Rick Kam – President/Co-Founder HIE DATA BREACH THREAT … · AGENDA. April 5, 2011. 3 »...


HIE DATA BREACH THREAT AND PREVENTION

Rick Kam – President/Co-Founder

April 5, 2011


SESSION OBJECTIVES

» Better understanding of the risks associated with protecting patient information

» “Take Away” one or two best practices to prevent data breaches


AGENDA

» Emerging business risk

» Causes of “data breaches”

» Best practices in protecting patient information


EMERGING BUSINESS RISK

» Electronic health records and HIE implementation

» 52% of large hospitals last year had a data breach incident*

» Over 250,000 medical identity theft cases** exceeding $600 million in fraud*** in 2008

* HIMSS Analytics, November, 2009: Evaluating HITECH’s Impact on Healthcare Privacy and Security

** FTC Website

*** World Privacy Forum

HITECH ACT RAISES COMPLIANCE BAR

» Stringent new breach notification law

• Increased penalties range from $25K to $1.5M

• 12-month audit compliance requirement

• All forms of “unsecured” PHI including paper

• 60-day notification requirement

• New guidelines for letter content and address verification

• Maintain and report log of breaches to HHS

• Breaches over 500 records require posting to “prominent media outlets” and trigger an OCR investigation

2010 BENCHMARK STUDY BY PONEMON INSTITUTE

Benchmark sampling response                                       Freq.
Total healthcare organizations contacts made                        457
Total healthcare organizations recruited                             99
Total healthcare organizations participating                         67
Total healthcare organizations providing incomplete responses         2
Final benchmark sample                                               65

NATURE OF THE DATA LOSS


HOW BREACH WAS DISCOVERED


IMPACT OF THE BREACH


LIFETIME ECONOMIC VALUE OF A LOST PATIENT


ECONOMIC IMPACT OF A BREACH


PROCESS FOR PREVENTING BREACHES


BEST PRACTICES

» Protecting patient information

• Prevention

• Preparedness

• Remediation

• Compliance

BREACH BEST PRACTICES PREVENTION

» Assess data breach risks

• Security/privacy

• Focus on people/processes

• Adopt data loss prevention and encryption technologies

BREACH BEST PRACTICES PREPAREDNESS

» Data breach incidents are a way of life in healthcare, be prepared:

• Comprehensive incident response plan (IRP)

• Retain breach remediation partner

• Obtain HITECH-compliant Incident Risk Assessment tool

• Data breach or cyber liability insurance

BREACH BEST PRACTICES REMEDIATION

» Key to a positive outcome is handling every stage of a response properly:

• Incident risk assessment

• Formal patient notification

• Patient monitoring/protection offering

• Identity theft restoration

BREACH BEST PRACTICES COMPLIANCE

» Ensure compliance with HITECH and state laws

• HITECH mandates patient, HHS and media notification

• State laws have their own mandates for patients in their jurisdiction

• Typically state Attorneys General also require notification

• ALL are required

QUESTIONS

» Rick Kam

» PH: 971-242-4705

» Email: [email protected]