Sixth Annual Benchmark Study on Privacy & Security of...

Date post: 20-May-2020
Sponsored by ID Experts. Presented by Dr. Larry Ponemon and Rick Kam. May 17, 2016. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.
Transcript
Sponsored by ID Experts

Presented by Dr. Larry Ponemon and Rick Kam

May 17, 2016

Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data

5/17/16 | slide 1

Presenters

Rick Kam, President & Co-founder, ID Experts

Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute

5/17/16 | slide 2

Ponemon Institute LLC

The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection and information security in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as CASRO’s chairman of the Government & Public Affairs Committee of the Board.

The Institute has assembled more than 65 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.

5/17/16 | slide 3

Agenda

• Introductions

• Data from Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data

• Discussion of findings and key takeaways

• Q & A

5/17/16 | slide 4

Privacy and security of patient data in healthcare organizations and business associates

5/17/16 | slide 5

Reasons why healthcare and business associates believe they have a target on their backs
Two choices permitted

[Chart; series: CE 2016, BA 2016]
Categories: Other; It is difficult to identify malicious insiders who work in healthcare organizations; Patient information is more valuable to identity thieves and cyber attackers than other types of information; Healthcare employees are negligent in the handling of patient information; Healthcare organizations are not investing in technologies to mitigate a data breach; Healthcare organizations are not hiring enough skilled IT security practitioners; Healthcare organizations are not vigilant in ensuring their partners and other third parties protect patient information
Data labels: 2%, 10%, 10%, 54%, 50%, 42%, 32%, 3%, 12%, 14%, 35%, 41%, 44%, 51%

5/17/16 | slide 6

How have recent healthcare data breaches affected your security practices?
Two choices permitted

[Chart; series: CE 2016, BA 2016]
Categories: Other; Hired more skilled IT security practitioners; Increased employee training; Increased our investment in technologies to mitigate a data breach; Became more vigilant in ensuring our partners and other third parties have necessary precautions in place to safeguard patient information
Data labels: 3%, 29%, 60%, 55%, 53%, 3%, 26%, 52%, 58%, 61%

5/17/16 | slide 7

Healthcare organizations’ perceptions about privacy and healthcare data protection
Strongly agree and agree responses combined

[Chart; series: CE 2016, CE 2015]
Categories: Resources prevent or quickly detect unauthorized patient data access, loss or theft; Technologies effectively prevent or quickly detect unauthorized patient data access, loss or theft; Personnel has technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data; Policies and procedures effectively prevent or quickly detect unauthorized patient data access, loss or theft
Data labels: 33%, 49%, 53%, 58%, 37%, 54%, 57%, 63%

5/17/16 | slide 8

Business associates’ perceptions about privacy and healthcare data protection
Strongly agree and agree responses combined

[Chart; series: BA 2016, BA 2015]
Categories: Resources prevent or quickly detect unauthorized patient data access, loss or theft; Technologies effectively prevent or quickly detect unauthorized patient data access, loss or theft; Personnel has technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data; Policies and procedures effectively prevent or quickly detect unauthorized patient data access, loss or theft
Data labels: 41%, 46%, 50%, 50%, 45%, 51%, 51%, 53%

5/17/16 | slide 9

Security threats healthcare organizations worry about most
Three responses permitted

[Chart; series: CE 2016, CE 2015]
Categories: Other; Insecure medical devices; System failures; Process failures; Insecure mobile apps (eHealth); Identity thieves; Employee-owned mobile devices or BYOD; Malicious insiders; Use of public cloud services; Mobile device insecurity; Cyber attackers; Employee negligence
Data labels: 2%, 6%, 15%, 15%, 13%, 19%, 29%, 26%, 33%, 32%, 40%, 70%, 3%, 9%, 13%, 15%, 19%, 21%, 23%, 24%, 29%, 30%, 45%, 69%

5/17/16 | slide 10

What security threats worry business associates the most
Three responses permitted

