Post on 24-Jul-2020
The future of privacy: 10 things all industries can learn from the revolution in healthcare
Thursday, March 7, 2012
Introductions
• James H. Koenig, JD, CIPP: Leader, Privacy Practice and Security Leader, Health Information Technology Practice; Co-Founder & Former General Counsel, International Association of Privacy Professionals
• Zoe Strickland, CIPP: Chief Privacy Officer, UnitedHealth Group; Board, International Association of Privacy Professionals
• Kimberly S. Gray, Esq., CIPP: Chief Privacy Officer, Global, IMS Health; Board, International Association of Privacy Professionals
PwC 2
Agenda
1. Introduction: The data-sharing playground
2. The future of privacy and data protection: Ten developments you need to plan for now
3. Conclusion/Q&A
Introduction: The data-sharing playground
Securing data and protecting privacy are critical as the health industry converges in a new data-sharing playground
About our research
• Conducted 25 in-depth interviews with chief privacy officers (CPOs), chief information security officers (CISOs), chief information officers (CIOs), and other executives of healthcare organizations.
• Commissioned online surveys in Spring 2011 of more than 600 providers, health insurers, and pharmaceutical and life sciences companies on the privacy and security implications of the explosion of new data sources and uses in the healthcare industry.
New Business Opportunities Based on Trends in Healthcare & Healthcare Information Economy
Medicine is becoming increasingly personalized as greater access to information moves the industry towards a market of individualized treatment.
Convergence
• New care delivery models to reduce cost and improve quality and outcomes:
  – Medical in-home visits and treatment: Transform primary care, driving physician visits into the home
  – Accountable care organizations (ACOs): Develop a virtually-integrated, “connected” care model that coordinates care across providers and with payors
Consumerism
• Personalized medicine: Facilitating a movement from the treatment of disease toward wellness and prevention
• mHealth: Using wireless and broadband technologies to provide health services or health information to “un-tether” healthcare and/or empower patients
Technology
• Genetics to allow personalized diagnostics and treatments
• Advanced informatics to better understand effectiveness of drugs, tests and course of treatments
• Electronic health records and health information exchanges to facilitate access to patient information and analyze data across a population of patients
Healthcare surprisingly will create many next generation privacy innovations
• Developments:
  • Obama’s Stimulus Bill created $17.2 billion to stimulate the adoption of electronic health records. With the advent of EHRs, expanded global clinical trials, new care delivery models and the sharing of health data for outcomes research, more people will have access to consolidated, larger, often shared honey pots of sensitive health information.
  • In 2009, as part of the American Recovery and Reinvestment Act (ARRA), $17.2 billion was designated to stimulate the implementation and meaningful use of electronic health records (EHRs).
  • Physicians and hospitals who implement EHRs between 2011 and 2014 are eligible for funds.
  • Heightened Risks with New Technology and Secondary Uses of Data. The new Health Information Economy will start pushing data mining techniques and use of third party providers.
• Tactical/Practical Implications:
  • New innovative products/services from health that can be used by all industries. Next generation technologies for minimum necessary access, glass break system and log monitoring, encryption and other areas that need to be developed to satisfy requirements.
Personalized Medicine & Care Delivery Opportunities
Medicine is increasingly personalized as greater access to information moves the industry towards a market of individualized treatment and more cost-effective care. This trend creates patient-, physician-, hospital-facing and infrastructure business opportunities. With incentive funds, many focus on EHRs and care delivery.
Personalized
• New targeted therapeutics
• Personal Health Records
Predictive
• Molecular diagnostics
• Genomic sequencing
Preventative
• Customized preventive drug design
• Services/programs for wellness/compliance
• Nutritional/functional foods
Participatory
• Enhance access to care in rural communities and for special conditions
• Telemedicine/Telemetry
• mHealth home and mobile-based monitoring and treatment
Other
• Informatics and EHR products/services
• Radiology image management
• Physician office infrastructure/services
Note: Bolded areas above indicate areas of potential TWC business cases
Picture sources: GlowCap, LifeSource, Partners and VitalHub websites
- Nearly 75% of healthcare organizations said they are using or intend to use some form of secondary data
- Less than half of healthcare organizations have addressed the privacy/security implications of secondary data
Survey results by sector (Providers / Health Insurers / Pharma/LS / Total):
• Pursuing or will pursue secondary data: 78% / 68% / 68% / 74%
• Addressed or addressing privacy and security implications: 43% / 57% / 50% / 47%
Source: PwC Health Research Institute privacy and security survey, 2011
Healthcare organizations are concerned about needing more granular EHR access controls
Top 3 security issues by health sector
Providers:
1. EHR/PHR access controls and identity management (81%)
2. Encryption in storage and in transit (57%)
3. Required software upgrades (28%)
Health insurers:
1. EHR/PHR access controls and identity management (58%)
2. Encryption in storage and in transit (52%)
3. Alternative identifiers and information masking (34%)
Pharma/LS:
1. Document retention compliance (56%)
2. Encryption in storage and in transit (42%)
3. End-user access controls and identity management (41%)
Source: PwC Health Research Institute privacy and security survey, 2011
10 things all industries can learn from the revolution in healthcare
Developments around data, security and new technologies
1. De-identification strategies improving the best privacy and security protection!
2. Access controls and moving beyond role-based access to “Minimum Necessary”
3. Monitoring and watching the sea of data
4. Encryption and the standards to keep you out of trouble
5. mHealth and new broadband solutions
Developments around key program building blocks and risks
6. Breach notification, enforcements and the drive to improve training and sanctions
7. Paper protection and the drive to address old risks in new wrappers
8. Data sharing and vendors/BAs – high risk, setting standards and new approaches
9. Annual assessment and the case for having a 3-year roadmap/plan
10. The case for integrated frameworks
#1: De-identification strategies improving the best privacy and security protection!
• Healthcare Trend/Development
  • Laws Including HIPAA/HITECH Now Define Personal Information by Data Elements.
    • US state breach laws, EU, Japan, PCI and others
    • HIPAA has a Safe Harbor for PHI using 18 data elements
    • Statistical de-identification option
• Broader Implications:
  › Big Idea. Laws and big companies are using data elements and a new approach to manage data at the element level, not the application/system level.
  › Conduct Data Element Inventories to know the scope of your program (and where it does not apply). Required for FTC and other enforcements.
  › Statistical De-Identification. Already used by new technologies in cable, mobile and other interactive technologies.
  › Data Rationalization and Elimination Projects. To minimize risk, compliance obligation and costs, these initiatives are springing up. Better to eliminate, than to spend ongoing funds to maintain, unneeded regulated data.
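To make the element-level approach in #1 concrete, here is an added Python example that is not part of the PwC deck: a data element inventory over a record, followed by a Safe Harbor style de-identification pass. The field names, the record schema, the sample records and the restricted ZIP prefix subset are assumptions for illustration; the generalization rules (drop direct identifiers, keep only the year of dates, cap ages at 90+, truncate ZIP codes to three digits) follow the HIPAA Safe Harbor method.

```python
# Added example: data element inventory + Safe Harbor style de-identification.
# Not from the PwC deck. Field names and the record schema are assumed for
# illustration; the generalization rules follow the HIPAA Safe Harbor method.
from datetime import date
import re

# Field names (assumed schema) that carry HIPAA Safe Harbor direct identifiers.
# Dates, ages and ZIP codes are identifiers too, but are generalized rather
# than dropped, so they are handled separately below.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
GENERALIZED_FIELDS = ("zip", "dob", "admission_date", "discharge_date")

# Safe Harbor: a 3-digit ZIP prefix covering fewer than 20,000 people must be
# reported as "000". PLACEHOLDER subset for the example; use the current HHS list.
RESTRICTED_ZIP3 = {"036", "059", "063"}


def inventory(record):
    """Data element inventory: which regulated elements does this record carry?"""
    present = sorted(f for f in DIRECT_IDENTIFIER_FIELDS if record.get(f))
    present += [f for f in GENERALIZED_FIELDS if record.get(f)]
    return present


def generalize_zip(zip_code):
    """Keep only the first three digits, or "000" for a restricted prefix."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Ages over 89 are aggregated into a single "90+" category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    """Return a Safe Harbor style copy of `record`: direct identifiers removed,
    dates reduced to the year, DOB replaced by a (capped) age, ZIP truncated."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        out["age"] = generalize_age(out.pop("dob"), as_of)
    for f in ("admission_date", "discharge_date"):
        if f in out:
            out[f] = out[f].year  # all date elements except the year are removed
    return out


# Constructed sample records (not real people).
SAMPLE_ELDERLY = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane@example.org", "zip": "03601", "dob": date(1920, 5, 1),
    "admission_date": date(2011, 11, 30), "diagnosis_code": "E11.9",
}
SAMPLE_ADULT = {
    "name": "John Roe", "phone": "555-0100", "zip": "19103-2020",
    "dob": date(1980, 6, 15), "discharge_date": date(2012, 1, 4),
    "diagnosis_code": "J45.20",
}
AS_OF = date(2012, 3, 7)  # the presentation date, used as the age reference

if __name__ == "__main__":
    for rec in (SAMPLE_ELDERLY, SAMPLE_ADULT):
        print("inventory:", inventory(rec))
        print("de-identified:", deidentify(rec, AS_OF))
```

The inventory step is what the "Data Element Inventories" bullet asks for: it tells you which regulated elements a data set actually carries before you decide whether to de-identify it, keep it under the full program, or eliminate it.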
#2: Access controls and moving beyond role-based access to “Minimum Necessary”
• Healthcare Trend/Development
  • “Minimum Necessary” and “Legitimate Business Purpose.” Laws and breaches are driving work in this area.
  • EHRs. Under one of the 9 Office of the National Coordinator (ONC) Meaningful Use requirements, EHR systems must be able to:
    • Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. §170.302(o)
• Broader Implications:
  › Data Element Access Rationalization. New efforts to move beyond role-based access to more granular controls and authorizations.
  › New Technologies. Custom and more mass-market access and identity management solutions.
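The following added Python example (not from the PwC deck) shows what "moving beyond role-based access" looks like in code: each data element belongs to a category, policy is keyed on role and purpose rather than role alone, and treatment access additionally requires a documented care relationship. The element categories, roles, purposes, policy table and sample data are assumptions for illustration, not any regulation's list.

```python
# Added example: element-level "minimum necessary" authorization.
# Not from the PwC deck. The element categories, roles, purposes and policy
# table are assumptions for illustration, not any regulation's list.
from dataclasses import dataclass

# Each data element belongs to a category; policy is written against categories.
ELEMENT_CATEGORY = {
    "name": "demographics", "dob": "demographics", "address": "demographics",
    "diagnosis": "clinical", "medications": "clinical", "lab_results": "clinical",
    "insurance_id": "billing", "charges": "billing",
    "hiv_status": "sensitive", "mental_health_notes": "sensitive",
}

# Minimum-necessary policy: (role, purpose) -> categories that purpose needs.
# Plain RBAC would key on role only; adding the purpose is what narrows access.
POLICY = {
    ("physician", "treatment"): {"demographics", "clinical", "sensitive"},
    ("nurse", "treatment"): {"demographics", "clinical"},
    ("billing_clerk", "payment"): {"demographics", "billing"},
    ("researcher", "research"): {"clinical"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    purpose: str
    patient_id: str
    elements: tuple


def authorize(req, care_team):
    """Split the requested elements into (allowed, denied).

    Treatment-purpose access additionally requires that the user is on the
    patient's documented care team; without that relationship even a
    physician gets nothing, which is the "legitimate business purpose" test.
    """
    allowed_cats = POLICY.get((req.role, req.purpose), set())
    if req.purpose == "treatment" and req.user not in care_team.get(req.patient_id, set()):
        allowed_cats = set()
    allowed, denied = [], []
    for element in req.elements:
        target = allowed if ELEMENT_CATEGORY.get(element) in allowed_cats else denied
        target.append(element)
    return allowed, denied


def minimum_necessary_view(record, req, care_team):
    """Return only the record fields the requester is authorized to see."""
    allowed, _ = authorize(req, care_team)
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample data (not real patients or staff).
CARE_TEAM = {"P100": {"dr_lee", "rn_kim"}}
RECORD_P100 = {
    "name": "Pat Example", "diagnosis": "E11.9", "hiv_status": "negative",
    "charges": 1250.00, "insurance_id": "PLAN-42",
}

if __name__ == "__main__":
    nurse = Request("rn_kim", "nurse", "treatment", "P100",
                    ("name", "diagnosis", "hiv_status", "charges"))
    print(authorize(nurse, CARE_TEAM))
    print(minimum_necessary_view(RECORD_P100, nurse, CARE_TEAM))
```

Because the decision is made per element, the same request from a nurse on the care team yields the demographics and clinical fields but not the sensitive or billing ones, and the denied list is itself useful audit evidence of what was asked for and refused.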
#3: Monitoring and watching the sea of data
• Healthcare Trend/Development
  • EHRs. Under one of the 9 Office of the National Coordinator (ONC) Meaningful Use requirements, EHR systems must be able to:
    1. Record actions. Actions related to electronic health information must be recorded. §170.210(b):
      • “The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.” §170.210(b)
    2. Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified above. §170.302(r)
• Broader Implications:
  › New Glass Break Monitoring Controls. New solutions are being developed for monitoring not just transactions, changes and deletions, but also just accessing and viewing data.
  › Predictive Science. New algorithms are being developed to better identify wrongful activity.
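As an added Python example (not from the PwC deck), the audit trail below records exactly the elements §170.210(b) names, produces the time-bounded, sortable log §170.302(r) asks for, and then runs a simple glass break monitor over it: views are inspected, not just changes, and any read outside the patient's care team or an unusual number of distinct patients viewed raises an alert. The log schema, care team mapping, sample events and the alert threshold are assumptions for illustration.

```python
# Added example: an audit trail shaped by §170.210(b) / §170.302(r) plus a
# simple "glass break" monitor. Not from the PwC deck; the log schema, care
# team mapping, sample events and alert threshold are assumptions.
from collections import defaultdict
from datetime import datetime

ACTIONS = {"created", "modified", "accessed", "deleted"}
SORTABLE = ("timestamp", "patient_id", "user_id", "action")


def record_action(log, when, patient_id, user_id, action):
    """§170.210(b): capture date/time, patient, user and which action occurred."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    log.append({"timestamp": when, "patient_id": patient_id,
                "user_id": user_id, "action": action})
    return log


def audit_log(log, start, end, sort_by="timestamp"):
    """§170.302(r): entries for a time period, sortable by any recorded element."""
    if sort_by not in SORTABLE:
        raise ValueError(f"cannot sort by {sort_by}")
    rows = [e for e in log if start <= e["timestamp"] <= end]
    return sorted(rows, key=lambda e: e[sort_by])


def glass_break_alerts(log, care_team, view_threshold=3):
    """Monitor reads, not just changes: flag any access by a user outside the
    patient's care team, and any user who viewed at least `view_threshold`
    distinct patients (a crude stand-in for the predictive models the slide mentions)."""
    alerts = []
    patients_viewed = defaultdict(set)
    for e in log:
        if e["action"] != "accessed":
            continue
        if e["user_id"] not in care_team.get(e["patient_id"], set()):
            alerts.append(("outside_care_team", e["user_id"], e["patient_id"]))
        patients_viewed[e["user_id"]].add(e["patient_id"])
    for user, patients in sorted(patients_viewed.items()):
        if len(patients) >= view_threshold:
            alerts.append(("high_volume_views", user, len(patients)))
    return alerts


# Constructed sample data (not real patients, users or events).
CARE_TEAM = {"P100": {"dr_lee", "rn_kim"}, "P200": {"dr_lee"}, "P300": {"dr_ortiz"}}
LOG = []
record_action(LOG, datetime(2012, 3, 7, 8, 0), "P100", "dr_lee", "accessed")
record_action(LOG, datetime(2012, 3, 7, 8, 5), "P100", "rn_kim", "modified")
record_action(LOG, datetime(2012, 3, 7, 9, 0), "P100", "clerk_x", "accessed")
record_action(LOG, datetime(2012, 3, 7, 9, 1), "P200", "clerk_x", "accessed")
record_action(LOG, datetime(2012, 3, 7, 9, 2), "P300", "clerk_x", "accessed")
record_action(LOG, datetime(2012, 3, 7, 10, 0), "P300", "dr_ortiz", "deleted")
# The review window a compliance officer might pull: 09:00 to 09:59 that day.
WINDOW = (datetime(2012, 3, 7, 9, 0), datetime(2012, 3, 7, 9, 59))

if __name__ == "__main__":
    for row in audit_log(LOG, *WINDOW, sort_by="patient_id"):
        print(row)
    for alert in glass_break_alerts(LOG, CARE_TEAM):
        print(alert)
```

Note that a classic change-only audit would never see clerk_x at all, because the clerk modified nothing; it is logging the "accessed" action and checking it against the care relationship that surfaces the pattern.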
#4: Encryption and the standards to keep you out of trouble
• Healthcare Trend/Development
  • The design of new US laws allows encryption to help companies avoid liability.
    • Examples: (i) MA 201, (ii) PCI laws in MN and WA and (iii) the exception from most state breach laws.
  • HIPAA Encryption. The HIPAA Security Rule states that a covered entity must implement a mechanism to encrypt ePHI whenever deemed appropriate.
  • Encryption of EHRs and HIEs. To meet Meaningful Use requirements, EHRs must encrypt electronic health records and information shared in a health information exchange.
  • Encryption & the HITECH Breach Notification Provision. For data to be considered "secure" and not subject to the HITECH breach provision, HHS set encryption standards.
• Broader Implications:
  • Use of NIST Encryption Standards. Since US healthcare law applies to both healthcare and human resources benefits data, many companies are adopting encryption that complies with NIST specifications as the highest denominator.
    • See National Institute of Standards and Technology (NIST) Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices, for data at rest, and Federal Information Processing Standard (FIPS) 140-2, NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations, SP 800-77, Guide to IPsec VPNs, or SP 800-113, Guide to SSL VPNs, for data in motion.
#5: mHealth and new broadband solutions
• Healthcare Trend/Development
  • Less than half of healthcare organizations have addressed or are addressing the privacy/security implications of mobile devices.
    Providers 50%, Health insurers 43%, Pharma/LS 36%, Total 45%
    Source: PwC Health Research Institute privacy and security survey, 2011
• Broader Implications:
  • Limit information flow. Companies are starting to ensure that policies are in place to secure devices and to limit the information stored on local drives, a particular concern with mobile.
  • Mobile Access Enhancements. Companies are working on easier, but more sophisticated mobile device access, moving away from generic log-ons.
#6: Breach notification, enforcements and the drive to improve training and sanctions
• Healthcare Trend/Development
  • HITECH Breach Notification. New features:
    • OCR notification and web site reporting.
    • Desk reviews of organizations that have breaches.
    • Major enforcements, including fines and corrective action plans with education and sanctions.
• Broader Implications:
  • New Incident Response Plans address privacy. Breach response plans can influence whether action is brought. Existing technical incident response plans can satisfy new privacy requirements with 2 fixes:
    • Add potential unauthorized disclosure or access of personal information to the list of events to be investigated and managed under the plan, and
    • Add a breach notification process for personal information security breaches.
  • Training and Sanctions. Focus on people and culture. Move beyond constant retraining or informal responses.
More than 70% of respondents said recent breach enforcement actions have forced them to focus more on privacy and security
Reported breaches by cause: Loss 14%; Theft 66%; Unauthorized access/disclosure 10%; Hacking/IT incident 9%; Unknown 1%
Reported breaches by medium (share of incidents):
• Electronic 73%: 209 incidents and 10,122,893 individuals affected
• Paper 23%: 67 incidents and 356,235 individuals affected
• Unknown 4%: 12 incidents and 507,710 individuals affected
Source: U.S. Department of Health and Human Services Office for Civil Rights, accessed June 27, 2011, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
54% of healthcare organizations have experienced a privacy/security issue in the last two years
[Chart: “Within the last two years, have you experienced any of the following? Please select all that apply.” Responses by sector (Total, Health insurers, Providers, Pharma/LS; y-axis 0%–70%) for: Improper use of PHI by an internal party; Patients seeking services under others’ names; Improper file transfer containing PHI; Transfer of PHI to an unauthorized party; Security breach of PHI; Improper use of PHI by an external party; Financial ID theft; Do not know.]
#7: Paper protection and the drive to address old risks in new wrappers
• Healthcare Trend/Development
  • Most Laws Applied Only to Electronic. Many breach notification laws apply only to electronic-based information.
  • New Laws Cover Paper Too. HITECH breach notification covers paper, although HIPAA security does not.
  • OCR/FTC Enforcements Highlight the Point. Multi-million dollar fines for enforcements that involved paper handling/dumpster diving.
• Broader Implications:
  • Integration of Physical and Technical Security. Increasingly a trend.
  • New Focus on Paper. Many companies have been starting records destruction and green initiatives to reduce paper (and costs).
  • ID Theft Risk Too. With almost two-thirds of identity theft cases involving paper, there is a new risk focus on paper in addition to just compliance.
  • Cost Savings. Also, cost reduction possibilities have increased the popularity of initiatives in this area.
#8: Data sharing and vendors/BAs – high risk, setting standards and new approaches
• Healthcare Trend/Development
  • Many breaches have been committed by BAs. Third Parties Behind Most Improper Disclosures:
    • Of the 11 million people affected by data breaches since 2009, 55% were affected by breaches involving business associates
    • 33% of all companies received a vendor breach or mishandling notice last year
    • Only 38% performed a pre-contract assessment
  • More vendor risk with outsourcing and cloud computing.
  • Risks for and Scrutiny of Business Associates Grows Under HITECH. HITECH requires BAs to comply with HIPAA Privacy and Security Rules.
  • Enhanced Privacy & Security Are Prerequisites for Existing & New Business Models. Needed to meet regulatory and business partner expectations and to access the new data flows and sharing in the new health information economy.
Organizations are sharing, but few have identified restrictions or have agreements in place
[Chart: “If you are currently sharing data externally, which of the following activities has your organization completed? Please select all that apply.” Responses by sector (Pharma/LS, Providers, Health insurers) for: Implemented process for managing patient consent; Have an audit process in place; Executed data-sharing agreements with all participants; Identified restrictions on the sharing/use of data (e.g., contractual, policy, legal); Developed access management policies related to family members; Determined data exchange requirements for particularly sensitive data (e.g., behavioral health, substance abuse). Every sector’s response rate for every activity falls between 10% and 43%.]
Source: PwC Health Research Institute privacy and security survey, 2011
#8: Data sharing and vendors/BAs – high risk, setting standards and new approaches (cont.)
• Broader Implications:
  • Contract. Enhanced contractual safeguards with a specific security controls schedule
  • Vendor Assessments. Vendor assessments (and risk scoring)
  • Example Online Surveys and Scoring Models: Many develop scoring models and automate data collection & compliance reporting processes for speed and savings.
[Chart: Vendor Privacy & Security Analysis. Scatter plot of nine vendors (Vendor A through Vendor I) with Controls Index on the x-axis and Sensitivity Index on the y-axis, both scaled 50.0%–100.0%.]
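The scoring model behind a chart like the one above can be small. The added Python example below is not from the PwC deck: it turns questionnaire answers into a Controls Index, the data classes and volume a vendor handles into a Sensitivity Index, maps the resulting quadrant to a tier, and ranks vendors so the assessment queue starts with the riskiest. The questionnaire, weights, sensitivity scale, tier cut-offs and the three sample vendors are all assumptions for illustration.

```python
# Added example: a vendor risk scoring model of the kind the slide describes,
# producing the Controls Index / Sensitivity Index pair a scatter plot uses.
# Not from the PwC deck; questionnaire, weights and cut-offs are assumptions.
from math import log10

# Questionnaire controls and their weights (assumed). Answers are True/False.
CONTROL_WEIGHTS = {
    "encryption_at_rest": 4, "encryption_in_transit": 4, "mfa_for_admins": 3,
    "annual_pen_test": 2, "incident_response_plan": 3,
    "breach_notification_sla": 2, "background_checks": 1, "secure_disposal": 1,
}
# Sensitivity of each data class a vendor may handle (assumed scale 1..5).
DATA_SENSITIVITY = {"phi": 5, "ssn": 5, "financial": 3, "contact_info": 1}
CONTROLS_FLOOR = 70.0     # below this, controls are considered weak
SENSITIVITY_FLOOR = 50.0  # at or above this, the data is considered sensitive


def controls_index(answers):
    """Weighted share (0-100) of the questionnaire controls the vendor attests to."""
    total = sum(CONTROL_WEIGHTS.values())
    met = sum(w for control, w in CONTROL_WEIGHTS.items() if answers.get(control))
    return round(100.0 * met / total, 1)


def sensitivity_index(data_types, record_count):
    """0-100: driven by the most sensitive data class handled, scaled by volume.
    Volume factor is log10(records)/6 capped at 1, so 1M+ records give full weight."""
    if not data_types or record_count <= 0:
        return 0.0
    worst = max(DATA_SENSITIVITY.get(d, 0) for d in data_types)
    volume = min(1.0, log10(record_count) / 6.0)
    return round(100.0 * worst / 5 * (0.5 + 0.5 * volume), 1)


def risk_tier(ci, si):
    """Quadrant of the scatter plot -> tier."""
    if si >= SENSITIVITY_FLOOR and ci < CONTROLS_FLOOR:
        return "high"
    if si >= SENSITIVITY_FLOOR or ci < CONTROLS_FLOOR:
        return "medium"
    return "low"


def score_vendors(vendors):
    """Return [(name, ci, si, tier)] sorted so the riskiest vendor comes first."""
    scored = []
    for name, v in vendors.items():
        ci = controls_index(v["answers"])
        si = sensitivity_index(v["data_types"], v["records"])
        scored.append((name, ci, si, risk_tier(ci, si)))
    # Priority grows with sensitivity and with the gap between controls and 100.
    return sorted(scored, key=lambda s: s[2] * (100 - s[1]), reverse=True)


# Constructed sample vendors (not real companies).
VENDORS = {
    "Vendor A": {"data_types": ["phi", "ssn"], "records": 2_000_000,
                 "answers": {c: c not in ("mfa_for_admins", "annual_pen_test")
                             for c in CONTROL_WEIGHTS}},
    "Vendor B": {"data_types": ["contact_info"], "records": 10_000,
                 "answers": {"encryption_in_transit": True}},
    "Vendor C": {"data_types": ["phi"], "records": 50_000,
                 "answers": {c: c not in ("annual_pen_test", "incident_response_plan",
                                          "breach_notification_sla", "secure_disposal")
                             for c in CONTROL_WEIGHTS}},
}

if __name__ == "__main__":
    for name, ci, si, tier in score_vendors(VENDORS):
        print(f"{name}: controls={ci} sensitivity={si} tier={tier}")
```

Vendor C ends up ahead of Vendor A even though A holds far more sensitive data, because A attests to most controls while C falls below the controls floor; that is the point of plotting the two indexes against each other rather than ranking on sensitivity alone.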
#9: Annual assessment and the case for having a 3-year roadmap/plan
• Healthcare Trend/Development
  • Meaningful Use Certification. An organization must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] created or maintained by certified [EHR].”
  • Remediation Plan. Organizations must “[i]mplement security updates and correct identified security deficiencies as part of its risk management process.”
  • Use of a Comprehensive Assessment and 3-Year Plan. There have been cases where these documents convinced OCR and/or a state attorney general to withhold any enforcement if they stayed on plan and reported back.
• Broader Implications:
  • Have a Plan. Develop a plan of (i) key privacy program initiatives and (ii) program-related initiatives owned by others (e.g., encryption, records, SSN removal, others).
50%: Providers that will apply for “meaningful use” incentives in 2011.
19%: Providers that have completed the prerequisite security assessment that includes criteria for access control, identity management, and encryption.
#10: The case for integrated frameworks
• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, HITECH, PCI, ID Theft, Security Breach Laws, Marketing Laws, EU DPD or other global law.
• The trend is to search for common requirements and points of leverage.
An Integrated Approach draws on:
Privacy
• US - Fair Information Practices (e.g., HIPAA, GLBA)
• Global - Organisation for Economic Co-operation and Development (e.g., EU Data Protection Directive)
• APEC Framework
Regulatory
• HIPAA & HITECH
• MA 201, NV & PCI Laws
• FTC GLBA 501(b) Safeguards Rule
• Italian DBA/Other EU laws
• FTC, CMS & DPA cases
Risk
• COSO II
• SOX
• Basel II
Compliance
• Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)
Technical Standards
• ISO 27001 and 27002
• NIST 800-53 and FIPS
• COBIT
• PCI DSS
• HITRUST
• Others
Organizations that have integrated approaches to privacy and security have experienced benefits
Health insurers were more likely to have integrated their approach to privacy and security to a great extent
Response to survey question (Integrated approaches to a great extent / All others):
• The security of my organization's data has increased compared to last year: 66% / 49%
• Compared to last year, my organization's privacy/security staffing has increased: 48% / 31%
• Average reported number of privacy/security issues per respondent in last two years: 1.14 / 1.22
Source: PwC Health Research Institute privacy and security survey, 2011
Conclusion / Q&A
Questions or Presentation Copies
James Koenig
Leader, Privacy Practice; and Security Leader, Health Information Technology Practice
james.h.koenig@us.pwc.com
610-246-4426