pwc data security report - healthcare

8/16/2019 Pwc Data Security Report - Healthcare

1/12

 Putting data securityon the top table:How healthcare organisations canmanage information more safely 

 June 2013When we conducted our latest annual global

CEO survey, we were startled to learn that

only 24% of healthcare CEOs worry about

being able to protect intellectual property

and customer data.1  This seems remarkable,

given that in the US alone there have been

571 security breaches affecting at least 500

patients since September 2009.2

Healthcare CIOs are less sanguine about the

situation than CEOs, although even they

sometimes underestimate the risks: 42% of

those we polled in another recent study said

they had an information security strategy

and proactively executed it. But when we

probed more deeply, we found that fewer

than half had policies for safeguarding data

stored in clouds, mobile devices or social

media sites – all increasingly important tools

for sharing and storing information.3

Structural and technological changes

are transforming the way in which the

healthcare industry operates. The rules

governing the protection of personal data are

also becoming more stringent. Meanwhile,

the hackers are getting more numerous

and more creative, one highly experienced

healthcare CIO warns. Today, no healthcare

organisation can afford to rest on its laurels.

 New ways of working together 

One of the biggest changes taking place

concerns the way in which healthcare

providers get paid, as healthcare systems

almost everywhere struggle to contain

soaring costs. Under the US Affordable

Care Act of 2010, for example, all hospitals

serving Medicare patients with the most

common conditions are now paid for the

quality of the care, rather than the quantity

of services, they supply. This concept will

gradually be extended to other healthcare

providers.4 

The British National Health Service has

adopted a similar approach. It launched a

major pay-for-performance initiative, known

 Puttin g data secu rity on the top tab le

8/16/2019 Pwc Data Security Report - Healthcare

2/12

2  Puttin g data secu rit y on the top tabl e

as the Quality and Outcomes Framework, in 2004.

5

 And healthcare payers in othercountries, including the Philippines, Vietnam, Rwanda, Tanzania and Zambia, are

experimenting with their own variants.6

The shift from the traditional fee-for-service model to value-based purchasing has

huge implications for the healthcare industry. All providers will have to capture,

measure and report on vast quantities of outcomes data. Providers and payers

are also likely to become more integrated, with the development of bundled

reimbursement packages for specic conditions.

 A second key change will reinforce this trend towards closer collaboration. It’s

commonly recognised that pooling and mining massive amounts of data cangenerate insights that can’t be gleaned from analysing many smaller, separate data

sets. But unleashing the potential of ‘big data’ entails sharing more information

more widely, both inside and outside the industry.

 Disruptive devices 

The healthcare sector is simultaneously becoming more digitised, as electronic

medical record systems replace the paper-based systems of old and ‘disruptive’

technologies such as the smartphone offer new ways of engaging with patients. By

2017, the number of handheld mobile devices in use is expected to top 8.6 billion.7 

 And the newest models can be congured to interface directly with a patient’s

medical record.

Digitally enfranchised patients can also draw on more than 10,000 tness and

healthcare apps in the iTunes store, including exercise, dieting and diabetes apps,

blood pressure and heart rate monitors, and sleep and mood trackers. In fact,

several companies have even developed peripherals that can be plugged into a

smartphone to perform eye checks and electrocardiograms, although they’re not

 yet available to the public at large.8 

So more – and more sophisticated – mechanisms for capturing health data are

rapidly reaching the market, but many of them are unregulated. Very few health

apps are currently classied as medical devices requiring regulatory oversight,for example, although that may soon change.9 And since most mobile devices are

more vulnerable than computers used over a home network, they’re creating new

security risks.

8/16/2019 Pwc Data Security Report - Healthcare

3/12

3 Putting d ata securit y on the top tab le

Take the case of wirelessly implanted debrillators for controlling the heartbeat.In the right hands, these are valuable medical aids. But researchers have

demonstrated that it’s possible to glean personal information by eavesdropping on

the signals these implants emit. Indeed, they can even be reprogrammed to deliver

a fatal jolt of electricity.10

Nor is it just the patient who’s in danger. When a device interfaces directly with a

patient’s medical record, it exposes that record to viruses. And a virus can spread

from one record to another, until it’s corrupted a healthcare provider’s entire

electronic medical record system.