[Chart; series: BA 2016, BA 2015]
Categories: Other; Identity thieves; Process failures; Insecure medical devices; Insecure mobile apps (eHealth); System failures; Employee-owned mobile devices or BYOD; Malicious insiders; Mobile device insecurity; Cyber attackers; Use of public cloud services; Employee negligence
Data labels: 0%, 5%, 13%, 15%, 19%, 19%, 36%, 19%, 40%, 35%, 48%, 51%, 2%, 6%, 11%, 12%, 20%, 23%, 28%, 28%, 35%, 36%, 46%, 53%

5/17/16 | slide 11

Cyber attacks organizations are most concerned about
Two responses permitted

[Chart; series: CE 2016, BA 2016]
Categories: Password attacks; Rogue software; Advanced Persistent Threats; Phishing; Malware; Ransomware; Denial of Service (DoS)
Data labels: 11%, 13%, 20%, 29%, 34%, 45%, 48%, 8%, 11%, 16%, 32%, 41%, 44%, 48%

5/17/16 | slide 12

How often do you assess vulnerabilities to a data breach?

[Chart; series: CE 2016, BA 2016]
Categories: Monthly; Quarterly; Annually; No regular schedule; Unsure
Data labels: 3%, 5%, 41%, 43%, 8%, 11%, 14%, 33%, 35%, 7%

5/17/16 | slide 13

Percentage of security and privacy budget allocated to incident response for healthcare organizations

[Chart; series: Security budget allocated to data breach response, Privacy budget allocated to data breach response]
Categories: Less than 10%; 10% to 20%; 21% to 30%; 31% to 40%; 41% to 50%
Data labels: 17%, 60%, 17%, 6%, 0%, 11%, 30%, 28%, 25%, 6%

5/17/16 | slide 14

Percentage of security and privacy budget allocated to incident response for business associates

[Chart; series: Security budget allocated to data breach response, Privacy budget allocated to data breach response]
Categories: Less than 10%; 10% to 20%; 21% to 30%; 31% to 40%; 41% to 50%
Data labels: 23%, 40%, 31%, 5%, 1%, 14%, 38%, 25%, 23%, 0%

5/17/16 | slide 15

How has this percentage changed over the past 24 months?

[Chart; series: CE 2016, BA 2016]
Categories: Increased; Decreased; Stayed the same; Cannot determine
Data labels: 30%, 10%, 52%, 8%, 32%, 11%, 50%, 7%

5/17/16 | slide 16

Which department is ultimately accountable for the data breach incident response?

[Chart; series: CE 2016, BA 2016]
Categories: Security; Other; Legal; Privacy Office; Risk Management; Information Security; Corporate Compliance; Information Technology
Data labels: 1%, 0%, 4%, 3%, 7%, 25%, 19%, 41%, 2%, 2%, 5%, 6%, 9%, 21%, 25%, 30%

5/17/16 | slide 17

What type of third party providers do you hire?

[Chart; series: CE 2016, BA 2016]
Categories: Regulatory influencer/lobbyist; Public relations firm; Call center; Data breach resolution provider (i.e. notification, protection products); Identity theft and/or credit monitoring provider; Forensic/IT security provider; Outside legal counsel
Data labels: 0%, 12%, 15%, 23%, 20%, 43%, 67%, 1%, 16%, 21%, 27%, 30%, 48%, 65%

5/17/16 | slide 18

Data breaches in healthcare organizations and business associates

5/17/16 | slide 19

Has your organization suffered a data breach involving the loss or theft of patient data in the past 24 months?

[Chart; series: CE 2016, BA 2016]
Categories: Yes, more than 5 breaches; Yes, 2 to 5 breaches; Yes, 1 breach; No
Data labels: 45%, 34%, 10%, 11%, 13%, 15%, 32%, 39%

5/17/16 | slide 20

How confident are you that your organization has the ability to detect all patient data loss or theft?

