Proactive Measures to Reduce the Likelihood, Cost and ... · 6/20/2019  · Primary Factors...

© Clearwater Compliance LLC | All Rights Reserved Proactive Measures to Reduce the Likelihood, Cost and Impact of a Breach June 20, 2019


Proactive Measures to Reduce the Likelihood, Cost and Impact of a Breach

June 20, 2019


Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.



Some Webinar Logistics

1. Slide materials – Link In Chat Box. Should have also received in reminder email earlier today.
2. All attendees are in “Listen Only Mode”
3. Please ask content related questions in “Q&A”
4. In case of technical issues, check “Chat”
5. Please complete Exit Survey when you leave session
6. Recorded version and final slides within 48 hours


Learning Objectives

1. Understand recent trends and statistics of breaches across healthcare
2. Gain an understanding of the actual costs of a breach
3. Learn fundamental steps an organization can take to reduce the likelihood of a breach
4. Understand ways to reduce the operational and financial impact of a breach, including the benefits and challenges with cyber insurance and how to ensure your BAAs are structured to transfer risk to responsible parties


Agenda

Introductions

General Overview of Cybersecurity in Healthcare Today

Cost of a Breach Statistics

Reducing the Likelihood of a Breach

Reducing the Impact & Cost of a Breach

Conclusion


Today’s Presenters

Baxter Lee | Chief Financial Officer, Clearwater
• 16+ years in Finance, primarily in the healthcare sector
• 10+ years of experience in banking, private equity and M&A
• Former CFO for Entrada Health, successfully leading the company through its sale to NextGen Healthcare (NASDAQ: NXGN)
• BA, Business Administration - Washington & Lee University
• MBA - Owen Graduate School of Management at Vanderbilt University
• Passionate about helping healthcare organizations protect the highly sensitive data that they are entrusted with on behalf of their patients

https://www.linkedin.com/in/baxter-lee-9950086/

Travis Holt | Co-Founder and Partner, Brush Creek Partners
• 11+ years in technology risk management, cyber liability, and insurance
• Continuing Legal Education teacher on transferring technology risk to vendors and subcontractors
• BA, Accounting & Finance – Trinity University
• Passionate about helping businesses protect their balance sheets and better understand the financial implications of cyber security and technology failures

https://www.linkedin.com/in/travisholt/


We provide cyber risk management and HIPAA compliance solutions that enable our healthcare customers to avoid preventable breaches, protect patients, and meet OCR’s expectations, while also saving time and money.


Brush Creek Partners is a team of thought leaders in the areas of technology risk management, vendor due diligence, cybersecurity, and cyber liability

We help our clients understand and quantify the potential financial impact of a data breach or other cyber incident

And when the unfortunate but inevitable cyber incident happens, we help you minimize the impact on your balance sheet


General Overview of Cybersecurity in Healthcare Today


Digital Transformation in Healthcare

Rapid adoption of new technology and information systems to support key business initiatives such as value-based care, consumer engagement and data & analytics…

48% Annual Growth

15.1M Individuals

2018 v 2017

Increasing Cyberattacks

+170%

https://www.healthcaredive.com/news/data-breaches-compromised-151m-patient-records-last-year/548307/
https://www.hipaajournal.com/april-2019-healthcare-data-breach-report/

April was the worst ever month for healthcare data breaches, with 46 reported breaches. - HIPAA Journal

1.2 Breaches per Day

Breached Records:

+152%


Healthcare vs Other Industries

• The healthcare industry ranks 15th when compared to 17 major U.S. industries

• The healthcare industry is one of the lowest performing industries in terms of endpoint security

• 60% of the most common cybersecurity issues in healthcare relate to poor patching cadence

• Social engineering attacks continue to put patient data at risk


2018 Breaches by Type of Entity and Source

Breaches by Source
• Hacking, 45%
• Insider-Error, 25%
• Insider-Wrongdoing, 6%
• Theft, 9%
• Lost/Missing, 8%
• Unknown, 7%

Breaches by Type of Entity
• Healthcare Providers, 70%
• BA/Vendors, 10%
• Health Plans, 12%
• Misc/Other, 8%

https://www.protenus.com/2019-breach-barometer


Cyber Insurance Claim Statistics

Size of Company by Revenue
• Under $50M, 49%
• $50M-$300M, 22%
• $300M-$2B, 14%
• Over $2B, 7%
• Unknown, 8%

% of Claims by Business Sector (N=591)
• Education, 4%
• Financial Services, 13%
• Healthcare, 18%
• Hospitality, 4%
• Non-Profit, 8%
• Professional Services, 18%
• Retail, 11%
• Technology, 7%
• All other sectors, 17%

https://netdiligence.com/2018/11/07/netdiligence-releases-data-driven-analysis-on-cyber-claims-2/


What are CISOs Worried About?

