
Protecting patient information


Everyone is accountable and expected to protect health information. The circle is large and encompasses many different organizations. Patient data is protected for a reason. Let’s look at some brief reminders:



  1. The Health Sciences series presents: Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data? Amry Junaideen, Principal, Deloitte & Touche LLP; Rena Mears, Partner, Deloitte & Touche LLP; Russ Rudish, Principal, Deloitte Consulting LLP. December 16, 2008
  2. Agenda
     • Increased collaboration in the marketplace
     • The challenge of protecting information
     • Breach causes and effects
     • Preventing a breach
     • Finding the right solution
     • Conclusion
     Copyright © 2008 Deloitte Development LLC. All rights reserved.
  3. Health care and information sharing. Collaboration is vital for improving health care quality and meeting consumers’ needs. However, it involves a significant amount of information sharing. The protection of information is a critical ingredient for success.
     [Diagram: the health care value chain. Suppliers (pharmaceutical, bio-tech, medical devices) enable Providers (health systems, long term care, ambulatory care, hospitals/facilities), who deliver care and services to Patients; Payers (private and government) deliver payment; Regulators protect public welfare and ensure that health care services and products are safe and effective.]
  4. Challenge of protecting information. The protection of information within an organization and among multiple organizations is not a simple matter for a myriad of reasons.
     • 1. Data Acquisition / Collection: Patient Health Information (PHI) is collected at this stage.
     • 2. Data Storage: Providers store PHI and update the patient’s medical records.
     • 3. Data Usage: Providers use PHI to provide services to the patient.
     • 4. Data Sharing / In-transit: Providers transmit PHI to either payer or third parties for processing.
     • 5. Data Archival / Destruction: Archive and destroy PHI per the retention policy.
     • 6. Clinical Trials Data Tracking & Results: Expert opinion sharing and adverse event reporting cross-border; PII and IP consideration.
     [Diagram: a patient care and billing process flow showing where PHI moves between the patient (appointment scheduling, check-in, paperwork, receiving and paying bills by phone, mail or bank), front-office staff (insurance, patient information and other form checks), the physician/provider (services ordered from lab, imaging and pharmacy, charges coded in the HIS, bill/claim generated), the payer (eligibility and coverage, bill evaluation, bill payment) and suppliers (drug manufacturers, equipment suppliers).]
  5. Data risk levels. Although ID Theft has the most severe impact, other forms of enterprise data leakage are far more likely and require management attention. The majority of data losses – internal or external – are accidental.
     • Personally Identifiable Information (PII) – Leakage of generally accessible PII and IT data occurs most commonly
     • Sensitive – Data such as intellectual property and/or PII with a higher contextual value
     • Fraud – Internal or external use of PII for fraudulent gain
     • ID Theft – The assuming of one’s identity to obtain credit for purchases
     [Chart: level of enterprise risk plotted against potential for harm to the consumer, from LOW to MODERATE, HIGH and SEVERE: authorized disclosure of generally accessible PII or other sensitive data; unauthorized disclosure of sensitive data such as PII or intellectual property; fraud using a single or combined subset of PII; ID theft using a specific subset of PII or a combination.]
  6. Poll question #1. Do you share electronic medical records with business partners that require asset protection measures – such as encryption?
     • Yes
     • No
     • Don’t know
     • Not applicable
  7. The sophistication of “attackers”. Organized rings of thieves have developed sophisticated methods for compromising value chain security and stealing sensitive data.
     • 80’s – Dumpster Diving. Techniques: simple techniques that involved theft of personal information; required the thief to manually collect personal information; unorganized crime. Schemes: mail theft; sifting through garbage for confidential information; social engineering. Instances per year: ~300-400.
     • 90’s – Hacking. Techniques: improved techniques for gathering personal information; wide use of electronic databases and internet growth led to a loosely organized hacking community. Schemes: stealing information from employers, banks and government agencies (HR, payroll, bank, and SSA data); theft of W-2 information; hacking. Instances per year: ~80,000.
     • 2000’s – “Phishing”. Techniques: high-tech crime with the emergence of professional, international gangs; criminals target the booming e-commerce and financial networks. Schemes: data theft/hacking/keystroke loggers; pharming & phishing; counterfeit tax returns; fake W-2 forms and returns. Instances per year: ~9,900,000.
  8. Recent data breach trends. Numerous data breaches have been reported, leading to a heightened awareness of this topic at the senior levels within an organization. Data breaches are common across sectors; medical and health care facilities contributed to 14.9% of the 449 security breaches in 2008**.
     * From a survey conducted by HIMSS Analytics and Kroll Fraud Solutions
     ** Data until 8/22/2008 from Identity Theft Resource Centre
  9. Increased regulatory mandates. Organizations must consider increased regulatory mandates that provide specific requirements for data protection in the US and abroad.