[Chart; series: CE 2016, BA 2016]
Categories: Very confident; Confident; Little confidence; No confidence
Data labels: 18%, 35%, 30%, 17%, 15%, 30%, 33%, 22%

5/17/16 | slide 21

How the data breach was discovered (healthcare organizations)
More than one response permitted

[Chart; series: CE 2016, CE 2015]
Categories: Loss prevention; Law enforcement; Legal complaint; Accidental; Patient complaint; Employee detected; Audit/assessment
Data labels: 5%, 6%, 18%, 23%, 30%, 44%, 69%, 5%, 5%, 16%, 20%, 31%, 47%, 74%

5/17/16 | slide 22

What was the root cause of the healthcare organizations’ data breach?
More than one response permitted

[Chart; series: CE 2016, CE 2015]
Categories: Intentional non-malicious employee action; Malicious insider; Technical systems glitch; Unintentional employee action; Stolen computing device; Third-party snafu; Criminal attack
Data labels: 7%, 12%, 31%, 40%, 43%, 39%, 45%, 8%, 13%, 29%, 36%, 39%, 41%, 50%

5/17/16 | slide 23

Patient data successfully targeted (healthcare organizations)
More than one response permitted

[Chart; series: CE 2016, CE 2015]
Categories: Other; Prescription details; Scheduling details; Monthly statements; Payment details; Billing and insurance record; Medical file
Data labels: 2%, 18%, 18%, 15%, 20%, 46%, 55%, 1%, 11%, 12%, 16%, 22%, 45%, 64%

5/17/16 | slide 24

How the data breach was discovered (business associates)
More than one response permitted

[Chart; series: BA 2016, BA 2015]
Categories: Law enforcement; Loss prevention; Patient complaint; Legal complaint; Accidental; Audit/assessment; Employee detected
Data labels: 12%, 13%, 17%, 21%, 33%, 49%, 60%, 9%, 14%, 14%, 22%, 35%, 50%, 58%

5/17/16 | slide 25

What was the root cause of the business associates’ data breach?
More than one response permitted

[Chart; series: BA 2016]
Categories: Intentional non-malicious employee action; Malicious insider; Technical systems glitch; Stolen computing device; Criminal attack; Third-party snafu; Unintentional employee action
Data labels: 6%, 9%, 24%, 33%, 41%, 52%, 55%

5/17/16 | slide 26

Patient data successfully targeted (business associates)
More than one response permitted

[Chart; series: BA 2016, BA 2015]
Categories: Other; Scheduling details; Monthly statements; Prescription details; Medical file; Payment details; Billing and insurance record
Data labels: 3%, 6%, 6%, 21%, 23%, 41%, 55%, 2%, 4%, 8%, 23%, 24%, 45%, 56%

5/17/16 | slide 27

Harms patients actually suffer if their records are lost or stolen (healthcare organizations)
More than one response permitted

[Chart; series: CE 2016, CE 2015]
Categories: Increased risk that personal health facts will be disclosed; Increased risk of medical identity theft; Increased risk of financial identity theft; None
Data labels: 79%, 66%, 61%, 7%, 74%, 65%, 59%, 6%

5/17/16 | slide 28

What was the root cause of the medical identity theft?

[Chart; series: CE 2016, CE 2015]
Categories: Technical system glitches/authentication failure; Unsure; Stolen computing device; Criminal attack; Malicious insider; Third-party snafu; Intentional non-malicious employee action; Unintentional employee action
Data labels: 0%, 0%, 3%, 7%, 13%, 10%, 17%, 50%, 1%, 2%, 3%, 9%, 11%, 11%, 15%, 48%

5/17/16 | slide 29

Harms patients actually suffer if their records are lost or stolen (business associates)
More than one response permitted

[Chart; series: BA 2016, BA 2015]
Categories: Increased risk that personal health facts will be disclosed; Increased risk of financial identity theft; Increased risk of medical identity theft; None
Data labels: 67%, 46%, 28%, 18%, 69%, 44%, 23%, 19%

5/17/16 | slide 30

What was the root cause of the medical identity theft?