Two-thirds of chief information security officers (CISOs) believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year
• 66% - Data breach
• 59% - Cyber attack
• 54% - Inability to reduce employee negligence
• 48% - Ransomware
• 47% - Unsecured IoT devices
• 42% - 3rd party data breach
• 34% - Inadequate Budget
• 25% - Malicious Insider

When asked which threats they worry most about in 2018, 70% cited “lack of competent in-house staff” as the number one concern

https://www.healthcare-informatics.com/news-item/cybersecurity/what-are-cisos-worried-about-2018-data-breaches-and-human-factor-survey


OCR Enforcement Actions To Date

To date, OCR has settled or imposed civil money penalties in 66 cases for a total of $107M

• “2018 was a ‘banner’ year for enforcement.” - Roger Severino, Director, Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services
• Nearly 500 organizations currently under investigation
• OCR enforcement activity is not slowing down!

Year | OCR Penalties & Settlements by Year ($000s) | Average $/Settlement ($000s)
2015 | $6,193 | $1,032
2016 | $23,505 | $1,808
2017 | $20,393 | $1,854
2018 | $25,683 | $2,568

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


OCR Update to Maximum CMPs – 45 CFR § 160.404

Violation Category - Section 1176(a)(1) | Penalty Range for Each Violation | Maximum Penalty (Previous) | Maximum Penalty (Updated)
(A) Reasonable Diligence (Did Not Know) | $100 - $50,000 | $1,500,000 | $25,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000 | $100,000
(C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000 | $250,000
(C)(i) Willful Neglect – Not Corrected | $50,000 | $1,500,000 | $1,500,000

April 2019: OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This announcement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

“With this change in enforcement discretion, we might see an increase in the velocity and volume of settlements and CMPs.”

John Moore, Chief Risk Officer, Clearwater


Cost of a Breach Statistics


Primary Factors Affecting the Cost of a Data Breach

• Size of the Data Breach (number of records lost or stolen)
• Time to Identify & Contain a Data Breach
• Detection & Escalation Costs
  • Forensic and investigative activities, assessment and audit services, crisis team management and communications to executive leadership and Board of Directors
• Service Disruption
• Post Data Breach Costs
  • Help desk activities, customer communications, legal expenditures, identity protection services and regulatory costs
• Loss of Customers
  • Customer goodwill and churn can often be the hardest to calculate but is one of the costliest impacts


Ponemon Study: 2018 Cost of a Data Breach

https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries


Direct vs Indirect Costs

Direct Costs

Indirect Costs


Other Considerations

https://www.idexpertscorp.com/index.php/knowledge-center/single/ANSI-PHI-Project


What is Risk?

Likelihood x Impact…


Average Cost of a Breach

Likelihood: Not if, but when…
• Ponemon: 96% of all the healthcare providers who participated in the study say they have had at least one data breach over a 24-month period

Impact (main drivers):
• Size of the breach
• Time to identify and contain the breach
• The vulnerability exploited

Average size of a breach = 10,000 records

# of records breached | 10,000
Average cost/record | $408
Cost of a Breach | $4,080,000


Reducing the Likelihood of a Breach


Common Weaknesses of Organizations

Any combination of the below can increase the likelihood and impact of a breach…
• Inadequate Policies & Procedures
• Inadequate Workforce Training
• Inadequate Sanctions for Non-Compliance
• Inadequate Security Awareness
• Inadequate Access Controls & Activity Monitoring
• Inadequate Security & Privacy Governance
• Inadequate Incident Response & Mitigation Plans
• Inadequate Risk Analysis & Risk Management Programs


OCR-Quality Risk Analysis

Completing Bona Fide, Comprehensive OCR-Quality Risk Analysis and Risk Response

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.


Risk Analysis & Risk Management Adverse Findings

1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else
2. NOT ASSET-BASED: too many organizations treating Risk Analysis as a checklist matter
3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location
4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario
5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance
6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of ongoing program and/or management engagement

TO DATE, THERE HAVE BEEN 66 OFFICE FOR CIVIL RIGHTS ENFORCEMENT ACTIONS

90% of ePHI-related cases included adverse findings in organizations’ RISK ANALYSIS & RISK MANAGEMENT


Reducing the Likelihood of a Breach

1. What are ALL the exposures of ALL of our information assets (e.g., ePHI)?

2. What decisions do we need to make to treat or manage risks?

Must have a systematic, ongoing process!

Risk Response

Risk Assessment


Vendors

Understanding and underwriting your key vendors is critical to reducing the chances that they are responsible for a cyber incident.