New technologies such as cloud computing are compounding the challenge. Cloudshave a vital role to play in healthcare as a cost-effective means of storing, sharing

and analysing big data. Medical researchers are, for example, using the Amazon

cloud to crunch 200 terabytes of genetic data in search of new cures.11 But cloud

computing also brings new risks – and data breaches head the list, according to the

Cloud Security Alliance.12

In short, the health ecosystem is becoming increasingly interconnected,

interdependent and integrated (see Figure 1). And that’s a mixed blessing. On the

one hand, it’s paving the way for a much deeper understanding of disease and

the development of new treatments. On the other, it’s exposing all healthcare

providers, payers, patients and researchers to more cyber threats.

Physicians’

practices

Hospitals

Labs

Healthcare

payers

Medical

research

centres

Genetic

testing

companies

Social

media

sites

Patients

Figure 1 The health ecosystem is becoming increasingly interconnected

Source: PwC

Mechanisms for capturing

health data are rapidly reaching

the market, but many of them

are unregulated.

8/16/2019 Pwc Data Security Report - Healthcare

4/12

4  Puttin g data secu rit y on the top tabl e

Moreover, recent research suggests that the industry is ill prepared to manage

them. A year-long study conducted by The Washington Post revealed so many

problems that one data security expert remarked: “If our nancial industryregarded security the way the healthcare sector does, I would stuff my cash in a

mattress under my bed.”13 

Crackdown on compliance

 Yet the healthcare sector – like the nancial services sector – has to full some

exacting regulatory requirements. And the rules governing the protection of

personal data are steadily getting tougher.

In January 2013, the US Department of Health and Social Security (HSS)

published a long-awaited modication of the Health Insurance Portability and

 Accountability (HIPAA) Act of 1996. The Final HIPAA Rule, as it’s known, codiesmany of the interim requirements laid down under the Health Information

Technology for Economic and Clinical Health Act of 2009 and has some

signicant implications.

 Among other things, the new rule extends the privacy and security requirements

of HIPAA from ‘covered entities’ to their business associates and subcontractors,

and increases the penalties for any violations. It also imposes new restrictions on

 what covered entities can disclose, either for marketing and fundraising purposes

or for underwriting purposes.14

In addition, the rule gives patients several new rights, including the right to getelectronic access to their own records within 30 days of requesting it, and the

right to be notied of any suspected breaches affecting those records within 60

days of the breach being discovered. Lastly, it creates a new presumption that any

‘impermissible use or disclosure of protected health information’ is a reportable

breach, unless the organisation concerned can show there is little chance the data

has been compromised.15 

Meanwhile, the member states of the European Union (EU) already have the

most extensive data protection laws in the world, and the European Commission

is currently revising them. In January 2012, it unveiled plans for a comprehensive

overhaul of the existing regulations, both to take account of technological

advances and to harmonise practice within all the member states.

8/16/2019 Pwc Data Security Report - Healthcare

5/12

5 Putting d ata securit y on the top tab le

The proposed reforms include creating a single set of rules, valid throughout the

EU, and making each national data protection authority a one-stop shop with

supervisory powers over any business operating in any member state. A company will only have to report to the authority in the EU country where it ’s based,

instead of having to inform the authorities in every country in which it trades (as

is now the case). But all serious breaches must be reported within 24 hours.16

Moreover, all EU citizens will be able to instigate a complaint through their own

national authorities, regardless of where a company is located or the data is

processed. They will also be able to get personal data deleted, if there are no good

grounds for keeping it. And any violation of the rules will attract a ne of up to €1

million or 2% of a company’s global annual turnover.17 

The new framework has yet to be approved by the relevant bodies, so it’s unlikely

to come into force before 2015. And, given the opposition from various quarters,

it may well be modied.18  But the fact that it’s a ‘regulation’ as opposed to a

‘directive’ means it will be directly applicable to all EU member states without

requiring national legislation to implement it.19

Data protection is also rising up the agenda in Asia and Latin America. India,

Malaysia, South Korea and Taiwan recently passed new cyber security laws. And

the Chinese Ministry of Industry and Information Technology has published a

draft national standard, although whether Beijing plans to enshrine it in law isn’t

 yet clear.20 

Eleven countries in Latin America have likewise enacted data privacy legislation.