[Chart; series: BA 2016, BA 2015]
Categories: Unsure; Technical system glitches/authentication failure; Stolen computing device; Criminal attack; Third-party snafu; Unintentional employee action; Malicious insider; Intentional non-malicious employee action
Data labels: 0%, 0%, 4%, 9%, 13%, 22%, 22%, 30%, 2%, 1%, 2%, 8%, 14%, 20%, 20%, 33%

5/17/16 | slide 31

Do you believe credit monitoring or medical identity theft protection should be provided?

[Chart; series: CE 2016, BA 2016]
Categories: Yes; No
Data labels: 56%, 44%, 52%, 48%

5/17/16 | slide 32

Data breach insurance for healthcare organizations and business associates

5/17/16 | slide 33

What types of incidents does your organization’s data breach insurance cover?
More than one choice permitted

[Chart; series: CE 2016, BA 2016]
Categories: Unsure; Other; Human error, mistakes and negligence; System or business process failures; Malicious or criminal insiders; Incidents affecting business partners, vendors or other third parties that have access to your company’s information assets; External attacks by cyber criminals
Data labels: 9%, 6%, 15%, 19%, 36%, 52%, 57%, 9%, 4%, 16%, 21%, 35%, 48%, 56%

5/17/16 | slide 34

What coverage does data breach insurance provide?
More than one choice permitted

[Chart; series: CE 2016, BA 2016]
Categories: Unsure; Other; Communication costs to regulators; Brand damages; Revenue losses; Third-party liability; Employee productivity losses; Regulatory penalties and fines; Notification costs to data breach victims; Replacement of lost or damaged equipment; Forensics and investigative costs; Legal defense costs
Data labels: 9%, 8%, 12%, 8%, 15%, 23%, 23%, 28%, 48%, 49%, 68%, 73%, 9%, 5%, 9%, 11%, 14%, 21%, 24%, 24%, 50%, 56%, 65%, 71%

5/17/16 | slide 35

What services does the cyber insurer provide?
More than one choice permitted

[Chart; series: CE 2016, BA 2016]
Categories: Other; Assistance in reputation management activities; Advanced warnings about ongoing threats and vulnerabilities; Access to specialized technologies and tools; Assistance in the remediation of the incident; Access to cyber security forensic experts; Assistance in the notification of breach victims; Access to legal and regulatory experts; Identity protection services for breach victims; Credit-monitoring services for breach victims
Data labels: 3%, 14%, 36%, 52%, 49%, 56%, 63%, 75%, 79%, 80%, 2%, 17%, 37%, 45%, 55%, 60%, 64%, 71%, 74%, 78%

5/17/16 | slide 36

How satisfied was your organization with the claim process and amount paid?
7+ on a scale of 1 = not satisfied to 10 = highly satisfied

[Chart; series: CE 2016, BA 2016]
Categories: Satisfaction with how the claim was handled; Satisfaction with the amount paid
Data labels: 79%, 42%, 72%, 41%

5/17/16 | slide 37

Key Takeaways

• Data breaches in healthcare remain consistently high in terms of volume, frequency, impact, and cost.

• Newest cyber threat for 2016 is ransomware.

• Healthcare industry is more vulnerable to data breach than other industries.

• Patients are suffering the effects of data breaches; increased awareness of medical identity theft cases

5/17/16 | slide 38

Benchmark Methods

5/17/16 | slide 39

Methods

Benchmark sampling response | CE | BA
Organizations contacted | 516 | 474
Organizations agreeing to participate | 117 | 130
Organizations participating | 91 | 84
Participation rate | 18% | 18%

The responses were completed over a four-week period concluding in April 2016. A total of 516 covered entities and 474 business associates were selected for participation and contacted by the researcher. One hundred and seventeen covered entities and 130 business associates agreed to complete the benchmark survey.

5/17/16 | slide 40

Type of covered entity

[Chart]
Categories: Private healthcare provider; Public healthcare provider; Health insurer; Government agency; Other
Data labels: 50%, 37%, 7%, 4%, 2%

Type of business associate

[Chart]
Categories: Pharmaceuticals; IT services/cloud services; Data / claims processor; Transcription or other medical related services; Medical devices & products; Other
Data labels: 32%, 24%, 18%, 12%, 11%, 3%

5/17/16 | slide 41

What best describes the covered entity’s role or the role of the supervisor?

