How much should a company handling Protected Health Information (PHI)[1] spend to protect itself from a data breach?  Businesses typically use quantitative methods such as Net Present Value, Internal Rate of Return and Payback Period to make investment decisions.  But investments to prevent breaches of PHI have until now relied on compliance arguments and subjective judgments.  Tools to quantify the probability and cost of potential breaches have not been available from nationally recognized sources.  A loss of data can have reputational, financial, legal, operational and clinical repercussions.  How likely are the various types of losses and how much should a company invest to prevent such losses?

Rick Kam, president and co-founder of ID Experts, and Jim McCabe, senior director with the American National Standards Institute, needed to find out.  They saw data breaches increasing along with other cyber risks across a range of industries.  ANSI, the Internet Security Alliance, and The Santa Fe Group/Shared Assessments Program Healthcare Working Group issued a report for CFOs[2] which argued that security is an enterprise-wide issue, not just a departmental one.  They found that health care organizations were not keeping pace with security requirements and that there was no research on the at-risk value of PHI.  The literature and anecdotal evidence regarding business decisions indicated that decisions were being made based on achieving compliance rather than on a quantitative business analysis.

Seeing this need, Rick and Jim and their respective organizations teamed up and initiated a project to delve into this issue and to determine the risks and costs associated with unintended release of PHI.  They decided to use ANSI’s standard approach where ANSI serves as a neutral forum and a project is organized and conducted utilizing a vast collective of interested parties and organizations as well as subject matter experts.  About 100 individuals worked on this project and there were six different working groups including a communications group to interact with the guardians of PHI, a finalization group to make sure that a report was created to document the Project findings and an advisory committee to provide directional input from a wide array of experts and organizations.

Rick and Jim observed that they had some surprises during the project. Initially, while formulating the scope of the project in 2010, they tried to keep things simple by collecting data on the incidence and costs of data breaches, identity theft and the disclosure of sensitive PHI.  They found information on the unintended disclosure of Social Security Numbers and credit card data, but very little on the unintended disclosure of clinical information.  This was a surprise, so they decided to home in on which specific elements of PHI are the most sensitive.

During this process, they found that they needed to understand the role of “PHI Protectors.”  According to the Report, a PHI Protector is, “Any organization or person that creates, handles, transmits, or stores PHI, regardless of size or function, is a member of this health care ecosystem and is responsible for the safeguarding of the PHI entrusted to its care…”  At this point, Rick and Jim realized that supporting and providing tools for the individuals responsible for PHI Protection within each of these organizations had become the primary goal for the Project and the primary audience for the Project’s final Report.

They decided to conduct a survey of these individuals and they found that 54% didn’t feel that they had the resources needed to do their job.  They also felt that they did not have adequate executive support.  The project team realized that the PHI Protectors needed help preparing a business case to determine the level of investment that is appropriate for protecting PHI within their respective organizations.

The resulting report, released March 5th, contains many tools that will be useful for IT Directors, CIOs and CFOs in evaluating the projects, policies and software needed to better protect PHI.  Chapter 7 describes a 5-Step method for data breach costing.  Chapter 8 explains in detail, with examples, how to calculate the costs of a PHI breach using the PHI value estimator (PHIve).  The “Finale” ends the report with a reminder of the importance of preventing breaches.  “The health care ecosystem is trying to keep in step with today’s technology, reflected in its move to adopt electronic health records… With the increase in nefarious intent as well as the rewards and opportunities to steal PHI, the likelihood of a data breach for most organizations is very high.”  This report is a must-read for any manager responsible for protecting an organization’s PHI and important reading for senior executives of any organization which handles PHI during any phase of its business processes.

The report is available for free download at http://webstore.ansi.org/phi/


[1] http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

[2] http://publicaa.ansi.org/sites/apdl/khdoc/Financial+Management+of+Cyber+Risk.pdf

Ed Daniels is a consultant, author and entrepreneur. Daniels is affiliated with Point-of-Care Partners, where he consults with healthcare providers, new business ventures, pharmaceutical manufacturers, health plans and nonprofit organizations.

“There’s very much a shift from using relatively outdated and basic legacy technology and processes, to healthcare using the bleeding edge. Healthcare is case studying innovation that is moving ahead of many other industries in the drive for efficiency, low cost and privacy. This is great news indeed as there is massive opportunity, but there are threats too.”

James Lyne, Sophos Director of Technology Strategy

Sophos’s Director of Technology Strategy James Lyne is excited to see advancements in technology in healthcare; advancements that are changing the way that doctors and healthcare professionals carry, utilize, and transport electronic information and files. With these changes, Sophos aims to provide the security necessary to fortify and protect healthcare organizations from malware and a myriad of other security threats. MedHealthWorld recently talked to Lyne and Senior Product Manager John Stringer to discuss how Sophos addresses these threats and does so comprehensively and succinctly.

Sophos specializes in providing comprehensive endpoint security, which includes detecting viruses, controlling unauthorized applications and devices, data encryption and the detection and identification of sensitive information (typically PHI) as it moves around or outside of the organization.

For an industry that is absolutely contingent upon maintaining the confidentiality of electronic records and information, solutions must protect against incoming threats, such as viruses and malware, but must also protect existing sensitive information from abuse, theft, or loss. Virus outbreaks and the loss of sensitive information can be detrimental to a healthcare institution’s public image and can increasingly result in significant fines.

Stringer explains, “The simplest way to protect data stored on laptops used in service is to encrypt them. If the laptop is lost, then you might not get it back but at least the data on the laptop is secured, and the risk of data breach fines and negative public coverage is drastically reduced.”

Stringer sees three main drivers for the adoption of encryption and data loss prevention (DLP) functionality within healthcare: federal and state data protection legislation, HIPAA / HITECH legislation, and Payment Card Industry Data Security Standard (PCI DSS) compliance. Compliance will commonly require the use of multiple security technologies and protective barriers.

Stringer explains, “A very common use case we see within healthcare organizations is the combination of content monitoring DLP and encryption. For example, our customers are looking for protected healthcare information (PHI) in emails using the DLP functionality to identify PHI and then to automatically trigger the securing of that communication using file-based encryption. Our aim is to make that encryption process as transparent as possible, both in terms of identifying sensitive data and securing the data in transit. A legitimate recipient must be able to easily access the information they have been sent, so we put a lot of focus into making sure the whole process is as simple as possible.”

James Lyne concurs with this need for transparency in security. “We focus on simplicity. Everything that we do, we try to build to be brilliantly simple, accessible and easy to deploy. This is because I’ve seen, not just in healthcare but consistently across every company that I’ve talked to, that there is an increasing gap between required controls and those that can actually be deployed. Resource, cost and time mean that security teams can probably afford to buy six controls and then they deploy two. The result is that increasingly critical, mandatory technologies are not getting deployed. Complexity is at the core of this deficit, particularly in times of economic challenge. We are focused on fixing that gap and making our technology adoptable and getting people running controls like DLP and mobile, as well as overall modernizing security within that effective budget. That’s the real headline differentiator, making it adoptable and making it simple.”

Stringer explains another example where security is designed to work with healthcare users, “Within our endpoint DLP solution, it is possible to prompt the user if they are detected moving sensitive data into an email, web browser or storage device. They can choose to either authorize or block the transfer. The decision is logged and reported back to the Sophos management console. This approach puts a sanity check in place which enables users to make an appropriate decision without impeding their day to day work and potentially generating IT help desk calls. Even if the data is authorized and transferred, say onto a removable storage device, we can still transparently encrypt and secure the data on the storage device. The technology works with the user.”
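The DLP-plus-encryption workflow Stringer describes in the two quotes above (PHI found in email is encrypted automatically; PHI moving to a browser or removable device prompts the user, logs the decision and still encrypts authorized copies), as an added example that is not Sophos's code. The PHI patterns, channel names, the prompt callback and the in-memory audit log are assumptions standing in for a real product's policy engine and management console.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed detectors for two PHI-like identifiers: a US SSN and a
# hypothetical "MRN-1234567" medical record number format (an assumption,
# not any institution's real scheme).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}

AUDIT_LOG = []  # stands in for the management console's decision log


@dataclass
class Decision:
    channel: str
    findings: Dict[str, int]
    action: str                        # "allow", "encrypt" or "block"
    user_authorized: Optional[bool] = None


def find_phi(text: str) -> Dict[str, int]:
    """Count matches of each PHI pattern; an empty dict means no PHI seen."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items()
            if p.search(text)}


def evaluate_transfer(text: str, channel: str,
                      prompt_user: Callable[[str, Dict[str, int]], bool]) -> Decision:
    """Decide what happens to content leaving the endpoint.

    email:     PHI present -> encrypt automatically, no prompt.
    removable: PHI present -> prompt; authorized copies are still encrypted.
    browser:   PHI present -> prompt; authorized uploads are allowed as-is.
    Every decision involving PHI is appended to AUDIT_LOG with the user's choice.
    """
    findings = find_phi(text)
    if not findings:
        return Decision(channel, findings, "allow")
    if channel == "email":
        decision = Decision(channel, findings, "encrypt")
    else:
        authorized = prompt_user(channel, findings)
        if not authorized:
            action = "block"
        else:
            action = "encrypt" if channel == "removable" else "allow"
        decision = Decision(channel, findings, action, authorized)
    AUDIT_LOG.append(decision)
    return decision
```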

Lyne sees four indicators of a need for Sophos’ solutions and thus, four areas for opportunity. First, the industry is undergoing a massive phase of modernization and is moving from using older technologies to newer ones. Second, there is an increased focus on consolidation, shared services, cloud technology and Virtual Desktop Infrastructure (VDI) to centralize information while making it more accessible and secure. Third, a mass of new devices and operating systems entering the market affects how healthcare organizations conduct business and access information. Finally, Lyne sees a massive evolution in the regulatory landscape around healthcare. “The data that healthcare organizations are dealing with is becoming a very political matter. It’s very high-profile and sensitive data, and we’ve got politicians and other organizations struggling to over-regulate in this area to avoid embarrassment. I think it’s great that we’ve got such focus on protecting information, but it’s also quite dangerous if done wrong. The average life cycle of regulation occurs in years whereas technology and security problems tend to change in days. There is a careful balance that has to be walked.”

In the second part of our interview with Sophos, Lyne and Stringer will explain how Sophos is developing security solutions for tablets and WiFi devices and Lyne will share his visions for the future of healthcare information.

Click here for a case study detailing the success found by Connecticut’s Johnson Memorial Medical Center after they implemented Sophos’s IT security solutions.

© 2011 MedHealthWorld