These laws vary signicantly from one country to another, but they all require

registration with a national data protection authority and impose cross-border

restrictions.21  So the safeguarding of personal data is becoming a hot topic

almost everywhere, and the penalties for leaking it are getting more punitive.

 Impact of breaches to the business

Legal issues aren’t the only concern, though. The business risks are equally

important. In one recent survey of 80 US healthcare providers, the average

economic impact of a data breach was put at $2.4 million – an increase of

$400,000 since 2010. Worse still, 39% of those that had experienced medical

identify theft said it resulted in inaccuracies in the patient’s medical record, while

26% said it affected the patient’s medical treatment. And 21% thought their

employee records were also at risk.22

8/16/2019 Pwc Data Security Report - Healthcare

6/12

6  Puttin g data secu rit y on the top tabl e

The damage to an organisation’s reputation may be immeasurable, then, since

patients take a dim view of having their privacy breached. And they’re likely to be

even less forgiving, if that results in the wrong clinical care. The more sensitivethe data, the greater the offence – and medical data is often very sensitive indeed.

 Health hacking on the rise

It’s also very valuable. A stolen medical identity sells for about US$50, whereas a

stolen social security number only fetches a couple of dollars, which explains why

hackers are now targeting the healthcare industry so actively.23  Reliable gures

on the incidence of cyber attacks are difcult, if not impossible, to obtain. But the

experts we’ve talked to unanimously report that health hacking is on the rise and

the criminals are becoming more devious.

What’s more, medical theft may soon seem like a trivial problem, as ourunderstanding of biology advances. DNA is the original operating system, notes

global security expert Marc Goodman, and to hackers, it’s just another system

to be hacked. In the future, he predicts, biocriminals will easily be able to create

genetically modied versions of existing viruses and even develop personalised

bioweapons targeted at specic individuals.24 

That said, hackers aren’t the sole – or even, perhaps, the main – threat. Hacking

accounts for only 48 of the 572 reported breaches in the US, whereas loss of

a portable electronic device or back-up tapes accounts for 78 breaches. 25  So

negligence is a factor, too.

Disgruntled staff and lax suppliers can likewise cause problems. Our research

suggests that two-fths of all cybercrimes are ‘inside jobs’ perpetrated by

employees working alone or with external fraudsters.26  It also shows that most

healthcare providers don’t require third parties to comply with their data privacy

policies – and a company is only as strong as its weakest link. 27 

Cyber security’s strategic value

To sum up, the protection of personal data is becoming an ever-bigger challenge,

as the healthcare industry turns to new business models and technologies. The

regulations are concurrently hardening, and the criminals are coming out in

force. But good cyber security isn’t just about blocking and tackling; it’s alsoabout creating business value (see Figure 2).

With strong data security measures in place, an organisation can adopt new

medical systems more rapidly and become more efcient. It can offer new mobile

healthcare services, such as remote surveillance or remote surgery. And it can

8/16/2019 Pwc Data Security Report - Healthcare

7/12

7

• Deploy services quickly

• Improve user experience

• Enter into new partnerships

• Embrace mobile users

• Combat threats

• Protect sensitive information

• Govern solutions

• Control access

• Automate security processes

• Adopt cloud models

• Increase virtualisation—securely

• Improve collaboration

Grow the business

Improve efficiency 

Protect the business

form new partnerships to make the most of the data it holds, be they partnerships

 with pharmaceutical researchers to develop new medicines, partnerships with

healthcare providers to develop better treatment protocols or partnerships with

health insurers to get a better understanding of costs. The ability to manage and

share sensitive data safely isn’t simply a legal requirement, then; it’s a source of

competitive advantage.

