PwC Data Security Report - Healthcare
8/16/2019 Pwc Data Security Report - Healthcare
1/12
Putting data security on the top table: How healthcare organisations can manage information more safely
June 2013
When we conducted our latest annual global
CEO survey, we were startled to learn that
only 24% of healthcare CEOs worry about
being able to protect intellectual property
and customer data.1 This seems remarkable,
given that in the US alone there have been
571 security breaches affecting at least 500
patients since September 2009.2
Healthcare CIOs are less sanguine about the
situation than CEOs, although even they
sometimes underestimate the risks: 42% of
those we polled in another recent study said
they had an information security strategy
and proactively executed it. But when we
probed more deeply, we found that fewer
than half had policies for safeguarding data
stored in clouds, mobile devices or social
media sites – all increasingly important tools
for sharing and storing information.3
Structural and technological changes
are transforming the way in which the
healthcare industry operates. The rules
governing the protection of personal data are
also becoming more stringent. Meanwhile,
the hackers are getting more numerous
and more creative, one highly experienced
healthcare CIO warns. Today, no healthcare
organisation can afford to rest on its laurels.
New ways of working together
One of the biggest changes taking place
concerns the way in which healthcare
providers get paid, as healthcare systems
almost everywhere struggle to contain
soaring costs. Under the US Affordable
Care Act of 2010, for example, all hospitals
serving Medicare patients with the most
common conditions are now paid for the
quality of the care, rather than the quantity
of services, they supply. This concept will
gradually be extended to other healthcare
providers.4
The British National Health Service has
adopted a similar approach. It launched a
major pay-for-performance initiative, known
as the Quality and Outcomes Framework, in 2004.5
And healthcare payers in other countries, including the Philippines, Vietnam, Rwanda, Tanzania and Zambia, are
experimenting with their own variants.6
The shift from the traditional fee-for-service model to value-based purchasing has
huge implications for the healthcare industry. All providers will have to capture,
measure and report on vast quantities of outcomes data. Providers and payers
are also likely to become more integrated, with the development of bundled
reimbursement packages for specific conditions.
A second key change will reinforce this trend towards closer collaboration. It’s
commonly recognised that pooling and mining massive amounts of data can generate insights that can’t be gleaned from analysing many smaller, separate data
sets. But unleashing the potential of ‘big data’ entails sharing more information
more widely, both inside and outside the industry.
Disruptive devices
The healthcare sector is simultaneously becoming more digitised, as electronic
medical record systems replace the paper-based systems of old and ‘disruptive’
technologies such as the smartphone offer new ways of engaging with patients. By
2017, the number of handheld mobile devices in use is expected to top 8.6 billion.7
And the newest models can be configured to interface directly with a patient’s
medical record.
Digitally enfranchised patients can also draw on more than 10,000 fitness and
healthcare apps in the iTunes store, including exercise, dieting and diabetes apps,
blood pressure and heart rate monitors, and sleep and mood trackers. In fact,
several companies have even developed peripherals that can be plugged into a
smartphone to perform eye checks and electrocardiograms, although they’re not
yet available to the public at large.8
So more – and more sophisticated – mechanisms for capturing health data are
rapidly reaching the market, but many of them are unregulated. Very few health
apps are currently classified as medical devices requiring regulatory oversight, for example, although that may soon change.9 And since most mobile devices are
more vulnerable than computers used over a home network, they’re creating new
security risks.
Take the case of wirelessly implanted defibrillators for controlling the heartbeat. In the right hands, these are valuable medical aids. But researchers have
demonstrated that it’s possible to glean personal information by eavesdropping on
the signals these implants emit. Indeed, they can even be reprogrammed to deliver
a fatal jolt of electricity.10
Nor is it just the patient who’s in danger. When a device interfaces directly with a
patient’s medical record, it exposes that record to viruses. And a virus can spread
from one record to another, until it’s corrupted a healthcare provider’s entire
electronic medical record system.
New technologies such as cloud computing are compounding the challenge. Clouds have a vital role to play in healthcare as a cost-effective means of storing, sharing
and analysing big data. Medical researchers are, for example, using the Amazon
cloud to crunch 200 terabytes of genetic data in search of new cures.11 But cloud
computing also brings new risks – and data breaches head the list, according to the
Cloud Security Alliance.12
In short, the health ecosystem is becoming increasingly interconnected,
interdependent and integrated (see Figure 1). And that’s a mixed blessing. On the
one hand, it’s paving the way for a much deeper understanding of disease and
the development of new treatments. On the other, it’s exposing all healthcare
providers, payers, patients and researchers to more cyber threats.
Figure 1: The health ecosystem is becoming increasingly interconnected (physicians’ practices, hospitals, labs, healthcare payers, medical research centres, genetic testing companies, social media sites and patients)
Source: PwC
Moreover, recent research suggests that the industry is ill prepared to manage
them. A year-long study conducted by The Washington Post revealed so many
problems that one data security expert remarked: “If our financial industry regarded security the way the healthcare sector does, I would stuff my cash in a
mattress under my bed.”13
Crackdown on compliance
Yet the healthcare sector – like the financial services sector – has to fulfil some
exacting regulatory requirements. And the rules governing the protection of
personal data are steadily getting tougher.
In January 2013, the US Department of Health and Social Security (HSS)
published a long-awaited modification of the Health Insurance Portability and
Accountability (HIPAA) Act of 1996. The Final HIPAA Rule, as it’s known, codifies many of the interim requirements laid down under the Health Information
Technology for Economic and Clinical Health Act of 2009 and has some
significant implications.
Among other things, the new rule extends the privacy and security requirements
of HIPAA from ‘covered entities’ to their business associates and subcontractors,
and increases the penalties for any violations. It also imposes new restrictions on
what covered entities can disclose, either for marketing and fundraising purposes
or for underwriting purposes.14
In addition, the rule gives patients several new rights, including the right to get electronic access to their own records within 30 days of requesting it, and the
right to be notified of any suspected breaches affecting those records within 60
days of the breach being discovered. Lastly, it creates a new presumption that any
‘impermissible use or disclosure of protected health information’ is a reportable
breach, unless the organisation concerned can show there is little chance the data
has been compromised.15
Meanwhile, the member states of the European Union (EU) already have the
most extensive data protection laws in the world, and the European Commission
is currently revising them. In January 2012, it unveiled plans for a comprehensive
overhaul of the existing regulations, both to take account of technological
advances and to harmonise practice within all the member states.
The proposed reforms include creating a single set of rules, valid throughout the
EU, and making each national data protection authority a one-stop shop with
supervisory powers over any business operating in any member state. A company will only have to report to the authority in the EU country where it’s based,
instead of having to inform the authorities in every country in which it trades (as
is now the case). But all serious breaches must be reported within 24 hours.16
Moreover, all EU citizens will be able to instigate a complaint through their own
national authorities, regardless of where a company is located or the data is
processed. They will also be able to get personal data deleted, if there are no good
grounds for keeping it. And any violation of the rules will attract a fine of up to €1
million or 2% of a company’s global annual turnover.17
The new framework has yet to be approved by the relevant bodies, so it’s unlikely
to come into force before 2015. And, given the opposition from various quarters,
it may well be modified.18 But the fact that it’s a ‘regulation’ as opposed to a
‘directive’ means it will be directly applicable to all EU member states without
requiring national legislation to implement it.19
Data protection is also rising up the agenda in Asia and Latin America. India,
Malaysia, South Korea and Taiwan recently passed new cyber security laws. And
the Chinese Ministry of Industry and Information Technology has published a
draft national standard, although whether Beijing plans to enshrine it in law isn’t
yet clear.20
Eleven countries in Latin America have likewise enacted data privacy legislation.
These laws vary significantly from one country to another, but they all require
registration with a national data protection authority and impose cross-border
restrictions.21 So the safeguarding of personal data is becoming a hot topic
almost everywhere, and the penalties for leaking it are getting more punitive.
Impact of breaches to the business
Legal issues aren’t the only concern, though. The business risks are equally
important. In one recent survey of 80 US healthcare providers, the average
economic impact of a data breach was put at $2.4 million – an increase of
$400,000 since 2010. Worse still, 39% of those that had experienced medical
identity theft said it resulted in inaccuracies in the patient’s medical record, while
26% said it affected the patient’s medical treatment. And 21% thought their
employee records were also at risk.22
The damage to an organisation’s reputation may be immeasurable, then, since
patients take a dim view of having their privacy breached. And they’re likely to be
even less forgiving, if that results in the wrong clinical care. The more sensitive the data, the greater the offence – and medical data is often very sensitive indeed.
Health hacking on the rise
It’s also very valuable. A stolen medical identity sells for about US$50, whereas a
stolen social security number only fetches a couple of dollars, which explains why
hackers are now targeting the healthcare industry so actively.23 Reliable figures
on the incidence of cyber attacks are difficult, if not impossible, to obtain. But the
experts we’ve talked to unanimously report that health hacking is on the rise and
the criminals are becoming more devious.
What’s more, medical theft may soon seem like a trivial problem, as our understanding of biology advances. DNA is the original operating system, notes
global security expert Marc Goodman, and to hackers, it’s just another system
to be hacked. In the future, he predicts, biocriminals will easily be able to create
genetically modified versions of existing viruses and even develop personalised
bioweapons targeted at specific individuals.24
That said, hackers aren’t the sole – or even, perhaps, the main – threat. Hacking
accounts for only 48 of the 572 reported breaches in the US, whereas loss of
a portable electronic device or back-up tapes accounts for 78 breaches.25 So
negligence is a factor, too.
Disgruntled staff and lax suppliers can likewise cause problems. Our research
suggests that two-fifths of all cybercrimes are ‘inside jobs’ perpetrated by
employees working alone or with external fraudsters.26 It also shows that most
healthcare providers don’t require third parties to comply with their data privacy
policies – and a company is only as strong as its weakest link.27
Cyber security’s strategic value
To sum up, the protection of personal data is becoming an ever-bigger challenge,
as the healthcare industry turns to new business models and technologies. The
regulations are concurrently hardening, and the criminals are coming out in
force. But good cyber security isn’t just about blocking and tackling; it’s also about creating business value (see Figure 2).
With strong data security measures in place, an organisation can adopt new
medical systems more rapidly and become more efficient. It can offer new mobile
healthcare services, such as remote surveillance or remote surgery. And it can
form new partnerships to make the most of the data it holds, be they partnerships
with pharmaceutical researchers to develop new medicines, partnerships with
healthcare providers to develop better treatment protocols or partnerships with
health insurers to get a better understanding of costs. The ability to manage and
share sensitive data safely isn’t simply a legal requirement, then; it’s a source of
competitive advantage.
Figure 2: Good cyber security helps a business get bigger and better
Grow the business; Improve efficiency; Protect the business
• Deploy services quickly
• Improve user experience
• Enter into new partnerships
• Embrace mobile users
• Combat threats
• Protect sensitive information
• Govern solutions
• Control access
• Automate security processes
• Adopt cloud models
• Increase virtualisation—securely
• Improve collaboration
Source: PwC
Inadequate budgets and other roadblocks
So what’s stopping many healthcare providers and payers from making their data
more secure? Insufficient funding is one major obstacle. More than half of the
healthcare IT managers whom we’ve surveyed say their budgets are too small (see
Figure 3).28 Other evidence bears them out. Total IT spending as a percentage of
revenues or gross output is just 3.8% in the healthcare sector, compared with 7.3% in
financial services and 4.5% in education and social services.29
Figure 3: Lack of money, expertise and leadership are the biggest problems (2012)
Insufficient capital expenditure: 27%
Insufficient operating expenditure: 26%
Absence or shortage of in-house technical expertise: 24%
Leadership—CEO, president, board or equivalent: 20%
Lack of actionable vision or understanding: 19%
Leadership—CIO or equivalent: 10%
Leadership—CISO, CSO or equivalent: 10%
Source: PwC
Lack of in-house technical expertise is another hurdle. Many healthcare
organisations employ relatively few IT people, which means they have to rely on
third parties. But that’s like asking the man who sells you a wrench to service
your vehicle, one healthcare CIO notes. Most vendors can’t see the big picture or
help an organisation formulate the right strategy, he explains.
The most serious problems arguably arise when executive management is the
roadblock, though. This is mostly because top managers without any experience
of IT don’t really understand the risks they’re running. And given a choice
between spending limited funds on data security or more obvious measures for
stimulating growth, they opt for the latter.
Stepping stones on the path to better data protection
The first task for the healthcare CIO who wants to beef up an organisation’s
cyber security is to assess the threats, review every IT system, assess its strengths
and weaknesses and prioritise measures. No business can eliminate all risk, so
it makes sense to focus on the biggest sources of danger: the data that’s most
valuable and the people with the most privileged access.
Ranking risks in order of severity shows an organisation where to start. It also
allows it to manage its security investments as a portfolio, by separating measures
that are needed to keep the lights on from those that are strategic and those that are optional, value-creating extras.
This process usually highlights several common problems. In our experience, one
frequent error is forgetting to terminate an employee’s access to a particular part
of the system when the employee moves to another department. But it’s quite easy
to automate such changes with identity and access management software. It’s
also a good idea to classify and tag all data, encrypt the most sensitive data and
give those with access to it stronger passwords.
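The access-termination error described above is exactly what a nightly identity-and-access reconciliation catches. The following is an added illustration, not code from PwC or any IAM product: it compares a constructed HR feed (user, department, status) with a constructed entitlement export and a hypothetical department-to-group role model, and lists every grant that no longer matches the user’s current department or status, so that the mover’s old access, a leaver’s lingering access and an orphan account all surface as revocations.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the report): an HR feed and an
# entitlement export of the kind an IAM tool would reconcile nightly.
HR_FEED = [
    {"user": "a.lee",    "department": "radiology", "status": "active"},
    {"user": "b.okafor", "department": "billing",   "status": "active"},      # moved here from pharmacy
    {"user": "c.diaz",   "department": "pharmacy",  "status": "terminated"},
]

ENTITLEMENTS: List[Tuple[str, str]] = [
    ("a.lee",    "pacs-readers"),
    ("b.okafor", "claims-editors"),
    ("b.okafor", "pharmacy-dispense"),   # stale: kept after the department move
    ("c.diaz",   "pharmacy-dispense"),   # leaver: account should hold nothing
    ("z.ghost",  "pacs-admins"),         # orphan: no HR record at all
]

# Hypothetical role model: which groups each department is entitled to hold.
DEPARTMENT_GROUPS: Dict[str, Set[str]] = {
    "radiology": {"pacs-readers", "pacs-admins"},
    "billing":   {"claims-editors"},
    "pharmacy":  {"pharmacy-dispense"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str


def reconcile(hr_feed: List[dict],
              entitlements: List[Tuple[str, str]],
              department_groups: Dict[str, Set[str]]) -> List[Finding]:
    """Compare current HR state with granted groups and list every stale grant."""
    hr = {row["user"]: row for row in hr_feed}
    findings: List[Finding] = []
    for user, group in entitlements:
        record = hr.get(user)
        if record is None:
            # Account exists in the directory but HR knows nothing about it.
            findings.append(Finding(user, group, "no HR record (orphan account)"))
        elif record["status"] != "active":
            # Leavers keep no access, whatever department they were in.
            findings.append(Finding(user, group, "user is not active"))
        elif group not in department_groups.get(record["department"], set()):
            # Movers keep only the groups their current department permits.
            findings.append(Finding(user, group,
                                    f"not permitted for department {record['department']}"))
    return findings


def revocations(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Reduce findings to sorted (user, group) pairs for the IAM connector to revoke."""
    return sorted({(f.user, f.group) for f in findings})


if __name__ == "__main__":
    for f in reconcile(HR_FEED, ENTITLEMENTS, DEPARTMENT_GROUPS):
        print(f"REVOKE {f.user} from {f.group}: {f.reason}")
```

Running it on the constructed data yields three revocations: b.okafor’s leftover pharmacy group, c.diaz’s post-termination group and the orphan z.ghost account. In practice the same comparison is driven from the HR system of record and the directory export, and the revocation list is fed to the provisioning connector rather than printed.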
Patch management is another common trouble spot. All systems need periodic
upgrades to fix bugs or security issues, and improve their performance. But getting the downtime needed to install a patch isn’t always easy, and some
patches could cause a system-wide crash. So it’s essential to have a clear patch
management policy and ensure the board can make educated decisions about
which patches to delay implementing.
The next step is to make sure the board is onside with the data security strategy –
and, here, the internal compliance and assurance department can be a very useful
ally. The compliance team can help to get data protection on the management
agenda by reinforcing the CIO’s arguments and explaining why requests for more
money are fuelled by legitimate concerns, not the desire for new gadgets.
Cyber security isn’t just the board’s concern, though; it’s everybody’s business.
That means it’s vital to communicate the importance of preserving confidential
data to every employee in the organisation and show them how they can help.
It’s also imperative to test and audit an organisation’s systems regularly, both to measure how secure they are and to assess the impact of any attacks. In fact,
we recommend completing a full audit at least once a year. The worst risks
aren’t the ones a company knows about, they’re the ones it doesn’t even know it
doesn’t know about. And some breaches are so subtle that nobody realises they’re
happening, cautions one healthcare CIO.
Lastly, it’s advisable for any company with a global footprint to adopt the data
security standards of the country with the strictest regulations. That way, it can
be assured of meeting the required standards wherever it operates. And, where it
exceeds the standards, its efforts certainly won’t be wasted; it will simply be in a
stronger position to capitalise on the benefits really robust data protection brings.
One obvious benefit is a reputation for taking data protection seriously; patients
want to know their private details will stay private. But the ability to move fast,
partner speedily and effectively with other participants in the health ecosystem
and pre-empt the competition are also major strategic advantages. So, when it
comes to cyber security, the right thing is also the smart thing.
How to be an information security leader
1. Assess your current IT systems for strengths and weaknesses.
2. Prioritise the risks, focusing on the data that’s most valuable.
3. Assess your employee user access policy.
4. Have a clear patch management policy that ensures seamless implementation.
5. Engage your board of directors as partners to help secure appropriate funding and resources.
6. Communicate your data security policy to all employees and stakeholders.
7. Audit your IT systems at least once a year.
Notes
1 PwC, ‘Dealing with disruption: How healthcare CEOs are creating resilient organisations’ (February 2013).
2 U.S. Department of Health & Human Services, ‘Breaches Affecting 500 or More Individuals’, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (accessed 12 April 2013).
3 PwC, ‘Changing the game: Healthcare providers: findings from The Global State of Information Security Survey 2013’ (September 2012).
4 PwC Health Research Institute, ‘Implications of the US Supreme Court ruling on healthcare’ (August 2012 update).
5 UK Health & Social Care Information Centre, ‘Quality and Outcomes Framework’, http://www.hscic.gov.uk/services/qof/
6 S. Witter, A. Fretheim, F. L. Kessy & A. K. Lindahl, ‘Paying for performance to improve the delivery of health interventions in low- and middle-income countries’, Cochrane Database of Systematic Reviews, Issue 2 (2012).
7 Cisco, ‘Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012-2017’ (6 February 2013).
8 Dr Jody Rank, ‘How Connected Health, Public-Private Cooperation, And Big Data Can Revolutionize Health Care’, Forbes (6 July 2012), http://www.forbes.com/sites/benkerschberg/2012/07/06/how-connected-health-public-private-cooperation-and-big-data-can-revolutionize-health-care/
9 The US Food and Drug Administration proposes to regulate a small subset of mobile medical apps that are capable of affecting the performance or functionality of currently regulated medical devices, and is now devising guidelines. The European Union already operates a system under which standalone software can be registered as a medical device with a CE mark, but it has yet to clarify precisely which kinds of standalone software must be registered.
10 Barnaby J. Feder, ‘A Heart Device Is Found Vulnerable to Hacker Attacks’, The New York Times (12 March 2008), http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=0
11 Brian T. Horowitz, ‘Amazon Cloud to Ease 1000 Genomes Project Disease Research’, eWeek (31 March 2012), http://www.eweek.com/c/a/Health-Care-IT/Amazon-Cloud-to-Ease-1000-Genomes-Project-Disease-Research-649156/
12 Ted Samson, ‘9 top threats to cloud computing security’, InfoWorld (25 February 2013), http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428
13 Robert O’Harrow, Jr., ‘Health-care sector vulnerable to hackers, researchers say’, The Washington Post (26 December 2012), http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_print.html
14 PwC, ‘How to Respond to the Final Omnibus HIPAA Rule: 10 things you need to know’ (March 2013).
15 Ibid.
16 European Commission press release, ‘Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses’ (25 January 2012), http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en
17 Ibid.
18 Warwick Ashford, ‘UK calls for opt-out of online right to be forgotten’, ComputerWeekly.com (5 April 2013), http://www.computerweekly.com/news/2240180878/UK-calls-for-opt-out-of-online-right-to-be-forgotten
19 ‘Essential guide: EU Data Protection Regulation’, ComputerWeekly.com, http://www.computerweekly.com/guides/Essential-guide-What-the-EU-Data-Protection-Regulation-changes-mean-to-you
20 Freshfields Bruckhaus Deringer, ‘New wave of data privacy regulations in Asia’ (May 2012), http://m.freshfields.com/uploadedFiles/SiteWide/Knowledge/33207.pdf
21 Cynthia Rich, Marian Waldmann Agarwal & Miriam Wugmeister, ‘Privacy in Latin America’, Bureau of National Affairs, Privacy & Security Law Report, 12 PVLR 12 (7 January 2013).
22 Ponemon Institute, ‘Third Annual Benchmark Study on Patient Privacy & Data Security’ (December 2012).
23 Robin Erb, ‘Data breaches put patients at risk for identity theft’, USA Today (12 February 2012), http://usatoday30.usatoday.com/news/health/story/health/story/2012-02-12/Data-breaches-put-patients-at-risk-for-identity-theft/53065576/1
24 Marc Goodman, ‘A vision of crimes in the future’, TED Talks (June 2012), http://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future.html#1128409
25 U.S. Department of Health & Human Services, ‘Breaches Affecting 500 or More Individuals’, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (accessed 12 April 2013).
26 PwC, ‘Cybercrime: protecting against the growing threat’ (November 2011), http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf
27 PwC, ‘Changing the game: Healthcare providers: findings from The Global State of Information Security Survey 2013’ (September 2012).
28 Ibid.
29 Deutsche Bank, ‘IT in banks: What does it cost?’ (20 December 2012), p. 2.
© 2013 PwC. All rights reserved. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires,individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCILdoes not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of theirprofessional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control theexercise of another member firm’s professiona l judgment or bind another member firm or PwCIL in any way. NY-13-0708
For more information, please visit www.pwc.com/global-health
Contacts:
Australia: Klaus Boehncke, +61 2 8266 0626
Canada: William Falk, +1 416 687 8486
China/HK: Mark Gilbraith, +86 21 2323 2898
Germany: Robert Paffen, +49 89 5790 6025
Finland: Karita Reijonsaari, +358 (0) 9 22800
India: Dr. Rana Mehta, +91 124 330 6006
Italy: Andrea Fortuna, +2 66 720 547
Japan: Yasushi Tabuchi, +81 80 3710 4138
Mexico: José Alarcón, +52 55 5263 6028
Netherlands: Otto Vermeulen, +31 (0) 887926374; Cokky Hilhorst, +31 (0) 8879 27384
Sweden: Jon Arwidson, +46 (0) 10 213 3102
Switzerland: Axel Timm, +41 (0) 58 792 2722
South Africa: Diederik Fouche, +27 11 797 4291
United States: Daniel Garrett, +1 267 330 8202; Peter Harries, +1 213 356 6760; James H. Koenig, +1 267 330 1537; Nalneesh Gaur, +1 214 649 1261; Mick Coady, +1 713 356 4366
United Kingdom: Sunil Patel, +44 (0) 207 212 3484