HEALTHCARE INDUSTRY SESSION CYBER IND 011
Speakers:
- Jody Westby, Chief Executive Officer, Global Cyber Risk
- René Siemens, Partner, Covington & Burling LLP
- Brent Rieth, Senior Vice President and Team Leader, Aon Risk Solutions
- Jeff Driver, Chief Executive Officer, The Risk Authority Stanford
Learning Objectives
At the end of this session, you will:
- Have an understanding of the cyber threats facing healthcare
- Be able to identify the most common drivers of cyber risk in healthcare
- Understand cyber insurance coverage, key coverage concerns, potential gaps and limitations
- Learn strategies for managing and mitigating healthcare cyber risk
Healthcare in the Cybercrime Bullseye
- 100 million medical records breached in 2015, one third of the US population (Fox News)
- 81% of medical organizations targeted by cyber attack or malware (KPMG, 8/15)
- In 2014 the FBI issued a Private Industry Notification to the healthcare sector warning of attacks on electronic health care records and medical devices
- AHA 2015 Most Wired survey: weak areas are use of encryption, use of intrusion detection systems, and incident response planning
- In 2013, researchers Rios and McCorkle found that medical devices had the same type of software vulnerabilities as those found in other control systems manufactured by the same company
- Medical data is more valuable than PII: credit card numbers sell for $1-2 each, but medical data can bring $20+; a complete medical record combined with an SSN can go for $300; a Medicare number for $500
- Individuals can spend 200+ hours responding to a breach; average cost $13,450 (Ponemon)
Healthcare Technology Assets at Risk
The healthcare sector utilizes many types of data, applications, networks, and devices:
- Corporate business systems
- Industrial control systems
- Medical devices, shared databases, interconnected networks
Data involves:
- Personally identifiable information (PII): SSN, driver's license, passport, permanent residence card, family information
- Personal health information (PHI): medical benefit plans, need for life support systems, physician statements, device data
- Debit and credit card data
- Confidential and proprietary data (bank account info, transactional data, payroll data, internal communications, strategic plans, R&D data, intellectual property)
- Privileged data (attorney-client privilege, attorney work product)
- Control system data
Cyber Threat Environment
Events involve:
- Targeted attacks and sophisticated malware
- Ransomware and cyber extortion
- Hacktivism and cyber espionage
- Nation states
- Insider actions
Multi-pronged attacks signal a new era in cybercrime:
- Cybercriminals cooperate with one another
- Many jurisdictions may be involved
The objective is to mitigate; it is not possible to eliminate.
Drivers of Cyber Risk in Healthcare
Today's operating environment:
- Globalization and 24/7 connectivity
- Dependence on IT to operate (pharmacy, lab data, patient info, medical testing, monitoring)
- Complex IT architectures, clouds, outsourcing, mobile, IoT
- Blending of personal/professional lives
Management awareness lags behind threats:
- Little understanding of the impact of cyber events
- No data on cyber risks and loss exposures
- Lack of governance structure or defined roles/responsibilities
- Lack of resources to develop adequate cybersecurity programs
- Terrorism on the rise
- Conflicting compliance requirements, inconsistent cybercrime laws
- Difficulties in attribution and in prosecuting cybercrimes
- Inadequate security controls and incident response planning
Cybercrime Facilitating Factors
(Diagram: the factors below sit between Criminals and Victims.)
- Data: PII, PHI, IP, confidential/proprietary
- Medical industrial control systems
- International cooperation: MLAT or Letters Rogatory process may take months
- Senior management and board lack cyber governance
- Weak cybersecurity programs
- Medical devices lack security
- Cyberterrorism
- Conflicting or inconsistent laws and regulations
What are the Risks?
(Chart) Source: 2015 Annual Cost of Cyber Crime Study (Ponemon Institute)
Severity of Risk
(Chart: Average Annualized Cost of Cyber Crime by Industry Segment, in millions) Source: 2015 Annual Cost of Cyber Crime Study (Ponemon Institute)
Tangible Financial Cyber Loss Spectrum
1st party:
- Any major cyber event will result in PR, response, and continuity costs
- Immediate and extended revenue loss
- Restoration expenses
- Defense costs
3rd party:
- Third parties will seek to recover
- Civil penalties and awards
- Consequential revenue loss
- Restoration expenses
Physical damage is now possible:
- 1st party property damage
- 1st party bodily injury
Physical damage may cascade to others:
- 3rd party property damage
- 3rd party bodily injury
Coverage Overview
First Party Coverage (triggered by discovery of an incident):
- Privacy Event Expenses
- Cyber Extortion
- Business Interruption / Dependent Business Interruption / Systems Failure
- Digital Asset Protection / Extra Expense
Third Party Liability (triggered by a claim):
- Security Liability
- Privacy Liability
- Privacy Regulatory Proceedings
- Media Liability
Payment Card Industry Data Security Standards (PCI-DSS)
Please note this is a summary of coverage. Actual policy language will expand upon this overview.
