1. The Health Sciences series presents:
Privacy Breaches:
How Protected is Your Patient’s
Sensitive Health and Personal Data?
Amry Junaideen, Principal, Deloitte & Touche LLP
Rena Mears, Partner, Deloitte & Touche LLP
Russ Rudish, Principal, Deloitte Consulting LLP
December 16, 2008
2. Agenda
• Increased collaboration in the marketplace
• The challenge of protecting information
• Breach causes and effects
• Preventing a breach
• Finding the right solution
• Conclusion
Copyright © 2008 Deloitte Development LLC. All rights reserved.
3. Health care and information sharing
Collaboration is vital for improving health care quality and meeting consumers’
needs. However, it involves a significant amount of information sharing. The
protection of information is a critical ingredient for success.
[Diagram: the health care value chain. Suppliers (pharmaceutical, bio-tech,
medical devices) enable Providers (health systems, long term care, ambulatory
care, hospitals/facilities); Providers deliver care and services to Patients;
Payers (patients, private, government) deliver payment ($). Regulators protect
public welfare and ensure that healthcare services and products are safe and
effective.]
4. Challenge of protecting information
The protection of information within an organization and among multiple
organizations is not a simple matter for a myriad of reasons.
[Diagram: PHI lifecycle stages overlaid on a patient visit and billing process.]
Lifecycle stages:
1. Data Acquisition / Collection – Patient Health Information (PHI) is
collected at this stage.
2. Data Storage / Destruction – Providers store PHI and update the patient’s
medical records.
3. Data Usage – Providers use PHI to provide services to the patient.
4. Data Sharing / In-transit – Providers transmit PHI to either payer or third
parties for processing.
5. Data Archival / Destruction – Archive and destroy PHI per the retention
policy.
6. Clinical Trials Data Tracking & Results – Expert opinion sharing and adverse
event reporting cross-border: PII and IP consideration.
Swimlanes in the process flow:
• Suppliers – drug manufacturers, equipment suppliers
• Payer – provides eligibility, referral, co-pay and coverage; bill received;
evaluation of patient insurance dependency plan; claim bill collection; bill pay
• Provider – appointment scheduling; front-office staff checks the patient in
(1. insurance, 2. patient info, 3. other forms); perform services; order placed
(lab, imaging, pharmacy); medical charges coded in HIS; physician generates a
bill/claim; physician receives payment; bill if “self-pay”; bill for extra
services
• Patient – concerned about symptoms; appointment (by phone, mail or personal
visit); wants to be checked in; referral/eligibility received; paperwork; bill
received if services are not covered; bill pay
• Bank – make payment
5. Data risk levels
Although ID Theft has the most severe impact, other forms of enterprise data
leakage are far more likely and require management attention. The majority of
data losses – internal or external – are accidental.
• Personally Identifiable Information (PII) – Leakage of generally accessible
PII and IT data occurs most commonly
• Sensitive – Data such as intellectual property and/or PII with a higher
contextual value
• Fraud – Internal or external use of PII for fraudulent gain
• ID Theft – The assuming of one’s identity to obtain credit for purchases.
Specific subset of PII or combination
[Chart: Level of Enterprise Risk (LOW / MODERATE / HIGH / SEVERE) against
Potential for Harm to the Consumer. Points, in rising order: Generally
Accessible / Authorized Disclosure (PII or other sensitive data); Unauthorized
Disclosure (sensitive data, such as PII or intellectual property); Fraud (subset
of PII, single or combined); ID Theft (specific subset of PII).]
6. Poll question #1
Do you share electronic medical records with
business partners in a way that requires asset protection
measures, such as encryption?
• Yes
• No
• Don’t know
• Not applicable
7. The sophistication of “attackers”
Organized rings of thieves have developed sophisticated methods for
compromising value chain security and stealing sensitive data.
80’s – Dumpster Diving
Techniques:
• Simple techniques that involved theft of information
• Required thief to manually collect personal information
• Unorganized crime
Schemes:
• Mail theft
• Sifting through garbage for confidential information
• Social engineering
Instances per year: ~300-400
90’s – Hacking
Techniques:
• Improved techniques for gathering personal information
• Wide use of electronic databases and internet growth led to a loosely
organized hacking community
Schemes:
• Stealing information from employers, banks and government agencies (HR,
payroll, bank, and SSA data)
• Hacking
• Fake W-2 forms and returns
Instances per year: ~80,000
2000’s – “Phishing”
Techniques:
• High-tech crime with the emergence of professional, international gangs
• Criminals target the booming e-commerce and financial networks
Schemes:
• Data theft / hacking / keystroke loggers
• Pharming & phishing
• Theft of W-2 information
• Counterfeit tax returns
Instances per year: ~9,900,000
8. Recent data breach trends
Numerous data breaches have been reported, leading to a heightened awareness of
this topic at the senior levels of organizations.
Data breaches are common across sectors; medical and health care facilities
contributed to 14.9% of the 449 security breaches in 2008**
*From a survey conducted by HIMSS Analytics and Kroll Fraud Solutions
** Data until 8/22/2008 from Identity Theft Resource Centre
9. Increased regulatory mandates
Organizations must consider increased regulatory mandates that provide specific
requirements for data protection in the US and abroad.
[Timeline marked 1996, 1998, 2007, 2009 and 2011, with the following mandates
placed along it: HIPAA; European Commission’s Directive on Data Protection;
California Breach Notification Law; California Identity Theft legislation
AB 1298; Identity Theft Red Flags Regulations; Massachusetts Law; S&P on
Enterprise Risk Management (ERM); 2008 ICD 10 bill.]
Callouts on the timeline:
• HIPAA regulations present increasing requirements on the protection of
sensitive information
• California Breach Notification Law, Massachusetts Law and Identity Theft Red
Flags Regulations
• International regulations
• Health Sciences industry: Standard & Poor’s on ERM
• User expectations for data protection are high
10. Breach causes and effects
How do these breaches occur?
Causes:
• Data is not treated as a strategic asset
• Reactive rather than programmatic approach
• Governance, process and technologies are not aligned
• Data is not inventoried and mapped
• Failure to adopt adequate process and technology controls
• Training is inadequate or non-existent
Effects:
• Data assets are not inventoried or classified
• Use and sharing of data is not understood
• Data risk is incorrectly identified or evaluated
• Policies, processes and technologies are not aligned
• Controls do not adequately protect data assets
• Organization and stakeholders unable to respond to threat
11. What are the risks
A breach impacts many aspects of the business, including putting assets at
risk, an increasing number of breaches, rising costs, and a decline in
shareholder value.
Risks and their impact:
Legal Risk
• Litigation or lawsuits from patients, due to loss of patient sensitive
information
• Failure to meet 3rd party audits
Regulatory Risk
• Failure to comply with the complex and relatively new regulations
• Failure to conduct compliance requirements
Brand Risk
• Heightened media scrutiny surrounding leakage of customer sensitive
information
• Meeting new demands of the consumer driven health care market
Financial Risk
• Excessive post breach related costs
• Loss of patient information can impact patient relationships/retention
Operational Risk
• Excessive internal resource consumption due to time spent dealing with
information breaches
• Post M&A integration
• Ineffective capital management
IT Risk
• Virus attacks/hacking and loss of data “in-flight”
• Wrongful access to sensitive information
• Theft during physical transportation
12. Cost of a breach
The total average cost of a data breach grew to $197 per record compromised.
The average total cost per reporting was more than $6.3 million per breach and
ranged from $225,000 to almost $35 million.
Deloitte’s 2007 Privacy and Data Protection Survey included
827 participants in North America*
• Over 85% of respondents reported at least one breach
and over 63% reported multiple breaches requiring
notification
• Resource allocation associated with notification activities
alone appeared to be a significant hidden cost
*19.9% of privacy professionals were from Health Sciences
*12% of security professionals were from Health Sciences
13. Poll question #2
In the past year, how many privacy and data breach
incidents at your organization are you aware have
occurred?
• Never
• 1-5
• 6-10
• 10-20
• More than 20
• Not applicable/Don’t know
14. Data as an asset
Treating data as an asset helps prevent breaches and enables collaborative
information sharing
Some day, on the corporate balance sheet, there will be an
entry which reads, “Information”; for in most cases, the
information is more valuable than the hardware which
processes it.
– Grace Murray Hopper, USN (Ret)
15. Understand the data lifecycle
The intrinsic and contextual value of data and associated ownership risk vary
throughout the data life cycle and throughout the value chain.
[Diagram: data lifecycle wheel. Stages shown: Creation, Acquisition,
Classification, Storage, Use, Sharing, Disposition, Archival, Indefinite
Archive, Preservation, Destruction; plus Governance.]
16. Data types and data flow
Sensitive data such as customer information, financial data, and intellectual
property moves horizontally across organizational boundaries, including vertical
business processes (e.g., order fulfillment process). Organizations often do not
have a good understanding of the movement, proliferation, and evolution of their
data.
[Diagram: health care industry value chain – Develop Products, Procure
Materials, Manufacture Products, Order Management, Marketing – with data flows
running from start to end across each process.]
17. Compliance vs. risk-based approach
Risk-based strategies go beyond compliance mandates to provide a more holistic
approach towards managing and protecting data assets. A risk-based approach
enables organizations to be adaptive to changing regulatory and business
environments.
COMPLIANCE-BASED STRATEGY: Detailed, Specific, Binary
RISK-BASED STRATEGY: Regulatory, Brand, Competitive
Compliance-based strategies are:
• Reactionary
• Comparatively inefficient
Advantages of the risk-based approach:
• Free organization from reactionary cycles
• Allocate scarce resources efficiently and according to specific threat levels
• Deliver value as quickly as possible
• Provides efficiency and focus to successfully address compliance requirements
from a risk-based perspective
18. Avoid the disconnect
A “disconnect” between corporate policies, actual operational practices, and
technology infrastructure reduces the ability to successfully implement changes
into the business environment.
[Diagram: DP Strategy at the top of a structured framework, flowing to Policies,
then Processes, then Technology, with a “Disconnect” marked between Policies
and Processes and another between Processes and Technology.]
19. Poll question #3
Which of the following have you most recently
implemented in your organization as it relates to your
privacy program?
• Process for corporate governance to establish accountability and
manage enterprise privacy risk
• A framework to assess risk in business processes as they relate to PII
• Procedures to implement privacy policies within operational processes,
including designing and implementing measurable controls
• An enterprise-wide privacy & data protection training program
• Process to stay current and assess new legal regulations and legislative
developments
• None
20. Protect data across its lifecycle
Organizations need an enterprise level solution which includes data governance
strategies, organizational policies and procedures, and controls to identify,
monitor, and protect data through its lifecycle.
[Diagram: a risk based approach applied to the enterprise data lifecycle and
business process, built from four layers.]
GOVERNANCE
• Management commitment
• Segmentation and least privileges
• Policies, guidelines, and procedures
• Contracts and enforcements
• Training & Awareness
• Review and monitoring
IDENTITY – identity management covering Identity, Role and Credential
ASSET – Data, Facilities, Processes; classification:
• Asset type definition
• Asset inventory
• Risk assessment
• Asset classification
INFRASTRUCTURE
• Physical security
• End-to-end security
• Defense in depth
• Enabling technology
• Process reengineering
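The governance layer above names “segmentation and least privileges” and “review and monitoring”, and the identity layer ties access to Identity, Role and Credential. The following is an added example, not Deloitte’s code or any product described in the deck, of what those two elements look like when applied to a single patient record: each role sees only the fields its job needs, every access (granted or refused) lands in an audit trail, and an unknown role gets nothing. The role names, field names and the sample record are assumptions constructed for this illustration.

```python
"""Least-privilege, role-based access to a patient record with an audit trail.

Added example (not Deloitte's code). Roles, field names and the record below
are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record; every value is fictitious.
PATIENT_RECORD = {
    "patient_id": "P-00017",
    "name": "Jane Example",
    "dob": "1970-04-02",
    "ssn": "123-45-6789",
    "insurance_member_id": "INS-88231",
    "diagnosis_codes": ["E11.9"],
    "lab_results": {"HbA1c": "7.1%"},
    "billing_balance": 240.00,
}

# Role -> fields that role may read. Anything not listed is withheld, so a new
# field added to the record is private until a role is explicitly granted it.
# Assumed roles for illustration, not a standard.
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "dob", "diagnosis_codes", "lab_results"},
    "front_office": {"patient_id", "name", "dob", "insurance_member_id"},
    "billing": {"patient_id", "name", "insurance_member_id", "billing_balance"},
    "researcher": {"diagnosis_codes", "lab_results"},  # de-identified view only
}


class AccessDenied(Exception):
    """Raised when a role has no entitlement to patient records at all."""


@dataclass
class AuditTrail:
    """In-memory stand-in for the review-and-monitoring log."""
    entries: list = field(default_factory=list)

    def record(self, user, role, released, withheld):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "released": sorted(released),
            "withheld": sorted(withheld),
        })


def view_record(record, user, role, audit):
    """Return only the fields the role is entitled to see, logging the access."""
    if role not in ROLE_FIELDS:
        # Refusals are logged too; a monitoring team wants to see probing.
        audit.record(user, role, [], record.keys())
        raise AccessDenied(f"role {role!r} has no entitlement to patient records")
    allowed = ROLE_FIELDS[role]
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = set(record) - allowed
    audit.record(user, role, released.keys(), withheld)
    return released


if __name__ == "__main__":
    trail = AuditTrail()
    print(view_record(PATIENT_RECORD, "dr.smith", "physician", trail))
    print(view_record(PATIENT_RECORD, "analyst1", "researcher", trail))
    try:
        view_record(PATIENT_RECORD, "vendor", "marketing", trail)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in trail.entries:
        print(entry)
```

The deny-by-default shape of `ROLE_FIELDS` is the point: the SSN and billing balance never reach the physician view because nobody granted them, not because someone remembered to strip them. In a real system the trail would go to a tamper-evident store rather than a list.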
21. Consider all environments
Organizations should take a practical and business focused view and address
data breach risks across seven control environments.
[Diagram: seven control environments arranged around Sensitive Data.]
1. Communications – Data in Use and Data in Motion via email, web traffic, IM,
blogs, etc.
2. Database – Data at Rest in repositories (databases, email stores, file
systems, etc.)
3. Mobile Media – Data in Use and Data at Rest on mobile computing devices such
as laptops, PDAs, etc.
4. Archival and Disposal – Data management infrastructure for migrating data to
storage or disposing of it
5. Developer Access to Production – Limiting access to production data and
controlling the movement of data from production to development and test
6. Third Party – Data at Rest in repositories (databases, email stores, file
systems, etc.)
7. Transaction and Activity Monitoring – Data in Use and Data in Motion
associated with privileged and other users accessing databases containing
sensitive data
22. Create a business process flow and data flow
mapping
A company’s risk assessment should consider the data lifecycle for each of its
business processes.
[Diagram: business process flow and data flow map across business divisions
(Clinical / Bio Medical, Hospital, Universities, Finance, Infrastructure,
Customer, System/Operational Activity) and third parties / third party vendors.]
23. Organizational risk view
[Diagram: organizational risk view. Set Policy; Deploy Controls (DLP,
Encryption, DAM, Data Redaction, Archive); Enforce and Monitor Controls.
Environments shown: Branch Offices and Remote Employees over WAN and VPN;
Customers and Partners via WWW and the Customer Portal; Production Data; Data
warehouse and Business Analytics; Staging and Outsourced Development; Enterprise
e-mail and File Server; Disk storage; DR Backup tape and Backup disk.]
24. Determine solution set to meet critical risks
Implementing solutions involves more than technology; it requires a view of
policy management, process and procedure development, technology evaluation
and planning, technology implementation, ongoing operational management,
leakage reporting and integration into incident response, training and awareness.
Data Management and Protection Solution Types
• Data Discovery – Discovery and classification of data from disparate sources
(email, file-shares, web)
• Data Archiving – Services such as retention, distribution, and security of
tapes
• Database Activity Monitoring – Monitoring of user and administrator activity,
focused at databases
• Data Destruction – Enforcement of data security policies addressing disposal
of information media
• Data Redaction – Protection of sensitive data via de-identifying, sanitizing,
masking, or obfuscating
• Endpoint Protection – Workstation, laptop and other mobile device protection
such as data monitoring, full disk encryption, local media encryption
• Data Leak Prevention – Solutions to identify and prevent accidental
disclosures of sensitive data at the edge of the network
• Encryption – Tools to provide data encryption across the enterprise,
including key management and recovery
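Two of the solution types listed above, Data Leak Prevention and Data Redaction, rest on the same core step: recognise sensitive identifiers in content before it leaves a control environment, then either block it or mask it. The following added example (not Deloitte’s code, nor the logic of any DLP or redaction product) shows that core in one place: a detector for a few identifier types run over an outbound message, a validation check (the Luhn checksum) that keeps the card detector from flagging every long digit string, and a masking step that leaves only what a downstream reader legitimately needs. The regular expressions, the internal record number format “MRN-nnnnnn” and the sample message are assumptions constructed for the example.

```python
"""Content inspection (DLP-style detection) and redaction of an outbound message.

Added example (not Deloitte's code). Patterns, the "MRN-nnnnnn" identifier
format and the sample message are constructed for illustration only.
"""
import re

# Detectors. The SSN pattern rejects area numbers 000, 666 and 9xx and zero
# group/serial numbers, which removes a large class of false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # candidate only; Luhn below
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),  # assumed internal record number format
}

# Constructed sample of an outbound message; every value is fictitious.
SAMPLE = ("Patient MRN-004821 (jane.example@example.org), SSN 123-45-6789, "
          "paid with card 4111 1111 1111 1111; order 2024-0001 ref 5555-0000.")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return findings as (kind, start, end, matched_text), ordered by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # long digit run that is not a card number
            findings.append((kind, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f[1])


def mask(kind: str, value: str) -> str:
    """Replace an identifier with a form that keeps only a non-sensitive remnant."""
    if kind == "ssn":
        return "***-**-" + value[-4:]
    if kind == "card":
        digits = [c for c in value if c.isdigit()]
        return "*" * (len(digits) - 4) + "".join(digits[-4:])
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "MRN-******"


def redact(text: str) -> tuple:
    """Return (redacted_text, findings). The findings are what a DLP log would record."""
    findings = scan(text)
    out, last = [], 0
    for kind, start, end, value in findings:
        if start < last:
            continue  # overlapping match already covered by an earlier finding
        out.append(text[last:start])
        out.append(mask(kind, value))
        last = end
    out.append(text[last:])
    return "".join(out), findings


if __name__ == "__main__":
    cleaned, found = redact(SAMPLE)
    for kind, start, end, _ in found:
        print(f"{kind:5s} at {start}-{end}")
    print(cleaned)
```

The Luhn check is the caveat a practitioner wants to see: pattern matching alone is the main source of DLP false positives, and a cheap structural validation cuts them substantially. The same is true in reverse for the masking step, which keeps the last four digits so that billing staff can still reconcile a payment without the full number ever appearing in the message.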
25. Poll question #4
Which of the following privacy and data protection
technologies have you already implemented?
• Governance Solutions (Data inventory, data classification, Digital rights
management)
• Preventive Solutions (Data leak prevention, Identity and access
management, Segregation of duties, database security /scanning,
Encryption (data at rest), Encryption (data in motion))
• Monitoring Solutions (Content monitoring, audit logging and monitoring,
intrusion detection and prevention, fraud discovery and monitoring)
• More than one
• Miscellaneous/ None of the above
• Not applicable
26. Conclusion
• Strategic collaboration with business partners, frequent reporting of data
breaches, and increased regulatory mandates have brought to the
forefront the need for privacy and data protection capabilities throughout
the entire value chain
• Security breaches can result in a number of business issues including
reputation and revenue loss, as well as legal exposure
• A data protection solution requires avoiding the “disconnect”
– Engaging the business to define the sensitive data to protect
– Updating risk management policies
– Tuning business processes
– Raising user awareness
– Integrating key technologies to provide policy enforcement throughout the
data life cycle and the seven control environments
28. Join us January 22nd at 2 PM EST
as our Health Sciences series
presents:
Eye of the Storm – Improving
Financial Performance in the
Credit Crunch
29. Thank you for joining
today’s webcast.
To request CPE credit,
click the link below.
30. Contact information
• Amry Junaideen, Principal, Deloitte & Touche LLP
ajunaideen@deloitte.com
Ph: 203-708-4195
• Rena Mears, Partner, Deloitte & Touche LLP
renamears@deloitte.com
Ph: 415-783-5662
• Russ Rudish, Principal, Deloitte Consulting LLP
rrudish@deloitte.com
Ph: 212-313-1820
31. This presentation contains general information only and is based on the
experiences and research of Deloitte practitioners. Deloitte is not, by means of this
presentation, rendering business, financial, investment, or other professional
advice or services. This presentation is not a substitute for such professional
advice or services, nor should it be used as a basis for any decision or action that
may affect your business. Before making any decision or taking any action that
may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss
sustained by any person who relies on this presentation.
32. About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a
detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries.
33. A member firm of
Deloitte Touche Tohmatsu