     [Timeline, 1996 to 2011: HIPAA legislation (1996); California Breach Notification Law; California Identity Theft Red Flags, AB 1298; Massachusetts regulations and law; Identity Theft Red Flags Regulations; Standard & Poor’s on Enterprise Risk Management (ERM); the European Commission’s Directive on Data Protection and other international regulations; the ICD 10 bill. Present: user expectations for data protection are high, and requirements on the protection of sensitive information in the Health Sciences industry are increasing.]
  10. Breach causes and effects. How do these breaches occur?
     Causes:
     • Data is not treated as a strategic asset
     • Reactive rather than programmatic approach
     • Governance, process and technologies are not aligned
     • Data is not inventoried and mapped
     • Failure to adopt adequate process and technology controls
     • Training is inadequate or non-existent
     Effects:
     • Data assets are not inventoried or classified
     • Use and sharing of data is not understood
     • Data risk is incorrectly identified or evaluated
     • Policies, processes and technologies are not aligned
     • Controls do not adequately protect data assets
     • Organization and stakeholders unable to respond to threat
  11. What are the risks. A breach impacts many aspects of the business, including putting assets at risk, increasing number of breaches, rising costs, and decline in shareholder value.
     • Legal Risk – Litigation or lawsuits from patients due to loss of patient information; failure to conduct 3rd party compliance audits
     • Regulatory Risk – Failure to comply with the complex and relatively new regulations; failure to meet retention requirements
     • Brand Risk – Heightened media scrutiny surrounding sensitive information breaches; loss of patient relationships; meeting new demands of the consumer driven health care market
     • Financial Risk – Excessive post-breach related costs; post-M&A integration; ineffective capital management
     • Operational Risk – Excessive internal resource consumption due to time spent dealing with sensitive information breaches; theft during physical transportation
     • IT Risk – Virus attacks/hacking and loss of data “in-flight”; wrongful access to sensitive information; leakage of customer sensitive information can impact patient relationships
  12. Cost of a breach. The total average cost of a data breach grew to $197 per record compromised. The average total cost per reporting was more than $6.3 million per breach and ranged from $225,000 to almost $35 million. Deloitte’s 2007 Privacy and Data Protection Survey included 827 participants in North America*.
     • Over 85% of respondents reported at least one breach and over 63% reported multiple breaches requiring notification
     • Resource allocation associated with notification activities alone appeared to be a significant hidden cost
     * 19.9% of privacy professionals were from Health Sciences; 12% of security professionals were from Health Sciences
  13. Poll question #2. In the past year, how many privacy and data breach incidents at your organization are you aware have occurred?
     • Never
     • 1-5
     • 6-10
     • 10-20
     • More than 20
     • Not applicable/Don’t know
  14. Data as an asset. Treating data as an asset helps prevent breaches and enables collaborative information sharing. “Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases, the information is more valuable than the hardware which processes it.” – Grace Murray Hopper, USN (Ret)
  15. Understand the data lifecycle. The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain.
     [Diagram: data lifecycle stages under governance – creation, acquisition, classification, storage, use, sharing, preservation, archival (indefinite archive), disposition and destruction.]
  16. Data types and data flow. Sensitive data such as customer information, financial data, and intellectual property moves horizontally across organizational boundaries, including vertical business processes (e.g., order fulfillment process). Organizations often do not have a good understanding of the movement, proliferation, and evolution of their data.
     [Diagram: health care industry processes – develop products, procure materials, manufacture products, order management, marketing – each running from start to end, with data flowing across them.]
  17. Compliance vs. risk-based approach. Risk-based strategies go beyond compliance mandates to provide a more holistic approach towards managing and protecting data assets. A risk-based approach enables organizations to be adaptive to changing regulatory and business environments.
     Compliance-based strategy: detailed, specific, binary. Risk-based strategy: regulatory, brand, competitive.
     Compliance-based strategies are:
     • Reactionary
     • Comparatively inefficient
     Advantages of the risk-based approach:
     • Free organization from reactionary cycles
     • Allocate scarce resources efficiently and according to specific threat levels
     • Deliver value as quickly as possible
     • Provides efficiency and focus to successfully address compliance requirements from a risk-based perspective
  18. Avoid the disconnect. A “disconnect” between corporate policies, actual operational practices, and technology infrastructure reduces the ability to successfully implement changes into the business environment.
     [Diagram: DP Strategy flowing through a structured framework from Policies to Processes to Technology, with a disconnect marked between policies and processes and between processes and technology.]
  19. Poll question #3. Which of the following have you most recently implemented in your organization as it relates to your privacy program?
