Deloitte D Brief How Protected Is Your Patients Sensitive Health And Personal Data

The Health Sciences series presents: Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data?
Amry Junaideen, Principal, Deloitte & Touche LLP
Rena Mears, Partner, Deloitte & Touche LLP
Russ Rudish, Principal, Deloitte Consulting LLP
December 16, 2008


Transcript of Deloitte D Brief How Protected Is Your Patients Sensitive Health And Personal Data

1. The Health Sciences series presents: Privacy Breaches: How Protected is Your Patient’s Sensitive Health and Personal Data? Amry Junaideen, Principal, Deloitte & Touche LLP; Rena Mears, Partner, Deloitte & Touche LLP; Russ Rudish, Principal, Deloitte Consulting LLP. December 16, 2008

2. Agenda
- Increased collaboration in the marketplace
- The challenge of protecting information
- Breach causes and effects
- Preventing a breach
- Finding the right solution
- Conclusion
Copyright 2008 Deloitte Development LLC. All rights reserved.

3. Health care and information sharing
Collaboration is vital for improving health care quality and meeting consumers’ needs. However, it involves a significant amount of information sharing. The protection of information is a critical ingredient for success.
[Diagram: the health care value chain. Suppliers (pharmaceutical, bio-tech, medical devices) enable Providers (health systems, long term care, ambulatory care, hospitals/facilities), who deliver care and services to Patients; Payers (patients, private, government) make payment; Regulators protect public welfare and ensure that health care services and products are safe and effective.]

4. Challenge of protecting information
The protection of information within an organization and among multiple organizations is not a simple matter for a myriad of reasons.
Data lifecycle stages shown on the slide:
- Stage 1, Data Acquisition / Collection: Patient Health Information (PHI) is collected at this stage.
- Stage 2, Data Storage / Tracking: Providers store PHI and update the patient’s medical records.
- Stage 3, Data Usage: Providers use PHI to provide services to the patient.
- Stage 4, Data Sharing / In-transit: Providers transmit PHI to either payer or third parties for processing.
- Stage 5, Data Archival / Destruction: Archive and destroy PHI per the retention policy.
- Stage 6, Clinical Trials Data Storage & Results: Expert opinion sharing and adverse event reporting cross-border; PII and IP consideration.
[Diagram: patient visit and billing flow between the patient (symptoms, appointment, check-in, paperwork, co-pay, bills received for self-pay or for services not covered), the provider (front-office scheduling staff, insurance and patient information checks, physician, orders for lab, imaging and pharmacy services, charges coded in the HIS, bill/claim generation), the payer (eligibility and coverage checks, claim evaluation, bill payment by phone or mail) and suppliers (drug manufacturers, equipment suppliers).]

5. Data risk levels
Although ID theft has the most severe impact, other forms of enterprise data leakage are far more likely and require management attention. The majority of data losses, internal or external, are accidental.
Risk tiers (level of enterprise risk and potential for harm to the consumer rise from LOW to SEVERE):
- Authorized Disclosure (LOW): Personally Identifiable Information (PII) or other generally accessible sensitive data. Leakage of generally accessible PII and IT data occurs most commonly.
- Unauthorized Disclosure (MODERATE): Sensitive data, such as PII or intellectual property, and/or PII with a higher contextual value.
- Fraud (HIGH): A subset of PII, single or combined; internal or external use of PII for fraudulent gain.
- ID Theft (SEVERE): A specific subset or combination of PII; the assuming of one’s identity to obtain credit for purchases.
6. Poll question #1
Do you share electronic medical records with business partners that require asset protection measures such as encryption?
- Yes
- No
- Don’t know
- Not applicable

7. The sophistication of attackers
Organized rings of thieves have developed sophisticated methods for compromising value chain security and stealing sensitive data.
1980s (Dumpster Diving)
- Techniques: Simple techniques that involved theft of personal information; required the thief to manually collect personal information; unorganized crime.
- Schemes: Mail theft; sifting through garbage for confidential information; theft of W-2 information.
- Instances per year: ~300-400
1990s (Hacking)
- Techniques: Improved techniques for information gathering; wide use of electronic databases and internet networks; growth led to a loosely organized hacking community.
- Schemes: Stealing information from employers, banks and government agencies (HR, payroll, bank, and SSA data); hacking; counterfeit tax returns.
- Instances per year: ~80,000
2000s (Phishing)
- Techniques: High-tech crime with the emergence of professional, international gangs; criminals target the booming e-commerce and financial networks.
- Schemes: Data theft / hacking / keystroke loggers; pharming and phishing; social engineering; fake W-2 forms and returns.
- Instances per year: ~9,900,000

8. Recent data breach trends
Numerous data breaches have been reported, leading to a heightened awareness of this topic at the senior levels within an organization.* Data breaches are common across sectors; medical and health care facilities contributed to 14.9% of the 449 security breaches in 2008.**
* From a survey conducted by HIMSS Analytics and Kroll Fraud Solutions
** Data until 8/22/2008 from Identity Theft Resource Centre
9. Increased regulatory mandates
Organizations must consider increased regulatory mandates that provide specific requirements for data protection in the US and abroad.
[Timeline, 1996 to 2011 and present: HIPAA (1996); European Commission’s Directive on Data Protection (1998); California Breach Notification Law; Massachusetts Law; California Identity Theft Red Flags, AB 1298; Massachusetts Regulations; Standard & Poor’s on Enterprise Risk Management (ERM) (2008); ICD-10 bill; HIPAA legislation (present); other years marked: 2007, 2009, 2011. Surrounding notes: user expectations for data protection are high; increasing requirements on the protection of sensitive information; Health Sciences industry; Identity Theft Red Flags regulations; Standard & Poor’s regulations on ERM; international regulations.]

10. Breach causes and effects
How do these breaches occur?
Causes and their effects:
- Data is not treated as a strategic asset: data assets are not inventoried or classified.
- Reactive rather than programmatic approach: use and sharing of data is not understood.
- Governance, process and technologies are not aligned: data risk is incorrectly identified or evaluated.
- Data is not inventoried and mapped: policies, processes and technologies are not aligned.
- Failure to adopt adequate process and technology controls: controls do not adequately protect data assets.
- Training is inadequate or non-existent: organization and stakeholders are unable to respond to threats.
11. What are the risks
A breach impacts many aspects of the business, including putting assets at risk, an increasing number of breaches, rising costs, and decline in shareholder value.
Risks and their impact:
- Legal Risk: Litigation or lawsuits from patients due to loss of and leakage of sensitive information; failure to meet 3rd party compliance audits.
- Regulatory Risk: Failure to comply with the complex and relatively new regulations; failure to conduct …; meeting new retention requirements.
- Brand Risk: Heightened media scrutiny surrounding patient information can impact patient relationships / demands of the consumer-driven health care market.
- Financial Risk: Excessive post-breach related costs; loss of customer; post-M&A integration; ineffective capital management.
- Operational Risk: Excessive internal resource consumption due to time spent dealing with breaches; theft during physical transportation.
- IT Risk: Virus attacks/hacking and loss of data in-flight; wrongful access to sensitive information.

12. Cost of a breach
The total average cost of a data breach grew to $197 per record compromised. The average total cost per reporting was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.
Deloitte’s 2007 Privacy and Data Protection Survey included 827 participants in North America*:
- Over 85% of respondents reported at least one breach, and over 63% reported multiple breaches requiring notification.
- Resource allocation associated with notification activities alone appeared to be a significant hidden cost.
* 19.9% of privacy professionals were from Health Sciences; 12% of security professionals were from Health Sciences.

13. Poll question #2
In the past year, how many privacy and data breach incidents at your organization are you aware have occurred?
- Never
- 1-5
- 6-10
- 10-20
- More than 20
- Not applicable/Don’t know
14. Data as an asset
Treating data as an asset helps prevent breaches and enables collaborative information sharing.
“Some day, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases, the information is more valuable than the hardware which processes it.” Grace Murray Hopper, USN (Ret)

15. Understand the data lifecycle
The intrinsic and contextual value of data and associated ownership risk vary throughout the data life cycle and throughout the value chain.
[Diagram: lifecycle stages Creation, Acquisition, Classification, Storage, Use, Sharing, Preservation, Archival and Destruction (or indefinite disposition / archive), with Governance alongside.]

16. Data types and data flow
Sensitive data such as customer information, financial data, and intellectual property moves horizontally across organizational boundaries, including vertical business processes (e.g., the order fulfillment process). Organizations often do not have a good understanding of the movement, proliferation, and evolution of their data.
[Diagram: health care industry value chain with the vertical processes Develop Products, Procure Materials, Manufacture Products, Order Management and Marketing, each with its own start and end, and sensitive data flowing horizontally across them.]

17. Compliance vs. risk-based approach
Risk-based strategies go beyond compliance mandates to provide a more holistic approach towards managing and protecting data assets. A risk-based approach enables organizations to be adaptive to changing regulatory and business environments.
[Diagram: compliance-based strategy versus risk-based strategy, with the attributes Detailed, Regulatory, Specific, Brand, Binary and Competitive.]
Compliance-based strategies are:
- Reactionary
- Comparatively inefficient
Advantages of the risk-based approach:
- Frees the organization from reactionary cycles
- Allocates scarce resources efficiently and according to specific threat levels
- Delivers value as quickly as possible
- Provides efficiency and focus to successfully address compliance requirements from a risk-based perspective

18. Avoid the disconnect
A disconnect between corporate policies, actual operational practices, and technology infrastructure reduces the ability to successfully implement changes into the business environment.
[Diagram: DP Strategy, Policies, Processes and Technology, with a structured framework closing the disconnects between policies and processes and between processes and technology.]

19. Poll question #3
Which of the following have you most recently implemented in your organization as it relates to your privacy program?
- Process for corporate governance to establish accountability and manage enterprise privacy risk
- A framework to assess risk in business processes as they relate to PII
- Procedures to implement privacy policies within operational processes, including designing and implementing measurable controls
- An enterprise-wide privacy & data protection training program
- Process to stay current and assess new legal regulations and legislative developments
- None
20. Protect data across its lifecycle
Organizations need an enterprise level solution which includes data governance strategies, organizational policies and procedures, and controls to identify, monitor, and protect data through its lifecycle.
[Diagram: Enterprise Data Lifecycle, Business Process and Risk Based Approach framing five areas. Governance: management commitment; policies, guidelines, and procedures; contracts and enforcements; training & awareness; review and monitoring. Identity: identity management, role, credential; segmentation and least privileges. Asset: data, facilities, processes; asset type definition, asset inventory, asset classification. Risk: risk assessment. Infrastructure: physical security, end-to-end security, defense in depth, enabling technology, process reengineering.]

21. Consider all environments
Organizations should take a practical and business focused view and address data breach risks across seven control environments:
- 1, Transaction and Activity Monitoring: data in use and data in motion associated with privileged and other users accessing databases containing sensitive data.
- 2, Sensitive Database: data at rest in repositories (databases, email stores, file systems, etc.).
- 3, Developer Access to Production: limiting access to production data and controlling the movement of data from production to development and test.
- 4, Mobile Media: data in use and data at rest on mobile computing devices such as laptops, PDAs, etc.
- 5, Archival and Disposal: data management infrastructure for migrating data to storage or disposing of it.
- 6, Third Party: data at rest in repositories (databases, email stores, file systems, etc.).
- 7, Communications: data in use and data in motion via email, web traffic, IM, blogs, etc.
22. Create a business process flow and data flow mapping
A company’s risk assessment should consider the data lifecycle for each of its business processes.
[Diagram: mapping of business divisions (Clinical / Bio Medical, Hospital, Universities, Third Party, Finance, Infrastructure, Customer) against system / operational activity and third party vendors.]

23. Organizational risk view
[Diagram: Set Policy, Deploy Controls (DLP, Encryption, DAM, Data Redaction, Archive, DR) and Enforce and Monitor Controls, laid over the enterprise: branch offices, WAN, data warehouse, back-up tape and back-up disk, business analytics, customers and partners (WWW, customer portal), production data, disk storage, outsourced development, remote employees (VPN), staging, enterprise e-mail, file server.]

24. Determine solution set to meet critical risks
Implementing solutions involves more than technology; it requires a view of policy management, process and procedure development, technology evaluation and planning, technology implementation, ongoing operational management, leakage reporting and integration into incident response, and training and awareness.
Data Management and Protection Solution Types:
- Data Discovery: discovery and classification of data from disparate sources (email, file-shares, web)
- Data Archiving: services such as data retention, distribution, and security of tapes
- Database Activity Monitoring: monitoring of user and administrator activity, focused at databases
- Data Destruction: enforcement of data security policies addressing disposal of information media
- Data Redaction: protection of sensitive data via de-identifying, sanitizing, masking, or obfuscating
- Endpoint Protection: workstation, laptop and other mobile device protection such as data monitoring, full disk encryption, local media encryption
- Data Leak Prevention: solutions to identify and prevent accidental disclosures of sensitive data at the edge of the network
- Encryption: tools to provide data encryption across the enterprise including key management and recovery
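The "Developer Access to Production" environment on slide 21 and the Data Redaction solution type on slide 24 come down to the same control: producing a copy of PHI that development and test can use without the direct identifiers, and checking that nothing identifying slipped through before the copy leaves production. The block below is an added example, not Deloitte's code or any tool the deck describes; the field names, the constructed patient records, the as-of date and the pseudonym key are all assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records standing in for a production PHI extract.
PATIENTS = [
    {"mrn": "MRN-00123", "name": "Jane Q. Sample", "ssn": "123-45-6789",
     "dob": "1972-03-14", "zip": "94107", "diagnosis": "Type 2 diabetes",
     "note": "Pt Jane Q. Sample, SSN 123-45-6789, reports fatigue."},
    {"mrn": "MRN-00124", "name": "John Sample", "ssn": "987-65-4321",
     "dob": "1915-11-02", "zip": "10001", "diagnosis": "Hypertension",
     "note": "Follow-up in 6 months."},
]

# Constructed key: it stays in production and is never shipped to dev/test,
# so pseudonyms cannot be reversed or re-created outside that boundary.
PSEUDONYM_KEY = b"constructed-example-key"
AS_OF = date(2008, 12, 16)              # constructed as-of date for ages

# Fields that directly identify a patient; none of them may leave production.
DIRECT_IDENTIFIERS = {"mrn", "name", "ssn", "dob"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonym(mrn: str) -> str:
    """Keyed, stable token: test data still joins across tables, but the
    token cannot be mapped back to the MRN without the production key."""
    digest = hmac.new(PSEUDONYM_KEY, mrn.encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:12]


def birth_year_bucket(dob_iso: str, today: date) -> str:
    """Generalize a date of birth to its year; very old patients are pooled
    so that a rare birth year cannot single one of them out."""
    year = int(dob_iso[:4])
    return "90+" if today.year - year >= 90 else str(year)


def redact_free_text(text: str, name: str) -> str:
    """Mask SSN patterns and the patient's own name inside narrative notes."""
    return SSN_RE.sub("[SSN]", text).replace(name, "[NAME]")


def deidentify(record: dict, today: date) -> dict:
    """Build the dev/test copy of one production record."""
    out = {
        "pseudo_id": pseudonym(record["mrn"]),
        "birth_year": birth_year_bucket(record["dob"], today),
        "zip3": record["zip"][:3],      # coarse geography only
        "diagnosis": record["diagnosis"],
        "note": redact_free_text(record["note"], record["name"]),
    }
    # Control check before the copy leaves production: no direct-identifier
    # field survives, and no SSN pattern or patient name survives in text.
    assert DIRECT_IDENTIFIERS.isdisjoint(out)
    assert not any(SSN_RE.search(v) for v in out.values())
    assert record["name"] not in out["note"]
    return out


def export_for_test(records, today=AS_OF):
    """De-identify a whole extract for the development/test environment."""
    return [deidentify(r, today) for r in records]
```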
25. Poll question #4
Which of the following privacy and data protection technologies have you already implemented?
- Governance Solutions (data inventory, data classification, digital rights management)
- Preventive Solutions (data leak prevention, identity and access management, segregation of duties, database security/scanning, encryption (data at rest), encryption (data in motion))
- Monitoring Solutions (content monitoring, audit logging and monitoring, intrusion detection and prevention, fraud discovery and monitoring)
- More than one
- Miscellaneous / None of the above
- Not applicable

26. Conclusion
- Strategic collaboration with business partners, frequent reporting of data breaches, and increased regulatory mandates have brought to the forefront the need for privacy and data protection capabilities throughout the entire value chain.
- Security breaches can result in a number of business issues including reputation and revenue loss, as well as legal exposure.
- A data protection solution requires avoiding the disconnect:
  - Engaging the business to define the sensitive data to protect
  - Updating risk management policies
  - Tuning business processes
  - Raising user awareness
  - Integrating key technologies to provide policy enforcement throughout the data life cycle and the seven control environments

27. Questions & Answers

28. Join us January 22nd at 2 PM EST as our Health Sciences series presents: Eye of the Storm: Improving Financial Performance in the Credit Crunch

29. Thank you for joining today’s webcast. To request CPE credit, click the link below.
30. Contact information
Amry Junaideen, Principal, Deloitte & Touche LLP, [email protected], 203-708-4195
Rena Mears, Partner, Deloitte & Touche LLP, [email protected], 415-783-5662
Russ Rudish, Principal, Deloitte Consulting LLP, [email protected], 212-313-1820

31. This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

32. About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

33. A member firm of Deloitte Touche Tohmatsu