How to mitigate risks, liabilities and costs of data breach of health information by third parties
April 17, 2012 ID Experts Webinar www.idexpertscorp.com
Rick Kam, President and Co-Founder
Ellen M. Giblin, Privacy Counsel
Key Takeaways
• Relevance of the “PHI Report” on valuing PHI
• Top threats and risks to PHI
• Risk mitigation using third party agreements
• Evolving regulatory environment
• Steps to mitigate risk
The “PHI Project”
• REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
• WHY: Increased number and frequency of data breaches
• WHO: Guardians of the trust forming the foundation of the health care delivery system
• SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security
What’s Happening?
The number of organizations handling PHI is expanding
The adoption of ePHI has increased the information flow risks
The rewards of medical ID theft have surged
The Ramifications
For the first time in history, it is possible to:
• Improperly disclose PHI of millions of individuals “in a matter of seconds,”
• Steal health information from a virtual location, and
• Breach PHI in a manner that makes it impossible to restore.
Why Steal PHI?
• Physician ID numbers are used to fraudulently bill for services
• Patient ID information is lent to friends or relatives in need of services
• Patient ID numbers are sold on the black market
Medicare fraud estimate? $60B/year
Majority of clinical fraud? Obtaining prescription narcotics for illegitimate use
~5% of clinical fraud: Free health care
Patient ID information: $50/record
Social Security number: $1
Average payout for defrauding a health care organization: $20,000
Regular ID theft? $2,000
Top Elements Threatening PHI Security
Human
• Malicious Insider
• Non-Malicious Insider
• Outsider
• State-Sponsored Cyber Crime
Evolving Stakeholders
• BAs and Subcontractors
• Cloud Providers
• Virtual Physician’s Office
Methods
• Lost / Stolen Media
• Intrusion
• Dissemination of Data
• Mobile Devices
• Wireless Devices
The PHIve Method
• Conduct Risk Assessment
• Determine Security Readiness Score
• Assess the Relevance of a Cost
• Determine the Impact
• Calculate the Total Cost of a Breach
Sample Case Study
Unintentional, Business Associate, 845,000 records, clinical fraud resulting in 1 death, financial fraud, NYC
Estimated Total Impact
Grand Total of Breach Costs: $26,493,617
Annual Revenue of Entity: $241,836,404
% of Cost to Annual Revenue: 11%
Impact Score: Severe
How Much to Invest?
• How much would a data breach cost?
• Given current safeguards and controls, how often can an organization expect to experience a data breach?
• What investments can be made to reduce the frequency of a data breach?
• What are the associated annual savings of a delayed data breach?
• Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?
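The investment questions above, worked through in code as an added illustration (not code from the webinar or from ID Experts): the breach cost and annual revenue are the deck's sample case study figures, while the baseline breach frequency and the candidate enhancement programs are constructed, hypothetical values.

```python
"""Breach cost versus safeguard investment, following the deck's "How Much to Invest?" questions.

Added illustration, not from the ID Experts deck. BREACH_COST and ANNUAL_REVENUE
are the deck's sample case study figures; the frequency and program figures are constructed.
"""
from dataclasses import dataclass

BREACH_COST = 26_493_617            # grand total of breach costs (deck case study)
ANNUAL_REVENUE = 241_836_404        # annual revenue of entity (deck case study)
BASELINE_BREACHES_PER_YEAR = 0.2    # constructed: one breach expected every five years


@dataclass(frozen=True)
class Program:
    """A candidate enhancement program (hypothetical figures)."""
    name: str
    annual_cost: float          # yearly cost of the safeguard
    breaches_per_year: float    # expected breach frequency once it is in place


def cost_to_revenue_pct(breach_cost: float, revenue: float) -> float:
    """Breach cost as a percentage of annual revenue (the deck reports 11%)."""
    return 100.0 * breach_cost / revenue


def expected_annual_loss(breach_cost: float, breaches_per_year: float) -> float:
    """Expected yearly loss: cost of one breach times its expected yearly frequency."""
    return breach_cost * breaches_per_year


def annual_savings(breach_cost: float, baseline_freq: float, program: Program) -> float:
    """Annual savings of the delayed (less frequent) breach the program buys."""
    return (expected_annual_loss(breach_cost, baseline_freq)
            - expected_annual_loss(breach_cost, program.breaches_per_year))


def affordable_programs(breach_cost: float, baseline_freq: float, programs):
    """Programs costing less than the savings they deliver, largest net benefit first."""
    scored = [(annual_savings(breach_cost, baseline_freq, p) - p.annual_cost, p) for p in programs]
    return [p for net, p in sorted(scored, key=lambda s: s[0], reverse=True) if net > 0]


CANDIDATES = [  # constructed examples, not figures from the deck
    Program("BA assessment and contract review", 400_000, 0.10),
    Program("Encrypted mobile devices and media", 1_500_000, 0.15),
    Program("Expanded workforce privacy training", 250_000, 0.18),
]

if __name__ == "__main__":
    print(f"breach cost / revenue: {cost_to_revenue_pct(BREACH_COST, ANNUAL_REVENUE):.1f}%")
    print(f"expected annual loss: ${expected_annual_loss(BREACH_COST, BASELINE_BREACHES_PER_YEAR):,.0f}")
    for p in affordable_programs(BREACH_COST, BASELINE_BREACHES_PER_YEAR, CANDIDATES):
        net = annual_savings(BREACH_COST, BASELINE_BREACHES_PER_YEAR, p) - p.annual_cost
        print(f"{p.name}: net annual benefit ${net:,.0f}")
```

With the constructed figures, the encryption program is rejected because its yearly cost exceeds the savings from the frequency reduction it buys; the other two pass the deck's "costs less than the annual savings" test.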
Vendor Risk Ecosystem
Managing and Mitigating Vendors in the Risk Ecosystem
Evolving Regulatory and Enforcement Environment
• Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates — claims processing, administration, data analysis, billing, benefits management — and could potentially extend to subcontractors.
Evolving Regulatory and Enforcement Environment
• The Department of Health and Human Services Office for Civil Rights (OCR) has recently deepened its enforcement to include business associates (BAs). And the recent Minnesota Attorney General’s action against Accretive Health is evidence that states are also stepping up their scrutiny of business associates using their authority under the HITECH Act.
Business Associates Integral to the Risk Management Ecosystem
• That’s not without cause. Business associates are the second top source of data breaches, according to a recent benchmark study on patient privacy and data security by the Ponemon Institute. In fact, Leon Rodriguez, director of the OCR, notes that 63 percent of the people affected by OCR-reported data breaches were the result of security lapses at a business associate.
Key Steps to Minimize Vendor Risk
• The OCR’s extended scrutiny is putting pressure on covered entities to more proactively and frequently measure business associates’ HITECH compliance. To keep them in check, covered entities would do well to ask some important questions of, or about, their business associates:
Step One: Assess the Criticality of Service
• How critical is the business associate to my organization? Is it operationally critical or tied to my brand? Is there a viable alternative? Using a metric of sorts to weigh the importance of a business associate against its risks can be helpful. For instance, an electronic health records system provider may be a higher risk because of the amount of sensitive data it processes, yet replacing the system may not be feasible.
Step Two: Contractual Safeguards
• Do I have an updated agreement in place with each business associate, one that evolves to meet changing privacy and security needs? Some reasons to update may include changes in types of services provided; change in policies and procedures based on annual review or simulations; or data breaches or environmental changes.
Step Three: Due Diligence
• What security standards does the BA comply with? Does the business associate conduct employee training, annual risk assessment and/or risk analysis according to HIPAA privacy, security and breach notification rules? Can it provide you a copy of its most recent assessment, risk mitigation plan, and progress report? Does it have a privacy and compliance official?
Step Three: Due Diligence
• Has the business associate had privacy or security incidents with other covered entities? Request to talk to the other covered entities it services to find out about the BA’s practices regarding the incident and how it was handled. This can be a predictor of future events and of any impact on your organization.
Step Four: Operationalize the BA Contract
• Does the business associate have an incident detection and management process? How does the business associate detect incidents, and what will trigger it to notify the covered entity? How soon must that BA notify you in the event of an incident? Is it enough time to conduct an incident assessment and meet the breach response obligations according to federal and state(s) laws?
Step Four: Operationalize the BA Contract
• What are the contractual obligations or indemnity provisions if there is an incident? Covered entities are responsible for the breaches caused by their business associates, including notification costs. Given the increased enforcement and expensive notification and remediation procedures, however, business associates should assume some financial liability. More importantly, is the business associate able to bear the indemnity costs, either through their own resources, cyber insurance, or other form of security?
Step Four: Operationalize the BA Contract
• What are the legal and contractual requirements for offshore business associates and sub-contractors? These third-party providers are not subject to HIPAA privacy and security regulations. Covered entities or business associates contracting with foreign third parties should include any requirements for safeguarding PHI within the agreements, and not depend on foreign law.
Step Five: Minimize the Risk
• What about termination clauses? Do you have a clear set of guidelines under which you will terminate a business associate agreement? Can you monitor for these guidelines, and can the BA provide you necessary information for making this decision?
Step Six: Manage the Risk Ecosystem
• Covered entities bear an enormous burden for safeguarding the PHI in their care. The further that sensitive data goes downstream, the more difficult it can be to protect it. But with increasing enforcement on the federal and state levels, covered entities have the right and obligation to insist on evidence of compliance from their business associates, and as much as possible, their sub-contractors.
Questions & Answers
Rick Kam, President & Co-Founder, ID Experts, 800-298-7558
Ellen M. Giblin, Privacy Counsel, Ashcroft Law Firm, 617-573-9400