Post on 01-Jan-2016
Project Mission and Scope
Presented By:
Rick Kam, President/Co-Founder
ID Experts
Advisory Committee Meeting, March 17, 2011
March 17, 2011 Advisory Committee Meeting Slide 2
The Problem
What is the Financial Impact of the
Unauthorized Disclosure of PHI/PII?
Slide 3
Man Paid Hospital Employee for Patient Records in Las Vegas Scam
In 2009, Richard Charette paid a University Medical Center supervisor $9,200 for 55 patient record face sheets
Used PHI to solicit business for Las Vegas chiropractors and personal injury lawyers
FBI learned of scam from an “unidentified” chiropractor
On Feb. 1, 2011, Charette pleaded guilty, and could serve 5 years in prison, pay $250,000 fine
UMC and Charette named in potential class-action lawsuit for victims
State Bar of Nevada is also investigating
Slide 4
Computer Flash Drive with PHI “Misplaced”
A flash drive with the PHI of 280,000 people, including Medicaid recipients, was reported “missing” from the offices of affiliated insurers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Pennsylvania
Flash drive had been used at community health fairs
Insurers reported breach to the Penn. Dept. of Welfare; notified affected population
“This is a particularly vulnerable group of people [who] tend to be vulnerable to identity theft, vulnerable to discrimination.” — Dr. Deborah Peel, founder of Patient Privacy Rights (1)
No reported misuse of PHI
Slide 5
Failure to Secure PHI and to Notify Costly for Health Net of Connecticut
In 2009, an unencrypted portable disk drive with the PHI and financial information of 1.5 million patients disappeared
Health Net did not notify authorities or affected population for at least six months
In 2010, Connecticut AG sued Health Net
First action by a state AG for violating HIPAA since HITECH
Health Net settled for $250,000
Created a $500,000 reserve for victims’ claims
Connecticut Insurance Dept. fined Health Net $375,000
In 2011, Health Net also settled a complaint with the Vermont AG for $55,000
Slide 6
The Rising Cost and Frequency of Healthcare Data Breaches
Ponemon Institute: Data breaches are costing hospitals nearly $6 billion a year (1)
Medical-related data breaches listed in Privacy Rights Clearinghouse (2):
116 breaches listed in 2007-2008
229 breaches listed in 2009-2010
86% of large-hospital employees surveyed believe that the number of data breaches discovered will increase under HITECH (3)
The Department of Justice secured “$2.5 billion in health care fraud recoveries—the largest in history,” for the fiscal year ending 9-30-2010. (4)
1- Source: Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.
2- Source: http://www.privacyrights.org/
3- Source: 2009 HIMSS Analytics Report: “Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?” November 17, 2009.
4- Source: Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html
Slide 7
Current/Proposed Laws
HITECH Act – HIPAA 2.0
State Security Breach Notification
Proposed Legislation:
Carper/Bennett: Data Security Act
Pryor/Rockefeller: Data Security and Breach Notification Act
Slide 8
Risk Equation
Financial Impact of ID Theft
SSN + Account Number
$4,841*
*Javelin Research: Mean Fraud Amount: 2010 Identity Fraud Survey Report
Slide 9
Risk Equation
Financial Impact of “Medical” ID Theft
SSN + Health Insurance #
$20,000*
*Ponemon Institute: National Survey on Medical Identity Theft, Feb 2010
Slide 10
Risk Equation
Financial Impact
Diagnosis + Prescription + Specialist + Procedure
Unknown
Slide 11
CPO @ Notable Health System
“Unless an institution has suffered a major data breach and experienced the attendant costs—fiscal, operational and reputational—it is difficult to get senior management to give a reasonable priority to information security among all of the competing needs.
The “cost” of the possible misuse of medical information is particularly difficult to conceptualize under the circumstances of any particular data loss event.
Having more concrete data on the true costs of data breaches can provide a better perspective from which to evaluate those decisions.”
Slide 12
Project Approach
Based on ANSI and SFG prior projects:
Victim’s Bill of Rights (2009)
Financial Impact of Cyber Risk (2008)
Financial Management of Cyber Risk (2010)
Slide 13
Approach
Collaboration of “Experts” from Government, Industry, Academia, Standards
Facilitated by ANSI and the Santa Fe Group