 Inadequate budgets and other roadblocks

So what’s stopping many healthcare providers and payers from making their data

more secure? Insufcient funding is one major obstacle. More than half of the

healthcare IT managers whom we’ve surveyed say their budgets are too small (see

Figure 3).28 Other evidence bears them out. Total IT spending as a percentage of

revenues or gross output is just 3.8% in the healthcare sector, compared with 7.3% in

nancial services and 4.5% in education and social services.29 

 Putting d ata securit y on the top tab le

2012

Insufficient capital expenditure 27%

Insufficient operating expenditure 26%

 Absence of shortage of in-house technical expertise 24%

Leadership—CEO, president, board or equivalent 20%

Lack of actionable vision or understanding 19%

Leadership—CIO or equivalent 10%

Leadership—CISO, CSO or equivalent 10%

Figure 2: Good cyber security helps a business get bigger and better

Figure 3: Lack of money, expertise and leadership are the biggest problems

Source: PwC

Source: PwC

8/16/2019 Pwc Data Security Report - Healthcare

8/12

8  Puttin g data secu rit y on the top tabl e

Lack of in-house technical expertise is another hurdle. Many healthcare

organisations employ relatively few IT people, which means they have to rely on

third parties. But that’s like asking the man who sells you a wrench to service

 your vehicle, one healthcare CIO notes. Most vendors can’t see the big picture or

help an organisation formulate the right strategy, he explains.

The most serious problems arguably arise when executive management is the

roadblock, though. This is mostly because top managers without any experience

of IT don’t really understand the risks they’re running. And given a choice

between spending limited funds on data security or more obvious measures for

stimulating growth, they opt for the latter.

Stepping stones on the path to better data protection

The rst task for the healthcare CIO who wants to beef up an organisation’s

cyber security is to assess the threats, review every IT system, assess its strengths

and weaknesses and prioritise measures. No business can eliminate all risk, so

it makes sense to focus on the biggest sources of danger: the data that’s most

 valuable and the people with the most privileged access.

Ranking risks in order of severity shows an organisation where to start. It also

allows it to manage its security investments as a portfolio, by separating measures

that are needed to keep the lights on from those that are strategic and those thatare optional, value-creating extras.

This process usually highlights several common problems. In our experience, one

frequent error is forgetting to terminate an employee’s access to a particular part

of the system when the employee moves to another department. But it’s quite easy

to automate such changes with identity and access management software. It’s

also a good idea to classify and tag all data, encrypt the most sensitive data and

give those with access to it stronger passwords.

Patch management is another common trouble spot. All systems need periodic

upgrades to x bugs or security issues, and improve their performance. Butgetting the downtime needed to install a patch isn’t always easy, and some

patches could cause a system-wide crash. So it’s essential to have a clear patch

management policy and ensure the board can make educated decisions about

 which patches to delay implementing.

8/16/2019 Pwc Data Security Report - Healthcare

9/12

9

The next step is to make sure the board is onside with the data security strategy –

and, here, the internal compliance and assurance department can be a very useful

ally. The compliance team can help to get data protection on the management

agenda by reinforcing the CIO’s arguments and explaining why requests for more

money are fuelled by legitimate concerns, not the desire for new gadgets.

Cyber security isn’t just the board’s concern, though; it’s everybody’s business.

That means it’s vital to communicate the importance of preserving condential

data to every employee in the organisation and show them how they can help.

It’s also imperative to test and audit an organisation’s systems regularly, bothto measure how secure they are and to assess the impact of any attacks. In fact,

 we recommend completing a full audit at least once a year. The worst risks

aren’t the ones a company knows about, they’re the ones it doesn’t even know it

doesn’t know about. And some breaches are so subtle that nobody realises they’re

happening, cautions one healthcare CIO.

Lastly, it’s advisable for any company with a global footprint to adopt the data

security standards of the country with the strictest regulations. That way, it can

be assured of meeting the required standards wherever it operates. And, where it

exceeds the standards, its efforts certainly won’t be wasted; it will simply be in a

stronger position to capitalise on the benets really robust data protection brings.

One obvious benet is a reputation for taking data protection seriously; patients

 want to know their private details will stay private. But the ability to move fast,

partner speedily and effectively with other participants in the health ecosystem

and pre-empt the competition are also major strategic advantages. So, when it

comes to cyber security, the right thing is also the smart thing.

 Putting d ata securit y on the top tab le

How to be an information

security leader 

1. Assess your current IT systems

for strengths and weaknesses.

2. Prioritise the risks, focusing on

the data that’s most valuable.

3. Assess your employee user

access policy.

4. Have a clear patch managementpolicy that ensures seamless

implementation.

5. Engage your board of directors

as partners to help secure

appropriate funding and

resources.

