© Clearwater Compliance LLC | All Rights Reserved

July 25, 2019

CIO Virtual Cybersecurity Symposium
Session 3 | Module 6

Making the Case for Cyber Risk Management Investments

Baxter Lee
Chief Financial Officer, Clearwater


Module 6 Overview

Making the Case for Cyber Risk Management Investment

Module Duration = 50 Minutes

Learning Objectives Addressed in This Module:

1. Learn the potential repercussions of a data breach
2. Prepare to calculate the cost of a data breach specific for your organization
3. Understand how to present a compelling Return on Investment (“ROI”) calculation for your Information Risk Management Program
4. Turn the breach cost into a compelling business plan to strengthen your security program


Your Presenter:

Baxter Lee
Chief Financial Officer, Clearwater

• 17+ years in Finance, primarily in the healthcare sector
• 10+ years of experience in banking, private equity and M&A
• Former CFO for Entrada Health, successfully leading the company through its sale to NextGen Healthcare (NASDAQ: NXGN)
• BA, Business Administration - Washington & Lee University
• MBA - Owen Graduate School of Management at Vanderbilt University
• Passionate about helping healthcare organizations protect the highly sensitive data that they are entrusted with on behalf of their patients


Digital Transformation in Healthcare

• Rapid adoption of new technology and information systems to support key business initiatives such as value-based care, consumer engagement and data & analytics…

[Figure: 196% Annual Growth; 10.2M Individuals (2019 v 2018: +170%); 1.2 Breaches per Day]

Sources: Dell EMC annual Global Data Protection Index, 2019; https://www.hipaajournal.com/may-2019-healthcare-data-breach-report/


Healthcare vs Other Industries

• The healthcare industry ranks 15th when compared to 17 major U.S. industries

• The healthcare industry is one of the lowest performing industries in terms of endpoint security

• 60% of the most common cybersecurity issues in healthcare relate to poor patching cadence

• Social engineering attacks continue to put patient data at risk


2018 Breaches by Type of Entity and Source

Breaches by Source: Hacking 45%; Insider-Error 25%; Insider-Wrongdoing 6%; Theft 9%; Lost/Missing 8%; Unknown 7%

Breaches by Type of Entity: Healthcare Providers 70%; BA/Vendors 10%; Health Plans 12%; Misc/Other 8%

Source: https://www.protenus.com/2019-breach-barometer


What are CISOs Worried About?

Two-thirds of chief information security officers (CISOs) believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year
• 66% - Data breach
• 59% - Cyber attack
• 54% - Inability to reduce employee negligence
• 48% - Ransomware
• 47% - Unsecured IoT devices
• 42% - 3rd party data breach
• 34% - Inadequate Budget
• 25% - Malicious Insider

70% cited “lack of competent in-house staff” as the #1 concern

Source: https://www.healthcare-informatics.com/news-item/cybersecurity/what-are-cisos-worried-about-2018-data-breaches-and-human-factor-survey


OCR Enforcement Actions are Increasing

To date, OCR has settled or imposed civil money penalties in 66 cases for a total of $107M

[Chart: OCR Penalties & Settlements by Year ($000s): 2015 $6,193; 2016 $23,505; 2017 $19,414; 2018 $28,683]

[Chart: Average $/Settlement ($000s): 2015 $1,032; 2016 $1,808; 2017 $1,941; 2018 $2,608]

• “2018 was a ‘banner’ year for enforcement.” - Roger Severino, Director, Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services
• Nearly 500 organizations currently under investigation
• 90% of all ePHI fines related to insufficient Risk Analysis
• OCR enforcement activity is not slowing down!

Sources: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html ; https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Developing Your Business Plan…

What…
• Bad Thing Could Happen?
• Vulnerabilities Exist?
• Offsetting Controls or Safeguards Exist?
• Is the Likelihood of that Bad Thing Happening?
• Is the Potential Impact if the Bad Thing Happens?


What is Risk?

• Risk = Likelihood x Impact


What do many breaches have in common?

Any of the below can increase the likelihood of a breach…
• Inadequate Policies & Procedures
• Inadequate Workforce Training
• Inadequate Sanctions for Non-Compliance
• Inadequate Security Awareness
• Inadequate Access Controls & Activity Monitoring
• Inadequate Security & Privacy Governance
• Inadequate Incident Response & Mitigation Plans
• Inadequate Risk Analysis & Risk Management Programs


Top Vulnerabilities in Risk Ratings

Vulnerability: Average Risk Rating
• IS Security Staffing Deficiencies: 20.0
• Old or Outdated Equipment: 17.8
• Unsupported Operating System: 17.8
• Network Configuration Deficiencies: 17.1
• Insecure Device Configuration: 17.1
• Wireless Network Deficiencies: 16.7
• Endpoint Leakage: 16.7
• Weak Passwords: 16.3
• Password Creation and Distribution Deficiencies: 16.2
• Inadequate Device or Data Encryption: 16.1


The Last Word on Sources of Likelihood


Determining the Impact


Ponemon Study: 2018 Cost of a Data Breach

https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries


Average Cost of a Breach

• Likelihood: Not if, but when…
• Ponemon: 96% of all the healthcare providers who participated in the study say they have had at least one data breach over a 24-month period
• Impact (main drivers):
  • Size of the breach
  • Time to identify and contain the breach
  • The vulnerability exploited
• Average size of a breach = 10,000 records

# of records breached: 10,000
Average cost/record: $408
Cost of a Breach: $4,080,000


Direct vs Indirect Costs

Direct Costs

Indirect Costs


Deloitte’s 2019 Future of Cyber Survey

https://deloitte.wsj.com/cio/2019/07/11/cyber-incidents-and-breaches-the-data-dilemma/?mod=djemCIO


But What If…

Ponemon:
# of records breached: 10,000
Average cost/record: $408
Cost of a Breach: $4,080,000

Probabilized # of years between breaches: 2
Average annual cost of a probable breach: $2,040,000

# of years between breaches: 3
Annual cost of a breach: $1,360,000

Annual $ investment with breakeven ROI: $680,000


Calculating the Financial Impact of a Breach

https://www.idexpertscorp.com/index.php/knowledge-center/single/ANSI-PHI-Project

Table of Contents

1. The Progression of the Health Care Ecosystem

2. The Evolution of Laws, Rules, and Regulations

3. PHI Data Breach Landscape

4. Threats and Vulnerabilities

5. Safeguards and Controls

6. Survey Findings: Current Practices and Attitudes

7. Data Breach Costing Framework

8. Calculating the Cost of a PHI Breach

9. Finale

10. Appendices


Repercussions…


Reputational Repercussions

Relevance Considerations
• Type of Business (CE or BA)
• Availability of Competitive Alternatives
• Acceptability of Competitive Alternatives

Impact Considerations
• Size of the Breach
• Sensitivity of Data
• Age of Affected Individuals
• Income of Affected Individuals


Abnormal Churn Rates

“The biggest financial consequence to organizations that experience a data breach is lost business. Following a data breach, organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.”

https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries


Sensitivity to Privacy Matters – Demographics Matter

[Charts: % Age Groups Reporting High Health Privacy Sensitivity; % Income Level Reporting High Health Privacy Sensitivity]

http://www.laresinstitute.com/blog/study-on-privacy-demographics


Cost of Replacing Staff

Recruiters Charge 20-35% of Starting Salary

Not including advertising, administrative time, recruiting fees, and interview costs

Sources: https://www.recruiter.com/salaries/healthcare-professionals-salary.html ; http://www.businessknowhow.com/QandA/recruit.htm


Suggested Formulas

Loss of Patients = (average revenue per patient) x (estimated # of patients lost) x (variable margin)

Loss of current customers = (average revenue per customer) x (estimated # of customers lost) x (variable margin)

Loss of new customers = (expected average revenue per customer) x (estimated # of new customers lost) x (variable margin)

Loss of strategic partners = (projected margin per partner) x (estimated # of partners lost)

Loss of staff = (average cost of recruiting and training new staff) x (estimated # of new staff replaced) + (average margin not being generated during transition)


Financial Repercussions

Relevance Considerations
• Size of Breach
• Complexity of Breach
• Strength of Safeguards
• Type of Company (public or private)
• Breached Party (CE or BA)

Impact Considerations
• Size of the Breach
• Type of Breach (malicious vs. unintentional)
• Further Disclosure
• Type of Data (financial as well as health)


Elements of Notification Costs

Notification to Affected Individuals
• Set Up of Contact Databases
• Message Development
• Legal Review
• Printing
• Postage
• Assembly
• Call Center Support

PR and/or IR Campaign
• Content Development
• Legal Review
• Advertising
• Inquiry Response Time

Notification to Media
• Identification of Media Groups
• Message Development
• Legal Review
• Inquiry Response Time

Notification to HHS
• Content Development
• Legal Review
• Inquiry Response Time

Callouts on the slide: “> 500 records”; “$50 per record”


Credit & Identity Theft Monitoring

http://www.nextadvisor.com/identity_theft_protection_services/compare.php

Wide Range: $10 - $30/month/person


Legal & Regulatory Repercussions

Relevance Considerations
• Size of Breach
• Type of Business (public vs. private)
• Strength of Compliance Program
• History of Previous Breaches
• Board Oversight
• Accreditation Requirements

Impact Considerations
• Size of the Breach
• Type of Breach (malicious vs. unintentional)
• Type of Data (financial as well as health)
• Age of Affected Individuals
• Income of Affected Individuals
• Celebrity Status of Affected Individuals
• Resident State of Affected Individuals


Fines and Settlement Agreements are Increasing

[Chart: # of Settlements by year: 2013: 5; 2014: 7; 2015: 6; 2016: 13; 2017: 10; 2018: 11]

[Chart: Average $/Settlement ($000s): 2013 $748; 2014 $1,134; 2015 $1,032; 2016 $1,808; 2017 $1,941; 2018 $2,608]

Recent Significant Cases:
• Touchstone Medical Imaging – $3.0M; uncontrolled access to ePHI via the internet
• Cottage Health – $3.0M; 2 violations of unsecured ePHI accessible via the internet
• Fresenius Medical - $3.5M; multiple breaches across 5 locations
• MD Anderson - $4.3M; theft of unencrypted laptop and loss of unencrypted thumb drives
• Anthem - $16M; Impermissible disclosure of ePHI due to cyberattack


State AG Settlements in 2018-2019

• Business Associates have been responsible for 9 of the Breaches (41%) and $7.0M (36%) of the settlement amounts

• After 3 settlement agreements totaling ~$2.7MM, Aetna has filed a lawsuit against its BA for breach


Class Action Lawsuits $1,000-$2,500 per
• St. Joseph Health System - $7.5MM Settlement + $7.5MM attorney fees
• State of Texas – 3.5 MM state employees
• Stanford Hospital & Clinic - 20,000 patients
• Sutter Health Hit With $1B Class-Action Lawsuit
• TRICARE Health Management Sued for $4.9B
• AvMed Health sued over 'one of the largest medical breaches in history'
• Emory Healthcare Faces Class-Action Suit Over Data Breach
• Landmark $115 million settlement reached in Anthem data breach suit...
• CHS reaches $3.1M settlement with 4.5M patients affected by data breach

http://www.mainjustice.com/2013/09/05/settlement-reached-in-healthcare-data-breach-lawsuit/


Operational Repercussions

Relevance Considerations
• Sufficiency of Current Resources
• Level of Change in Procedures Required
• Level of Oversight of Compliance Program

Impact Considerations
• Type of Breach (malicious vs. unintentional)
• # of Additional Resources Needed
• Level of Disruption of Organizational Changes


And then there may be the need to add Cyber Security Talent

Top Reasons for Cyber Workforce shortage
• Business Conditions
• Can’t find Qualified Personnel
• Requirements not Understood
• No Clear Career Path
• Retainment Issues

“The issue isn’t distribution of cyber resources – it’s that there just aren’t enough of them out there”

68% of cyber security experts in North America say they don’t have the professionals they need on their security teams

By Focal Point Insights, February 22, 2018


Clinical Repercussions

Relevance Considerations
• Type of Data (financial vs medical)
• Likelihood of Compromise
• Involvement in Research

Impact Considerations
• Type of Breach (malicious vs. unintentional)
• Age and income of affected individuals
• Type of Research

Source: http://www.ponemon.org/local/upload/file/Third_Annual_Survey_on_Medical_Identity_Theft_FINAL.pdf


Clinical Repercussions on the Patient

What if there is a Compromise of the …

Confidentiality
• Identity Theft
• Reputational Damage
• Relationship Damage
• Employment Damage
• Financial Damage
• Anxiety
• Depression

Integrity
• Incorrect Diagnosis
• Incorrect Treatment
• Incorrect Prescriptions
• Incorrect Billing Charges
• Contaminated Clinical Trial
• Identity Theft
• Reputational Damage
• Death

Availability
• Delayed Admittance
• Delayed Diagnosis
• Delayed Surgery
• Delayed Prescriptions
• Delayed Discharge
• Diagnosis Errors
• Treatment Errors
• Death

Affects Patient Safety, Satisfaction and Quality of Care


Putting it all together…

Total Impact Scoring: Insignificant <2% of Revenue; Minor 2% of Revenue; Moderate 4% of Revenue; Major 6% of Revenue; Severe >6% of Revenue

Annual Revenues: $250,000,000
# of records breached: 10,000

COST CATEGORY / COST IMPACT / COST SUB-CATEGORY / COST / TOTAL COST

REPUTATIONAL (total $3,274,000)
• Loss of Current Patients/Customers: $2,625,000
• Loss of New Business: $225,000
• Loss of Strategic Partners: $31,500
• Loss of Staff: $392,500

FINANCIAL (total $2,517,560)
Remediation
• Detection/Escalation Cost: $200,000
• Credit & ID Theft Monitoring: $1,320,000
• Mitigation Costs: $113,240
• Lost Productivity: $300,000
Notification
• Customer Notification: $229,000
• Media Notification: $60,360
• Attorney Fees: $69,960
Cyber Liability Insurance
• New Policy or Deductible: $225,000
Change in Vendor (if BA-related)
• RFP and Other Transition Costs: $-

LEGAL/REGULATORY (total $2,594,495)
OCR Fines, Penalties and CAPs
• Civil Monetary Penalty or Settlement: $-
• OCR Corrective Action Plan: $575,250
State Fines & Penalties
• State Fines: $95,000
• OCR Corrective Action Plan: $25,000
Class-Action Lawsuit
• Settlement Costs: $1,363,396
• Attorney Fees: $235,849
• Insurance Deductible: $300,000

OPERATIONAL (total $412,500)
Cost of Hiring Additional IS Staff
• Cost of New Hires: $375,000
• Recruiting & Training Fees: $37,500
• Cost of Reorganization: $-

CLINICAL (total $375,000)
• Fraudulent Claims Processed: $375,000
• Delayed or Inaccurate Diagnosis: $-

GRAND TOTAL COST OF DATA BREACH: $9,173,555
% OF TOTAL ANNUAL REVENUE: 3.7%
IMPACT: MODERATE
COST/RECORD: $917


Updated ROI…

Ponemon:
# of records breached: 10,000
Average cost/record: $408
Cost of a Breach: $4,080,000
Probabilized # of years between breaches: 2
Average annual cost of a probable breach: $2,040,000

But with an investment in recommended controls and safeguards…
# of years between breaches: 3
Annual cost of a breach: $1,360,000
Annual $ investment with breakeven ROI: $680,000

Including Other Considerations:
# of records breached: 10,000
Average cost/record: $917
Cost of a Breach: $9,173,555
Probabilized # of years between breaches: 2
Average annual cost of a probable breach: $4,586,778
# of years between breaches: 3
Annual cost of a breach: $3,057,852
Annual $ investment with breakeven ROI: $1,528,926
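The cost model from the "Putting it all together" slide and the breakeven-ROI arithmetic from the "But What If" and "Updated ROI" slides, worked through in Python as an added example (not code from the original deck). The line items, amounts and revenue figure are the deck's; the impact band edges around the deck's 2%/4%/6% anchors, and the renamed second "OCR Corrective Action Plan" key, are assumptions.

```python
"""Breach-cost and breakeven-ROI model built from the deck's worked figures.
Added example, not part of the original slides. Impact band edges are assumed:
the deck only anchors labels at 2%/4%/6% of revenue and rates 3.7% as Moderate."""
from dataclasses import dataclass


def impact_label(pct_of_revenue: float) -> str:
    """Map breach cost as a % of annual revenue to the deck's impact scale."""
    if pct_of_revenue < 2.0:      # deck: Insignificant <2% of revenue
        return "Insignificant"
    if pct_of_revenue < 3.0:      # assumed edge between Minor (2%) and Moderate (4%)
        return "Minor"
    if pct_of_revenue < 5.0:      # assumed edge between Moderate (4%) and Major (6%)
        return "Moderate"
    if pct_of_revenue <= 6.0:
        return "Major"
    return "Severe"               # deck: Severe >6% of revenue


@dataclass
class BreachCostModel:
    annual_revenue: float
    records_breached: int
    categories: dict  # category -> {line item -> estimated cost in dollars}

    def category_totals(self) -> dict:
        return {name: sum(items.values()) for name, items in self.categories.items()}

    def grand_total(self) -> float:
        return sum(self.category_totals().values())

    def pct_of_revenue(self) -> float:
        return 100.0 * self.grand_total() / self.annual_revenue

    def cost_per_record(self) -> float:
        return self.grand_total() / self.records_breached

    def impact(self) -> str:
        return impact_label(self.pct_of_revenue())


def annualized_cost(breach_cost: float, years_between_breaches: float) -> float:
    """Spread one breach's cost over the expected interval between breaches."""
    return breach_cost / years_between_breaches


def breakeven_investment(breach_cost: float, years_now: float, years_after: float) -> float:
    """Annual spend that breaks even: the drop in annualized breach cost when
    controls stretch the expected interval between breaches (deck: 2 -> 3 years)."""
    return annualized_cost(breach_cost, years_now) - annualized_cost(breach_cost, years_after)


# Deck inputs: a $250M-revenue provider losing 10,000 records.
DECK_MODEL = BreachCostModel(
    annual_revenue=250_000_000,
    records_breached=10_000,
    categories={
        "Reputational": {"Loss of Current Patients/Customers": 2_625_000,
                         "Loss of New Business": 225_000,
                         "Loss of Strategic Partners": 31_500, "Loss of Staff": 392_500},
        "Financial": {"Detection/Escalation Cost": 200_000,
                      "Credit & ID Theft Monitoring": 1_320_000,
                      "Mitigation Costs": 113_240, "Lost Productivity": 300_000,
                      "Customer Notification": 229_000, "Media Notification": 60_360,
                      "Attorney Fees": 69_960, "Cyber Liability Insurance": 225_000},
        # the deck lists a second "OCR Corrective Action Plan" line under state fines
        "Legal/Regulatory": {"OCR Corrective Action Plan": 575_250, "State Fines": 95_000,
                             "OCR Corrective Action Plan (state)": 25_000,
                             "Class-Action Settlement Costs": 1_363_396,
                             "Class-Action Attorney Fees": 235_849,
                             "Insurance Deductible": 300_000},
        "Operational": {"Cost of New Hires": 375_000, "Recruiting & Training Fees": 37_500},
        "Clinical": {"Fraudulent Claims Processed": 375_000},
    },
)

if __name__ == "__main__":
    m = DECK_MODEL
    print(f"Total ${m.grand_total():,.0f} = {m.pct_of_revenue():.1f}% of revenue "
          f"({m.impact()}), ${m.cost_per_record():,.0f}/record")
    for label, cost in (("Ponemon $408/record", 4_080_000), ("Full model", m.grand_total())):
        print(f"{label}: breakeven investment ${breakeven_investment(cost, 2, 3):,.0f}/yr "
              f"(annualized @2y ${annualized_cost(cost, 2):,.0f}, @3y ${annualized_cost(cost, 3):,.0f})")
```

The breakeven figure is the difference between the two annualized costs, which is why the deck's $680,000 and $1,528,926 both fall out of the same two-year-to-three-year assumption.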


Business Outcomes

Financials / People / Satisfaction / Quality

• Stronger Financials … Balance sheet, lower cost of capital, competitive insurance rates
• Lower Career Risk … Confidence, passion, energy, engagement, taking the right risks
• Higher Satisfaction … Patients, physicians, workforce members, board, investors, community
• Increased Quality … Access to care, timely care, confidentiality, integrity & availability of information

Fewer/No Breaches, Fewer/No Complaints, No Failed IRM-related Audits


Polling Question

Do you think this type of analysis will help you get the funds you need?


Thank You & Questions

Baxter Lee
Baxter.Lee@ClearwaterCompliance.com
615-538-2151
www.clearwatercompliance.com


Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
