How much should a company handling Protected Health Information (PHI) spend to protect itself from a data breach? Businesses typically use quantitative methods such as Net Present Value, Internal Rate of Return and Payback Period to make investment decisions. But investments to prevent breaches of PHI have until now relied on compliance arguments and subjective judgments. Tools to quantify the probability and cost of potential breaches have not been available from nationally recognized sources. A loss of data can have reputational, financial, legal, operational and clinical repercussions. How likely are the various types of losses and how much should a company invest to prevent such losses?
Rick Kam, president and co-founder of ID Experts and Jim McCabe, senior director with the American National Standards Institute needed to find out. They saw data breaches increasing along with other cyber risks across a range of industries. ANSI, the Internet Security Alliance, and The Santa Fe Group/Shared Assessments Program Healthcare Working Group issued a report for CFOs which argued that security was an enterprise wide not just a departmental issue. They found that health care organizations were not keeping pace with security requirements and that there was no research on the at-risk value of PHI. The literature and anecdotal evidence regarding business decision indicated that decisions were being made based on achieving compliance rather than based upon a quantitative business analysis.
Seeing this need, Rick and Jim and their respective organizations teamed up and initiated a project to delve into this issue and to determine the risks and costs associated with unintended release of PHI. They decided to use ANSI’s standard approach where ANSI serves as a neutral forum and a project is organized and conducted utilizing a vast collective of interested parties and organizations as well as subject matter experts. About 100 individuals worked on this project and there were six different working groups including a communications group to interact with the guardians of PHI, a finalization group to make sure that a report was created to document the Project findings and an advisory committee to provide directional input from a wide array of experts and organizations.
Rick and Jim observed that they had some surprises during the project. Initially, while formulating the scope of the project in 2010, they tried to keep things simple by simply collecting data on the incidence and costs of data breaches, identity theft and the disclosure of sensitive PHI. They found information on the unintended disclosure of Social Security Numbers and credit card data, but very little on the unintended disclosure of clinical information. This was a surprise, so they decided to hone in on which specific elements of PHI are the most sensitive.
During this process, they found that they needed to understand the role of “PHI Protectors.” According to the Report, a PHI Protector is, “Any organization or person that creates, handles, transmits, or stores PHI, regardless of size or function, is a member of this health care ecosystem and is responsible for the safeguarding of the PHI entrusted to its care…” At this point, Rick and Jim realized that supporting and providing tools for the individuals responsible for PHI Protection within each of these organizations had become the primary goal for the Project and the primary audience for the Project’s final Report.
They decided to conduct a survey of these individuals and they found that 54% didn’t feel that they had the resources needed to do their job. They also felt that they did not have adequate executive support. The project team realized that the PHI Protectors needed help preparing a business case to determine the level of investment that is appropriate for protecting PHI within their respective organizations.
The resulting report, released March 5th, contains many tools that will be useful for IT Directors, CIOs and CFOs in evaluating projects policies and software needed to better protect PHI. Chapter 7 describes a 5-Step method for data breach costing. Chapter 8 explains in detail, with examples, how to calculate the costs of a PHI breach using the PHI value estimator (PHIve). The “Finale” ends the report with a reminder of the importance of preventing breaches. “The health care ecosystem is trying to keep in step with today’s technology, reflected in its move to adopt electronic health records…..With the increase in nefarious intent as well as the rewards and opportunities to steal PHI, the likelihood of a data breach for most organizations is very high.” This report is a must-read for any manager responsible for protecting an organization’s PHI and an important-read for senior executives of any organization which handles PHI during any phase of their business processes.
The report is available for free download at http://webstore.ansi.org/phi/
Ed Daniels is a consultant, author and entrepreneur. Daniels is affiliated with Point-of-Care Partners, where he consults with healthcare providers, new business ventures, pharmaceutical manufacturers, health plans and nonprofit organizations.