how to mitigate risks, liabilities and costs of data ...second top source of data breaches,...
TRANSCRIPT
How to mitigate risks, liabilities and costs of data breach of health information by third parties
April 17, 2012 ID Experts Webinar www.idexpertscorp.com
2
Rick Kam
President and Co-Founder Privacy Counsel
Ellen M. Giblin
3
Key “Take Aways”
• Relevance of the “PHI Report” on valuing PHI • Top threats and risks to PHI • Risk mitigation using third party agreements • Evolving regulatory environment • Steps to mitigate risk
4
The “PHI Project”
• REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
• WHY: Increased number and frequency of data breaches • WHO: Guardians of the trust forming the foundation of the
health care delivery system • SOLUTION: Information and tools to develop a compelling
business case fore requesting investments and resources to ensure PHI privacy and security
5
What’s Happening?
The number of organizations handling PHI is expanding
The adoption of ePHI has increased the information flow risks
The rewards of medical ID theft have surged
6
The Ramifications
• Improperly disclose PHI of millions of individuals “in a matter of seconds,”
• Steal health information from a virtual location, and
• Breach PHI in a manner that makes it impossible to restore.
For the first time in history, it is possible to:
7
Why Steal PHI?
• Physician ID numbers are used to fraudulently bill for services
• Patient ID information is lent to friends or relatives in need of services
• Patient ID numbers are sold on the black market
Medicare fraud estimate? $60B/year
Majority of clinical fraud? Obtain prescription
narcotics for illegitimate use
~5% of clinical fraud: Free health care
Patient ID Information: $50/record Social
Security number: $1
Average Payout for defrauding a health care
organization: $20,000 Regular ID theft? $2,000
8
Top Elements Threatening PHI Security
Human • Malicious Insider • Non-Malicious Insider • Outsider • State-Sponsored Cyber Crime
Evolving Stakeholders • BAs and Subcontractors • Cloud Providers • Virtual Physician’s Office
Methods
• Lost / Stolen Media
Intrusion
• Dissemination of Data
• Mobile Devices
• Wireless Devices
9
The PHIve Method
Conduct Risk Assessment
Determine Security Readiness Score
Assess the Relevance of a Cost
Determine the Impact
Calculated the Total Cost of a Breach
10
Sample Case Study Unintentional, Business Associate, 845,000 records, Clinical fraud resulting
in 1 death, financial fraud, NYC
Estimated Total Impact Grand Total of Breach Costs $26,493,617
Annual Revenue of Entity $241,836,404
% of Cost to Annual Revenue 11%
Impact Score Severe
11
How Much to Invest?
• How much would a data breach cost? • Given current safeguards and controls, how
often can an organization expect to experience a data breach?
• What investments can be made to reduce the frequency of a data breach?
• What are the associated annual savings of a delayed data breach?
• Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?
12
Vendor Risk Ecosystem Managing and Mitigating Vendors in the Risk Ecosystem
13
Evolving Regulatory and Enforcement Environment
• Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates — claims processing, administration, data analysis, billing, benefits management — and could potentially extend to subcontractors.
14
Evolving Regulatory and Enforcement Environment
• The Department of Health and Human Services Office for Civil Rights (OCR) recently has deepened its enforcement to include business associates (BA). And the recent Minnesota Attorney General’s action against Accretive Health is evidence that states are also stepping up their scrutiny of business associates using their authority under the HITECH Act.
15
Business Associates Integral to the Risk Management Ecosystem
• That’s not without cause. Business associates are the second top source of data breaches, according to a recent benchmark study on patient privacy and data security by the Ponemon Institute. In fact, Leon Rodriguez, director of the OCR, notes that 63 percent of the people affected by OCR-reported data breaches were the result of security lapses at a business associate.
16
Key Steps to Minimize Vendor Risk
• The OCR’s extended scrutiny is putting pressure on covered entities to more proactively and frequently measure business associates’ HITECH compliance. To keep them in check, covered entities would do well to ask some important questions of, or about, their business associates:
17
Step One: Assess the Criticality of Service
• How critical is the business associate to my organization? Is it operationally critical or tied to my brand? Is there a viable alternative? Using a metric of sorts to weigh the importance versus the risks of a business associate can be helpful. For instance, an electronic health records systems provider may be a higher risk because of the amount of sensitive data it processes, yet replacing the system may not be feasible.
18
Step Two: Contractual Safeguards
• Do I have an updated agreement in place with each business associate, one that evolves to meet changing privacy and security needs? Some reasons to update may include changes in types of services provided; change in policies and procedures based on annual review or simulations; or data breaches or environmental changes.
19
Step Three: Due Diligence
• What security standards does the BA comply with? Does the business associate conduct employee training, annual risk assessment and/or risk analysis according to HIPAA privacy, security and breach notification rules? Can it provide you a copy of their most recent assessment, risk mitigation plan, and progress report? Does it have a privacy and compliance official?
20
Step Three: Due Diligence
• Has the business associate had privacy or security incidents with other covered entities? Request to talk to other covered entities services to find out about the BA’s practices regarding the incident and how it was handled. This can be a predictor of future events and any impact on your organization.
21
Step Four: Operationalize the BA Contract
• Does the business associate have an incident detection and management process? How does the business associate detect incidents, and what will trigger it to notify the covered entity? How soon must that BA notify you in the event of an incident? Is it enough time to conduct an incident assessment and meet the breach response obligations according to federal and state(s) laws?
22
Step Four: Operationalize the BA Contract
• What are the contractual obligations or indemnity provisions if there is an incident? Covered entities are responsible for the breaches caused by their business associates, including notification costs. Given the increased enforcement and expensive notification and remediation procedures, however, business associates should assume some financial liability. More importantly, is the business associate able to bear the indemnity costs, either through their own resources, cyber insurance, or other form of security?
23
Step Four: Operationalize the BA Contract
• What are the legal and contractual requirements for offshore business associates and sub-contractors? These third-party providers are not subject to HIPAA privacy and security regulations. Covered entities or business associates contracting with foreign third parties should include any requirements for safeguarding PHI within the agreements, and not depend on foreign law.
24
Step Five: Minimize the Risk
• What about termination clauses? Do you have a clear set of guidelines under which you will terminate a business associate agreement? Can you monitor for these guidelines, and can the BA provide you necessary information for making this decision?
25
Step Six: Manage the Risk Ecosystem
• Covered entities bear an enormous burden for safeguarding the PHI in their care. The further that sensitive data goes downstream, the more difficult it can be to protect it. But with increasing enforcement on the federal and state levels, covered entities have the right and obligation to insist on evidence of compliance from their business associates, and as much as possible, their sub-contractors.
26
Rick Kam
President & Co-Founder Privacy Counsel
Ellen M. Giblin
Questions & Answers
800-298-7558
617-573-9400
ID Experts Ashcroft Law Firm