6. Communicate your data

security policy to all employees

and stakeholders.

7. Audit your IT systems at leastonce a year.

8/16/2019 Pwc Data Security Report - Healthcare

10/12

10  Puttin g data secu rit y on the top tabl e

 Notes

 1

PwC, ‘Dealing with disruption: Howhealthcare CEOs are creating resilient

organisations’ (February 2013).

 2 U.S. Department of Health & Human

Services, ‘Breaches Affecting 500 or

More Individuals’, http://www.hhs.

gov/ocr/privacy/hipaa/administrative/

breachnoticationrule/breachtool.

html(accessed 12 April 2013).

 3 PwC, ‘Changing the game:

Healthcare providers: ndings from

The Global State of Information

Security Survey 2013’ (September

2012).

4 PwC Health Research Institute,

‘Implications of the US Supreme Court

ruling on healthcare’, (August 2012

update).

 5 UK Health & Social Care Information

Centre, ‘Quality and Outcomes

Framework’, http://www.hscic.gov.uk/

services/qof/

 6 S. Witter, A. Fretheim, F. L. Kessy &

 A. K. Lindahl, ‘Paying for performance

to improve the delivery of health

interventions in low- and middle-

income countries’, Cochrane Database

of Systematic Reviews, Issue 2 (2012).

 7

 Cisco, ‘Cisco Visual NetworkingIndex: Global Mobile Data Trafc

Forecast Update, 2012-2017’ (6

February 2013).

8  Dr Jody Rank, ‘How Connected

Health, Public-Private Cooperation,

 And Big Data Can Revolutionize

Health Care’, Forbes (6 July 2012),

http://www.forbes.com/sites/

benkerschberg/2012/07/06/how-

connected-health-public-private-

cooperation-and-big-data-can-revolutionize-health-care/

 9 The US Food and Drug

 Administration proposes to regulate

a small subset of mobile medical

apps that are capable of affecting

the performance or functionality of

currently regulated medical devices,

and is now devising guidelines. The

European Union already operates

a system under which standalone

software can be registered as amedical device with a CE mark, but

it has yet to clarify precisely which

kinds of standalone software must be

registered.

10

 Barnaby J. Feder, ‘A Heart DeviceIs Found Vulnerable to Hacker

 Attacks’, The New York Times (12

March 2008), http://www.nytimes.

com/2008/03/12/business/12heart-

 web.html?_r=0

11  Brian T. Horowitz, ‘Amazon Cloud

to Ease 1000 Genomes Project

Disease Research’, eweek (31 March

2012), http://www.eweek.com/c/a/

Health-Care-IT/Amazon-Cloud-to-

Ease-1000-Genomes-Project-Disease-Research-649156/

 12 Ted Samson, ‘9 top threats to

cloud computing security’, InfoWorld

(25 February 2013), http://www.

infoworld.com/t/cloud-security/9-

top-threats-cloud-computing-

security-213428

 13 Robert O’ Harrow, Jr., ‘Health-

care sector vulnerable to hackers,

researchers say’, The Washington

Post (26 December 2012), http://

 www.washingtonpost.com/

investigations/health-care-sector-

 vulnerable-to-hackers-researcherss

ay/2012/12/25/72933598-3e50-11e2-

ae43-cf491b837f7b_print.html

8/16/2019 Pwc Data Security Report - Healthcare

11/12

 14

 PwC, ‘How to Respond to the FinalOmnibus HIPAA Rule: 10 things you

need to know’ (March 2013).

 15 Ibid.

16 European Commission press

release, ‘Commission proposes

a comprehensive reform of data

protection rules to increase users’

control of their data and to cut costs for

businesses’ (25 January 2012), http://

europa.eu/rapid/press-release_IP-12-

46_en.htm?locale=en

  17 Ibid.

18 Warwick Ashford, ‘UK calls for

opt-out of online right to be forgotten’,

ComputerWeekly.com (5 April 2013),

http://www.computerweekly.com/

news/2240180878/UK-calls-for-opt-

out-of-online-right-to-be-forgotten

 19 ‘Essential guide: EU Data Protection

Regulation’, ComputerWeekly.com,http://www.computerweekly.com/

guides/Essential-guide-What-the-EU-

Data-Protection-Regulation-changes-

mean-to-you

 20

 Freshelds Bruckhaus Deringer,‘New wave of data privacy regulations

in Asia’ (May 2012), http://m.

freshelds.com/uploadedFiles/

SiteWide/Knowledge/33207.pdf 

21  Cynthia Rich, Marian Waldmann

 Agarwal & Miriam Wugmeister,

‘Privacy in Latin America’, Bureau of

National Affairs, Privacy & Security

Law Report, 12 PVLR 12 (7 January

2013).

