Assessing Risk for Health Care IT Organizations
A Practical Overview and Approach
A White Paper
By Ken Ewers
February 2007
Executive Summary
Health care providers are adopting health care information technology (IT) to increase productivity, profitability, and the quality of patient care delivery. Adoption of health care IT will continue to expand around the globe, resulting in new challenges for the IT organization. Health care departments will demand that clinical and business systems be made resistant to interruption and unauthorized access. IT organizations must analyze vulnerabilities to threats, assess the potential impact of these threats to the organization, and implement appropriate loss control measures. This white paper provides an overview of the risk assessment process for health care IT organizations, and includes recommendations for improving the storage infrastructure resistance to and resiliency from threats.
Contents
Introduction
Risk Management
Risk Management Process
    Key Success Factors
    Identify Potential Threats and Vulnerabilities
    Evaluate the Exposure
    Determine the Severity
    Determine Loss Control Techniques
    Implement Processes and Solutions
Reducing Exposure through Business Continuity and Disaster Recovery Solutions
Summary
Appendix A. Health Care IT Exposures—Example
Appendix B. Evaluating Loss Control Techniques
Introduction
As countries continue to pass legislation to promote the “portability” of health records [such as the Health Insurance Portability and Accountability Act (HIPAA)], the adoption of secure electronic records is becoming a top concern. At stake is the desire to enable unencumbered access to information when and where it is needed, while ensuring that the information is protected. All too often, health care organizations fail to analyze the risks and subsequent consequences to patient health and the organization. The aftermath of Hurricane Katrina provides an example of what can happen when patient and business information is not protected. Most hospitals in New Orleans and the surrounding areas failed to protect their patients’ information, resulting in hundreds of thousands of individuals now lacking historical medical records. The loss affected patient treatment and organization revenues.
Hurricane Katrina—Lost Health Records Affect Cancer Treatments
Cancer patients undergoing radiation therapy may receive treatments over several weeks. Treatment records for numerous patients were lost during Hurricane Katrina. The loss of treatment data prevented clinical staff from properly planning future radiation treatments. The future therapy could result in the delivery of too much or too little radiation—both increasing the risk of future cancer occurrence. In addition, treatment delays may also increase the risk of cancer recurrence.1
Health care IT organizations must identify the vulnerabilities to threats, estimate potential losses, and implement techniques to minimize the loss exposure to the organization. An increasing number of hospitals are conducting risk analysis that aligns business continuity and disaster recovery solutions with their clinical and business objectives.
1 Paraphrased from interviews with radiation oncology clinical staff – January 2007 (K. Ewers)
Risk Management
The goal of risk management is to reduce an entity’s accidental loss of corporate assets, personnel, revenue, and reputation. The health care organization will typically assign a corporate risk manager to complete the following:
• Identify risks
• Implement control measures for risks
• Structure corporate insurance or self-insurance programs
• Manage and mitigate actual incidents
The corporate risk manager and the IT organization will focus on different exposures to threats. The IT department will focus on threats that may have an impact on its ability to deliver information services, subsequently affecting business, compliance, or patient care. The IT department may focus on:
• Application availability and reliability
• Technology infrastructure availability and reliability
• Data integrity and security
• Data management required by regulatory requirements
Risk Management Process
This section will provide a general framework for analyzing risks and evaluating loss control techniques. The framework consists of four steps:
• Identify potential threats and vulnerabilities
• Determine exposure
• Evaluate and determine loss control techniques
• Implement loss control measures
Figure 1. Risk Management Process
An organization will take four steps in the Risk Management process.
• Team: Executive Sponsor, Departments, Consultant
• Identify Potential Threats: natural disasters, infrastructure outages, system attacks, accidental loss
• Determine Exposure: severity, frequency, Annualized Loss Expectancy (ALE)
• Evaluate and Determine Loss Control Techniques: avoidance, loss prevention, loss reduction, contractual risk transfer, insurance, retain the risk
• Implement Loss Control Measures: implement, test, monitor
Key Success Factors
Key success factors for an effective risk analysis program include:
• Executive sponsor. An executive sponsor is able to support needed resources and prioritize project activities.
• Team. A team will identify exposures throughout the entity. Then the identified exposures will be evaluated and prioritized per impact to the entity. This team will consist of key department heads, including Legal, Compliance, Finance, Risk Management, Security, Human Resources, and Operations. External consultants can provide valuable insight and experience to the risk analysis process.
• Communication process. The cross-disciplinary communication results in an excellent enterprise-wide understanding of potential business threats. The results of the project should be shared with top-level executives.
Identify Potential Threats and Vulnerabilities
The first step in the risk assessment process is to identify risks that could either interrupt the delivery of “information services” to clinical and business departments, or have an impact on data integrity, availability, or security. Risks are identified by listing threats that may exploit a vulnerability of a system or the IT organization’s ability to provide services. For example, a data center located in a coastal area may be vulnerable to a hurricane; another data center located 1,000 miles from the nearest coast would not be vulnerable to a hurricane, and thus the threat of a hurricane is not identified. Types of threats may be categorized as:
• Environmental—such as a flood, fire, or power loss
• Accidental—such as a misconfigured backup procedure or lost connectivity to the data center due to severed underground lines
• Deliberate—such as a virus attack, personal information theft, or terrorism
Appendix A lists incidents that have had major impacts on health care organizations. Although these incidents occurred in the United States, they represent threats that could have an impact on any health care organization throughout the world. The threats listed also include the subsequent vulnerabilities to the threat. For example, potential vulnerabilities to a hurricane may include the data center’s location, the ability to continue uninterrupted access to clinical systems, and the ability to fully recover from a disaster within an acceptable time frame.
Evaluate the Exposure
Two key factors, frequency and severity, are used to evaluate a threat’s potential exposure to the organization.
• Frequency. The event frequency defines how often the event is likely to occur, based on current controls and protections, within a given time period such as a calendar year.
• Severity. The severity is measured as the total financial impact of a realized threat, or an incident. For example, the severity resulting from an IT failure could include losses due to:
– Potential patient malpractice
– Regulatory/compliance failure
– Data privacy/legal issues
– Re-creation of damaged data and systems
– Reduction in revenue stream
– Reputation damage/negative press
– Increased staffing costs
– Interruption in technology services
– Inability to deliver contracted services to third parties
– Liability for lost records
– The use of external IT experts, such as forensic IT specialists
Determine the Severity
Vulnerabilities to a threat may result in losses incurred by several organization functions, such as:
• Patient health/safety. Lost or corrupted data may delay or impact the patient treatment and safety. For example, unavailable treatment plans needed to administer radiation therapy will delay patient treatment, possibly reducing revenues and impacting patient health.
• Regulatory. Failure to comply with various government regulations can result in financial and criminal penalties.
• Legal. Facilities may face legal action spurred by various electronic record related events (for example, exposure of personal health information due to a lost laptop).
• Physical and intellectual property. Facilities may face costs to repair or replace property, such as systems destroyed by flooding, including a premium to expedite property repair or replacement.
• Strategic/reputation. The facility’s reputation and revenue may be negatively affected due to a threat such as exposed personal health information.
• Financial. Threats could cause business interruptions, resulting in lost revenues. Also, facilities may incur additional costs in personnel time, supplies, and equipment if procedures are reworked due to a loss of information.
• Personnel. Employees may be negatively affected due to a threat. For example, a gas leak could cause several workers to become ill, reducing available workforce and causing additional personnel-related costs.

The severity is determined by adding the potential losses for the above functions. For example, consider a case in which an outside individual hacks into health care computer systems, retrieving names, birth dates, addresses, and social security numbers of 500 employees and 3,000 patients. The severity may include the costs indicated in Table 1.

Table 1. Sample Severity Calculation

| Function | Loss (US$) | Comments |
|---|---|---|
| Legal | $4,750,000 | Legal fees ($250/hour at 5,000 hours = $1,250,000); judgment or settlement costs ($1,000 per patient or employee affected = $3,500,000) |
| Strategic/Public Relations | $300,000 | Advertising, notifications, “hotline” response service |
| Financial | $875,000 | Credit monitoring service provided to employees and patients |
| Total | $5,925,000 | |

Note: These are examples of hard costs, and do not take into account lost opportunity costs.
Threat Exposure Analysis
As the frequency and severity are determined for threats, a graph is prepared plotting the frequency against the severity, such as Figure 2. This risk map can help communicate risk exposures and provide focus to remediation research.

Figure 2. Sample Risk Map
[Figure: threats plotted by Frequency (vertical axis, from 0.00001 "Less Frequent" to 100 "More Frequent") against Severity (horizontal axis, from $100 to $10,000,000). Threats shown: User Inadvertent Error, Application Crash, Destructive Hacker Attack, Rolling Blackouts, Data Theft, Stolen Laptop, Minor Interior Fire, Data Loss—Programmed Sabotage, Data Loss Medium Degradation, River Flood, Terrorist Attack, Total Datacenter Loss—Fire.]
Determine Loss Control Techniques
Based on the threat, one or more of the following loss control techniques can be implemented to reduce the organization’s exposure to threats:
• Risk Avoidance. The organization may decide to avoid a particular business operation.
• Loss Control.
– Pre-loss Prevention. The organization may implement measures that reduce the risk. Storage disaster recovery and business continuity solutions are key pre-loss prevention techniques. Refer to the “Reducing Exposure through Business Continuity and Disaster Recovery Solutions” section in this paper for more information.
– Post-loss Mitigation. The organization may reduce the loss when a threat is realized. For example, in the case of corrupted data caused by a virus attack, a prior “snapshot” of the data could be restored using “point-in-time” recovery solutions.
• Contractual Risk Transfer. The organization may transfer the risk to the counterparty via contract provisions.
• Financial Risk Transfer. The organization may transfer the risk to an insurance company.
• Risk Retention. The organization may make a business decision to retain the risk.
An analysis of various loss control techniques can provide the recommended strategy, including “investments” and estimated reduced exposures. As the strategy is completed, the original risk map as indicated in Figure 2 can be updated to graphically represent the reduced exposure based on planned remediation techniques. Refer to Appendix B for additional information regarding the evaluation of loss control techniques.
Implement Processes and Solutions
Implement
The risk analysis will provide a recommendation, including several techniques to control loss, such as technology changes, policy changes, contractual agreements, and new insurance policies. Steps of implementation will be completed by various departments. For example, the corporate risk manager might acquire an insurance policy to protect certain assets.
Test
The organization must regularly test the loss control measure employed. Responses such as “it should work” should cause concern. There are numerous incidents of failed mitigation solutions. For example, an organization may implement an automated backup solution, only to find later that the backup was not configured correctly, thus failing to successfully protect the information. Each policy and solution should be fully tested.
Monitor
Monitor the effectiveness of loss control measures, tracking historical versus actual losses. Also, monitor the environment for changes that would require updates to the risk plan, such as installation of new systems, changes in location, or the acquisition of another facility.
Reducing Exposure through Business Continuity and Disaster Recovery Solutions
As part of the risk analysis, application systems may be identified as potential vulnerabilities to a threat, such as a fire. An analysis of applications and associated data’s impact to the organization will provide the prioritized importance of the data as well as the maximum “unavailability” of the data, or recovery time. The business continuity metrics of the current implementation must be defined and evaluated against business and clinical objectives.
• The Recovery Point Objective (RPO) is the maximum allowable data loss. In the Figure 3 scenario, the RPO is one day.
• The Recovery Time Objective (RTO) is the time from the event occurrence to the point in time the system is operational. In the Figure 3 scenario, the RTO is two weeks.
• The Full Operational Recovery (FOR) identifies the point in time that all historical data is restored. In this scenario, several months are needed to fully restore the large volume of information from tape—assuming all tapes are 100 percent error free.

Figure 3 shows a sample timeline, including an unplanned event that disrupts information technology services.
Figure 3. Business Continuity Scenario
A fire disrupts operations, and in this sample business continuity scenario it takes several months for complete data recovery.
[Figure: timeline of events]
• Tues. 11pm: Backup
• Wed. 11pm: Backup
• Thurs. 6pm: Unplanned Event (Fire)
• Thurs. + 2 Weeks: Replacement System Operational
• + Several Months: Data Recovery Complete
Intervals marked on the timeline: RPO, RTO, FOR. Phases marked on the timeline: Lost Data, Emergency Mode Operation, Resumption of Services, Restoration of Historical Data.
RPO = Recovery Point Objective; RTO = Recovery Time Objective; FOR = Full Operational Recovery
The analysis will result in two factors, recovery time and data importance. These two factors are defined for each application, and will help determine the appropriate application’s business continuity solution as illustrated in Figure 4. For example, an organization may accept the lost access to the company’s internal Web-based training system for a few days, but the clinical staff may require immediate availability to the electronic medical record (EMR) solution.

Figure 4. Determining the Appropriate Business Continuity Solution
Application RTOs and RPOs dictate the cost of data protection.
[Figure: "Cost versus Value of Data". Axes: Cost and Value of Data against Recovery-time Objective (Days, Hours, Minutes, Immediate). Solutions shown: Remote Disk Copy with Extended Server Clustering, Synchronous Remote Disk Copy, Asynchronous Remote Disk Copy, Remote Database Logging, Electronic Tape Vaulting, Tape Backup (Tapes Transported Offsite).]
Implementing the right set of storage and data protection solutions is essential to supporting a health care organization’s unique needs. But IT organizations need not—and should not—go it alone. The two compelling reasons for IT organizations to partner with a recognized expert are to help maximize their overall investment to date, while minimizing the risk to their business, and to take advantage of the best options available to them in light of evolving technology.
Hitachi Brings Expertise in Business Continuity and Disaster Recovery
Hitachi Data Systems provides industry-leading storage solutions, including data archiving and data protection solutions, to meet the needs of the largest hospital facilities as well as the most demanding smaller clinics. Solutions from Hitachi Data Systems provide superior reliability, performance, and availability required by the most challenging environments. Data protection solutions include:

Figure 5. Hitachi Data Systems Business Continuity Framework
[Figure: a Local Site (High Availability) and a Remote Site (Disaster Protection). Labels shown: Server Clusters, Extended Server Clusters, Server/HBA/Switch Path Failover, Nondisruptive Backup, Remote Disk Replication (Synchronous, Asynchronous), Multisite Replication, Tape Vault, Storage, Point-in-time Copies, Redundancy Eliminates Single Point of Failure, Disaster Recovery, Planned Outages.]
Hitachi Data Systems business continuity solutions incorporate backup and recovery, in-system replication, and data replication software.
• Backup and recovery solutions. A full spectrum of backup and recovery solutions provides assurance that data is recoverable if lost or corrupted. Solutions include disk-to-disk SAN-based data protection, virtual tape library (VTL) functionality, and data migration solutions.
• In-system replication software. This software provides high-speed, nondisruptive replication for any Hitachi storage system or pool of storage virtualized by the industry-leading storage solutions—such as the Hitachi TagmaStore® Universal Storage Platform. The solution can create a consistent point-in-time (PiT) copy of an entire system, database, or any related sets of volumes. This copy can then be used for remote replication to another storage system anywhere in the world.
• Data replication solutions. Remote data replication offers the fastest recovery time following an outage and the lowest risk of data loss. Replication eliminates the time-consuming, manual, and error-prone multi-step recovery process required by traditional tape-based backup. It also provides a variety of productivity benefits through secondary, or parallel, access to data, without affecting regular production workloads. Remote data replication increases data availability by:
– Automating procedures to reduce the duration of planned events, such as system maintenance, application testing and development, and data backups
– Allowing nondisruptive backup of current production data with no impact to the production application
– Speeding failover and data restoration in the event of an outage by replacing slow and labor-intensive tape-based restores with continuously available online backups
– Allowing secondary sites to take over primary processing to eliminate scheduled downtime
– Enabling frequent, nondisruptive disaster recovery testing with an online copy of current and accurate production data; two basic variations of remote data replication are available—synchronous and asynchronous

Just as Hitachi medical products such as Open MR provide the imaging solutions for the radiology department, Hitachi Data Systems is recognized for providing IT organizations with fast, reliable, scalable, and secure storage solutions. For more information, please visit www.hds.com/solutions/health_care. Additional assistance is available by contacting Hitachi Data Systems at 1-888-234-5601 in the United States, or on the Web at: www.hitachileads.com/contactsales.aspx
Summary
Health care IT organizations are continually challenged to implement new applications, support compliance of evolving regulations, and manage increasing amounts of information—all with tight fiscal controls. Failure to protect their data and technology infrastructure may have dire consequences to patient care, organization reputation, and financial strength. Risk analysis provides a framework to guide an organization, defining the appropriate strategies for protecting their physical and intellectual assets against potential threats. Hitachi Data Systems provides services and solutions that incorporate the industry's best people, products, tools, and methodologies to maximize an IT organization’s return on investments as well as meeting storage systems availability and business continuity objectives. Please visit www.hds.com/solutions/health_care for more information.
Appendix A. Health Care IT Exposures—Example
Sources for this information include The Privacy Rights Clearinghouse2, news articles, and interviews.
Threat
Flood
Date
6/1/01
Affected Individuals
50,000
Example of Actual IT Loss Incidents3
• 50,000 medical records for one medical facility were destroyed in flooding caused by tropical storm Allison. The estimated cost to restore these records is $2.7 million (funds also include some funding to help protect against possible future loss).
• Medical records for approximately one million Louisiana and Mississippi residents were destroyed during Hurricane Katrina. Records for Department of Veterans Affairs patients were electronic and transferred to Houston and available within hours.
• The hospital's two outside power lines failed, resulting in surgery postponements, and rerouting some incoming patients to other hospitals. Key information systems were unavailable, requiring patient information to be taken by hand.
• A fire destroyed the main PACS system and corrupted some tapes. Data restoration cost over one million dollars.
• A software upgrade destroyed the PACS database, including metadata and indexes needed to retrieve PACS studies. Access to the PACS studies was lost.
Hurricane
8/1/05
1,000,000
Power Outage Fire Upgrade Backup Failure Tape Failure Fraud
6/19/02
2006 6/16/06 8/11/06 9/8/06 6,000 1,100
• A solution to backup PACS data was configured incorrectly, resulting in failed tape backups. Attempts to restore the primary system from tape failed.
• A hospital tested various tape backup solutions to protect data from 130 Windows servers and found at least 10 percent of data was lost due to bad restores from tape.
• A former employee downloaded patient files onto his laptop computer. Files included patient names and personal information.
• A clinic employee stole personal information from electronic files and sold it to her cousin, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included patient names and personal information.
• An employee stole the names, birth dates, and Social Security numbers from up to 1,110 patients who were hospitalized or had day-surgeries. She used information from three patients to open multiple credit accounts.
• The "infection" caused $250,000 in damage, and resulted in administrative systems such as records management, patient admissions, and billing being forced offline. One patient procedure was rescheduled.
• Overseas hackers broke into hospital computers. Private patient data (including Social Security numbers, billing, and banking information) was exposed. (Affected individuals: 242,000)
• A computer administrator believing he may lose his job had installed an electronic "logic bomb" in the systems of one of the largest U.S. prescription drug management companies. The code would have deleted critical patient information if it had been triggered.
• 10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen from one of the company's regional offices. Some patient personal information was exposed. (Affected individuals: 7,000)
• Two computers were stolen. This compromised personal patient data, including treatment information.
10/25/06
1,100
Hack
10/16/06
10/26/06 Sabotage 12/20/06
Stolen Computer
8/17/06
9/18/06
100
2 Used with permission of the Privacy Rights Clearinghouse, www.privacyrights.org.
3 All monetary amounts in chart are in US dollars.
Threat
Stolen Laptop Stolen Media
Date
2006
Affected Individuals
1,599,695
Example of Actual IT Loss Incidents3
• Several laptops from multiple health care organizations were stolen throughout 2006, exposing personal information for over one million individuals. The majority of laptops were stolen while off premises (for example, left in an employee's car).
• A data tape disappeared from a health care facility containing information on legal cases involving 16,500 U.S. veterans, including veterans' Social Security numbers, dates of birth and legal documents.
• A USB "jump drive" storing personal hospital employee information disappeared from a locked office.
• Residents who participated in a scientific study were notified that a flash drive containing their personal information was discovered missing, and likely stolen, from a facility office.
• Multiple companies (including health care insurance companies) lost personnel and systems (including some primary data centers). The attack resulted in disruption in services, including delayed collections and payments.
• A local TV reporter found that "dozens" of pharmacies disposed of customer records in unsecured garbage bins.
• Investigators found boxes of private medical records at an illegal dumping site, apparently dumped by a contractor who was hired to remodel the physician's house.
5/5/06
16,500
9/23/06 8/4/05 Terrorism 9/11/01
4,150 4,000
Disposal
9/22/06 9/23/06 1 11/1/06 6,000
• A jury awarded punitive damages based upon a physician's alteration, falsification, and destruction of medical records.
• An out-dated laptop containing personal information for employees of the health care company was sold or donated by a large health care company to a resale shop, and subsequently purchased for $20.
• As part of a wrongful death suit, a physician was sued for allegedly destroying the deceased's medical records.
• A contractor working for the health care organization sent names and personal information of current and former employees, vendors, and contractors to his home computer in violation of company policies, potentially exposing personal information.
• An e-mail containing the personal information of approximately 150 students intended for one employee was inadvertently sent to all students of the college of health sciences.
• A contractor working for a medical billing records company misplaced CDs containing the personal information of patients, employees, physicians, and board members of hospitals. The records were not encrypted even though the hospital's and records company’s policies require encryption.
• A computer tape with personal information for about 10,000 employees, including names, addresses, and Social Security numbers was reported missing.
• A memory stick containing patient personal information was found July 18 by a local citizen on the ground at the county fairgrounds near the hospital's information booth.
• Patient data was exposed online via the computers of an e-prescription provider.
• A programming error on the hospital's Web site exposed personal information.
7/30/03 E-mail 2/16/06
1 27,000
11/17/06 Lost Media 7/28/06
150 266,200
8/18/06 9/15/06 Web 7/25/06 8/29/06
10,000 295 23,000 73
Appendix B. Evaluating Loss Control Techniques
As discussed earlier in this white paper, several methods exist to help organizations evaluate loss control 4 technique alternatives. Appendix B provides an overview of one method used to analyze these techniques . Terms used in this section include:
• Frequency—the likeliness a threat will occur, based on current controls and protections, within a given time
period, such as a calendar year. For example, one hacking intrusion every eight years = yearly frequency of 1/8 = 0.125.
• Single Loss Expectancy (SLE)—the expected total loss of a single realized threat, or incident. Also referred to as
severity. For example, the SLE of a power interruption lasting 30 minutes may be $15,000. Table 2. Evaluation Threats
Threat
Data Exposure Due to Hacking Data Loss Due to Laptop Theft Computer Theft w/Critical Data Power Outage >12 Hours Virus Attach PACS System Failure —1 Day Network / Internet Outage—1 Day Technology Migration Failure Total
Severity SLE (000’s)
$6,000 $4,000 $3,000 $250 $200 $20 $200 $300
Frequency (Yearly)
0.125 0.4 0.2 0.8 1.4 0.4 1.7 1
ALE (000’s)
$750 $1,600 $600 $200 $280 $8 $340 $300 $4,078
• Annualized Loss Expectancy (ALE)—the annualized expected total loss of a realized threat(s). The Annualized
Loss Expectancy is calculated as ALE = SLE * Frequency. For example, if the SLE of a power interruption is $15,000, and the frequency is twice a year, or frequency = 2, the ALE = $15,000 * 2 = $30,000.
• Mitigated ALE—the reduced annualized expected loss based on implementing a mitigation technique. Say the
frequency in the above example is reduced from 2 to .5 and the SLE remains the same; the Mitigated ALE = $15,000 * .5 = $7,500.
• Return on Investment (ROI)—indicates the cumulative net benefit divided by the investment; ROI = (Original ALE
- Loss Control Option ALE) / Annual Investment.
• Loss Control Techniques—actions that reduce the organization’s exposure to a threat by either reducing the
severity or the frequency. For example, implementing virus protection software is a “pre-loss prevention” technique that will reduce the frequency a system will be vulnerable to a virus threat. Effects of loss control techniques on potential exposures are indicated in the following table:
[4] All monetary amounts in Appendix B are in US dollars.
Table 3. Effects of Loss Control Techniques
Columns: Loss Control Technique; Reduce Severity (SLE); Reduce Frequency
Rows: Risk Avoidance; Loss Control (Pre-loss Prevention, Post-loss Mitigation); Contractual Risk Transfer; Financial Risk Transfer; Risk Retention
✔ ✔ ✔ ✔ ✔
The first step to evaluating loss control techniques is to identify the threats with the largest potential exposure to the organization, based on either a single incident or an incident that can occur multiple times in one year.
• The threats with the highest severity (SLE), independent of the frequency, should be included in the evaluation of loss control measures. Remember, the probability of a hurricane with Katrina’s impact on New Orleans may have been low, but it only took one occurrence.
• Threats resulting in lower severity may not at first glance be a cause for concern. However, threats occurring multiple times a year may result in a substantial exposure to the organization. The annualized loss expectancy (ALE) can be calculated to identify threats with the greatest annualized exposure.
Calculating the ALE for all threats will provide the total yearly ALE as indicated in Table 4, and is helpful in evaluating the net results of the various loss control technique options.
Once the threats with the highest exposures have been determined, the analysis can focus on mitigation strategies and return on investment (ROI) for these threats. The analysis for each threat will include one or more loss control techniques, each with reduced severity or frequency. Table 5 provides an example ROI calculation. The ROI is calculated using the following steps:
1. Determine the option’s yearly investment. For example, a technology solution may cost $500,000 over five years to reduce the data center’s vulnerabilities to a hurricane: the yearly Loss Control Investment is $500,000 / 5 = $100,000.
2. Determine the mitigated frequency and severity (SLE) based on the loss control option. For example, the technology solution will reduce the frequency from .0333 to .005, and have no impact on the SLE of $8,000,000.
3. Determine the mitigated ALE, calculated using the mitigated SLE and mitigated frequency based on the loss control option. For example, the mitigated ALE for the technology solution is $40,000 = (.005 * $8,000,000).
4. Determine the loss control option’s ROI, calculated as:
– ROI = (Original ALE - Mitigated ALE) / Annual Investment
– For example, Option “A” ROI - Technology:
– ROI = ($267,000 - $40,000) / $100,000 = 227% ROI
Table 4. Example ROI Determination

Threat: Hurricane -> Data Center Destruction—No Alternate Site

| | Threat (unmitigated) | Option A (Technology) | Option B (Insurance) |
|---|---|---|---|
| Yearly Loss Control Investment (000's) | | $100 | $120 |
| Frequency (Yearly) | 0.0333 | 0.005 | 0.0333 |
| Severity SLE (000's) | $8,000 | 8,000 | 1000 |
| ALE (000's) | $267 | 40 | 33.3333 |
| Loss Control ROI | | 227% | 194% |
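The procedure above as a runnable calculation, added here as an illustration and not part of the original white paper: it computes the ALE for each threat in the "Evaluation Threats" table, shortlists threats by both SLE and ALE, and reproduces the hurricane ROI figures. The class and function names are hypothetical, the `top_n=4` cut-off is arbitrary, and the hurricane frequency 0.0333 is assumed to mean 1/30.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    name: str
    sle: float        # Single Loss Expectancy, $000's
    frequency: float  # expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * Frequency."""
        return self.sle * self.frequency

# Threat register copied from the "Evaluation Threats" table ($000's).
REGISTER = [
    Exposure("Data Exposure Due to Hacking", 6000, 0.125),
    Exposure("Data Loss Due to Laptop Theft", 4000, 0.4),
    Exposure("Computer Theft w/Critical Data", 3000, 0.2),
    Exposure("Power Outage >12 Hours", 250, 0.8),
    Exposure("Virus Attack", 200, 1.4),
    Exposure("PACS System Failure, 1 Day", 20, 0.4),
    Exposure("Network / Internet Outage, 1 Day", 200, 1.7),
    Exposure("Technology Migration Failure", 300, 1.0),
]

def shortlist(register, top_n):
    """Union of the top_n threats by SLE and the top_n by ALE."""
    by_sle = sorted(register, key=lambda e: e.sle, reverse=True)[:top_n]
    by_ale = sorted(register, key=lambda e: e.ale, reverse=True)[:top_n]
    picked = {e.name for e in by_sle + by_ale}
    return [e for e in register if e.name in picked]

def roi(original, mitigated, annual_investment):
    """ROI = (Original ALE - Mitigated ALE) / Annual Investment."""
    return (original.ale - mitigated.ale) / annual_investment

# Hurricane example; 0.0333 is taken as 1/30 (assumption, see lead-in).
HURRICANE = Exposure("Hurricane, no alternate site", 8000, 1 / 30)
OPTIONS = {  # name: (exposure after the control, yearly investment in $000's)
    "A Technology": (Exposure("Hurricane + technology", 8000, 0.005), 500 / 5),
    "B Insurance": (Exposure("Hurricane + insurance", 1000, 1 / 30), 120),
}

if __name__ == "__main__":
    print("Total ALE ($000's):", round(sum(e.ale for e in REGISTER)))
    for e in shortlist(REGISTER, top_n=4):
        print(f"  evaluate: {e.name:34} SLE {e.sle:>6,.0f}  ALE {e.ale:>6,.0f}")
    for name, (after, cost) in OPTIONS.items():
        print(f"  Option {name}: mitigated ALE {after.ale:.1f}, "
              f"ROI {roi(HURRICANE, after, cost):.0%}")
```

With a cut-off of four, the shortlist contains five threats: the network outage qualifies only on ALE and the migration failure only on SLE, which is why the paper ranks on both.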
There are several methods that can be used to evaluate loss control techniques. The key is to gather all of the information from the various departments, and perform a standardized analysis. The resulting analysis can then be presented to key stakeholders to determine the amount of risk the organization is willing to accept, and to approve investments needed to mitigate risks the organization is unwilling to accept.
Hitachi Data Systems Corporation
© Hitachi Data Systems Corporation 2007. All Rights Reserved. WHP-244-00 LKD February 2007