
Safeguarding Patient Privacy in a Digital Age (Brian Kalis)

Date post: 15-Apr-2017
Upload: us-news-healthcare-of-tomorrow

Health Cyber Security

Accenture Point of View

Health cyber security “is the Wild West…What’s in the news is just the tip of the iceberg.”

Kevin Johnson, CEO, Secure Ideas

Source: “Hacker calls health security ‘Wild West’” - http://www.healthcareitnews.com/news/hacker-calls-health-security-wild-west

Copyright © 2015 Accenture All rights reserved.

SITUATION, COMPLICATION, OPPORTUNITY

Situation: What is happening with health cyber security?

• Over the last five years, data breaches have increased dramatically in both frequency and number of impacted individuals.

• From 2010 to 2014, the number of health care data breaches impacting more than 500 individuals increased over 40%.

Health Care Data Breaches Impacting >1 Million Individuals Over the Last 5 Years (2010 to 2015)

| Organization | Individuals Impacted | Breach Type |
|---|---|---|
| Anthem | 78.8M | Cyber Attack |
| UCLA | 4.5M | Cyber Attack |
| CareFirst BCBS | 1.1M | Cyber Attack |
| AvMed Inc. | 1.2M | Theft |
| BCBS TN | 1.0M | Theft |
| GRM Services | 1.7M | Theft |
| IBM | 1.9M | Unknown |
| Nemours Foundation | 1.1M | Loss |
| SAIC | 4.9M | Loss |
| Advocate Health | 4.0M | Theft |
| MT HHS | 1.1M | Cyber Attack |
| Community Health | 4.5M | Theft |
| Xerox | 2.0M | Unauthorized Access |
| Premera | 11.1M | Cyber Attack |

Sources: Accenture analysis based on data from the HHS Office for Civil Rights breach portal. Data accurate as of July 2015.

Situation: How are different health organizations affected by data breaches?

• Trends vary for how different health industry stakeholders are impacted by the increasing risk and crime related to health data security.

Health Care Data Breaches, January 2010 – July 2015

| | Health Plans | Healthcare Providers | Business Associates |
|---|---|---|---|
| Total Breaches | 141 | 838 | 273 |
| Individuals Impacted | ~98 Million (w/o Anthem – 19.3M) | ~18 Million | ~22 Million |
| Average Breach Size | ~696,000 (w/o Anthem – 138,000) | ~22,000 | ~82,000 |

Health Care Data Breaches – Key Points

• Anthem Breach Outlier: Accounted for ~80% of total individuals impacted by Health Plan breaches since 2010

• Health Plan Breaches: Occurred less frequently and impacted the most individuals on average (even excluding Anthem outlier)

• Healthcare Provider Breaches: Occurred most frequently and impacted the fewest individuals on average

• Business Associate Breaches: Impacted the largest total number of individuals (excluding Anthem outlier)

Sources: Accenture analysis based on data from the HHS Office for Civil Rights breach portal. Data accurate as of July 2015. Healthcare Clearing Houses and a small number of breaches without a designated covered entity type were excluded from this analysis based on low reporting rate.

Situation: Why are health data breaches such a large risk?

• The monetary value of stolen health care data far surpasses other forms of personal information, making it a prime target for security threats.

Medicare Number Black Market Value: $470

Credit Card Number Black Market Value: Few quarters or dollars

Sources: “The black market for stolen health care data” - http://www.npr.org/blogs/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data

Situation: How do health data breaches impact victims?

• Individuals victimized by medical information and medical identity theft suffer a variety of problems related to the crime.

TIME

Victims resolving crimes related to medical identity theft spend more than 200 hours on:

• Verifying that the correct personal health information remains in the record and false information is removed

• Ensuring that the criminal can no longer use the victim’s medical information fraudulently

• Dealing with medical invoices and claims

WELLBEING

Fraudulent use of personal medical and financial information can be difficult to detect and remedy. Medical identity theft can cause dangerous errors such as:

• Misdiagnosis

• Delayed medical treatment

• Interference with provision of the correct medical care

Additionally, 45% of victims say the crimes affected their reputation and were embarrassing due to disclosure of sensitive information.

FINANCES

Medical identity theft victims are not usually protected from health cyber crimes and pay an average of $13,500 in out-of-pocket expenses for:

• Incorrect medical bills paid unwittingly

• Reimbursement to insurers for healthcare services obtained fraudulently

• Legal costs to unravel the cyber crime and remedy negative implications

Sources: Ponemon Fifth Annual Study on Medical Identity Theft - http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/

Situation: What is the projected financial impact to patients?

• Over the next five years, patients will suffer ~$56 billion in out-of-pocket costs due to medical identity theft resulting from healthcare provider data breaches.

