How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com
Rick Kam President and Co-Founder richard.kam@idexpertscorp.com Ellen M. Giblin Privacy Counsel egiblin@ashcroftlawfirm.com 2
Key Take Aways Relevance of the PHI Report on valuing PHI Top threats and risks to PHI Risk mitigation using third party agreements Evolving regulatory environment Steps to mitigate risk 3
The PHI Project REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI) WHY: Increased number and frequency of data breaches WHO: Guardians of the trust forming the foundation of the health care delivery system SOLUTION: Information and tools to develop a compelling business case fore requesting investments and resources to ensure PHI privacy and security 4
What s Happening? The number of organizations handling PHI is expanding The adoption of ephi has increased the information flow risks The rewards of medical ID theft have surged 5
The Ramifications For the first time in history, it is possible to: Improperly disclose PHI of millions of individuals in a matter of seconds, Steal health information from a virtual location, and Breach PHI in a manner that makes it impossible to restore. 6
Why Steal PHI? Physician ID numbers are used to fraudulently bill for services Patient ID information is lent to friends or relatives in need of services Patient ID numbers are sold on the black market Medicare fraud estimate? $60B/year Majority of clinical fraud? Obtain prescription narcotics for illegitimate use ~5% of clinical fraud: Free health care Patient ID Information: $50/record Social Security number: $1 Average Payout for defrauding a health care organization: $20,000 Regular ID theft? $2,000 7
Top Elements Threatening PHI Security Human Malicious Insider Non-Malicious Insider Outsider State-Sponsored Cyber Crime Evolving Stakeholders BAs and Subcontractors Cloud Providers Virtual Physician s Office Methods Lost / Stolen Media Intrusion Dissemination of Data Mobile Devices Wireless Devices 8
The PHIve Method Conduct Risk Assessment Determine Security Readiness Score Assess the Relevance of a Cost Determine the Impact Calculated the Total Cost of a Breach 9
Sample Case Study Unintentional, Business Associate, 845,000 records, Clinical fraud resulting in 1 death, financial fraud, NYC Estimated Total Impact Grand Total of Breach Costs $26,493,617 Annual Revenue of Entity $241,836,404 % of Cost to Annual Revenue 11% Impact Score Severe 10
How Much to Invest? How much would a data breach cost? Given current safeguards and controls, how often can an organization expect to experience a data breach? What investments can be made to reduce the frequency of a data breach? What are the associated annual savings of a delayed data breach? Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach? 11
Vendor Risk Ecosystem Managing and Mitigating Vendors in the Risk Ecosystem 12
Evolving Regulatory and Enforcement Environment Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates claims processing, administration, data analysis, billing, benefits management and could potentially extend to subcontractors. 13
Evolving Regulatory and Enforcement Environment The Department of Health and Human Services Office for Civil Rights (OCR) recently has deepened its enforcement to include business associates (BA). And the recent Minnesota Attorney General s action against Accretive Health is evidence that states are also stepping up their scrutiny of business associates using their authority under the HITECH Act. 14
Business Associates Integral to the Risk Management Ecosystem That s not without cause. Business associates are the second top source of data breaches, according to a recent benchmark study on patient privacy and data security by the Ponemon Institute. In fact, Leon Rodriguez, director of the OCR, notes that 63 percent of the people affected by OCR-reported data breaches were the result of security lapses at a business associate. 15
Key Steps to Minimize Vendor Risk The OCR s extended scrutiny is putting pressure on covered entities to more proactively and frequently measure business associates HITECH compliance. To keep them in check, covered entities would do well to ask some important questions of, or about, their business associates: 16
Step One: Assess the Criticality of Service How critical is the business associate to my organization? Is it operationally critical or tied to my brand? Is there a viable alternative? Using a metric of sorts to weigh the importance versus the risks of a business associate can be helpful. For instance, an electronic health records systems provider may be a higher risk because of the amount of sensitive data it processes, yet replacing the system may not be feasible. 17
Step Two: Contractual Safeguards Do I have an updated agreement in place with each business associate, one that evolves to meet changing privacy and security needs? Some reasons to update may include changes in types of services provided; change in policies and procedures based on annual review or simulations; or data breaches or environmental changes. 18
Step Three: Due Diligence What security standards does the BA comply with? Does the business associate conduct employee training, annual risk assessment and/or risk analysis according to HIPAA privacy, security and breach notification rules? Can it provide you a copy of their most recent assessment, risk mitigation plan, and progress report? Does it have a privacy and compliance official? 19
Step Three: Due Diligence Has the business associate had privacy or security incidents with other covered entities? Request to talk to other covered entities services to find out about the BA s practices regarding the incident and how it was handled. This can be a predictor of future events and any impact on your organization. 20
Step Four: Operationalize the BA Contract Does the business associate have an incident detection and management process? How does the business associate detect incidents, and what will trigger it to notify the covered entity? How soon must that BA notify you in the event of an incident? Is it enough time to conduct an incident assessment and meet the breach response obligations according to federal and state(s) laws? 21
Step Four: Operationalize the BA Contract What are the contractual obligations or indemnity provisions if there is an incident? Covered entities are responsible for the breaches caused by their business associates, including notification costs. Given the increased enforcement and expensive notification and remediation procedures, however, business associates should assume some financial liability. More importantly, is the business associate able to bear the indemnity costs, either through their own resources, cyber insurance, or other form of security? 22
Step Four: Operationalize the BA Contract What are the legal and contractual requirements for offshore business associates and sub-contractors? These third-party providers are not subject to HIPAA privacy and security regulations. Covered entities or business associates contracting with foreign third parties should include any requirements for safeguarding PHI within the agreements, and not depend on foreign law. 23
Step Five: Minimize the Risk What about termination clauses? Do you have a clear set of guidelines under which you will terminate a business associate agreement? Can you monitor for these guidelines, and can the BA provide you necessary information for making this decision? 24
Step Six: Manage the Risk Ecosystem Covered entities bear an enormous burden for safeguarding the PHI in their care. The further that sensitive data goes downstream, the more difficult it can be to protect it. But with increasing enforcement on the federal and state levels, covered entities have the right and obligation to insist on evidence of compliance from their business associates, and as much as possible, their sub-contractors. 25
Questions & Answers Rick Kam ID Experts President & Co-Founder richard.kam@idexpertscorp.com Ellen M. Giblin Ashcroft Law Firm Privacy Counsel egiblin@ashcroftlawfirm.com 800-298-7558 617-573-9400 26