© Clearwater Compliance LLC | All Rights Reserved
Proactive Measures to Reduce the Likelihood, Cost and Impact of a Breach
June 20, 2019
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Some Webinar Logistics
1. Slide materials – link in Chat Box. You should also have received them in the reminder email earlier today.
2. All attendees are in "Listen Only Mode".
3. Please ask content-related questions in "Q&A".
4. In case of technical issues, check "Chat".
5. Please complete the Exit Survey when you leave the session.
6. Recorded version and final slides within 48 hours.
Learning Objectives
1. Understand recent trends and statistics of breaches across healthcare
2. Gain an understanding of the actual costs of a breach
3. Learn fundamental steps an organization can take to reduce the likelihood of a breach
4. Understand ways to reduce the operational and financial impact of a breach, including the benefits and challenges of cyber insurance and how to ensure your BAAs are structured to transfer risk to responsible parties
Agenda
Introductions
General Overview of Cybersecurity in Healthcare Today
Cost of a Breach Statistics
Reducing the Likelihood of a Breach
Reducing the Impact & Cost of a Breach
Conclusion
Today's Presenters

Baxter Lee | Chief Financial Officer, Clearwater
• 16+ years in finance, primarily in the healthcare sector
• 10+ years of experience in banking, private equity and M&A
• Former CFO for Entrada Health, successfully leading the company through its sale to NextGen Healthcare (NASDAQ: NXGN)
• BA, Business Administration - Washington & Lee University
• MBA - Owen Graduate School of Management at Vanderbilt University
• Passionate about helping healthcare organizations protect the highly sensitive data that they are entrusted with on behalf of their patients
https://www.linkedin.com/in/baxter-lee-9950086/

Travis Holt | Co-Founder and Partner, Brush Creek Partners
• 11+ years in technology risk management, cyber liability, and insurance
• Continuing Legal Education teacher on transferring technology risk to vendors and subcontractors
• BA, Accounting & Finance – Trinity University
• Passionate about helping businesses protect their balance sheets and better understand the financial implications of cyber security and technology failures
https://www.linkedin.com/in/travisholt/
We provide cyber risk management and HIPAA compliance solutions that enable our healthcare customers to avoid preventable breaches, protect patients, and meet OCR's expectations, while also saving time and money.
Brush Creek Partners is a team of thought leaders in the areas of technology risk management, vendor due diligence, cybersecurity, and cyber liability
We help our clients understand and quantify the potential financial impact of a data breach or other cyber incident
And when the unfortunate but inevitable cyber incident happens, we help you minimize the impact on your balance sheet
General Overview of Cybersecurity in Healthcare Today
Digital Transformation in Healthcare
Rapid adoption of new technology and information systems to support key business initiatives such as value-based care, consumer engagement and data & analytics… (48% annual growth)

Increasing Cyberattacks
• 15.1M individuals affected, 2018 v 2017
• Increasing cyberattacks: +170%
• 1.2 breaches per day
• Breached records: +152%
• "April was the worst ever month for healthcare data breaches, with 46 reported breaches." - HIPAA Journal
https://www.healthcaredive.com/news/data-breaches-compromised-151m-patient-records-last-year/548307/
https://www.hipaajournal.com/april-2019-healthcare-data-breach-report/
Healthcare vs Other Industries
• The healthcare industry ranks 15th when compared to 17 major U.S. industries
• The healthcare industry is one of the lowest performing industries in terms of endpoint security
• 60% of the most common cybersecurity issues in healthcare relate to poor patching cadence
• Social engineering attacks continue to put patient data at risk
2018 Breaches by Type of Entity and Source

Breaches by Source
• Hacking: 45%
• Insider-Error: 25%
• Insider-Wrongdoing: 6%
• Theft: 9%
• Lost/Missing: 8%
• Unknown: 7%

Breaches by Type of Entity
• Healthcare Providers: 70%
• Health Plans: 12%
• BA/Vendors: 10%
• Misc/Other: 8%

https://www.protenus.com/2019-breach-barometer
Cyber Insurance Claim Statistics
https://netdiligence.com/2018/11/07/netdiligence-releases-data-driven-analysis-on-cyber-claims-2/

Size of Company by Revenue
• Under $50M: 49%
• $50M-$300M: 22%
• $300M-$2B: 14%
• Over $2B: 7%
• Unknown: 8%

% of Claims by Business Sector (N=591)
• Healthcare: 18%
• Professional Services: 18%
• Financial Services: 13%
• Retail: 11%
• Non-Profit: 8%
• Technology: 7%
• Education: 4%
• Hospitality: 4%
• All other sectors: 17%
What are CISOs Worried About?

Two-thirds of chief information security officers (CISOs) believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year:
• 66% - Data breach
• 59% - Cyber attack
• 54% - Inability to reduce employee negligence
• 48% - Ransomware
• 47% - Unsecured IoT devices
• 42% - 3rd party data breach
• 34% - Inadequate budget
• 25% - Malicious insider

When asked which threats they worry most about in 2018, 70% cited "lack of competent in-house staff" as the number one concern.
https://www.healthcare-informatics.com/news-item/cybersecurity/what-are-cisos-worried-about-2018-data-breaches-and-human-factor-survey
OCR Enforcement Actions To Date

To date, OCR has settled or imposed civil money penalties in 66 cases for a total of $107M.

Year | OCR Penalties & Settlements ($000s) | Average $/Settlement ($000s)
2015 | $6,193  | $1,032
2016 | $23,505 | $1,808
2017 | $20,393 | $1,854
2018 | $25,683 | $2,568

• "2018 was a 'banner' year for enforcement." - Roger Severino, Director, Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services
• Nearly 500 organizations currently under investigation
• OCR enforcement activity is not slowing down!

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
OCR Update to Maximum CMPs – 45 CFR § 160.404

Violation Category (Section 1176(a)(1))   | Penalty Range for Each Violation | Annual Maximum (Previous) | Annual Maximum (Updated)
(A) Reasonable Diligence (Did Not Know)   | $100 - $50,000                   | $1,500,000                | $25,000
(B) Reasonable Cause                      | $1,000 - $50,000                 | $1,500,000                | $100,000
(C)(i) Willful Neglect – Corrected        | $10,000 - $50,000                | $1,500,000                | $250,000
(C)(ii) Willful Neglect – Not Corrected   | $50,000 minimum                  | $1,500,000                | $1,500,000

April 2019: OCR announced it has reduced the maximum annual financial penalties for three of the four HITECH Act tiers of HIPAA violations. This announcement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

"With this change in enforcement discretion, we might see an increase in the velocity and volume of settlements and CMPs."
Jon Moore, Chief Risk Officer, Clearwater
Cost of a Breach Statistics
Primary Factors Affecting the Cost of a Data Breach
• Size of the data breach (number of records lost or stolen)
• Time to identify & contain a data breach
• Detection & escalation costs: forensic and investigative activities, assessment and audit services, crisis team management and communications to executive leadership and Board of Directors
• Service disruption
• Post data breach costs: help desk activities, customer communications, legal expenditures, identity protection services and regulatory costs
• Loss of customers: customer goodwill and churn can often be the hardest to calculate but is one of the costliest impacts
Ponemon Study: 2018 Cost of a Data Breach
https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries
Direct vs Indirect Costs
Direct Costs
Indirect Costs
Other Considerations
https://www.idexpertscorp.com/index.php/knowledge-center/single/ANSI-PHI-Project
What is Risk? Likelihood x Impact…
Average Cost of a Breach

Likelihood: Not if, but when…
• Ponemon: 96% of all the healthcare providers who participated in the study say they have had at least one data breach over a 24-month period

Impact (main drivers):
• Size of the breach
• Time to identify and contain the breach
• The vulnerability exploited

Average size of a breach = 10,000 records
# of records breached: 10,000
Average cost/record: $408
Cost of a breach: $4,080,000
Reducing the Likelihood of a Breach
Common Weaknesses of Organizations

Any combination of the below can increase the likelihood and impact of a breach…
• Inadequate policies & procedures
• Inadequate workforce training
• Inadequate sanctions for non-compliance
• Inadequate security awareness
• Inadequate access controls & activity monitoring
• Inadequate security & privacy governance
• Inadequate incident response & mitigation plans
• Inadequate risk analysis & risk management programs
OCR-Quality Risk Analysis
Completing bona fide, comprehensive OCR-quality risk analysis and risk response

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk Analysis & Risk Management Adverse Findings

1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else
2. NOT ASSET-BASED: too many organizations treating risk analysis as a checklist matter
3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location
4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario
5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance
6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of ongoing program and/or management engagement

To date, there have been 66 Office for Civil Rights enforcement actions; 90% of ePHI-related cases included adverse findings in organizations' risk analysis & risk management.
Reducing the Likelihood of a Breach

1. Risk Assessment: What are ALL the exposures of ALL of our information assets (e.g., ePHI)?
2. Risk Response: What decisions do we need to make to treat or manage risks?

Must have a systematic, ongoing process!
Vendors
Understanding and underwriting your key vendors is critical to reducing the chances that they are responsible for a cyber incident.

You should include the following in your vendor onboarding process:
• Understand what type of data you are sharing and how you are sharing it
• At a minimum, conduct a high-level external assessment
• Cybersecurity questionnaire, including questions about compliance
• Make sure the vendor only has access to the data they need
• Proper BAAs and MSAs
• Requirements for professional, media and cyber liability insurance
Employee Training & Education
Your people are your #1 exposure, so employee education is critical to reducing the likelihood of a breach.

Focus on these critical areas:
• Phishing
• Thumb drives and removable media
• Public Wi-Fi usage
• Password security

According to the FBI, Business E-mail Compromise has caused over $12.5 billion in losses to companies between October 2013 and May 2018.
https://www.thesslstore.com/blog/80-eye-opening-cyber-security-statistics-for-2019/
Reducing the Cost & Impact of a Breach
Ways to Reduce the Cost of a Breach
1) Invest in prevention/avoidance:
   o Establish proper Governance, Risk Management and Compliance programs suited for your organization
   o Establish an internal framework for satisfying governance requirements
   o Evaluate risk across the enterprise (conduct regular and thorough risk analyses) and have an ongoing risk management program in place
   o Conduct regular and frequent workforce training
2) Utilize good data protection practices:
   o Encryption, backups, employee training, etc.
3) Have an incident response plan and team in place
   o The faster a data breach can be identified and contained, the lower the costs
4) Have a business continuity program or disaster recovery plan in place
5) Have proper insurance and Business Continuity Management (BCM) protections in place
Reducing the Cost… BUT WHAT IF….. (Including Other Considerations)

                                              | Ponemon      | Including Other Considerations
# of records breached                         | 10,000       | 10,000
Average cost/record                           | $408         | $1,000
Cost of a breach                              | $4,080,000   | $10,000,000
Probabilized # of years between breaches      | 2            | 2
Average annual cost of a probable breach      | $2,040,000   | $5,000,000
# of years between breaches                   | 3            | 3
Annual cost of a breach                       | $1,360,000   | $3,333,333
Annual $ investment with breakeven ROI        | $680,000     | $1,666,667
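The two columns above follow one simple model: the cost of a breach is records times cost per record, the annual cost spreads that over the expected number of years between breaches, and the slide's breakeven figure is half of the three-year annual cost. The following Python is an added worked example, not code from the webinar or from Clearwater; it reproduces the slide's figures and adds the inverse calculation (how large a breach an annual security budget has to prevent before it breaks even). The `loss_reduction` factor of 0.5, and the reading that the breakeven line corresponds to a control expected to remove half the annual loss, are assumptions of this example, not statements made on the slide.

```python
"""Annualized breach-cost model behind the "Reducing the Cost" slide.

Added worked example (not code from the webinar).  Inputs follow the
slide: records breached, Ponemon's $408 cost per record (or a higher
figure once other considerations are included), and the expected number
of years between breaches.  The loss_reduction factor is an assumption
made for this example: 0.5 reproduces the slide's "breakeven ROI" line.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    records: int
    cost_per_record: float
    years_between_breaches: float
    # Fraction of the expected annual loss the planned controls are assumed
    # to remove.  Assumption for this example; 0.5 matches the slide.
    loss_reduction: float = 0.5

    def cost_of_breach(self) -> int:
        """Impact of one breach: records x cost per record (Ponemon method)."""
        return round(self.records * self.cost_per_record)

    def annual_cost(self) -> int:
        """Annual loss expectancy: one breach every N years on average.

        Computed from the unrounded product so the result matches the slide
        after rounding (e.g. $10,000,000 / 3 -> $3,333,333).
        """
        return round(self.records * self.cost_per_record
                     / self.years_between_breaches)

    def breakeven_investment(self) -> int:
        """Annual spend equal to the loss the controls are expected to remove;
        anything below this has positive expected return."""
        return round(self.records * self.cost_per_record * self.loss_reduction
                     / self.years_between_breaches)


def records_to_justify(annual_budget: float, cost_per_record: float,
                       years_between_breaches: float,
                       loss_reduction: float = 0.5) -> int:
    """Inverse calculation: how large a breach (in records) has to be before
    a given annual security budget breaks even under the same assumptions."""
    return round(annual_budget * years_between_breaches
                 / (cost_per_record * loss_reduction))


def compare(scenarios: dict[str, BreachScenario]) -> dict[str, dict[str, int]]:
    """Tabulate the three slide figures for each named scenario."""
    return {
        name: {
            "cost_of_breach": s.cost_of_breach(),
            "annual_cost": s.annual_cost(),
            "breakeven_investment": s.breakeven_investment(),
        }
        for name, s in scenarios.items()
    }


if __name__ == "__main__":
    # Figures from the slide: Ponemon's $408/record versus $1,000/record
    # once other considerations are included, both at one breach every
    # three years.
    table = compare({
        "Ponemon ($408/record)": BreachScenario(10_000, 408, 3),
        "Other considerations ($1,000/record)": BreachScenario(10_000, 1_000, 3),
    })
    for name, row in table.items():
        print(name)
        for label, value in row.items():
            print(f"  {label:<22} ${value:>12,}")
    # Sanity check of the inverse: a $680,000/yr budget at $408/record and
    # a three-year interval breaks even at the slide's 10,000-record breach.
    print("records to justify $680,000/yr:", records_to_justify(680_000, 408, 3))
```

Changing `years_between_breaches` is the quickest way to see why "not if, but when" matters financially: the same 10,000-record breach justifies twice the annual spend at a two-year interval as at a four-year one, so the likelihood estimate from the risk analysis drives the budget as much as the per-record cost does.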
Using Cyber Insurance to Offset the Cost of a Breach

Covered
• Ransom costs
• Business interruption
• Third party lawsuits
• Computer forensics
• Notification costs
• Credit/identity monitoring
• Call center support

Sometimes Covered
• Contingent BI
• Reputational harm
• HIPAA investigations & fines
• Cyber crime
• Theft of services

Not Covered (depends on policy wording; questions to ask)
• Does your policy have minimum security requirements?
• Any limitations for losses caused by vendors?
• Terrorism – is cyber terrorism included?
• What is the trigger for first party coverage?
A Common Cyber Insurance Exclusion
How Much Limit Should You Purchase?
How Much Should You Pay?
The median price per million of limit for healthcare entities is just over $11,000
How BAAs & MSAs Impact Your Cyber Policy

• What risks should you transfer?
  • Data breach
  • Regulatory investigations
  • Business interruption/outage
  • IP infringement
• What type of insurance should you be asking for?
  • Professional liability
  • Media liability, to include infringement of software code
  • Cyber liability, to include full first party cyber limits – you must understand the actual policy wording

You can transfer risk off of your balance sheet contractually or through an insurance policy.
In order to hold your vendors responsible for a breach, make sure you have proper BAAs and MSAs in place.
Mitigating OCR Enforcement Actions
OCR has demonstrated that it is more lenient and patient when healthcare organizations have documented plans in place and are making serious efforts to comply with requirements, such as enterprise-wide security risk analysis.

"Lowering the maximum penalty in the lower tiers now creates additional incentives for covered entities to begin to take action to demonstrate to OCR that they are making serious efforts to comply with the regulations. The lower potential maximum penalties for organizations demonstrating reasonable diligence further reinforces this message."
Jon Moore, Chief Risk Officer, Clearwater
Bottom Line
It's About Saving Your Assets and Doing No Harm!

Business Outcomes: Fewer/No Breaches, Fewer/No Complaints, No Failed IRM-related Audits
• Financials: Stronger financials … balance sheet, lower cost of capital, competitive insurance rates
• People: Lower career risk … confidence, passion, energy, engagement, taking the right risks
• Satisfaction: Higher satisfaction … patients, physicians, workforce members, board, investors, community
• Quality: Increased quality … access to care, timely care, confidentiality, integrity & availability of information
Conclusion
Conclusion
• Significant security incidents will continue to occur in healthcare and the weakest links will be exposed; it is incumbent on security leaders to remain vigilant and advance their cybersecurity practices, know-how, and acumen
• Focus on the fundamentals: you must have an asset inventory, know where your ePHI is stored, and understand how it flows across your network and environment
• Regularly perform an enterprise-wide security risk assessment of ALL of your information assets. From there, figure out where you have deficiencies and opportunities for enhancements.
• Organizations should think about whether they are executing a good, fundamental security program before investing in the latest and greatest security technology
• Cyber insurance isn't a panacea; you must know what is in your policy so that if you have an incident, it will actually cover some of the costs of a breach
Conclusion
Understanding the various factors that increase the cost of a breach can help you invest your security resources more strategically and lower the likelihood and cost of a breach for your organization.
Upcoming Educational Events
Learn more & register at: https://clearwatercompliance.com/upcoming-educational-events/
Thank You

Baxter Lee | Baxter.Lee@ClearwaterCompliance.com | www.clearwatercompliance.com
Travis Holt | [email protected] | https://www.brushkc.com/

www.ClearwaterCompliance.com
LINKEDIN | www.linkedin.com/company/clearwater-compliance-llc/
TWITTER | @clearwaterhipaa
EMAIL | [email protected]
PHONE | 800-704-3394
#ManageCyberRiskRight