You should include the following in your vendor onboarding process:
• Understand what type of data you are sharing and how you are sharing it
• At a minimum, conduct a high-level external assessment
• Cybersecurity questionnaire to include questions about compliance
• Make sure the vendor only has access to the data they need
• Proper BAAs and MSAs
• Requirements for professional, media and cyber liability insurance


Employee Training & Education

Your people are your #1 exposure, so employee education is critical to reducing the likelihood of a breach

Focus on these critical areas:
• Phishing
• Thumb drives and removable media
• Public Wifi usage
• Password Security

https://www.thesslstore.com/blog/80-eye-opening-cyber-security-statistics-for-2019/

According to the FBI, Business E-mail Compromise has caused over $12.5 Billion in losses to companies between October 2013 and May 2018


Reducing the Cost & Impact of a Breach


Ways to Reduce the Cost of a Breach

1) Invest in prevention/avoidance:
   o Establish proper Governance, Risk Management and Compliance programs suited for your organization
   o Establish an internal framework for satisfying governance requirements
   o Evaluate risk across the enterprise (conduct regular and thorough Risk Analyses) and have an ongoing Risk Management program in place
   o Conduct regular and frequent workforce training
2) Utilize good data protection practices:
   o Encryption, backups, employee training, etc.
3) Have an incident response plan and team in place
   o The faster a data breach can be identified and contained, the lower the costs
4) Have a business continuity program or disaster recovery plan in place
5) Have proper insurance and Business Continuity Management (BCM) protections in place


Reducing the Cost…

Item | Ponemon | Including Other Considerations
# of records breached | 10,000 | 10,000
Average cost/record | $408 | $1,000
Cost of a Breach | $4,080,000 | $10,000,000
Probabilized # of years between breaches | 2 | 2
Average annual cost of a probable breach | $2,040,000 | $5,000,000

BUT WHAT IF…..

Item | Ponemon | Including Other Considerations
# of years between breaches | 3 | 3
Annual cost of a breach | $1,360,000 | $3,333,333
Annual $ investment with breakeven ROI | $680,000 | $1,666,667


Using Cyber Insurance to Offset the Cost of a Breach

Covered | Not Covered

Ransom Costs
Business Interruption
Contingent BI
Reputational Harm
HIPAA Investigations & Fines
Does your policy have minimum security requirements?
Any limitations for losses caused by vendors?
Third Party Lawsuits
Computer Forensics
Notification Costs
Credit/Identity Monitoring
Call Center Support

Sometimes Covered

Terrorism – Is Cyber Terrorism Included?
Cyber Crime
What is the trigger for first party coverage?
Theft of Services


A Common Cyber Insurance Exclusion


How Much Limit Should You Purchase


How Much Should You Pay?

The median price per million of limit for healthcare entities is just over $11,000


How BAAs & MSAs Impact Your Cyber Policy

• What risks should you transfer?
  • Data breach
  • Regulatory Investigations
  • Business Interruption/Outage
  • IP Infringement
• What type of insurance should you be asking for?
  • Professional Liability
  • Media Liability to include infringement of software code
  • Cyber Liability to include full first party cyber limits – you must understand the actual policy wording

You can transfer risk off of your balance sheet contractually or through an insurance policy

In order to hold your vendors responsible for a breach, make sure you have proper BAAs and MSAs in place


Mitigating OCR Enforcement Actions

OCR has demonstrated that they are more lenient and patient when healthcare organizations have documented plans in place and are making serious efforts to comply with requirements, such as enterprise-wide security risk analysis

“Lowering the maximum penalty in the lower tiers now creates additional incentives for covered entities to begin to take action to demonstrate to OCR that they are making serious efforts to comply with the regulations. The lower potential maximum penalties for organizations demonstrating reasonable diligence further reinforces this message.”

Jon Moore, Chief Risk Officer, Clearwater


Bottom Line

It’s About Saving Your Assets and Doing No Harm!


Stronger Financials … Balance sheet, lower cost of capital, competitive insurance rates

Lower Career Risk … Confidence, passion, energy, engagement, taking the right risks

Higher Satisfaction … Patients, physicians, workforce members, board, investors, community

Increased Quality … Access to care, timely care, confidentiality, integrity & availability of information

Financials Satisfaction

People Quality

Fewer/No Breaches, Fewer/No Complaints, No Failed IRM-related Audits

Business Outcomes


Conclusion


Conclusion

• Significant security incidents will continue to occur in healthcare and the weakest links will be exposed; it is incumbent on security leaders to remain vigilant and advance their cybersecurity practices, know-how, and acumen

• Focus on the fundamentals: you must have an asset inventory and know where your ePHI is stored and understand how it is performing on your network within your environment

• Regularly perform an enterprise-wide, security risk assessment of ALL of your information assets. From there, figure out where you have deficiencies and opportunities for enhancements.

• Organizations should think about whether they are executing a good, fundamental security program before investing in the latest and greatest security technology

• Cyber insurance isn’t a panacea; you must know what is in your policy so if you have an incident, it will actually cover some of the costs of a breach


Conclusion

Understanding the various factors that increase the cost of a breach can help you invest your security resources more strategically and lower the likelihood and cost of a breach for your organization


Upcoming Educational Events

Learn More & Register at: https://clearwatercompliance.com/upcoming-educational-events/


Thank You

Baxter Lee
Baxter.Lee@ClearwaterCompliance.com
www.clearwatercompliance.com

Travis Holt
www.brushkc.com


www.ClearwaterCompliance.com

LINKEDIN | www.linkedin.com/company/clearwater-compliance-llc/

TWITTER | @clearwaterhipaa

PHONE | 800-704-3394

#ManageCyberRiskRight