Safeguarding Patient Privacy in a Digital Age (Brian Kalis)
TRANSCRIPT
Health cyber security “is the Wild West…What’s in the news is just the tip of the iceberg.”
Kevin Johnson
CEO, Secure Ideas
Source: “Hacker calls health security ‘Wild West’” - http://www.healthcareitnews.com/news/hacker-calls-health-security-wild-west
Situation: What is happening with health cyber security?
• Over the last five years, data breaches have increased dramatically in both frequency and number of impacted individuals.
• From 2010 to 2014, the number of health care data breaches impacting more than 500 individuals increased over 40%.
Copyright © 2015 Accenture All rights reserved.
Health Care Data Breaches Impacting >1 Million Individuals Over the Last 5 Years (timeline, 2010 to 2015)
• Anthem: 78.8M, Cyber Attack
• UCLA: 4.5M, Cyber Attack
• CareFirst BCBS: 1.1M, Cyber Attack
• AvMed Inc.: 1.2M, Theft
• BCBS TN: 1.0M, Theft
• GRM Services: 1.7M, Theft
• IBM: 1.9M, Unknown
• Nemours Foundation: 1.1M, Loss
• SAIC: 4.9M, Loss
• Advocate Health: 4.0M, Theft
• MT HHS: 1.1M, Cyber Attack
• Community Health: 4.5M, Theft
• Xerox: 2.0M, Unauthorized Access
• Premera: 11.1M, Cyber Attack
Sources: Accenture analysis based on data from the HHS Office for Civil Rights breach portal. Data accurate as of July 2015.
Situation: How are different health organizations affected by data breaches?
• Trends vary for how different health industry stakeholders are impacted by the increasing risk and crime related to health data security.
Health Care Data Breaches, January 2010 – July 2015
| | Health Plans | Healthcare Providers | Business Associates |
|---|---|---|---|
| Total Breaches | 141 | 838 | 273 |
| Individuals Impacted | ~98 Million (w/o Anthem – 19.3M) | ~18 Million | ~22 Million |
| Average Breach Size | ~696,000 (w/o Anthem – 138,000) | ~22,000 | ~82,000 |
Health Care Data Breaches – Key Points
• Anthem Breach Outlier: Accounted for ~80% of total individuals impacted by Health Plan breaches since 2010
• Health Plan Breaches: Occurred less frequently and impacted the most individuals on average (even excluding Anthem outlier)
• Healthcare Provider Breaches: Occurred most frequently and impacted the fewest individuals on average
• Business Associate Breaches: Impacted the largest total number of individuals (excluding Anthem outlier)
Sources: Accenture analysis based on data from the HHS Office for Civil Rights breach portal. Data accurate as of July 2015. Healthcare Clearing Houses and a small number of breaches without a designated covered entity type were excluded from this analysis based on low reporting rate.
Situation: Why are health data breaches such a large risk?
• The monetary value of stolen health care data far surpasses other forms of personal information, making it a prime target for security threats.
Medicare Number Black Market Value: $470
Credit Card Number Black Market Value: few quarters or dollars
Sources: “The black market for stolen health care data” - http://www.npr.org/blogs/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data
Situation: How do health data breaches impact victims?
• Individuals victimized by medical information and medical identity theft suffer a variety of problems related to the crime.
TIME
Victims resolving crimes related to medical identity theft spend more than 200 hours on:
• Verifying that the correct personal health information remains in the record and false information is removed
• Ensuring that the criminal can no longer use the victim’s medical information fraudulently
• Dealing with medical invoices and claims
WELLBEING
Fraudulent use of personal medical and financial information can be difficult to detect and remedy. Medical identity theft can cause dangerous errors such as:
• Misdiagnosis
• Delayed medical treatment
• Interference with provision of the correct medical care
Additionally, 45% of victims say the crimes affected their reputation and were embarrassing due to disclosure of sensitive information.
FINANCES
Medical identity theft victims are not usually protected from health cyber crimes and pay an average of $13,500 in out-of-pocket expenses for:
• Incorrect medical bills paid unwittingly
• Reimbursement to insurers for healthcare services obtained fraudulently
• Legal costs to unravel the cyber crime and remedy negative implications
Sources: Ponemon Fifth Annual Study on Medical Identity Theft - http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/
Situation: What is the projected financial impact to patients?
• Over the next five years, patients will suffer ~$56 billion in out-of-pocket costs due to medical identity theft resulting from healthcare provider data breaches.
Projected Patients Impacted and Victimized by Medical Identity Theft due to Healthcare Provider Breaches, 2015-2019 (millions)
| | 2015 | 2016 | 2017 | 2018 | 2019 |
|---|---|---|---|---|---|
| Patients Impacted | 3.47 | 4.13 | 4.93 | 5.87 | 7.00 |
| Patients Victimized | 0.87 | 1.03 | 1.23 | 1.47 | 1.75 |
| Patients Paying OOP | 0.56 | 0.67 | 0.80 | 0.95 | 1.14 |
Patient OOP Costs: $56 Billion
Accenture projects that 25% of patients impacted by healthcare provider data breaches between 2015 and 2019—more than 6 million people—will subsequently become victims of medical identity theft. Sixteen percent of impacted patients—more than 4 million people—will be victimized and pay out-of-pocket costs totaling almost $56 billion over the next 5 years.
