
Page 1

10 things all industries can learn from the revolution in healthcare

The future of privacy: Thursday, March 7, 2012

Page 2

Introductions

James H. Koenig, JD, CIPP
Leader, Privacy Practice and Security Leader, Health Information Technology Practice
Co-Founder & Former General Counsel, International Association of Privacy Professionals

Zoe Strickland, CIPP
Chief Privacy Officer, UnitedHealth Group
Board, International Association of Privacy Professionals

Kimberly S. Gray, Esq., CIPP
Chief Privacy Officer, Global, IMS Health
Board, International Association of Privacy Professionals

PwC 2

Page 3

Agenda

Section
1 Introduction: The data-sharing playground
2 The future of privacy and data protection: Ten developments you need to plan for now
3 Conclusion/Q&A

Page 4

Introduction: The data-sharing playground

Securing data and protecting privacy are critical as the health industry converges in a new data-sharing playground

Page 5

About our research

• Conducted 25 in-depth interviews with chief privacy officers (CPOs), chief information security officers (CISOs), chief information officers (CIOs), and other executives of healthcare organizations.

• Commissioned online surveys in Spring 2011 of more than 600 providers, health insurers, and pharmaceutical and life sciences companies on the privacy and security implications of the explosion of new data sources and uses in the healthcare industry.

Page 6

New Business Opportunities Based on Trends in Healthcare & Healthcare Information Economy

Medicine is becoming increasingly personalized as greater access to information moves the industry towards a market of individualized treatment.

Convergence
• New care delivery models to reduce cost and improve quality and outcomes:
  – Medical in-home visits and treatment: Transform primary care, driving physician visits into the home
  – Accountable care organizations (ACOs): Develop a virtually-integrated, “connected” care model that coordinates care across providers and with payors

Consumerism
• Personalized medicine: Facilitating a movement from the treatment of disease toward wellness and prevention
• mHealth: Using wireless and broadband technologies to provide health services or health information to “un-tether” healthcare and/or empower patients

Technology
• Genetics to allow personalized diagnostics and treatments
• Advanced informatics to better understand effectiveness of drugs, tests and course of treatments
• Electronic health records and health information exchanges to facilitate access to patient information and analyze data across a population of patients

Page 7

Healthcare surprisingly will create many next generation privacy innovations

• Developments:
  • Obama’s Stimulus Bill created $17.2 billion to stimulate the adoption of electronic health records. With the advent of EHRs, expanded global clinical trials, new care delivery models and the sharing of health data for outcomes research, more people will have access to consolidated, larger, often shared honey pots of sensitive health information.
  • In 2009, as part of the American Recovery and Reinvestment Act (ARRA), $17.2 billion was designated to stimulate the implementation and meaningful use of electronic health records (EHRs).
  • Physicians and hospitals who implement EHRs between 2011 and 2014 are eligible for funds.
  • Heightened Risks with New Technology and Secondary Uses of Data. The new Health Information Economy will start pushing data mining techniques and use of third party providers.

• Tactical/Practical Implications:
  • New innovative products/services from health that can be used by all industries. Next generation technologies for minimum necessary access, glass break system and log monitoring, encryption and other areas that need to be developed to satisfy requirements.

Page 8

Personalized Medicine & Care Delivery Opportunities

Medicine is increasingly personalized as greater access to information moves the industry towards a market of individualized treatment and more cost-effective care. This trend creates patient, physician, hospital-facing and infrastructure business opportunities. With incentive funds, many focus on EHRs and care delivery.

Personalized
• New targeted therapeutics
• Personal Health Records

Predictive
• Molecular diagnostics
• Genomic sequencing

Preventative
• Customized preventive drug design
• Services/programs for wellness/compliance
• Nutritional/functional foods

Participatory
• Enhance access to care in rural communities and for special conditions
• Telemedicine/Telemetry
• mHealth home and mobile-based monitoring and treatment

Other
• Informatics and EHR products/services
• Radiology image management
• Physician office infrastructure/services

Note: Bolded areas above indicate areas of potential TWC business cases

Picture sources: GlowCap, LifeSource, Partners and VitalHub Websites

Page 9

- Nearly 75% of healthcare organizations said they are using or intend to use some form of secondary data
- Less than half of healthcare organizations have addressed the privacy/security implications of secondary data

                                                         Providers  Health Insurers  Pharma/LS  Total
Pursuing or will pursue secondary data                   78%        68%              68%        74%
Addressed or addressing privacy and security implications 43%       57%              50%        47%

Source: PwC Health Research Institute privacy and security survey, 2011

Page 10

Healthcare organizations are concerned about needing more granular EHR access controls

Top 3 security issues by health sector

Providers
1. EHR/PHR access controls and identity management (81%)
2. Encryption in storage and in transit (57%)
3. Required software upgrades (28%)

Health insurers
1. EHR/PHR access controls and identity management (58%)
2. Encryption in storage and in transit (52%)
3. Alternative identifiers and information masking (34%)

Pharma/LS
1. Document retention compliance (56%)
2. Encryption in storage and in transit (42%)
3. End-user access controls and identity management (41%)

Source: PwC Health Research Institute privacy and security survey, 2011


Page 11

10 things all industries can learn from the revolution in healthcare

Page 12

10 things all industries can learn from the revolution in healthcare

Developments around data, security and new technologies
1. De-identification strategies improving the best privacy and security protection!
2. Access controls and moving beyond role-based access to “Minimum Necessary”
3. Monitoring and watching the sea of data
4. Encryption and the standards to keep you out of trouble
5. mHealth and new broadband solutions

Developments around key program building blocks and risks
6. Breach notification, enforcements and the drive to improve training and sanctions
7. Paper protection and the drive to address old risks in new wrappers
8. Data sharing and vendors/BAs – high risk, setting standards and new approaches
9. Annual assessment and the case for having a 3-year roadmap/plan
10. The case for integrated frameworks

Page 13

#1: De-identification strategies improving the best privacy and security protection!

• Healthcare Trend/Development
  • Laws Including HIPAA/HITECH Now Define Personal Information by Data Elements.
    • US state breach laws, EU, Japan, PCI and others
    • HIPAA has a Safe Harbor for PHI using 18 data elements
    • Statistical de-identification option

• Broader Implications:
  › Big Idea. Laws and big companies are using data elements and a new approach to manage data at the element level, not the application/system level.
  › Conduct Data Element Inventories to know the scope of your program (and where it does not apply). Required for FTC and other enforcements.
  › Statistical De-Identification. Already used by new technologies in cable, mobile and other interactive technologies.
  › Data Rationalization and Elimination Projects. To minimize risk, compliance obligation and costs, these initiatives are springing up. Better to eliminate, than to spend ongoing funds to maintain, unneeded regulated data.
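Added example, not part of the PwC deck: an element-level Safe Harbor transform of a constructed patient record, showing what "managing data at the element level" looks like in code. The field names, sample values and the small ZIP-prefix set are constructed; the rules (drop direct identifiers, keep only the year of dates, collapse ages over 89, keep three ZIP digits) follow the HIPAA Safe Harbor method.

```python
import re
from datetime import date
from typing import Any, Dict, List, Tuple

# Safe Harbor identifier types removed outright. Field names are constructed
# for this example; the categories follow 45 CFR 164.514(b)(2).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
SUB_STATE_GEO = {"city", "county"}          # geography below state level is removed
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed subset for this example; the real list is derived from Census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}

# Constructed sample record (all values are fictitious).
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Q. Sample", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "dob": "1970-05-14", "street_address": "1 Example St", "city": "Boston",
    "state": "MA", "zip": "02114", "admission_date": "2011-11-02",
    "diagnosis": "hypertension", "notes": "follow-up call 617-555-0100",
}

def _age_on(dob: date, ref: date) -> int:
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))

def safe_harbor(record: Dict[str, Any], reference_iso: str) -> Dict[str, Any]:
    """Element-level Safe Harbor transform. Dates keep only the year; ages over 89
    (and any birth year that would reveal one) collapse to "90+"; ZIPs keep 3 digits."""
    ref = date.fromisoformat(reference_iso)
    over_89 = "dob" in record and _age_on(date.fromisoformat(record["dob"]), ref) > 89
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue                                   # drop the element entirely
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue                               # birth year would reveal age > 89
            out[key] = date.fromisoformat(value).year  # year only
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else int(value)
        else:
            out[key] = value                           # non-identifying element kept
    if over_89:
        out["age"] = "90+"
    return out

# Patterns for identifiers that hide in free text, which a field-level rule misses.
FREE_TEXT_PATTERNS = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "phone": r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    "email": r"[\w.+-]+@[\w-]+\.[\w.-]+",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}

def residual_identifier_scan(record: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (field, identifier_type) pairs still present in string values, so a
    data element inventory can flag records that need manual review."""
    hits: List[Tuple[str, str]] = []
    for key, value in record.items():
        if isinstance(value, str):
            for name, pattern in FREE_TEXT_PATTERNS.items():
                if re.search(pattern, value):
                    hits.append((key, name))
    return hits
```

Running `residual_identifier_scan` over the transformed record shows why the element inventory matters: the structured identifiers are gone, but the phone number in the free-text note survives and must be handled separately.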

Page 14

#2: Access controls and moving beyond role-based access to “Minimum Necessary”

• Healthcare Trend/Development
  • “Minimum Necessary” and “Legitimate Business Purpose.” Laws and breaches driving work in this area.
  • EHRs. Under one of the 9 Office of the National Coordinator (ONC) Meaningful Use requirements, EHR systems must be able to:
    • Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. §170.302(o)

• Broader Implications:
  › Data Element Access Rationalization. New efforts to move beyond role-based access to more granular controls and authorizations.
  › New Technologies. Custom and more mass-market access and identity management solutions.

Page 15

#3: Monitoring and watching the sea of data

• Healthcare Trend/Development
  • EHRs. Under one of the 9 Office of the National Coordinator (ONC) Meaningful Use requirements, EHR systems must be able to:
    1. Record actions. Actions related to electronic health information must be recorded. §170.210(b):
       • “The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.” §170.210(b)
    2. Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified above. §170.302(r)

• Broader Implications:
  › New Glass Break Monitoring Controls. New solutions are being developed for monitoring not just transactions, changes and deletions, but also for just accessing and viewing data.
  › Predictive Science. New algorithms are being developed to better identify wrongful activity.
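Added example, not part of the PwC deck, covering both #2 and #3: a small EHR access layer that grants data elements per role rather than whole records (minimum necessary), requires a treatment relationship or an explicit break-glass override, records every action including plain views with the elements quoted from §170.210(b), and produces the time-window, sort-by-any-element audit log of §170.302(r) plus a glass-break review list. The roles, care team, users and record are constructed.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Set

# Constructed element-level grants: each role sees only the elements it needs,
# instead of a single all-or-nothing grant per role.
ROLE_ELEMENTS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis", "medications", "lab_results"},
    "billing": {"name", "dob", "insurance_id"},
}

@dataclass
class AuditEntry:
    timestamp: datetime        # date and time              (§170.210(b))
    patient_id: str            # patient identification
    user_id: str               # user identification, "by whom"
    action: str                # created / modified / accessed / deleted / denied
    elements: List[str]        # which elements the action touched
    break_glass: bool = False  # emergency override outside a treatment relationship

class EhrAccessLayer:
    def __init__(self, care_team: Dict[str, Set[str]]) -> None:
        self.care_team = care_team   # patient_id -> users with a treatment relationship
        self.audit_log: List[AuditEntry] = []

    def read(self, user_id: str, role: str, patient_id: str, requested: List[str],
             record: Dict[str, str], now: datetime, break_glass: bool = False) -> Dict[str, str]:
        """Minimum-necessary read: filter to the role's elements, require a treatment
        relationship (or an explicit break-glass), and audit even plain views."""
        allowed = [e for e in requested if e in ROLE_ELEMENTS.get(role, set())]
        related = user_id in self.care_team.get(patient_id, set())
        if not related and not break_glass:
            self.audit_log.append(AuditEntry(now, patient_id, user_id, "denied", allowed))
            raise PermissionError("no treatment relationship with patient")
        self.audit_log.append(AuditEntry(now, patient_id, user_id, "accessed", allowed,
                                         break_glass=break_glass and not related))
        return {e: record[e] for e in allowed if e in record}

    def generate_audit_log(self, start: datetime, end: datetime,
                           sort_by: str = "timestamp") -> List[Dict[str, Any]]:
        """§170.302(r): entries for a time period, sortable by any recorded element."""
        window = [asdict(e) for e in self.audit_log if start <= e.timestamp <= end]
        return sorted(window, key=lambda d: str(d[sort_by]))

    def glass_break_report(self) -> List[Dict[str, Any]]:
        """Views that bypassed or failed the relationship check, for privacy review."""
        return [asdict(e) for e in self.audit_log if e.break_glass or e.action == "denied"]

def run_demo() -> Dict[str, Any]:
    """Constructed scenario: a treating physician, a billing clerk with no
    relationship to the patient, and an on-call physician using break-glass."""
    t0 = datetime(2012, 3, 7, 9, 0)
    layer = EhrAccessLayer(care_team={"P001": {"dr_adams"}})
    record = {"name": "Sample Patient", "dob": "1970-05-14",
              "diagnosis": "hypertension", "insurance_id": "INS-000"}
    physician_view = layer.read("dr_adams", "physician", "P001",
                                ["name", "diagnosis", "insurance_id"], record, t0)
    try:
        layer.read("clerk_b", "billing", "P001", ["name", "insurance_id"], record,
                   t0 + timedelta(minutes=5))
        denied = False
    except PermissionError:
        denied = True
    oncall_view = layer.read("dr_chen", "physician", "P001", ["diagnosis"], record,
                             t0 + timedelta(minutes=10), break_glass=True)
    log = layer.generate_audit_log(t0, t0 + timedelta(hours=1), sort_by="user_id")
    return {"physician_view": physician_view, "clerk_denied": denied,
            "oncall_view": oncall_view, "log_users": [e["user_id"] for e in log],
            "log_actions": [e["action"] for e in log],
            "review_count": len(layer.glass_break_report())}
```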

Page 16

#4: Encryption and the standards to keep you out of trouble

• Healthcare Trend/Development
  • The design of new US laws allows encryption to help companies avoid liability.
    • Examples: (i) MA 201, (ii) PCI Laws in MN and WA and (iii) exception from most state breach laws.
  • HIPAA Encryption. The HIPAA Security Rule states that a covered entity implement a mechanism to encrypt ePHI whenever deemed appropriate.
  • Encryption of EHRs and HIEs. To meet Meaningful Use requirements, EHRs must encrypt electronic health records and information shared in a health information exchange.
  • Encryption & the HITECH Breach Notification Provision. For data to be considered "secure" and not subject to the HITECH breach provision, HHS set encryption standards.

• Broader Implications:
  • Use of NIST Encryption Standards. Since US healthcare law applies to both healthcare and human resources benefits data, many companies are adopting encryption that complies with NIST specifications as the highest denominator.
    • See National Institute of Standards and Technology (NIST) Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices, for data at rest, and Federal Information Processing Standard (FIPS) 140-2, NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations, SP 800-77, Guide to IPsec VPNs, or SP 800-113, Guide to SSL VPNs, for data in motion.

Page 17

#5: mHealth and new broadband solutions

• Healthcare Trend/Development
  • Less than half of healthcare organizations have addressed or are addressing the privacy/security implications of mobile devices.

Addressed or addressing the privacy/security implications of mobile devices
  Providers        50%
  Health insurers  43%
  Pharma/LS        36%
  Total            45%

Source: PwC Health Research Institute privacy and security survey, 2011

• Broader Implications:
  • Limit information flow. Companies are starting to ensure that policies are in place to secure devices and to limit the information stored on local drives, a particular concern with mobile.
  • Mobile Access Enhancements. Companies are working on easier, but more sophisticated mobile device access, moving away from generic log-ons.

Page 18

#6: Breach notification, enforcements and the drive to improve training and sanctions

• Healthcare Trend/Development
  • HITECH Breach Notification. New features:
    • OCR notification and web site reporting.
    • Desk reviews of organizations that have breaches.
    • Major enforcements, including fines and corrective action plans with education and sanctions.

• Broader Implications:
  • New Incident Response Plans address privacy. Breach response plans can influence whether action is brought. Existing technical incident response plans can satisfy new privacy requirements with 2 fixes:
    • Add potential unauthorized disclosure or access of personal information to the list of events to be investigated and managed under the plan, and
    • Add a breach notification process for personal information security breaches.
  • Training and Sanctions. Focus on people and culture. Move beyond constant retraining or informal responses.

Page 19

More than 70% of respondents said recent breach enforcement actions have forced them to focus more on privacy and security

Reported breaches by type
  Loss                              14%
  Theft                             66%
  Unauthorized access/disclosure    10%
  Hacking/IT incident                9%
  Unknown                            1%

Reported breaches by medium
  Electronic 73%: 209 incidents and 10,122,893 individuals affected
  Paper 23%: 67 incidents and 356,235 individuals affected
  Unknown 4%: 12 incidents and 507,710 individuals affected

Source: U.S. Department of Health and Human Services Office for Civil Rights, accessed June 27, 2011, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.

Page 20

54% of healthcare organizations have experienced a privacy/security issue in the last two years

[Chart: "Within the last two years, have you experienced any of the following? Please select all that apply." Responses by sector (Total, Health insurers, Providers, Pharma/LS), 0% to 70%, for: Improper use of PHI by an internal party; Patients seeking services under others' names; Improper file transfer containing PHI; Transfer of PHI to an unauthorized party; Security breach of PHI; Improper use of PHI by an external party; Financial ID theft; Do not know.]

Page 21

#7: Paper protection and the drive to address old risks in new wrappers

• Healthcare Trend/Development
  • Most Laws Applied to Only Electronic. Many breach notification laws apply only to electronic-based information.
  • New Laws Cover Paper Too. HITECH breach notification covers paper, although HIPAA security does not.
  • OCR/FTC Enforcements Highlight the Point. Multi-million dollar fines for enforcements that involved paper handling/dumpster diving.

• Broader Implications:
  • Integration of Physical and Technical Security. Increasingly a trend.
  • New Focus on Paper. Many companies have been starting records destruction and green initiatives to reduce paper (and costs).
  • ID Theft Risk Too. With almost 2/3 of identity theft cases involving paper, new risk focus on paper in addition to just compliance.
  • Cost Savings. Also, cost reduction possibilities have increased the popularity of initiatives in this area.

Page 22

#8: Data sharing and vendors/BAs – high risk, setting standards and new approaches

Third Parties Behind Most Improper Disclosures

• Healthcare Trend/Development
  • Many breaches have been committed by BAs.
    • Of the 11 million people affected by data breaches since 2009, 55% were affected by breaches involving business associates
    • 33% of all companies received a vendor breach or mishandling notice last year
    • Only 38% performed a pre-contract assessment
  • More vendor risk with outsourcing and cloud computing.
  • Risks for and Scrutiny of Business Associates Grows Under HITECH. HITECH requires BAs comply with HIPAA Privacy and Security Rules.
  • Enhanced Privacy & Security Are Prerequisites for Existing & New Business Models. Needed to meet regulatory and business partner expectations and to access the new data flows and sharing in the new health information economy.

Page 23

Organizations are sharing, but few have identified restrictions or have agreements in place

[Chart: "If you are currently sharing data externally, which of the following activities has your organization completed? Please select all that apply." Responses by sector (Pharma/LS, Providers, Health insurers) for: Implemented process for managing patient consent; Have an audit process in place; Executed data-sharing agreements with all participants; Identified restrictions on the sharing/use of data (e.g., contractual, policy, legal); Developed access management policies related to family members; Determined data exchange requirements for particularly sensitive data (e.g., behavioral health, substance abuse).]

Source: PwC Health Research Institute privacy and security survey, 2011

Page 24

#8: Data sharing and vendors/BAs – high risk, setting standards and new approaches (cont.)

• Broader Implications:
  • Contract. Enhanced contractual safeguards with specific security controls schedule
  • Vendor Assessments. Vendor Assessments (and risk scoring)
    • Example Online Surveys and Scoring Models: Many develop scoring models, automate data collection & compliance reporting processes for speed and savings.

[Chart: Vendor Privacy & Security Analysis, a scatter plot of Vendors A through I by Controls Index (x-axis, 50.0% to 100.0%) against Sensitivity Index (y-axis, 50.0% to 100.0%).]

Page 25

#9: Annual assessment and the case for having a 3-year roadmap/plan

• Healthcare Trend/Development
  • Meaningful Use Certification. An organization must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] created or maintained by certified [EHR].”
  • Remediation Plan. Organizations must “[i]mplement security updates and correct identified security deficiencies as part of its risk management process.”
  • Use of a Comprehensive Assessment and 3-Year Plan. There have been cases where these documents convinced OCR and/or a state attorney general to withhold any enforcement if they stayed on plan and reported back.

• Broader Implications:
  • Have a Plan. Develop a plan of (i) key privacy program initiatives and (ii) program-related initiatives owned by others (e.g., encryption, records, SSN removal, others).

50%: Providers that will apply for “meaningful use” incentives in 2011.
19%: Providers that have completed the prerequisite security assessment that includes criteria for access control, identity management, and encryption.

Page 26

#10: The case for integrated frameworks

• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, HITECH, PCI, ID Theft, Security Breach Laws, Marketing Laws, EU DPD or other global law.
• The trend is to search for common requirements and points of leverage.

An Integrated Approach (Privacy, Risk, Regulatory, Technical Standards, Compliance)

Privacy
• US - Fair Information Practices (e.g., HIPAA, GLBA)
• Global - Organization of Economic Cooperation & Development (e.g., EU Data Protection Directive)
• APEC Framework

Risk
• COSO II
• SOX
• Basel II

Compliance
• Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)

Technical Standards
• ISO 27001 and 27002
• NIST 800-53 and FIPS
• COBIT
• PCI DSS
• HITRUST
• Others

Regulatory
• HIPAA & HITECH
• MA 201, NV & PCI Laws
• FTC GLBA 501(b) Safeguards Rule
• Italian DBA/Other EU laws
• FTC, CMS & DPA cases

Page 27

Organizations that have integrated approaches to privacy and security have experienced benefits

Health insurers were more likely to have integrated their approach to privacy and security to a great extent

Response to survey question                                                          Integrated approaches to a great extent   All others
The security of my organization's data has increased compared to last year.          66%                                       49%
Compared to last year, my organization's privacy/security staffing has increased.    48%                                       31%
Average reported number of privacy/security issues per respondent in last two years. 1.14                                      1.22

Source: PwC Health Research Institute privacy and security survey, 2011

Page 28

Conclusion / Q&A

Page 29

Questions or Presentation Copies

James Koenig
Leader, Privacy Practice; and Security Leader, Health Information Technology Practice
[email protected]