© Clearwater Compliance LLC | All Rights Reserved
July 25, 2019
CIO Virtual Cybersecurity Symposium, Session 3 | Module 6
Making the Case for Cyber Risk Management Investments
Baxter Lee, Chief Financial Officer, Clearwater
Module 6 Overview
Making the Case for Cyber Risk Management Investment
Module Duration = 50 Minutes
Learning Objectives Addressed in This Module:
1. Learn the potential repercussions of a data breach
2. Prepare to calculate the cost of a data breach specific to your organization
3. Understand how to present a compelling Return on Investment (“ROI”) calculation for your Information Risk Management Program
4. Turn the breach cost into a compelling business plan to strengthen your security program
Your Presenter:
Baxter Lee, Chief Financial Officer, Clearwater
• 17+ years in Finance, primarily in the healthcare sector
• 10+ years of experience in banking, private equity and M&A
• Former CFO for Entrada Health, successfully leading the company through its sale to NextGen Healthcare (NASDAQ: NXGN)
• BA, Business Administration - Washington & Lee University
• MBA - Owen Graduate School of Management at Vanderbilt University
• Passionate about helping healthcare organizations protect the highly sensitive data that they are entrusted with on behalf of their patients
Digital Transformation in Healthcare
• Rapid adoption of new technology and information systems to support key business initiatives such as value-based care, consumer engagement and data & analytics…
• 196% Annual Growth
• 10.2M Individuals
• 2019 v 2018: +170%
• 1.2 Breaches per Day
Dell EMC annual Global Data Protection Index, 2019
https://www.hipaajournal.com/may-2019-healthcare-data-breach-report/
Healthcare vs Other Industries
• The healthcare industry ranks 15th when compared to 17 major U.S. industries
• The healthcare industry is one of the lowest performing industries in terms of endpoint security
• 60% of the most common cybersecurity issues in healthcare relate to poor patching cadence
• Social engineering attacks continue to put patient data at risk
2018 Breaches by Type of Entity and Source
Breaches by Source:
• Hacking, 45%
• Insider-Error, 25%
• Insider-Wrongdoing, 6%
• Theft, 9%
• Lost/Missing, 8%
• Unknown, 7%
Breaches by Type of Entity:
• Healthcare Providers, 70%
• BA/Vendors, 10%
• Health Plans, 12%
• Misc/Other, 8%
https://www.protenus.com/2019-breach-barometer
What are CISOs Worried About?
Two-thirds of chief information security officers (CISOs) believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year
• 66% - Data breach
• 59% - Cyber attack
• 54% - Inability to reduce employee negligence
• 48% - Ransomware
• 47% - Unsecured IoT devices
• 42% - 3rd party data breach
• 34% - Inadequate Budget
• 25% - Malicious Insider
70% cited “lack of competent in-house staff” as the #1 concern
https://www.healthcare-informatics.com/news-item/cybersecurity/what-are-cisos-worried-about-2018-data-breaches-and-human-factor-survey
OCR Enforcement Actions are Increasing
To date, OCR has settled or imposed civil money penalties in 66 cases for a total of $107M
OCR Penalties & Settlements by Year ($000s): 2015 $6,193; 2016 $23,505; 2017 $19,414; 2018 $28,683
Average $/Settlement ($000s): 2015 $1,032; 2016 $1,808; 2017 $1,941; 2018 $2,608
• “2018 was a ‘banner’ year for enforcement.” - Roger Severino, Director, Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services
• Nearly 500 organizations currently under investigation
• 90% of all ePHI fines related to insufficient Risk Analysis
• OCR enforcement activity is not slowing down!
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Developing Your Business Plan…
What…
• Bad Thing Could Happen?
• Vulnerabilities Exist?
• Offsetting Controls or Safeguards Exist?
• Is the Likelihood of that Bad Thing Happening?
• Is the Potential Impact if the Bad Thing Happens?
What is Risk?
• Risk = Likelihood x Impact
What do many breaches have in common?
Any of the below can increase the likelihood of a breach…
• Inadequate Policies & Procedures
• Inadequate Workforce Training
• Inadequate Sanctions for Non-Compliance
• Inadequate Security Awareness
• Inadequate Access Controls & Activity Monitoring
• Inadequate Security & Privacy Governance
• Inadequate Incident Response & Mitigation Plans
• Inadequate Risk Analysis & Risk Management Programs
Top Vulnerabilities in Risk Ratings
Vulnerability                                        Average Risk Rating
IS Security Staffing Deficiencies                    20.0
Old or Outdated Equipment                            17.8
Unsupported Operating System                         17.8
Network Configuration Deficiencies                   17.1
Insecure Device Configuration                        17.1
Wireless Network Deficiencies                        16.7
Endpoint Leakage                                     16.7
Weak Passwords                                       16.3
Password Creation and Distribution Deficiencies      16.2
Inadequate Device or Data Encryption                 16.1
The Last Word on Sources of Likelihood
Determining the Impact
Ponemon Study: 2018 Cost of a Data Breach
https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries
Average Cost of a Breach
• Likelihood: Not if, but when…
• Ponemon: 96% of all the healthcare providers who participated in the study say they have had at least one data breach over a 24-month period
• Impact (main drivers):
  • Size of the breach
  • Time to identify and contain the breach
  • The vulnerability exploited
• Average size of a breach = 10,000 records
  # of records breached: 10,000
  Average cost/record: $408
  Cost of a Breach: $4,080,000
Direct vs Indirect Costs
Direct Costs
Indirect Costs
Deloitte’s 2019 Future of Cyber Survey
https://deloitte.wsj.com/cio/2019/07/11/cyber-incidents-and-breaches-the-data-dilemma/?mod=djemCIO
But What If…
Ponemon
# of records breached: 10,000
Average cost/record: $408
Cost of a Breach: $4,080,000
Probabilized # of years between breaches: 2
Average annual cost of a probable breach: $2,040,000
# of years between breaches (with investment): 3
Annual cost of a breach: $1,360,000
Annual $ investment with breakeven ROI: $680,000
Calculating the Financial Impact of a Breach
https://www.idexpertscorp.com/index.php/knowledge-center/single/ANSI-PHI-Project
Table of Contents
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. Data Breach Costing Framework
8. Calculating the Cost of a PHI Breach
9. Finale
10. Appendices
Repercussions…
Reputational Repercussions
Relevance Considerations
• Type of Business (CE or BA)
• Availability of Competitive Alternatives
• Acceptability of Competitive Alternatives
Impact Considerations
• Size of the Breach
• Sensitivity of Data
• Age of Affected Individuals
• Income of Affected Individuals
Abnormal Churn Rates
“The biggest financial consequence to organizations that experience a data breach is lost business. Following a data breach, organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.”
https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries
Sensitivity to Privacy Matters – Demographics Matter
[Charts] % of Age Groups Reporting High Health Privacy Sensitivity; % of Income Levels Reporting High Health Privacy Sensitivity
http://www.laresinstitute.com/blog/study-on-privacy-demographics
Cost of Replacing Staff
Recruiters Charge 20-35% of Starting Salary
Not including advertising, administrative time, recruiting fees, and interview costs
https://www.recruiter.com/salaries/healthcare-professionals-salary.html
http://www.businessknowhow.com/QandA/recruit.htm
Suggested Formulas
Loss of Patients = (average revenue per patient) x (estimated # of patients lost) x (variable margin)
Loss of current customers = (average revenue per customer) x (estimated # of customers lost) x (variable margin)
Loss of new customers = (expected average revenue per customer) x (estimated # of new customers lost) x (variable margin)
Loss of strategic partners = (projected margin per partner) x (estimated # of partners lost)
Loss of staff = (average cost of recruiting and training new staff) x (estimated # of new staff replaced) + (average margin not being generated during transition)
Financial Repercussions
Relevance Considerations
• Size of Breach
• Complexity of Breach
• Strength of Safeguards
• Type of Company (public or private)
• Breached Party (CE or BA)
Impact Considerations
• Size of the Breach
• Type of Breach (malicious vs. unintentional)
• Further Disclosure
• Type of Data (financial as well as health)
Elements of Notification Costs
Notification to Affected Individuals
• Set Up of Contact Databases
• Message Development
• Legal Review
• Printing
• Postage
• Assembly
• Call Center Support
PR and/or IR Campaign
• Content Development
• Legal Review
• Advertising
• Inquiry Response Time
Notification to Media
• Identification of Media Groups
• Message Development
• Legal Review
• Inquiry Response Time
Notification to HHS
• Content Development
• Legal Review
• Inquiry Response Time
> 500 records
$50 per record
Credit & Identity Theft Monitoring
http://www.nextadvisor.com/identity_theft_protection_services/compare.php
Wide Range: $10 - $30/month/person
Legal & Regulatory Repercussions
Relevance Considerations
• Size of Breach
• Type of Business (public vs. private)
• Strength of Compliance Program
• History of Previous Breaches
• Board Oversight
• Accreditation Requirements
Impact Considerations
• Size of the Breach
• Type of Breach (malicious vs. unintentional)
• Type of Data (financial as well as health)
• Age of Affected Individuals
• Income of Affected Individuals
• Celebrity Status of Affected Individuals
• Resident State of Affected Individuals
Fines and Settlement Agreements are Increasing
# of Settlements: 2013 5; 2014 7; 2015 6; 2016 13; 2017 10; 2018 11
Average $/Settlement ($000s): 2013 $748; 2014 $1,134; 2015 $1,032; 2016 $1,808; 2017 $1,941; 2018 $2,608
Recent Significant Cases:
• Touchstone Medical Imaging – $3.0M; uncontrolled access to ePHI via the internet
• Cottage Health – $3.0M; 2 violations of unsecured ePHI accessible via the internet
• Fresenius Medical - $3.5M; multiple breaches across 5 locations
• MD Anderson - $4.3M; theft of unencrypted laptop and loss of unencrypted thumb drives
• Anthem - $16M; impermissible disclosure of ePHI due to cyberattack
State AG Settlements in 2018-2019
• Business Associates have been responsible for 9 of the Breaches (41%) and $7.0M (36%) of the settlement amounts
• After 3 settlement agreements totaling ~$2.7MM, Aetna has filed a lawsuit against its BA for breach
Class Action Lawsuits: $1,000-$2,500 per
• St. Joseph Health System - $7.5MM Settlement + $7.5MM attorney fees
• State of Texas – 3.5 MM state employees
• Stanford Hospital & Clinic - 20,000 patients
• Sutter Health Hit With $1B Class-Action Lawsuit
• TRICARE Health Management Sued for $4.9B
• AvMed Health sued over 'one of the largest medical breaches in history'
• Emory Healthcare Faces Class-Action Suit Over Data Breach
• Landmark $115 million settlement reached in Anthem data breach suit...
• CHS reaches $3.1M settlement with 4.5M patients affected by data breach
http://www.mainjustice.com/2013/09/05/settlement-reached-in-healthcare-data-breach-lawsuit/
Operational Repercussions
Relevance Considerations
• Sufficiency of Current Resources
• Level of Change in Procedures Required
• Level of Oversight of Compliance Program
Impact Considerations
• Type of Breach (malicious vs. unintentional)
• # of Additional Resources Needed
• Level of Disruption of Organizational Changes
And then there may be the need to add Cyber Security Talent
Top Reasons for Cyber Workforce Shortage
• Business Conditions
• Can’t find Qualified Personnel
• Requirements not Understood
• No Clear Career Path
• Retainment Issues
“The issue isn’t distribution of cyber resources – it’s that there just aren’t enough of them out there”
68% of cyber security experts in North America say they don’t have the professionals they need on their security teams
By Focal Point Insights, February 22, 2018
Clinical Repercussions
Relevance Considerations
• Type of Data (financial vs medical)
• Likelihood of Compromise
• Involvement in Research
Impact Considerations
• Type of Breach (malicious vs. unintentional)
• Age and income of affected individuals
• Type of Research
http://www.ponemon.org/local/upload/file/Third_Annual_Survey_on_Medical_Identity_Theft_FINAL.pdf
Clinical Repercussions on the Patient
What if there is a Compromise of the …
Confidentiality:
• Identity Theft
• Reputational Damage
• Relationship Damage
• Employment Damage
• Financial Damage
• Anxiety
• Depression
Integrity:
• Incorrect Diagnosis
• Incorrect Treatment
• Incorrect Prescriptions
• Incorrect Billing Charges
• Contaminated Clinical Trial
• Identity Theft
• Reputational Damage
• Death
Availability:
• Delayed Admittance
• Delayed Diagnosis
• Delayed Surgery
• Delayed Prescriptions
• Delayed Discharge
• Diagnosis Errors
• Treatment Errors
• Death
Affects Patient Safety, Satisfaction and Quality of Care
Putting it all together…
Total Impact Scoring (breach cost as % of annual revenue): Insignificant <2% of Revenue; Minor 2% of Revenue; Moderate 4% of Revenue; Major 6% of Revenue; Severe >6% of Revenue
Annual Revenues: $250,000,000    # of records breached: 10,000

COST CATEGORY       COST IMPACT                          COST SUB-CATEGORY                       COST           TOTAL COST
REPUTATIONAL                                             Loss of Current Patients/Customers      $2,625,000
                                                         Loss of New Business                    $225,000
                                                         Loss of Strategic Partners              $31,500
                                                         Loss of Staff                           $392,500       $3,274,000
FINANCIAL           Remediation                          Detection/Escalation Cost               $200,000
                                                         Credit & ID Theft Monitoring            $1,320,000
                                                         Mitigation Costs                        $113,240
                                                         Lost Productivity                       $300,000
                    Notification                         Customer Notification                   $229,000
                                                         Media Notification                      $60,360
                                                         Attorney Fees                           $69,960
                    Cyber Liability Insurance            New Policy or Deductible                $225,000
                    Change in Vendor (if BA-related)     RFP and Other Transition Costs          $-             $2,517,560
LEGAL/REGULATORY    OCR Fines, Penalties and CAPs        Civil Monetary Penalty or Settlement    $-
                                                         OCR Corrective Action Plan              $575,250
                    State Fines & Penalties              State Fines                             $95,000
                                                         OCR Corrective Action Plan              $25,000
                    Class-Action Lawsuit                 Settlement Costs                        $1,363,396
                                                         Attorney Fees                           $235,849
                                                         Insurance Deductible                    $300,000       $2,594,495
OPERATIONAL         Cost of Hiring Additional IS Staff   Cost of New Hires                       $375,000
                                                         Recruiting & Training Fees              $37,500
                                                         Cost of Reorganization                  $-             $412,500
CLINICAL                                                 Fraudulent Claims Processed             $375,000
                                                         Delayed or Inaccurate Diagnosis         $-             $375,000

GRAND TOTAL COST OF DATA BREACH: $9,173,555
% OF TOTAL ANNUAL REVENUE: 3.7%
IMPACT: MODERATE
COST/RECORD: $917
Updated ROI…
                                                  Ponemon        Including Other Considerations
# of records breached                             10,000         10,000
Average cost/record                               $408           $917
Cost of a Breach                                  $4,080,000     $9,173,555
Probabilized # of years between breaches          2              2
Average annual cost of a probable breach          $2,040,000     $4,586,778
But with an investment in recommended controls and safeguards…
# of years between breaches                       3              3
Annual cost of a breach                           $1,360,000     $3,057,852
Annual $ investment with breakeven ROI            $680,000       $1,528,926
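The arithmetic behind the "Putting it all together" and "Updated ROI" slides, written out as an added worked example (this is not code from the original deck or from Clearwater): sub-category costs are summed per category, the grand total is expressed per record and as a share of annual revenue, and the breakeven annual investment is the fall in expected annual breach cost when the recommended controls lengthen the interval between breaches from 2 to 3 years. The dollar figures are the slides' own; the function names and the tier rule (reading "Minor 2% / Moderate 4% / Major 6%" as markers with nearest-marker assignment) are assumptions made here.

```python
"""Breach cost roll-up, impact scoring and breakeven investment (added example)."""
import math
from dataclasses import dataclass

# Sub-category costs from the "Putting it all together" slide, grouped by cost
# category. The groupings are the ones implied by the slide's own category totals.
COST_CATEGORIES = {
    "Reputational": {
        "Loss of Current Patients/Customers": 2_625_000,
        "Loss of New Business": 225_000,
        "Loss of Strategic Partners": 31_500,
        "Loss of Staff": 392_500,
    },
    "Financial": {
        "Detection/Escalation Cost": 200_000,
        "Credit & ID Theft Monitoring": 1_320_000,
        "Mitigation Costs": 113_240,
        "Lost Productivity": 300_000,
        "Customer Notification": 229_000,
        "Media Notification": 60_360,
        "Attorney Fees (notification)": 69_960,
        "Cyber Liability Insurance: New Policy or Deductible": 225_000,
        "Change in Vendor: RFP and Other Transition Costs": 0,
    },
    "Legal/Regulatory": {
        "Civil Monetary Penalty or Settlement": 0,
        "OCR Corrective Action Plan": 575_250,
        "State Fines": 95_000,
        "State Corrective Action Plan": 25_000,
        "Class-Action Settlement Costs": 1_363_396,
        "Class-Action Attorney Fees": 235_849,
        "Insurance Deductible": 300_000,
    },
    "Operational": {
        "Cost of New Hires": 375_000,
        "Recruiting & Training Fees": 37_500,
        "Cost of Reorganization": 0,
    },
    "Clinical": {
        "Fraudulent Claims Processed": 375_000,
        "Delayed or Inaccurate Diagnosis": 0,
    },
}


def dollars(amount):
    """Round half up to whole dollars, as the slides present every figure."""
    return int(math.floor(amount + 0.5))


def category_totals(categories=COST_CATEGORIES):
    return {name: sum(items.values()) for name, items in categories.items()}


def grand_total(categories=COST_CATEGORIES):
    return sum(category_totals(categories).values())


def impact_tier(share_of_revenue):
    """Map breach cost as a fraction of annual revenue to the slide's tiers.

    Assumption: the 'Minor 2% / Moderate 4% / Major 6%' labels are markers and a
    value between markers takes the nearest one; <2% and >6% are the end tiers.
    """
    if share_of_revenue < 0.02:
        return "Insignificant"
    if share_of_revenue > 0.06:
        return "Severe"
    markers = {0.02: "Minor", 0.04: "Moderate", 0.06: "Major"}
    return markers[min(markers, key=lambda m: abs(m - share_of_revenue))]


def summarize(annual_revenue, records, categories=COST_CATEGORIES):
    """Grand total, cost per record, share of revenue and tier for one breach."""
    total = grand_total(categories)
    share = total / annual_revenue
    return {"grand_total": total, "cost_per_record": dollars(total / records),
            "share_of_revenue": share, "tier": impact_tier(share)}


@dataclass(frozen=True)
class BreachScenario:
    records: int
    breach_cost: int               # full cost of one breach
    years_between_breaches: float  # current (probabilized) interval
    years_with_controls: float     # interval expected after the investment

    @classmethod
    def from_per_record(cls, records, cost_per_record, years, years_with_controls):
        return cls(records, dollars(records * cost_per_record), years, years_with_controls)

    def annual_cost(self, years):
        # One breach's cost spread over the expected years between breaches.
        return dollars(self.breach_cost / years)

    def breakeven_investment(self):
        """Annual spend that exactly pays for itself: the drop in expected annual cost."""
        return self.annual_cost(self.years_between_breaches) - self.annual_cost(self.years_with_controls)


if __name__ == "__main__":
    s = summarize(annual_revenue=250_000_000, records=10_000)
    print(f"Total ${s['grand_total']:,} = ${s['cost_per_record']}/record, "
          f"{s['share_of_revenue']:.1%} of revenue ({s['tier']})")
    for label, sc in (("Ponemon", BreachScenario.from_per_record(10_000, 408, 2, 3)),
                      ("All considerations", BreachScenario(10_000, s["grand_total"], 2, 3))):
        print(f"{label}: ${sc.annual_cost(2):,}/yr -> ${sc.annual_cost(3):,}/yr; "
              f"breakeven investment ${sc.breakeven_investment():,}/yr")
```

Swapping in your own sub-category figures, revenue and breach interval turns this into the organization-specific calculation the module asks for; the breakeven figure is only as good as the estimate of how much the controls lengthen the interval between breaches, so that assumption should be stated alongside the result.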
Business Outcomes
Fewer/No Breaches, Fewer/No Complaints, No Failed IRM-related Audits
• Financials: Stronger Financials … Balance sheet, lower cost of capital, competitive insurance rates
• People: Lower Career Risk … Confidence, passion, energy, engagement, taking the right risks
• Satisfaction: Higher Satisfaction … Patients, physicians, workforce members, board, investors, community
• Quality: Increased Quality … Access to care, timely care, confidentiality, integrity & availability of information
Module 6 Supplemental Resources
• The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security (ANSI) (PDF)
• Links to Supplemental Guidance from OCR
  o HIPAA Guidance Materials
  o OCR Resolution Agreements
  o OCR Complaint Data
  o OCR Breach Data
  o FACT SHEET: Ransomware and HIPAA
• HIPAA Privacy, Security and Breach Notification Audit Program
Polling Question
Do you think this type of analysis will help you get the funds you need?
Thank You & Questions
Baxter Lee
Baxter.Lee@ClearwaterCompliance.com
615-538-2151
www.clearwatercompliance.com
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
22018-1