Source: “The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction.” Accenture. July 2015. Projections are original Accenture analysis utilizing data from the Ponemon Fifth Annual Study on Medical Identity Theft (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/), the Ponemon Fourth Annual Benchmark Study on Patient Privacy and Data Security (http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security), and the HHS Office for Civil Rights breach database.
Situation: What is the projected financial impact to patients?
• Over the next five years, healthcare providers are at risk of losing over $300 billion in cumulative lifetime patient revenue due to data breaches.
Provider Revenue Risk: $305 Billion
Almost half of patients say they would find a different provider if they were informed their medical records were stolen. Taking into account the estimated lifetime economic value of a patient, Accenture analysis shows that healthcare providers are at risk of losing $305 billion in cumulative lifetime patient revenue due to the projected data breaches occurring over the next five years.
Chart: Lifetime Patient Revenue At Risk Related to Projected Healthcare Provider Data Breaches (billions of dollars, by year, 2015 to 2019)
Estimated cumulative lifetime patient revenue loss 2015 to 2019: ~$305 billion
Source: “The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction.” Accenture. July 2015. Projections are original Accenture analysis utilizing data from the Ponemon Fifth Annual Study on Medical Identity Theft (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/), the Ponemon Fourth Annual Benchmark Study on Patient Privacy and Data Security (http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security), and the HHS Office for Civil Rights breach database.
Complication: What are key challenges to improving health cyber security?
• The healthcare industry faces unique challenges and must address how stakeholders can catch up with other industries.
• Poor Diligence: Lack of awareness of security breaches during and following attack
• Partner Weaknesses: Vendor and partner security weaknesses impact all
• Outdated Security: Healthcare organizations tend to have fewer defenses and dated protection – e.g. on premise servers are less secure than cloud solutions
• Inaccurate Perceptions: Belief that smaller organizations are immune from attack is misleading – everyone is at risk
• Rich Data At Risk: Stolen health information is worth 10 times more than credit cards on the black market due to the personal identity data
• Compliance Is Not Enough: Impacted organizations and the industry overall demonstrate slow response to rapidly increasing vulnerability
Sources: “Hacker calls health security ‘Wild West’” - http://www.healthcareitnews.com/news/hacker-calls-health-security-wild-west, “Why health hacks are worse than credit card hacks” - http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/?xid=yahoo_fortune, “8 reactions to the Anthem hack from health IT leaders and cybersecurity experts” - http://www.beckershospitalreview.com/healthcare-information-technology/8-reactions-to-the-anthem-hack-from-health-it-leaders-and-cybersecurity-experts.html
Opportunity: How can organizations approach addressing cyber security?
• Health organizations must move to active defense and prioritize improvements of their cyber security in order to thwart breach events and malicious attacks.
• Become agile: Embrace the cloud and other emerging technologies to boost IT agility and reach customers faster, capitalize on efficiency and cost benefits and do so within risk tolerances
• Assess security capability, identify opportunities: Determine where the organization currently stands and the level of resources required to support meaningful transformation
• Develop end-to-end delivery and sourcing: Plan a delivery and operational strategy for each of the security services they offer to make a clear-eyed assessment of internal competencies for designing, building and deploying elements of a cyber-security program
• Manage complexity and integrate the enterprise: Evolve the security program vision: establish an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business
• Accelerate toward security intelligence: Adapt to handle new threats to the enterprise by developing threat-centered operations by developing a deep understanding of adversaries, their goals and techniques
Source: Accenture. “Intelligent Security: Defending the Digital Business.” August 2014.
Opportunity: Accenture Thought Leadership
• The Cyber Security Leap: From Laggard to Leader
• Security Implications of the Accenture Technology Vision 2014
• The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction
• Intelligent Security: Defending the Digital Business
Glossary of Terms
• Lifetime patient revenue: Total economic value or total patient revenue over the lifetime of an individual patient.
• Cumulative lifetime patient revenue: Total lifetime patient revenue for a group of patients.
• Medical information theft: The crime of stealing patient personal information (including clinical and/or financial information).
• Medical identity theft: The crime of fraudulently using an individual’s name and personal identity to receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.
• Impacted patients: Patients who have their personal information stolen in a data breach (as reported to the U.S. Department of Health and Human Services Office for Civil Rights for breaches impacting 500 or more people).
• Victimized patients or medical identity theft victims: Patients who have their personal information stolen in a data breach and whose information is subsequently used in a fraudulent manner.
*Security breaches impacting more than 500 people must be reported by healthcare organizations to the U.S. Department of Health and Human Services Office for Civil Rights.
For more information:
Brian Kalis, Accenture Health & Public Services
Janessa Nickell, Accenture
Join the conversation:
@AccentureHealth, @AccentureStrat