Who is Issuing Cyber Insurance Policies?
Cyber Insurance Market Trends
(Chart: Total Premiums Underwritten, by year, for 2005 and 2008 through 2014; data labels range from $300,000,000 to $2,750,000,000.) Source: The Betterly Report
Cyber Insurance Key Coverage Concerns
- Lack of Standardization
- Complexity
- Coverage Limitations
- Coverage Gaps
- Claims Process
Cyber Insurance Common Limitations
- Covered Services / Breach Response Expenses
- Limits
- Prior Events / Retroactive Coverage
Other Common Limitations
- Notice Provision
- Choice of Counsel
- Definition of Application
- Definition of Insureds
- Network Definition
- Definition of Wrongful Act (Trigger of Coverage)
- Intentional Acts Exclusion / Rogue Employees
- Legacy Systems Exclusions (e.g., unencrypted devices)
Cyber Insurance Potential Gaps
- Terrorism
- Bodily Injury / Infrastructure Damage
Cyber Insurance Claims Process
- Subrogation
- Vendor Indemnities
- Covered Damages
Commercial Considerations
Contract Certainty:
- Use your resources: broker, claims counsel, coverage counsel
- Engage with the underwriters
- Read your policy(ies) and ask questions
- Rinse and repeat
Test Your Strategy:
- Conduct table top exercises AND include your broker
- Secure breach response vendors and communicate with your insurer(s)
Cultivate Relationships:
- Meet with your underwriters and their claims staff
- Ask about their experiences
What about Traditional Insurance?
Traditional Insurance: Will it Apply?
- General Liability Insurance
- Property Insurance
- D&O Insurance
- Crime Insurance
The Risk Authority Stanford
Stanford University Medical Network
In the Headlines
- U.S. hospitals are getting hit by hackers: http://money.cnn.com/2016/03/23/technology/hospital-ransomware/index.html
- 24x7 Magazine: http://www.24x7mag.com/2016/03/st-joseph-health-7-5mpatient-data-dump/
It's not IF, it's WHEN
Top Health Care Cyber Attacks (individuals affected):
- Anthem: 78.8M
- Premera Blue Cross: 11M
- Excellus Health Plan: 10M
- UCLA Health: 4.5M
- Medical Informatics Engineering: 3.9M
- CareFirst Blue Cross BlueShield: 1.1M
- Beacon Health System: 220K
- Advantage Dental: 151K
- Muhlenberg Community Hospital: 84K
Source: http://hitconsultant.net/2016/01/05/healthcare-cyber-attacks-in-2015-infographic/ (accessed March 23, 2016)
An Enterprise View
Cyber is a risk to the entire enterprise. It is not an isolated information technology event.
(Diagram: a Cyber Incident touches Operational, Financial, Clinical, Reputational, Legal / Regulatory, and Technology areas.)
The CRO's Perspective
- Cyber is an immature risk, changing quickly
- The potential impact of an incident is not easily quantified
- Reputational costs can be greater than financial costs
- Auditors and rating agencies are beginning to include an organization's approach to cyber as part of their analysis
- Cyber risk needs more than the traditional downside risk management approach
Value-Driven Enterprise Risk Management
- Builds on the core of Traditional Risk Management and Enterprise Risk Management
- Value-focused
- Uses data and decision analysis to create actionable risk intelligence
Value-Driven Enterprise Risk Management: Decision Analysis Based Process
Value Protected & Value Created
Value-Driven Enterprise Risk Management: Decision Analysis Based Process
Methodology
Statistical Data Analysis
- Description: Analyze historical data and construct a statistical model for making projections; produces probabilities and significance as outputs of analysis
- Applications: Appropriate for a stable system and a statistically significant data set
Subjective Probability Assessment
- Description: Careful use of appropriate methods to assess subjective estimates for uncertainties; uses probabilities to describe the likelihood of either discrete events (a fire) or continuous ones (the number of patients next year)
- Applications: Most risks (competitor actions, capital project cost and schedule, economic variables, etc.)
