
Putting data security on the top table: How healthcare organisations can manage information more safely

June 2013

When we conducted our latest annual global CEO survey, we were startled to learn that only 24% of healthcare CEOs worry about being able to protect intellectual property and customer data.[1] This seems remarkable, given that in the US alone there have been 571 security breaches affecting at least 500 patients since September 2009.[2]

Structural and technological changes are transforming the way in which the healthcare industry operates. The rules governing the protection of personal data are also becoming more stringent. Meanwhile, "the hackers are getting more numerous and more creative," one highly experienced healthcare CIO warns. Today, no healthcare organisation can afford to rest on its laurels.

Healthcare CIOs are less sanguine about the situation than CEOs, although even they sometimes underestimate the risks: 42% of those we polled in another recent study said they had an information security strategy and proactively executed it. But when we probed more deeply, we found that fewer than half had policies for safeguarding data stored in clouds, mobile devices or social media sites, all increasingly important tools for sharing and storing information.[3]

New ways of working together

One of the biggest changes taking place concerns the way in which healthcare providers get paid, as healthcare systems almost everywhere struggle to contain soaring costs. Under the US Affordable Care Act of 2010, for example, all hospitals serving Medicare patients with the most common conditions are now paid for the quality of the care, rather than the quantity of services, they supply. This concept will gradually be extended to other healthcare providers.[4]

The British National Health Service has adopted a similar approach. It launched a major pay-for-performance initiative, known as the Quality and Outcomes Framework, in 2004.[5] And healthcare payers in other countries, including the Philippines, Vietnam, Rwanda, Tanzania and Zambia, are experimenting with their own variants.[6]
The shift from the traditional fee-for-service model to value-based purchasing has
huge implications for the healthcare industry. All providers will have to capture,
measure and report on vast quantities of outcomes data. Providers and payers
are also likely to become more integrated, with the development of bundled
reimbursement packages for specific conditions.
A second key change will reinforce this trend towards closer collaboration. It's commonly recognised that pooling and mining massive amounts of data can generate insights that can't be gleaned from analysing many smaller, separate data sets. But unleashing the potential of big data entails sharing more information more widely, both inside and outside the industry.
Disruptive devices
The healthcare sector is simultaneously becoming more digitised, as electronic medical record systems replace the paper-based systems of old and disruptive technologies such as the smartphone offer new ways of engaging with patients. By 2017, the number of handheld mobile devices in use is expected to top 8.6 billion.[7] And the newest models can be configured to interface directly with a patient's medical record.

Digitally enfranchised patients can also draw on more than 10,000 fitness and healthcare apps in the iTunes store, including exercise, dieting and diabetes apps, blood pressure and heart rate monitors, and sleep and mood trackers. In fact, several companies have even developed peripherals that can be plugged into a smartphone to perform eye checks and electrocardiograms, although they're not yet available to the public at large.[8]

So more and more sophisticated mechanisms for capturing health data are rapidly reaching the market, but many of them are unregulated. Very few health apps are currently classified as medical devices requiring regulatory oversight, for example, although that may soon change.[9] And since most mobile devices are more vulnerable than computers used over a home network, they're creating new security risks.


Take the case of wirelessly implanted defibrillators for controlling the heartbeat. In the right hands, these are valuable medical aids. But researchers have demonstrated that it's possible to glean personal information by eavesdropping on the signals these implants emit. Indeed, they can even be reprogrammed to deliver a fatal jolt of electricity.[10]

Nor is it just the patient who's in danger. When a device interfaces directly with a patient's medical record, it exposes that record to viruses and other malware. And an infection can spread from one system to the next until it has corrupted a healthcare provider's entire electronic medical record system.


New technologies such as cloud computing are compounding the challenge. Clouds have a vital role to play in healthcare as a cost-effective means of storing, sharing and analysing big data. Medical researchers are, for example, using the Amazon cloud to crunch 200 terabytes of genetic data in search of new cures.[11] But cloud computing also brings new risks, and data breaches head the list, according to the Cloud Security Alliance.[12]

In short, the health ecosystem is becoming increasingly interconnected, interdependent and integrated (see Figure 1). And that's a mixed blessing. On the one hand, it's paving the way for a much deeper understanding of disease and the development of new treatments. On the other, it's exposing all healthcare providers, payers, patients and researchers to more cyber threats.

Figure 1: The health ecosystem is becoming increasingly interconnected. Participants shown: patients, physicians' practices, hospitals, labs, medical research centres, healthcare payers, genetic testing companies and social media sites. Source: PwC

Moreover, recent research suggests that the industry is ill prepared to manage them. A year-long study conducted by The Washington Post revealed so many problems that one data security expert remarked: "If our financial industry regarded security the way the healthcare sector does, I would stuff my cash in a mattress under my bed."[13]
Crackdown on compliance
Yet the healthcare sector, like the financial services sector, has to fulfil some exacting regulatory requirements. And the rules governing the protection of personal data are steadily getting tougher.

In January 2013, the US Department of Health and Human Services (HHS) published a long-awaited modification of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Final Omnibus HIPAA Rule, as it's known, codifies many of the interim requirements laid down under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and has some significant implications.

Among other things, the new rule extends the privacy and security requirements of HIPAA from covered entities to their business associates and subcontractors, and increases the penalties for any violations. It also imposes new restrictions on what covered entities can disclose, either for marketing and fundraising purposes or for underwriting purposes.[14]

In addition, the rule gives patients several new rights, including the right to get electronic access to their own records within 30 days of requesting it, and the right to be notified of any suspected breaches affecting those records within 60 days of the breach being discovered. Lastly, it creates a new presumption that any impermissible use or disclosure of protected health information is a reportable breach, unless the organisation concerned can show there is a low probability that the data has been compromised.[15]
Meanwhile, the member states of the European Union (EU) already have the
most extensive data protection laws in the world, and the European Commission
is currently revising them. In January 2012, it unveiled plans for a comprehensive
overhaul of the existing regulations, both to take account of technological
advances and to harmonise practice within all the member states.


The proposed reforms include creating a single set of rules, valid throughout the EU, and making each national data protection authority a one-stop shop with supervisory powers over any business operating in any member state. A company will only have to report to the authority in the EU country where it's based, instead of having to inform the authorities in every country in which it trades (as is now the case). But all serious breaches must be reported within 24 hours.[16]

Moreover, all EU citizens will be able to instigate a complaint through their own national authorities, regardless of where a company is located or the data is processed. They will also be able to get personal data deleted, if there are no good grounds for keeping it. And any violation of the rules will attract a fine of up to €1 million or 2% of a company's global annual turnover.[17]

The new framework has yet to be approved by the relevant bodies, so it's unlikely to come into force before 2015. And, given the opposition from various quarters, it may well be modified.[18] But the fact that it's a regulation, as opposed to a directive, means it will be directly applicable in all EU member states without requiring national legislation to implement it.[19]

Data protection is also rising up the agenda in Asia and Latin America. India, Malaysia, South Korea and Taiwan recently passed new cyber security laws. And the Chinese Ministry of Industry and Information Technology has published a draft national standard, although whether Beijing plans to enshrine it in law isn't yet clear.[20]

Eleven countries in Latin America have likewise enacted data privacy legislation. These laws vary significantly from one country to another, but they all require registration with a national data protection authority and impose cross-border restrictions.[21] So the safeguarding of personal data is becoming a hot topic almost everywhere, and the penalties for leaking it are getting more punitive.
Impact of breaches on the business

Legal issues aren't the only concern, though. The business risks are equally important. In one recent survey of 80 US healthcare providers, the average economic impact of a data breach was put at $2.4 million, an increase of $400,000 since 2010. Worse still, 39% of those that had experienced medical identity theft said it resulted in inaccuracies in the patient's medical record, while 26% said it affected the patient's medical treatment. And 21% thought their employee records were also at risk.[22]


The damage to an organisation's reputation may be immeasurable, then, since patients take a dim view of having their privacy breached. And they're likely to be even less forgiving if that results in the wrong clinical care. The more sensitive the data, the greater the offence, and medical data is often very sensitive indeed.
Health hacking on the rise

It's also very valuable. A stolen medical identity sells for about US$50, whereas a stolen social security number only fetches a couple of dollars, which explains why hackers are now targeting the healthcare industry so actively.[23] Reliable figures on the incidence of cyber attacks are difficult, if not impossible, to obtain. But the experts we've talked to unanimously report that health hacking is on the rise and the criminals are becoming more devious.

What's more, medical theft may soon seem like a trivial problem, as our understanding of biology advances. "DNA is the original operating system," notes global security expert Marc Goodman, "and to hackers, it's just another system to be hacked." In the future, he predicts, biocriminals will easily be able to create genetically modified versions of existing viruses and even develop personalised bioweapons targeted at specific individuals.[24]

That said, hackers aren't the sole or even, perhaps, the main threat. Hacking accounts for only 48 of the 572 reported breaches in the US, whereas loss of a portable electronic device or back-up tapes accounts for 78 breaches.[25] So negligence is a factor, too.

Disgruntled staff and lax suppliers can likewise cause problems. Our research suggests that two-fifths of all cybercrimes are inside jobs, perpetrated by employees working alone or with external fraudsters.[26] It also shows that most healthcare providers don't require third parties to comply with their data privacy policies, and a company is only as strong as its weakest link.[27]
Cyber security's strategic value

To sum up, the protection of personal data is becoming an ever-bigger challenge, as the healthcare industry turns to new business models and technologies. The regulations are concurrently hardening, and the criminals are coming out in force. But good cyber security isn't just about blocking and tackling; it's also about creating business value (see Figure 2).

With strong data security measures in place, an organisation can adopt new medical systems more rapidly and become more efficient. It can offer new mobile healthcare services, such as remote surveillance or remote surgery. And it can form new partnerships to make the most of the data it holds, be they partnerships with pharmaceutical researchers to develop new medicines, partnerships with healthcare providers to develop better treatment protocols or partnerships with health insurers to get a better understanding of costs. The ability to manage and share sensitive data safely isn't simply a legal requirement, then; it's a source of competitive advantage.

Figure 2: Good cyber security helps a business get bigger and better
Grow the business: deploy services quickly; improve user experience; enter into new partnerships; embrace mobile users.
Improve efficiency: automate security processes; adopt cloud models; increase virtualisation securely; improve collaboration.
Protect the business: combat threats; protect sensitive information; govern solutions; control access.
Source: PwC
Inadequate budgets and other roadblocks
So what's stopping many healthcare providers and payers from making their data more secure? Insufficient funding is one major obstacle. More than half of the healthcare IT managers whom we've surveyed say their budgets are too small (see Figure 3).[28] Other evidence bears them out. Total IT spending as a percentage of revenues or gross output is just 3.8% in the healthcare sector, compared with 7.3% in financial services and 4.5% in education and social services.[29]
Figure 3: Lack of money, expertise and leadership are the biggest problems (2012)
Insufficient capital expenditure: 27%
Insufficient operating expenditure: 26%
Absence or shortage of in-house technical expertise: 24%
Leadership (CEO, president, board or equivalent): 20%
Lack of actionable vision or understanding: 19%
Leadership (CIO or equivalent): 10%
Leadership (CISO, CSO or equivalent): 10%
Source: PwC

Lack of in-house technical expertise is another hurdle. Many healthcare organisations employ relatively few IT people, which means they have to rely on third parties. But "that's like asking the man who sells you a wrench to service your vehicle," one healthcare CIO notes. Most vendors can't see the big picture or help an organisation formulate the right strategy, he explains.

The most serious problems arguably arise when executive management is the roadblock, though. This is mostly because top managers without any experience of IT don't really understand the risks they're running. And given a choice between spending limited funds on data security or on more obvious measures for stimulating growth, they opt for the latter.
Stepping stones on the path to better data protection
The first task for the healthcare CIO who wants to beef up an organisation's cyber security is to assess the threats, review every IT system, assess its strengths and weaknesses and prioritise measures. No business can eliminate all risk, so it makes sense to focus on the biggest sources of danger: the data that's most valuable and the people with the most privileged access.

Ranking risks in order of severity shows an organisation where to start. It also allows it to manage its security investments as a portfolio, by separating measures that are needed to keep the lights on from those that are strategic and those that are optional, value-creating extras.
This process usually highlights several common problems. In our experience, one frequent error is forgetting to terminate an employee's access to a particular part of the system when the employee moves to another department. But it's quite easy to automate such changes with identity and access management software, by reconciling the access that has actually been granted against the HR record of who currently works where. It's also a good idea to classify and tag all data, encrypt the most sensitive data and give those with access to it stronger passwords.
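Reconciling granted access against the HR roster is the kind of automation this paragraph has in mind. The script below is an added example, not code from the PwC paper: it takes a constructed HR roster and a constructed list of access grants, applies a hypothetical department-to-entitlement role model, and returns every grant that should be revoked (leavers, orphan accounts with no HR record, and movers still holding their old department's access), ordered so that the most sensitive stale entitlement is dealt with first. The department names, entitlement names and sensitivity tiers are all assumptions made for the example.

```python
"""Joiner/mover/leaver access reconciliation (added example, not PwC code).

The HR roster is treated as the source of truth for who works where; the
access system's grants are compared against it and a revocation list is
produced, most sensitive entitlement first.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    active: bool  # False once HR has recorded the person as having left


@dataclass(frozen=True)
class Grant:
    user_id: str
    entitlement: str


# Hypothetical role model (constructed for this example): the entitlements
# each department is allowed to hold.
ROLE_MODEL: Dict[str, Set[str]] = {
    "cardiology": {"ehr-cardiology-rw", "pacs-view"},
    "billing": {"claims-rw", "ehr-demographics-ro"},
    "it-ops": {"ehr-admin", "vpn"},
}

# Sensitivity of the data behind each entitlement (3 = restricted patient
# data, 2 = confidential, 1 = internal). Also constructed for the example.
SENSITIVITY: Dict[str, int] = {
    "ehr-admin": 3,
    "ehr-cardiology-rw": 3,
    "claims-rw": 2,
    "ehr-demographics-ro": 2,
    "pacs-view": 2,
    "vpn": 1,
}

# Constructed sample data: "ang" moved from cardiology to billing but kept
# her old access, "jsmith" has left, "ghost" exists only in the access system.
HR_ROSTER: List[Employee] = [
    Employee("ang", "billing", True),
    Employee("jsmith", "cardiology", False),
    Employee("rlee", "it-ops", True),
]

ACCESS_GRANTS: List[Grant] = [
    Grant("ang", "ehr-cardiology-rw"),     # stale: previous department
    Grant("ang", "pacs-view"),             # stale: previous department
    Grant("ang", "claims-rw"),             # legitimate for billing
    Grant("jsmith", "ehr-cardiology-rw"),  # leaver whose access was never removed
    Grant("rlee", "ehr-admin"),
    Grant("rlee", "vpn"),
    Grant("ghost", "vpn"),                 # orphan account, no HR record
]


def reconcile(
    roster: Iterable[Employee],
    grants: Iterable[Grant],
    role_model: Dict[str, Set[str]],
    sensitivity: Dict[str, int],
) -> Tuple[List[Tuple[Grant, str]], List[Grant]]:
    """Return (to_revoke, to_keep): (grant, reason) pairs sorted by descending
    entitlement sensitivity, and the grants consistent with the role model."""
    by_user = {e.user_id: e for e in roster}
    to_revoke: List[Tuple[Grant, str]] = []
    to_keep: List[Grant] = []
    for g in grants:
        emp = by_user.get(g.user_id)
        if emp is None:
            to_revoke.append((g, "no HR record (orphan account)"))
        elif not emp.active:
            to_revoke.append((g, "leaver"))
        elif g.entitlement not in role_model.get(emp.department, set()):
            to_revoke.append((g, f"not permitted for department {emp.department}"))
        else:
            to_keep.append(g)
    # An entitlement missing from the sensitivity map is unknown territory,
    # so it is treated as most sensitive and reviewed first. Python's sort is
    # stable, so equally sensitive grants keep their discovery order.
    to_revoke.sort(key=lambda item: sensitivity.get(item[0].entitlement, 99),
                   reverse=True)
    return to_revoke, to_keep


def revocation_report(to_revoke: List[Tuple[Grant, str]]) -> List[str]:
    """One line per revocation, in the order it should be actioned."""
    return [f"REVOKE {g.entitlement} from {g.user_id}: {reason}"
            for g, reason in to_revoke]


if __name__ == "__main__":
    revoke, keep = reconcile(HR_ROSTER, ACCESS_GRANTS, ROLE_MODEL, SENSITIVITY)
    print("\n".join(revocation_report(revoke)))
    print(f"{len(keep)} grants consistent with the role model")
```

In a real deployment the roster would be pulled from the HR system and the grants from the directory or IAM tool, and the reconciliation would run on a schedule as well as on every HR change event. The orphan-account case is the one HR data cannot explain, which is why it is reported separately rather than silently merged with leavers.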
Patch management is another common trouble spot. All systems need periodic upgrades to fix bugs or security issues and improve their performance. But getting the downtime needed to install a patch isn't always easy, and some patches could cause a system-wide crash. So it's essential to have a clear patch management policy and ensure the board can make educated decisions about which patches to delay implementing, for how long, and what compensating controls will apply in the meantime.


The next step is to make sure the board is onside with the data security strategy and, here, the internal compliance and assurance department can be a very useful ally. The compliance team can help to get data protection on the management agenda by reinforcing the CIO's arguments and explaining why requests for more money are fuelled by legitimate concerns, not the desire for new gadgets.

Cyber security isn't just the board's concern, though; it's everybody's business. That means it's vital to communicate the importance of preserving confidential data to every employee in the organisation and show them how they can help.

It's also imperative to test and audit an organisation's systems regularly, both to measure how secure they are and to assess the impact of any attacks. In fact, we recommend completing a full audit at least once a year. "The worst risks aren't the ones a company knows about, they're the ones it doesn't even know it doesn't know about. And some breaches are so subtle that nobody realises they're happening," cautions one healthcare CIO.

Lastly, it's advisable for any company with a global footprint to adopt the data security standards of the country with the strictest regulations. That way, it can be assured of meeting the required standards wherever it operates. And, where it exceeds the standards, its efforts certainly won't be wasted; it will simply be in a stronger position to capitalise on the benefits really robust data protection brings.

How to be an information security leader
1. Assess your current IT systems for strengths and weaknesses.
2. Prioritise the risks, focusing on the data that's most valuable.
3. Assess your employee user access policy.
4. Have a clear patch management policy that ensures seamless implementation.
5. Engage your board of directors as partners to help secure appropriate funding and resources.
6. Communicate your data security policy to all employees and stakeholders.
7. Audit your IT systems at least once a year.

One obvious benefit is a reputation for taking data protection seriously; patients
want to know their private details will stay private. But the ability to move fast,
partner speedily and effectively with other participants in the health ecosystem
and pre-empt the competition are also major strategic advantages. So, when it
comes to cyber security, the right thing is also the smart thing.


Notes
1. PwC, Dealing with disruption: How healthcare CEOs are creating resilient organisations (February 2013).
2. U.S. Department of Health & Human Services, Breaches Affecting 500 or More Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (accessed 12 April 2013).
3. PwC, Changing the game: Healthcare providers: findings from The Global State of Information Security Survey 2013 (September 2012).
4. PwC Health Research Institute, Implications of the US Supreme Court ruling on healthcare (August 2012 update).
5. UK Health & Social Care Information Centre, Quality and Outcomes Framework, http://www.hscic.gov.uk/services/qof/
6. S. Witter, A. Fretheim, F. L. Kessy & A. K. Lindahl, Paying for performance to improve the delivery of health interventions in low- and middle-income countries, Cochrane Database of Systematic Reviews, Issue 2 (2012).
7. Cisco, Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012-2017 (6 February 2013).
8. Dr Jody Rank, How Connected Health, Public-Private Cooperation, And Big Data Can Revolutionize Health Care, Forbes (6 July 2012), http://www.forbes.com/sites/benkerschberg/2012/07/06/howconnected-health-public-privatecooperation-and-big-data-canrevolutionize-health-care/
9. The US Food and Drug Administration proposes to regulate a small subset of mobile medical apps that are capable of affecting the performance or functionality of currently regulated medical devices, and is now devising guidelines. The European Union already operates a system under which standalone software can be registered as a medical device with a CE mark, but it has yet to clarify precisely which kinds of standalone software must be registered.
10. Barnaby J. Feder, A Heart Device Is Found Vulnerable to Hacker Attacks, The New York Times (12 March 2008), http://www.nytimes.com/2008/03/12/business/12heartweb.html?_r=0
11. Brian T. Horowitz, Amazon Cloud to Ease 1000 Genomes Project Disease Research, eWeek (31 March 2012), http://www.eweek.com/c/a/Health-Care-IT/Amazon-Cloud-toEase-1000-Genomes-Project-DiseaseResearch-649156/
12. Ted Samson, 9 top threats to cloud computing security, InfoWorld (25 February 2013), http://www.infoworld.com/t/cloud-security/9top-threats-cloud-computingsecurity-213428
13. Robert O'Harrow, Jr., Healthcare sector vulnerable to hackers, researchers say, The Washington Post (26 December 2012), http://www.washingtonpost.com/investigations/health-care-sectorvulnerable-to-hackers-researcherssay/2012/12/25/72933598-3e50-11e2ae43-cf491b837f7b_print.html
14. PwC, How to Respond to the Final Omnibus HIPAA Rule: 10 things you need to know (March 2013).
15. Ibid.
16. European Commission press release, Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses (25 January 2012), http://europa.eu/rapid/press-release_IP-1246_en.htm?locale=en
17. Ibid.
18. Warwick Ashford, UK calls for opt-out of online right to be forgotten, ComputerWeekly.com (5 April 2013), http://www.computerweekly.com/news/2240180878/UK-calls-for-optout-of-online-right-to-be-forgotten
19. Essential guide: EU Data Protection Regulation, ComputerWeekly.com, http://www.computerweekly.com/guides/Essential-guide-What-the-EUData-Protection-Regulation-changesmean-to-you
20. Freshfields Bruckhaus Deringer, New wave of data privacy regulations in Asia (May 2012), http://m.freshfields.com/uploadedFiles/SiteWide/Knowledge/33207.pdf
21. Cynthia Rich, Marian Waldmann Agarwal & Miriam Wugmeister, Privacy in Latin America, Bureau of National Affairs, Privacy & Security Law Report, 12 PVLR 12 (7 January 2013).
22. Ponemon Institute, Third Annual Benchmark Study on Patient Privacy & Data Security (December 2012).
23. Robin Erb, Data breaches put patients at risk for identity theft, USA Today (12 February 2012), http://usatoday30.usatoday.com/news/health/story/health/story/2012-02-12/Data-breaches-put-patients-at-risk-foridentity-theft/53065576/1
24. Marc Goodman: A vision of crimes in the future, TED Talks (June 2012), http://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future.html#1128409
25. U.S. Department of Health & Human Services, Breaches Affecting 500 or More Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (accessed 12 April 2013).
26. PwC, Cybercrime: protecting against the growing threat (November 2011), http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf
27. PwC, Changing the game: Healthcare providers: findings from The Global State of Information Security Survey 2013 (September 2012).
28. Ibid.
29. Deutsche Bank, IT in banks: What does it cost? (20 December 2012), p. 2.

For more information, please visit www.pwc.com/global-health

Contacts:

Australia: Klaus Boehncke, +61 2 8266 0626, klaus.boehncke@au.pwc.com
Canada: William Falk, +1 416 687 8486, william.f.falk@ca.pwc.com
China/HK: Mark Gilbraith, +86 21 2323 2898, mark.gilbraith@cn.pwc.com
Finland: Karita Reijonsaari, +358 (0) 9 22800, karita.reijonsaari@fi.pwc.com
Germany: Robert Paffen, +49 89 5790 6025, robert.paffen@de.pwc.com
India: Dr. Rana Mehta, +91 124 330 6006, rana.mehta@in.pwc.com
Italy: Andrea Fortuna, +2 66 720 547, andrea.fortuna@it.pwc.com
Japan: Yasushi Tabuchi, +81 80 3710 4138, yasushi.tabuchi@jp.pwc.com
Mexico: José Alarcón, +52 55 5263 6028, jose.alarcon@mx.pwc.com
Netherlands: Otto Vermeulen, +31 (0) 887926374, otto.vermeulen@nl.pwc.com; Cokky Hilhorst, +31 (0) 8879 27384, cokky.hilhorst@nl.pwc.com
South Africa: Diederik Fouche, +27 11 797 4291, diederik.fouche@za.pwc.com
Sweden: Jon Arwidson, +46 (0) 10 213 3102, jon.arwidson@se.pwc.com
Switzerland: Axel Timm, +41 (0) 58 792 2722, axel.timm@ch.pwc.com
United Kingdom: Sunil Patel, +44 (0) 207 212 3484, sunil.k.patel@uk.pwc.com
United States: Daniel Garrett, +1 267 330 8202, daniel.garrett@us.pwc.com; Peter Harries, +1 213 356 6760, peter.harries@us.pwc.com; James H. Koenig, +1 267 330 1537, james.h.koenig@us.pwc.com; Nalneesh Gaur, +1 214 649 1261, nalneesh.gaur@us.pwc.com; Mick Coady, +1 713 356 4366, mick.coady@us.pwc.com
© 2013 PwC. All rights reserved. PwC refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way. NY-13-0708
