
Putting data security at the top table

How healthcare organisations can manage information more safely

www.pwc.com/global-health

June 2013

PwC

Agenda

1. Findings from 16th annual CEO Survey

2. New ways of working together

3. Compliance and business risks

4. Increase in health hacking

5. Creating business value

6. What is stopping healthcare organisations from making their data more secure?

7. On the path to better data protection


16th annual CEO Survey

Key findings in the healthcare industry


Only 24% of healthcare CEOs worry about their inability to protect intellectual property and customer data (versus 34% of the overall sample).

Source: PwC, ‘Dealing with disruption: How healthcare CEOs are creating resilient organisations’ (February 2013).


Yet healthcare respondents are confident in their security practices

</gr_replreplace>
<gr_replace lines="73-131" cat="reformat" orig="42%">
[Chart: healthcare provider respondents by security-strategy profile, 2011 vs 2012. Front-runners: "We have an effective strategy in place and are proactive in executing the plan". Strategists: "We are better at 'getting the strategy right' than we are at executing the plan". Tacticians: "We are better at 'getting things done' than we are at defining an effective strategy". Firefighters: "We do not have an effective strategy in place and are typically in a reactive mode". Values plotted: 42%, 26%, 18%, 14% and 42%, 24%, 16%, 17%.]

Source: PwC, The Global State of Information Security® Survey 2013

42% of healthcare provider respondents say their organisation has a strategy in place and is proactive in executing it — exhibiting two distinctive attributes of a leader.

42%

26%

18%

14%

42%

24%

16% 17%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

We have an effective strategyin place and are proactive in

executing the plan

We are better at "getting thestrategy right" than we are at

executing the plan

We are better at "getting thingsdone" than we are at defining

an effective strategy

We do not have an effectivestrategy in place and are

typically in a reactive mode

2011 2012

Strategists

Firefighters Tacticians

Front-runners

Source: PwC, The Global State of Information Security® Survey 2013


A reality check on real leaders.

[Chart: share of respondents qualifying as leaders. All healthcare provider respondents: 100%. Healthcare provider leaders: 6%.]

But are they really leaders? We measured healthcare provider respondents’ self-appraisal against four key criteria to define leadership. To qualify, they must:

• Have an overall information security strategy

• Employ a CISO or equivalent who reports to the “top of the house” (e.g., to the CEO, CFO, COO, or legal counsel)

• Have measured and reviewed the effectiveness of security within the past year

• Understand exactly what type of security events have occurred in the past year

The result? Our analysis found that 6% of healthcare provider respondents rank as leaders.

Source: PwC, The Global State of Information Security® Survey 2013

Since September 2009, in the US alone, there were 571 security breaches affecting 500 patients.

Source: PwC, ‘Dealing with disruption: How healthcare CEOs are creating resilient organisations’ (February 2013).


Why should healthcare CEOs care about data security?


New ways of working together

Fee for service → Fee for outcomes

The shift from the traditional fee-for-service model to value-based purchasing has huge implications for the healthcare industry.

Evolving healthcare ecosystems are increasingly dependent on information exchange

[Figure: ecosystem map linking Patients, Providers, Payers, Regulators and Pharma (R&D, Co-Market, Manufacturing). Key: business trends and technology trends. The trend lists from the figure follow, in the order they appear.]

• New Generation Sales Targeting/Segmentation Models
• Customer “Pull” Strategies – Multi-Channel
• Closed Loop Marketing and Medical Interaction
• Key Opinion Leader Management (Compliance)

• Customer Data Integration and Master Data
• Social and Mobile deployment/provisioning
• E-Marketing CoE
• PHRs/EHR Longitudinal Data
• Remote monitoring / telemedicine

• Negative public opinion
• Patients demand medical information
• Adverse Event Management

• Social Media Services
• DTC Channel Optimisation
• Text-Mining Services
• Access to outcomes-based data

• “Buy the Pipeline” – Pipeline Optimisation
• Form Dynamic Alliances - B2B Exchange Models
• Externalisation of R&D
• R&D efficiency and effectiveness
• Intellectual property risks in emerging markets

• “Plug and Play” partners – Federated Identity
• Research/External Collaboration
• Clinical Data Exchange and Analytics
• On-demand / high-volume computing
• In Silico Trials

• Patient longitudinal data
• Consumer Directed Health Plans (CDHPs)
• Healthy Lifestyle Incentives
• Access to outcomes-based data

• EHR for Data Standardisation
• Data Exchange Services
• Compliance and diagnostic information
• Master data and data integration

• Multi-national electronic submission
• Regulation of promotional content
• State-level regulation
• Reimbursement regulations
• Device/drug efficacy and safety
• Data “abstraction” layer
• Unified, standards-based integration
• Enterprise document/content management

Technology adoption is moving faster than security implementation.