     • Process for corporate governance to establish accountability and manage enterprise privacy risk
     • A framework to assess risk in business processes as they relate to PII
     • Procedures to implement privacy policies within operational processes, including designing and implementing measurable controls
     • An enterprise-wide privacy & data protection training program
     • Process to stay current and assess new legal regulations and legislative developments
     • None
  20. Protect data across its lifecycle. Organizations need an enterprise level solution which includes data governance strategies, organizational policies and procedures, and controls to identify, monitor, and protect data through its lifecycle. The framework spans the enterprise data lifecycle, business processes and a risk based approach, and covers assets (data, facilities, processes) and identity (identity, role, credential), with segmentation and least privileges.
     • Governance: management commitment; policies, guidelines, and procedures; contracts and enforcements; training & awareness; review and monitoring
     • Classification: asset type definition; asset inventory; risk assessment; asset classification
     • Infrastructure: physical security; end-to-end security; defense in depth; enabling technology; process reengineering
  21. Consider all environments. Organizations should take a practical and business focused view and address data breach risks across seven control environments:
     • 1. Communications – Data in use and data in motion via email, web traffic, IM, blogs, etc
     • 2. Third Party – Data at rest in repositories (databases, email stores, file systems, etc)
     • 3. Mobile Media – Data in use and data at rest on mobile computing devices such as laptops, PDA’s, etc
     • 4. Archival and Disposal – Data management infrastructure for migrating data to storage or disposing
     • 5. Developer Access to Production – Limiting access to production data and controlling the movement of data from production to development and test
     • 6. Sensitive Database Data – Data at rest in repositories (databases, email stores, file systems, etc)
     • 7. Transaction and Activity Monitoring – Data in use and data in motion associated with privileged and other users accessing databases containing sensitive data
  22. Create a business process flow and data flow mapping. A company’s risk assessment should consider the data lifecycle for each of its business processes.
     [Diagram: a swim-lane map of customer, system/operational activity, business divisions and third party vendor across Clinical / Bio Medical, Hospital, Universities, Third Party, Finance and Infrastructure.]
  23. Organizational risk view.
     [Diagram: set policy, deploy controls (DLP, encryption, DAM, data redaction, archive, DR), then enforce and monitor controls across the enterprise – branch offices, WAN, data warehouse, back up tape, business analytics, customers and partners via WWW and customer portal, production data, disk storage, outsourced development, remote employees over VPN, staging, enterprise disk, e-mail and file server.]
  24. Determine solution set to meet critical risks. Implementing solutions involves more than technology; it requires a view of policy management, process and procedure development, technology evaluation and planning, technology implementation, ongoing operational management, leakage reporting and integration into incident response, training and awareness.
     Data Management and Protection Solution Types:
     • Data Discovery – Discovery and classification of data from disparate sources (email, file-shares, web)
     • Data Archiving – Services such as data retention, distribution, and security of tapes
     • Database Activity Monitoring – Monitoring of user and administrator activity, focused at databases
     • Data Destruction – Enforcement of security policies addressing disposal of information media
     • Data Redaction – Protection of sensitive data via de-identifying, sanitizing, masking, or obfuscating
     • Endpoint Protection – Workstation, laptop and other mobile device protection such as data monitoring, full disk encryption, local media encryption
     • Data Leak Prevention – Solutions to identify and prevent accidental disclosures of sensitive data at the edge of the network
     • Encryption – Tools to provide data encryption across the enterprise – including key management and recovery
  25. Poll question #4. Which of the following privacy and data protection technologies have you already implemented?
     • Governance Solutions (data inventory, data classification, digital rights management)
     • Preventive Solutions (data leak prevention, identity and access management, segregation of duties, database security/scanning, encryption (data at rest), encryption (data in motion))
     • Monitoring Solutions (content monitoring, audit logging and monitoring, intrusion detection and prevention, fraud discovery and monitoring)
     • More than one
     • Miscellaneous/None of the above
     • Not applicable
  26. Conclusion
     • Strategic collaboration with business partners, frequent reporting of data breaches, and increased regulatory mandates have brought to the forefront the need for privacy and data protection capabilities throughout the entire value chain
     • Security breaches can result in a number of business issues including reputation and revenue loss, as well as legal exposure
     • A data protection solution requires avoiding the “disconnect”:
       – Engaging the business to define the sensitive data to protect
       – Updating risk management policies
       – Tuning business processes
       – Raising user awareness
       – Integrating key technologies to provide policy enforcement throughout the data life cycle and the seven control environments
  27. Questions & Answers
  28. Join us January 22nd at 2 PM EST as our Health Sciences series presents: Eye of the Storm – Improving Financial Performance in the Credit Crunch
  29. Thank you for joining today’s webcast. To request CPE credit, click the link below.
  30. Contact information
     • Amry Junaideen, Principal, Deloitte & Touche LLP, Ph: 203-708-4195
     • Rena Mears, Partner, Deloitte & Touche LLP, Ph: 415-783-5662
     • Russ Rudish, Principal, Deloitte Consulting LLP, Ph: 212-313-1820
  31. This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
  32. About Deloitte. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
  33. A member firm of Deloitte Touche Tohmatsu