensitive data to protect

– Updating risk management policies

– Tuning business processes

– Raising user awareness

– Integrating key technologies to provide policy enforcement throughout the data life cycle and the seven control environments


Page 27: Protecting patient information

Questions & Answers

Page 28: Protecting patient information

Join us January 22nd at 2 PM EST as our Health Sciences series presents: Eye of the Storm – Improving Financial Performance in the Credit Crunch

Page 29: Protecting patient information


Thank you for joining today’s webcast. To request CPE credit, click the link below.

Page 30: Protecting patient information


Contact information

• Amry Junaideen, Principal, Deloitte & Touche LLP

[email protected]

Ph: 203-708-4195

• Rena Mears, Partner, Deloitte & Touche LLP

[email protected]

Ph: 415-783-5662

• Russ Rudish, Principal, Deloitte Consulting LLP

[email protected]

Ph: 212-313-1820

Page 31: Protecting patient information


This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Page 32: Protecting patient information


About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Page 33: Protecting patient information


A member firm of Deloitte Touche Tohmatsu