As with many industries, healthcare is struggling to keep pace with the adoption of cloud computing, social networking, mobility, and use of personal devices. These new technologies are often not included in overall security plans even though they are widely used. In a recent survey, for instance, we found that 88% of consumers use a personal mobile device for both personal and work purposes.1

[Chart: respondents with a security strategy in place, 2011 vs 2012, for cloud security strategy, mobile device security strategy, social media security strategy, and security strategy for employee use of personal devices on the enterprise. Values plotted: 21%, 38%, 35%, 44% and 28%, 46%, 45%, 51%.]

Source: PwC, The Global State of Information Security® Survey 2013
1 PwC, Consumer privacy: What are consumers willing to share? July 2012

Compliance and business risks


Information security is complex and companies must assume a state of compromise

[Figure: timeline of security approaches plotted against technology reliance/complexity over time, from client/server computing through pervasive computing to consumerisation.]

• 1980s, “Perimeter Security”: focus on security technology for the perimeter
• 1990s, “Layered Security”: focus on enhanced layers of security, adoption of incremental security solutions
• 2000s, “Inclusion & Exclusion Security”: heavy focus on identity management – right people, right place, right access
• 2010+, “Resilient Cyber Security”: assumed state of compromise

Assumed state of compromise:

• Significant and evolving cyber threats unlike ever before
• Highly skilled/motivated, and yet patient adversaries, including nation states
• Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
• Massive consumerisation of IT and reliance on mobile technologies
• Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance)
• Unprecedented collaboration with patients, partners, payers and providers

Regulations governing the protection of personal data are getting tougher

• United States: January 2013, HIPAA is modified to extend privacy and security requirements.
• European Union: January 2012, unveiled plans for a single set of rules that takes into account technological advances and harmonises practices among member states.
• Asia: India, Malaysia, South Korea and Taiwan recently passed new cyber security laws. China published a draft national standard that is still to be enshrined.
• Latin America: 11 countries in Latin America have enacted data privacy legislation.

Regulation and safeguarding of information are the top challenges for healthcare organisations

Healthcare providers identified the top five security issues they face this year. Given increased global regulation and regulatory audits of patient data, it comes as no surprise that regulatory requirements top the list.

[Chart: top five security issues named by healthcare providers this year: EHR/PHR access controls and identity management; encryption in storage and in transit; identity theft and loss of patient/individual information; monitoring of access and information use; regulatory requirements. Values plotted: 24%, 27%, 35%, 35%, 35%.]

Source: PwC, The Global State of Information Security® Survey 2013

Business risk themes include loss of IP and the potential for inadequate care

[Figure: threats exploit vulnerabilities, resulting in information risk themes, which cause potential impacts.]

Threats:
• Activists
• Unintentional and malicious insider
• Hacker, thief and sophisticated malware
• Malicious collaborator/partner
• Nation states

Threats exploit vulnerabilities, resulting in these information risk themes:
• Loss of patient and employee sensitive information
• Loss of sensitive clinical trial information and IP
• Internet Distributed Denial of Service (DDoS)
• Stolen corporate sensitive information (drug pipeline/emails)
• Integrity of manufacturing operations

Causing these potential impacts:
• Brand damage
• Competitive disadvantage
• Non-compliance with applicable regulations
• Loss of market share
• Financial loss
• Operational impairment

Increase in health hacking


Modern attacks are stealthy, persistent, and sophisticated

1. Phishing, zero-day attack, drive-by downloads: users fall victim to phishing, removable media or drive-by downloads containing a zero-day payload.

2. Malware installed: malware is covertly installed on the user’s machine, and the malware pulls additional malware.

3. Privilege escalated: the attacker is able to remotely control the user’s machine, where the attacker is able to elevate privilege.

4. Multiple systems infected: the malware infection spreads to other systems or SCADA/PLC devices; systems become part of the attacker’s command and control apparatus.

5. Data gathering: sensitive data is prepared and staged for remote transmission; user credentials are harvested.

6. Sensitive information stolen: encryption is used to transmit sensitive information to remote systems of the attacker’s choice.

Reported security incidents are on the rise

The most numerous category of reported security incidents – 50 or more per year – is the fastest growing among healthcare providers. The number of respondents that experienced 50 or more incidents in 2012 increased by 50% over the year before and 200% over 2010. One in five respondents do not know the number of incidents, an uncertainty that suggests ineffective security practices.

Reported security incidents per year (percentage of healthcare provider respondents):

                 2010   2011   2012
None              23%    31%    31%
10-49              7%     8%     8%
50 or more         4%     8%    12%
Do not know       36%    19%    21%

Source: PwC, The Global State of Information Security® Survey 2013

Threats from insiders – including current and former employees – are increasing

Security incidents attributed to current employees are at the highest level in years, as are those attributed to former workers. Also, more respondents point the finger at service providers/consultants/contractors this year.

Source to which respondents attribute security incidents (percentage of respondents):

                                                2009   2010   2011   2012
Current employees                                32%    36%    36%    39%
Former employees                                 17%    18%    23%    24%
Partners / suppliers                              6%     6%    12%    11%
Service providers / consultants / contractors     6%     6%     6%     9%

Source: PwC, The Global State of Information Security® Survey 2013

Creating business value


Cyber Security is not just about blocking and tackling; it is also about creating business value

Grow the business
• Deploy services quickly
• Improve user experience
• Expand partner eco-systems
• Embrace mobile users

Improve efficiency
• Automate security processes
• Adopt cloud models
• Expand virtualisation – securely
• Improve collaboration

Protect the business
• Combat threats
• Protect sensitive information
• Govern solutions
• Control access

What is stopping healthcare organisations from making their data more secure?


Inadequate budget and other roadblocks

A lack of adequate funding, both capital and operating, was cited by 53% of healthcare provider respondents as the primary roadblock to effective security. One in five respondents say top leadership – the CEO, President, or Board – is an impediment to improved security.

Roadblocks to effective security, 2012:

Insufficient capital expenditure 27%
Insufficient operating expenditure 26%
Absence or shortage of in-house technical expertise 24%
Leadership – CEO, president, board or equivalent 20%
Lack of actionable vision or understanding 19%
Leadership – CIO or equivalent 10%
Leadership – CISO, CSO or equivalent 10%

Source: PwC, The Global State of Information Security® Survey 2013

On the path to better data protection


How to be an Information Security Leader

1. IT Audit: Assess your current IT system for strengths and weaknesses.

2. Security is Strategic: Have an overall information security strategy that includes employee user access and patch management policies, and have a process in place to review and prioritise information risks.

3. Manage Security Portfolio: Assess security investments as a portfolio consisting of a) keep-the-lights-on (KLO), b) strategic and c) optional creating initiatives.

4. Board-Level Visibility: The “top of the house” keeps information security on the agenda and has visibility into the state of information security.

5. Security is Everyone’s Business: Elevate information security from an IT-only to an enterprise-wide topic with commitment from business and operations. Communicate your data security policy to all employees and stakeholders.

6. Risk Based: Understand the types and impact of security events that have occurred in the past year; measure and review the effectiveness of security every year.

For more information, please contact:

Australia: Klaus Boehncke, +61 2 8266 0626, [email protected]
Canada: William Falk, +1 416 687 8486, [email protected]
China/HK: Mark Gilbraith, +86 21 2323 2898, [email protected]
Finland: Karita Reijonsaari, +358 (0) 9 22800, [email protected]
Germany: Robert Paffen, +49 89 5790 6025, [email protected]
India: Dr. Rana Mehta, +91 124 330 6006, [email protected]
Italy: Andrea Fortuna, +2 66 720 547, [email protected]
Japan: Yasushi Tabuchi, +81 80 3710 4138, [email protected]
Mexico: José Alarcón, +52 55 5263 6028, [email protected]
Netherlands: Otto Vermeulen, +31 (0) 887926374, [email protected]; Cokky Hilhorst, +31 (0) 8879 27384, [email protected]
South Africa: Diederik Fouche, +27 11 797 4291, [email protected]
Sweden: Jon Arwidson, +46 (0) 10 213 3102, [email protected]
Switzerland: Axel Timm, +41 (0) 58 792 2722, [email protected]
United Kingdom: Sunil Patel, +44 (0)207 212 3484, [email protected]
United States: Daniel Garrett, +1 267 330 8202, [email protected]; Peter Harries, +1 213 356 6760, [email protected]

© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.