[Chart]
Categories: Chief information officer; Chief information security officer; HIPAA compliance leader; Chief compliance officer; General counsel; Chief privacy officer; Chief security officer; Chief medical information officer; Clinician; Chief finance officer; Other
Data labels: 16%, 15%, 14%, 13%, 8%, 7%, 6%, 5%, 5%, 3%, 8%

5/17/16 | slide 42

What best describes the business associate’s role or the role of the supervisor?

[Chart]
Categories: Chief compliance Officer; Chief information Security Officer; Chief information Officer; HIPAA Compliance Leader; Chief privacy Officer; General Counsel; Chief Risk Officer; Chief Security Officer; Chief Finance Officer; Chief Medical Officer; Other
Data labels: 25%, 20%, 14%, 12%, 7%, 6%, 5%, 3%, 3%, 2%, 3%

5/17/16 | slide 43

What best describes your department or function?

[Chart; series: CE 2016]
Categories: Other; Planning; Risk management; Human resources; Finance; Medical informatics; Medical staff; Privacy; Legal; Records management; Security; Patient services; Information…; Compliance
Data labels: 7%, 2%, 11%, 12%, 14%, 17%, 22%, 26%, 27%, 33%, 39%, 51%, 75%, 95%

[Chart; series: BA 2016]
Categories: Other; Manufacturing; Finance; Human resources; Risk management; Internal audit; Privacy; Customer services; Records management; Security; Legal; Information…; Compliance
Data labels: 5%, 5%, 9%, 13%, 19%, 20%, 29%, 36%, 37%, 39%, 40%, 88%, 92%

5/17/16 | slide 44

Limitations

The presented findings are based on self-reported benchmark survey returns. Usable returns from 175 organizations – or about 18 percent of those organizations initially contacted – were collected and used in the above-mentioned analysis. It is always possible those organizations that chose not to participate are substantially different in terms of data protection and compliance activities.

Because our sampling frame is a proprietary list of organizations known to the researcher, the quality of our results is influenced by the accuracy of contact information and the degree to which the list is representative of the population of all covered entities and business associates in the United States. While it is our belief that our sample is representative, we do acknowledge that results may be biased in two important respects:

• Survey results are skewed to larger-sized healthcare organizations, excluding the plethora of very small provider organizations including local clinics and medical practitioners.

• Our contact methods targeted individuals who are presently in the data protection, security, privacy or compliance fields. Hence, it is possible that contacting other individuals in these same organizations would have resulted in different findings.

To keep the survey concise and focused, we omitted other normatively important variables from the analyses. Omitted variables might explain survey findings, especially differences between covered entities and business associates as well as organizational size. The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances have been incorporated into our survey methods, there is always the possibility that certain respondents did not provide accurate or complete responses to our benchmark instrument. We fully acknowledge that our sample size is small and, hence, the ability to generalize findings about organizational size, organizational type, and program maturity is limited. Great care should be exercised before attempting to generalize these findings to the population of all health care providers. Finally, we compare the 2016 results to benchmark studies completed in 2015, 2013, 2012, 2011 and 2010. While these six samples were approximately matched based on organizational size, type and regional location, we can only infer trends from between-sample differences.

5/17/16 | slide 45

ID Experts Webinar Series

At ID Experts, we protect millions of consumers with our identity protection software and services and have a 100 percent success record for identity recovery. We are trusted by thousands of organizations to manage cyber and other risks with our data breach response services. We are the largest provider of identity protection products to the federal government. We serve customers in healthcare, government, insurance, financial services, and higher education. ID Experts actively contributes to the cyber risk community through organizations including NHCAA, HCCA, MIFA, and IAPP. Visit www2.idexpertscorp.com.

If you are having a breach now, call 866-726-4271

5/17/16 | slide 46

Questions?

Download a copy of the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data here:

http://www2.idexpertscorp.com/ponemon2016

Ponemon Institute
800.887.3118
[email protected]

ID Experts
866.726.4271
[email protected]