 22 Ponemon Institute, ‘Third Annual

Benchmark Study on Patient Privacy &

Data Security ’ (December 2012).

23  Robin Erb, ‘Data breaches put

patients at risk for identity theft ’, USA

Today (12 February 2012), http://

usatoday30.usatoday.com/news/

health/story/health/story/2012-02-12/

Data-breaches-put-patients-at-risk-for-

identity-theft/53065576/1

 24

 Marc Goodman: A vision of crimesin the future, TED Talks (June 2012),

http://www.ted.com/talks/marc_

goodman_a_vision_of_crimes_in_the_

future.html#1128409

 25 U.S. Department of Health & Human

Services, ‘Breaches Affecting 500 or

More Individuals’, http://www.hhs.

gov/ocr/privacy/hipaa/administrative

breachnoticationrule/breachtool.

html (accessed 12 April 2013).

 26 PwC, ‘Cybercrime: protecting

against the growing threat’ (November

2011), http://www.pwc.com/en_GX/

gx/economic-crime-survey/assets/

GECS_GLOBAL_REPORT.pdf 

27  PwC, ‘Changing the game:

Healthcare providers: ndings from

The Global State of Information

Security Survey 2013 (September

2012).

28 Ibid.

29 Deutsche Bank, ‘IT in banks: What

does it cost?’ (20 December 2012), p. 2.

8/16/2019 Pwc Data Security Report - Healthcare

12/12

© 2013 PwC. All rights reserved. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires,individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCILdoes not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of theirprofessional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control theexercise of another member firm’s professiona l judgment or bind another member firm or PwCIL in any way. NY-13-0708

 For more information, please visit www.pwc.com/global-health

 Australia 

Klaus Boehncke

+61 2 8266 0626

klaus.boehncke@au.pwc.com

Canada 

William Falk

+1 416 687 8486

 william.f.falk@ca.pwc.com

China/HK  

Mark Gilbraith+86 21 2323 2898

mark.gilbraith@cn.pwc.com

Germany

Robert Paffen

+49 89 5790 6025

robert.paffen@de.pwc.com

 Finland

Karita Reijonsaari

+358 (0) 9 22800

karita.reijonsaari@.pwc.com

 India

Dr. Rana Mehta

+91 124 330 6006

rana.mehta@in.pwc.com

 Italy

 Andrea Fortuna

+2 66 720 547

andrea.fortuna@it.pwc.com

 Japan

 Yasushi Tabuchi

+81 80 3710 4138

 yasushi.tabuchi@jp.pwc.com

 Mexico

José Alarcón

+52 55 5263 6028

 jose.alarcon@mx.pwc.com

 Netherlands

Otto Vermeulen+31 (0) 887926374

otto.vermeulen@nl.pwc.com

Cokky Hilhorst

+31 (0) 8879 27384

cokky.hilhorst@nl.pwc.com

Sweden

Jon Arwidson

+46 (0) 10 213 3102

 jon.arwidson@se.pwc.com

Switzerland Axel Timm

+41 (0) 58 792 2722

axel.timm@ch.pwc.com

South Africa

Diederik Fouche

+27 11 797 4291

diederik.fouche@za.pwc.com

United States

Daniel Garrett

+1 267 330 8202

daniel.garrett@us.pwc.com

Peter Harries

+1 213 356 6760

peter.harries@us.pwc.com

James H. Koenig

+1 267 330 1537

 james.h.koenig@us.pwc.com

Nalneesh Gaur

+1 214 649 1261

nalneesh.gaur@us.pwc.com

Mick Coady

+1 713 356 4366

mick.coady@us.pwc.com

United Kingdom

Sunil Patel

+44 (0) 207 212 3484

sunil.k.patel@uk.pwc.com

Contacts: