Protecting patient information

DESCRIPTION

Everyone is accountable and expected to protect health information. The circle is large and encompasses many different organizations. Patient data is protected for a reason. Let’s look at some brief reminders:

TRANSCRIPT
The Health Sciences series presents:

Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data?

Amry Junaideen, Principal, Deloitte & Touche LLP
Rena Mears, Partner, Deloitte & Touche LLP
Russ Rudish, Principal, Deloitte Consulting LLP

December 16, 2008

Copyright © 2008 Deloitte Development LLC. All rights reserved.
Agenda
• Increased collaboration in the marketplace
• The challenge of protecting information
• Breach causes and effects
• Preventing a breach
• Finding the right solution
• Conclusion
Health care and information sharing

[Diagram: the health care value chain. Providers (Health Systems, Long Term Care, Ambulatory Care, Hospitals/Facilities) deliver care and services to Patients; Payers (Patients, Private, Government) enable delivery and make payment; Suppliers (Pharmaceutical, Bio-tech, Medical devices) deliver products; Regulators protect public welfare and ensure that healthcare services and products are safe and effective.]

Collaboration is vital for improving health care quality and meeting consumers’ needs. However, it involves a significant amount of information sharing. The protection of information is a critical ingredient for success.
Challenge of protecting information

[Diagram: swim-lane flow of a patient encounter across Payer, Provider, Patient, Bank and Suppliers (drug manufacturers, equipment suppliers): appointment scheduling; front-office check-in and collection of insurance, patient information and other forms by phone or personal visit; evaluation of the patient insurance plan and receipt of eligibility, referral and co-pay paperwork from the payer; services performed and orders placed (lab, imaging, pharmacy); clinical information and charges coded in the HIS; the provider/physician generates a bill/claim; the payer receives the claim bill and the provider receives payment; the patient is billed if “self-pay”, for extra services, or for services not covered, and pays through the bank.]

PHI lifecycle stages marked on the flow:
1. Data Acquisition / Collection: Patient Health Information (PHI) is collected at this stage.
2. Data Storage: Providers store PHI and update the patient’s medical records.
3. Data Usage: Providers use PHI to provide services to the patient.
4. Data Sharing / In-transit: Providers transmit PHI to either payer or third parties for processing.
5. Data Archival / Destruction: Archive and destroy PHI per the retention policy.
6. Clinical Trials Data Tracking & Results: Expert opinion sharing and adverse event reporting cross-border: PII and IP consideration.

The protection of information within an organization and among multiple organizations is not a simple matter for a myriad of reasons.
Data risk levels

• Personally Identifiable Information (PII): Leakage of generally accessible PII and IT data occurs most commonly
• Sensitive: Data such as intellectual property and/or PII with a higher contextual value
• Fraud: Internal or external use of PII for fraudulent gain
• ID Theft: The assuming of one’s identity to obtain credit for purchases; a specific subset of PII, single or in combination

Although ID Theft has the most severe impact, other forms of enterprise data leakage are far more likely and require management attention. The majority of data losses, internal or external, are accidental.

[Diagram: level of enterprise risk plotted against potential for harm to the consumer, rising from LOW through MODERATE and HIGH to SEVERE. Generally accessible data and authorized disclosure (PII or other sensitive data, such as intellectual property) sit at the low end; unauthorized disclosure, fraud (a subset of PII, single or combined) and ID theft (a specific subset) sit at the high end.]
Poll question #1

Do you share electronic medical records with business partners that require asset protection measures, such as encryption?
• Yes
• No
• Don’t know
• Not applicable
The sophistication of “attackers”

Organized rings of thieves have developed sophisticated methods for compromising value chain security and stealing sensitive data.

80’s: Dumpster Diving
Techniques:
• Simple techniques that involved theft of information
• Required thief to manually collect personal information
• Unorganized crime
Schemes:
• Mail Theft
• Sifting through garbage for confidential information
• Social Engineering
Instances per year: ~300-400

90’s: Hacking
Techniques:
• Improved techniques for gathering personal information
• Wide use of electronic databases and internet growth led to a loosely organized hacking community
Schemes:
• Hacking
• Fake W-2 Forms and Returns
Instances per year: ~80,000

2000’s: “Phishing”
Techniques:
• High-tech crime with the emergence of professional, international gangs
• Criminals target the booming e-commerce and financial networks
• Stealing information from employers, banks and government agencies (HR, payroll, bank, and SSA data)
Schemes:
• Data Theft / Hacking / Keystroke loggers
• Pharming & Phishing
• Theft of W-2 Information
• Counterfeit Tax Returns
Instances per year: ~9,900,000
Recent data breach trends

Numerous data breaches have been reported, leading to a heightened awareness of this topic at the senior levels within an organization.

Data breaches are common across sectors; medical and health care facilities contributed to 14.9% of the 449 security breaches in 2008**

* From a survey conducted by HIMSS Analytics and Kroll Fraud Solutions
** Data until 8/22/2008 from Identity Theft Resource Centre
Increased regulatory mandates

Organizations must consider increased regulatory mandates that provide specific requirements for data protection in the US and abroad.

[Timeline, 1996 to 2011, of regulations affecting the Health Sciences industry: HIPAA; California Breach Notification Law; Standard & Poor’s on Enterprise Risk Management (ERM); Identity Theft Red Flags; Massachusetts Law; California legislation AB 1298; the ICD 10 bill; and, among international regulations, the European Commission’s Directive on Data Protection.]

Regulations present increasing requirements on the protection of sensitive information. User expectations for data protection are high.
Breach causes and effects

How do these breaches occur?

Causes:
• Data is not treated as a strategic asset
• Reactive rather than programmatic approach
• Governance, process and technologies are not aligned
• Data is not inventoried and mapped
• Failure to adopt adequate process and technology controls
• Training is inadequate or non-existent

Effects:
• Data assets are not inventoried or classified
• Use and sharing of data is not understood
• Data risk is incorrectly identified or evaluated
• Policies, processes and technologies are not aligned
• Controls do not adequately protect data assets
• Organization and stakeholders unable to respond to threat
What are the risks?

A breach impacts many aspects of the business, including putting assets at risk, an increasing number of breaches, rising costs, and a decline in shareholder value.

Legal Risk:
• Litigation or lawsuits from patients, due to loss of patient sensitive information
• Failure to meet 3rd party requirements

Regulatory Risk:
• Failure to comply with the complex and relatively new regulations
• Failure to conduct compliance audits

Brand Risk:
• Heightened media scrutiny surrounding leakage of customer sensitive information
• Meeting new demands of the consumer driven health care market

Financial Risk:
• Excessive post breach related costs
• Loss of patient information can impact patient relationships/retention
• Ineffective capital management

Operational Risk:
• Excessive internal resource consumption due to time spent dealing with breaches
• Post M&A Integration

IT Risk:
• Virus attacks/hacking and loss of data “in-flight”
• Wrongful access to sensitive information
• Theft during physical transportation
Cost of a breach

The total average cost of a data breach grew to $197 per record compromised. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.

Deloitte’s 2007 Privacy and Data Protection Survey included 827 participants in North America*
• Over 85% of respondents reported at least one breach and over 63% reported multiple breaches requiring notification
• Resource allocation associated with notification activities alone appeared to be a significant hidden cost

* 19.9% of privacy professionals were from Health Sciences
* 12% of security professionals were from Health Sciences
Poll question #2

In the past year, how many privacy and data breach incidents at your organization are you aware have occurred?
• Never
• 1-5
• 6-10
• 10-20
• More than 20
• Not applicable/Don’t know
Data as an asset

Treating data as an asset helps prevent breaches and enables collaborative information sharing.

“Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases, the information is more valuable than the hardware which processes it.”
– Grace Murray Hopper, USN (Ret)
Understand the data lifecycle

The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain.

[Diagram: the data lifecycle with Governance at the center: Creation, Acquisition, Classification, Use, Sharing, Storage, Preservation, Archival (including indefinite archive), Disposition, Destruction.]
Data types and data flow

[Diagram: five start-to-end horizontal process flows (Marketing, Order Management, Manufacture Products, Develop Products, Procure Materials) crossing the vertical business divisions of the health care industry.]

Sensitive data such as customer information, financial data, and intellectual property moves horizontally across organizational boundaries, including vertical business processes (e.g., order fulfillment process). Organizations often do not have a good understanding of the movement, proliferation, and evolution of their data.
Compliance vs. risk-based approach

Risk-based strategies go beyond compliance mandates to provide a more holistic approach towards managing and protecting data assets. A risk-based approach enables organizations to be adaptive to changing regulatory and business environments.

[Diagram: a compliance-based strategy is detailed, specific and binary; a risk-based strategy considers regulatory, brand and competitive risk.]

Compliance-based strategies are:
• Reactionary
• Comparatively inefficient

Advantages of the risk-based approach:
• Free organization from reactionary cycles
• Allocate scarce resources efficiently and according to specific threat levels
• Deliver value as quickly as possible
• Provides efficiency and focus to successfully address compliance requirements from a risk-based perspective
Avoid the disconnect

A “disconnect” between corporate policies, actual operational practices, and technology infrastructure reduces the ability to successfully implement changes into the business environment.

[Diagram: Policies, Processes and Technology, with a disconnect between each pair, connected by a DP strategy built on a structured framework.]
Poll question #3

Which of the following have you most recently implemented in your organization as it relates to your privacy program?
• Process for corporate governance to establish accountability and manage enterprise privacy risk
• A framework to assess risk in business processes as they relate to PII
• Procedures to implement privacy policies within operational processes, including designing and implementing measurable controls
• An enterprise-wide privacy & data protection training program
• Process to stay current and assess new legal regulations and legislative developments
• None
Protect data across its lifecycle

Organizations need an enterprise level solution which includes data governance strategies, organizational policies and procedures, and controls to identify, monitor, and protect data through its lifecycle.

[Diagram: a risk based approach to the enterprise data lifecycle, linking Governance, Asset (data, classification, risk), Identity (credential, role, identity management) and Infrastructure (business process, processes, facilities).]

Governance:
• Management commitment
• Policies, guidelines, and procedures
• Training & Awareness
• Review and monitoring

Asset:
• Asset type definition
• Asset inventory
• Risk assessment
• Asset classification

Infrastructure:
• Process reengineering
• Segmentation and least privileges
• Contracts and enforcements
• Physical security
• End-to-end security
• Defense in depth
• Enabling technology
Consider all environments

Organizations should take a practical and business focused view and address data breach risks across seven control environments:

1. Communications: Data in Use and Data in Motion via email, web traffic, IM, blogs, etc.
2. Database: Data at Rest in repositories (databases, email stores, file systems, etc.)
3. Mobile Media: Data in Use and Data at Rest on mobile computing devices such as laptops, PDA’s, etc.
4. Transaction and Activity Monitoring: Data in Use and Data in Motion associated with privileged and other users accessing databases containing sensitive data
5. Third Party
6. Developer Access to Production: Limiting access to production data and controlling the movement of data from production to development and test
7. Archival and Disposal: Data management infrastructure for migrating data to storage or disposing
Create a business process flow and data flow mapping

A company’s risk assessment should consider the data lifecycle for each of its business processes.

[Diagram: example mapping of data flows across a hospital, universities, third parties and finance, showing infrastructure, business divisions, customer system/operational activity, third party vendors and clinical/biomedical functions.]
Organizational risk view

[Diagram: enterprise network view with branch offices, remote employees, WAN links, WWW and VPN access, outsourced development, enterprise e-mail, business analytics, a customer portal, production data, data warehouse, staging, file server, DR, back up disk, back up tape and disk storage, plus external customers and partners. Controls overlaid on the flows: DLP, DAM, Encryption, Data Redaction, Archive. Steps: Set Policy; Deploy Controls; Enforce and Monitor Controls.]
Determine solution set to meet critical risks

Implementing solutions involves more than technology; it requires a view of policy management, process and procedure development, technology evaluation and planning, technology implementation, ongoing operational management, leakage reporting and integration into incident response, training and awareness.

Data Management and Protection Solution Types:
• Data Discovery: Discovery and classification of data from disparate sources (email, file-shares, web)
• Data Archiving: Services such as retention, distribution, and security of tapes
• Database Activity Monitoring: Monitoring of user and administrator activity, focused at databases
• Data Destruction: Enforcement of data security policies addressing disposal of information media
• Data Redaction: Protection of sensitive data via de-identifying, sanitizing, masking, or obfuscating
• Endpoint Protection: Workstation, laptop and other mobile device protection such as data monitoring, full disk encryption, local media encryption
• Data Leak Prevention: Solutions to identify and prevent accidental disclosures of sensitive data at the edge of the network
• Encryption: Tools to provide data encryption across the enterprise, including key management and recovery
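As an added illustration (not code from the deck or from Deloitte), the Python below shows how the Data Leak Prevention and Data Redaction solution types above can work together on one outbound message: it scans constructed sample text for identifier patterns, maps what it finds onto the deck’s risk levels (PII, Sensitive, ID Theft), and masks the matches before release. The identifier formats, the MRN pattern and the per-level action mapping are assumptions.

```python
import re

# Identifier patterns (assumed formats, illustrative only). A real DLP
# deployment would tune these to the organization's own record layouts.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b"),      # assumed medical record number format
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),       # any MM/DD/YYYY date treated as a possible DOB
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def scan(text):
    """Return a list of (kind, matched_text) for every identifier found."""
    return [(kind, m.group()) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]

def classify(kinds):
    """Map the set of identifier kinds present onto the deck's risk levels."""
    kinds = set(kinds)
    if "ssn" in kinds and kinds & {"dob", "mrn"}:
        return "ID Theft"            # combination that lets someone assume the identity
    if kinds & {"ssn", "mrn"}:
        return "Sensitive"           # PII with a higher contextual value (PHI identifier)
    if kinds:
        return "PII"                 # generally accessible personal data
    return "Generally Accessible"

def redact(text):
    """Mask every identifier; keep the last four SSN digits for reconciliation."""
    out = PATTERNS["ssn"].sub(lambda m: "***-**-" + m.group()[-4:], text)
    out = PATTERNS["mrn"].sub("MRN:[REDACTED]", out)
    out = PATTERNS["dob"].sub("[DOB REDACTED]", out)
    out = PATTERNS["email"].sub("[EMAIL REDACTED]", out)
    return out

# Assumed egress policy per risk level: block, redact before sending, or allow.
ACTIONS = {"ID Theft": "block", "Sensitive": "redact", "PII": "redact",
           "Generally Accessible": "allow"}

def egress_check(text):
    """DLP decision for one outbound message: level, action, findings, releasable text."""
    findings = scan(text)
    level = classify(k for k, _ in findings)
    action = ACTIONS[level]
    released = None if action == "block" else (redact(text) if action == "redact" else text)
    return {"level": level, "action": action, "findings": findings, "released": released}

# Constructed sample message with fictitious patient data.
SAMPLE = ("Claim for patient MRN: 00123456, SSN 123-45-6789, DOB 04/12/1970, "
          "contact jane.doe@example.com regarding lab results.")

if __name__ == "__main__":
    result = egress_check(SAMPLE)
    print(result["level"], result["action"])
    print(redact(SAMPLE))
```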
Poll question #4

Which of the following privacy and data protection technologies have you already implemented?
• Governance Solutions (Data inventory, data classification, Digital rights management)
• Preventive Solutions (Data leak prevention, Identity and access management, Segregation of duties, database security/scanning, Encryption (data at rest), Encryption (data in motion))
• Monitoring Solutions (Content monitoring, audit logging and monitoring, intrusion detection and prevention, fraud discovery and monitoring)
• More than one
• Miscellaneous/None of the above
• Not applicable
Conclusion

• Strategic collaboration with business partners, frequent reporting of data breaches, and increased regulatory mandates have brought to the forefront the need for privacy and data protection capabilities throughout the entire value chain
• Security breaches can result in a number of business issues including reputation and revenue loss, as well as legal exposure
• A data protection solution requires avoiding the “disconnect”:
  – Engaging the business to define the sensitive data to protect
  – Updating risk management policies
  – Tuning business processes
  – Raising user awareness
  – Integrating key technologies to provide policy enforcement throughout the data life cycle and the seven control environments

Questions & Answers

Join us January 22nd at 2 PM EST as our Health Sciences series presents: Eye of the Storm – Improving Financial Performance in the Credit Crunch

Thank you for joining today’s webcast. To request CPE credit, click the link below.
Contact information
• Amry Junaideen, Principal, Deloitte & Touche LLP
Ph: 203-708-4195
• Rena Mears, Partner, Deloitte & Touche LLP
Ph: 415-783-5662
• Russ Rudish, Principal, Deloitte Consulting LLP
Ph: 212-313-1820
This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

A member firm of Deloitte Touche Tohmatsu