Projected Patients Impacted and Victimized by Medical Identity Theft due to Healthcare Provider Breaches, 2015-2019 (Millions)

| Year | Patients Impacted | Patients Victimized | Patients Paying OOP |
|---|---|---|---|
| 2015 | 3.47 | 0.87 | 0.56 |
| 2016 | 4.13 | 1.03 | 0.67 |
| 2017 | 4.93 | 1.23 | 0.80 |
| 2018 | 5.87 | 1.47 | 0.95 |
| 2019 | 7.00 | 1.75 | 1.14 |

Patient OOP Costs: $56 Billion

Accenture projects that 25% of patients impacted by healthcare provider data breaches between 2015 and 2019—more than 6 million people—will subsequently become victims of medical identity theft. Sixteen percent of impacted patients—more than 4 million people—will be victimized and pay out-of-pocket costs totaling almost $56 billion over the next 5 years.

Source: “The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction.” Accenture. July 2015. Projections are original Accenture analysis utilizing data from the Ponemon Fifth Annual Study on Medical Identity Theft (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/), the Ponemon Fourth Annual Benchmark Study on Patient Privacy and Data Security (http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security), and the HHS Office for Civil Rights breach database.

Situation: What is the projected financial impact to patients?

• Over the next five years, healthcare providers are at risk of losing over $300 billion in cumulative lifetime patient revenue due to data breaches.

Provider Revenue Risk: $305 Billion

Almost half of patients say they would find a different provider if they were informed their medical records were stolen. Taking into account the estimated lifetime economic value of a patient, Accenture analysis shows that healthcare providers are at risk of losing $305 billion in cumulative lifetime patient revenue due to the projected data breaches occurring over the next five years.

[Chart: Lifetime Patient Revenue At Risk Related to Projected Healthcare Provider Data Breaches, by year, 2015 to 2019; vertical axis in billions of dollars, $0 to $90]

Estimated cumulative lifetime patient revenue loss 2015 to 2019: ~$305 billion

Source: “The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction.” Accenture. July 2015. Projections are original Accenture analysis utilizing data from the Ponemon Fifth Annual Study on Medical Identity Theft (http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/), the Ponemon Fourth Annual Benchmark Study on Patient Privacy and Data Security (http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security), and the HHS Office for Civil Rights breach database.

Complication: What are key challenges to improving health cyber security?

• The healthcare industry faces unique challenges and must address how stakeholders can catch up with other industries.

• Poor Diligence: Lack of awareness of security breaches during and following attack

• Partner Weaknesses: Vendor and partner security weaknesses impact all

• Outdated Security: Healthcare organizations tend to have fewer defenses and dated protection – e.g. on-premise servers are less secure than cloud solutions

• Inaccurate Perceptions: Belief that smaller organizations are immune from attack is misleading – everyone is at risk

• Rich Data At Risk: Stolen health information is worth 10 times more than credit cards on the black market due to the personal identity data

• Compliance Is Not Enough: Impacted organizations and the industry overall demonstrate slow response to rapidly increasing vulnerability

Sources: “Hacker calls health security ‘Wild West’” - http://www.healthcareitnews.com/news/hacker-calls-health-security-wild-west, “Why health hacks are worse than credit card hacks” - http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/?xid=yahoo_fortune, “8 reactions to the Anthem hack from health IT leaders and cybersecurity experts” - http://www.beckershospitalreview.com/healthcare-information-technology/8-reactions-to-the-anthem-hack-from-health-it-leaders-and-cybersecurity-experts.html

Opportunity: How can organizations approach addressing cyber security?

• Health organizations must move to active defense and prioritize improvements of their cyber security in order to thwart breach events and malicious attacks.

• Become agile: Embrace the cloud and other emerging technologies to boost IT agility and reach customers faster, capitalize on efficiency and cost benefits and do so within risk tolerances

• Assess security capability, identify opportunities: Determine where the organization currently stands and the level of resources required to support meaningful transformation

• Develop end-to-end delivery and sourcing: Plan a delivery and operational strategy for each of the security services they offer to make a clear-eyed assessment of internal competencies for designing, building and deploying elements of a cyber-security program

• Manage complexity and integrate the enterprise: Evolve the security program vision: establish an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business

• Accelerate toward security intelligence: Adapt to handle new threats to the enterprise by developing threat-centered operations by developing a deep understanding of adversaries, their goals and techniques

Source: Accenture. “Intelligent Security: Defending the Digital Business.” August 2014.

Glossary of Terms

• Lifetime patient revenue: Total economic value or total patient revenue over the lifetime of an individual patient.

• Cumulative lifetime patient revenue: Total lifetime patient revenue for a group of patients.

• Medical information theft: The crime of stealing patient personal information (including clinical and/or financial information).

• Medical identity theft: The crime of fraudulently using an individual’s name and personal identity to receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.

• Impacted patients: Patients who have their personal information stolen in a data breach (as reported to the U.S. Department of Health and Human Services Office for Civil Rights for breaches impacting 500 or more people).

• Victimized patients or medical identity theft victims: Patients who have their personal information stolen in a data breach and whose information is subsequently used in a fraudulent manner.

*Security breaches impacting more than 500 people must be reported by healthcare organizations to the U.S. Department of Health and Human Services Office for Civil Rights.

For more information:

Brian Kalis, Accenture Health & Public Services

Janessa Nickell, Accenture

Join the conversation:

@AccentureHealth, @AccentureStrat