The use of scenario analysis and subjective probability assessment for cyber is appropriate. Cyber is an evolving risk, and historical events may not be a good representation of future events.
Value-Driven Enterprise Risk Management: Decision Analysis Based Process
(Diagram: a simple, decision analysis-based process cycle of Identify, Assess, Evaluate, Mitigate Risk & Increase Value, and Monitor & React, spanning Value Protection and Value Creation.)
Outputs of the process:
- Value & Risk Maps
- Quantified Risks and Uncertainties
- Quantified Value Model
- Key Value Drivers
- Value at Risk
- Value-based Risk Tolerance
- Components of Value
Value-Driven Enterprise Risk Management: Identify
Identify what kinds of future events might prevent or slow the achievement of objectives.
(Risk map: severity on the vertical axis, Severe to Not Severe; knowledge on the horizontal axis, Known to Unknown; risks are shaded as Insurable, Partially Insurable, or Uninsurable. Risks plotted: Batch Medical Malpractice, Earthquake, Regulatory, Cyber, Directors & Officers, Brand/Reputation, Financial, Workers Comp, Nurse Strike.)
Value-Driven Enterprise Risk Management: Assess
Determine which risks are most critical and how individual risks are related to each other.
(Diagram: Cyber sits among the UNKNOWN RISKS, apart from the KNOWN RISKS that are Insurable.)
Value-Driven Enterprise Risk Management: Evaluate
Evaluate outcomes and decide which risks to address.
Scenario 1: 1M Medical Records Breached
- Financial: $12.5M
- Legal: $1M
- Reputation: $100M
- Technology: $10M
- Operational: $1M
- Unknown: $12.5M
- Scenario 1 total: $137M
Online tools can help estimate data breach costs. Example: http://www.privacyrisksadvisors.com/data-breach-toolkit/data-breach-calculators/
But they only help estimate the financial costs; other components, such as reputation, can be multiples of the financial loss, as seen above.
Value-Driven Enterprise Risk Management: Mitigate
Once risks are evaluated, identify opportunities to mitigate risk and increase value:
- Insurance / Captive
- Awareness / Training
- IT Controls and Compliance
- Policies and Procedures
- Network Infrastructure
- Leadership Alignment and Support
1. Review all options
2. Build a statistical model that tests all the options
3. Select the options that give the best return
4. Implement
Value-Driven Enterprise Risk Management
Scenario 1: 1M Medical Records Breached, with potential mitigation
- Financial $12.5M: Insurance / Captive
- Legal $1M: Insurance / Captive
- Reputation $100M: Awareness / Training; IT Security / Infrastructure; Policies / Procedures and Leadership Support
- Technology $10M: IT Security / Infrastructure
- Operational $1M: Policies / Procedures and Leadership Support
- Unknown $12.5M: Ongoing Assessment and Monitoring
Total Estimate: $137M
Outputs: Violation of Risk Appetite
Mitigating Cyber Risk
Leadership Alignment:
- Governance and support of the C-Suite and executives from IT, IT Security, Risk Management, General Counsel and Legal
- Two councils: Operational Privacy Governance and Executive Privacy Governance, co-chaired by the Privacy Officers of SHC/SCH and Stanford University
Proactive Security Measures:
- Encryption for all computers, tablets, phones and USBs
- Mobile Device Management: AirWatch
- Robust process for all agreements that include any PHI and PII
- All vendor agreements are reviewed diligently for compliance with SHC/LPCH policies, including an IT security review for contracts with IT components
Awareness and Training:
- Strong privacy and security compliance program with robust policies including: Business Associate; Electronic Data Access and Transfer; Information Access Management; PHI Removal/Transport; Security Incident Monitoring, Detection and Response; Privacy-Related Complaints, Reporting and Breach Notification
Mitigating Cyber Risk: Captive Utilization
- Explore funding the cyber policy SIR within the captive
- Consider excess limits within the captive
Benefits:
- Improved, symmetrical enterprise approach to cyber liability
- Long-term cost smoothing for cyber liability risks
- Captive board oversight and support
Value-Driven Enterprise Risk Management: Monitor
Monitor the effectiveness of the outlined steps and mitigation opportunities to reduce risks and boost gains.
Value-Driven Enterprise Risk Management
- Helps to understand the correlation of risks
- Communicates cyber risk in actionable business terms
- Weaves an ongoing business process into the decision framework
- Connects with different areas of the organization to fully understand and integrate risk
- Utilizes internal and external data
- Evolves as the system and cyber risk change
Discussion and Questions