Formula Helps Health-Care Industry Estimate Cost Of A Data Breach

March 5, 2012

Puget Sound Business Journal by Emily Parkhurst, Staff Writer

In an effort to encourage executives of health care companies to take the threat of cybersecurity breaches seriously, President Barack Obama’s Cybersecurity Coordinator Howard Schmidt on Monday announced a way for companies to evaluate the financial risk of data breach.

“When it comes to cybersecurity, we all have a role,” Schmidt said while presenting a report called the PHI cybersecurity report.

The report focuses on the costs of a patient’s protected health care information (PHI) getting into the wrong hands. It offers companies a five-step formula for evaluating the potential financial impact of such a breach. The formula evaluates factors including a company’s potential readiness to respond to a breach; the types of data and how they’re stored; the likelihood of a breach; the potential damage from bad press; and loss of customer trust.

Schmidt said the formula would help health-care companies move more quickly to protect their patients’ electronic records by providing IT professionals a way to estimate the financial impact of a breach and to convince executives to invest in security infrastructure.


“Cybersecurity is not an IT issue, it’s an enterprise-wide issue,” said Larry Clinton, president and CEO of the Internet Security Alliance, a trade organization.

If companies are still thinking about cybersecurity as hackers trying to disrupt day-to-day operations, Clinton said, their thought process is antiquated. “There’s an advanced persistent threat. These aren’t hackers, they’re pros. It’s organized crime – often, but not always, state supported,” Clinton said.

According to the report, health-care organizations have had an average of four data-breach incidents in the past two years. And a Ponemon Institute survey of 72 health-care providers found that 96 percent had at least one breach in the past two years.

“Increasingly we’re outsourcing. Particularly with the cloud, we’re outsourcing the whole IT sector,” said Catherine Allen, chairman and CEO of the strategic consulting firm The Santa Fe Group.

Allen said that the “price on the street” of personal medical records is approximately $50 per record, whereas the price of a social security number is only $1, giving criminals a strong motivation to target medical records.

“The health-care sector has a number of challenges,” she said, including a lack of general awareness of the issue, a lack of sophistication among many smaller providers, and an incomplete understanding of the impact that mobile and cloud-based IT would have on security.

Allen said the PHI risk-assessment formula could be used as an education and awareness tool to help IT professionals “build a case” for increasing cybersecurity infrastructure.

The report listed the top three breaches in terms of the number of people involved, all of which were a result of gaps at third-party companies, not the health-care providers themselves.

The examples included a case from October 2011, when the health information for 4 million patients was compromised because a health-care contractor, Sacramento-based Sutter Physicians Services, lost a computer. The names, addresses, dates of birth, medical records and insurance information for the patients were exposed, and 11 lawsuits have been filed over the incident. The Sacramento Business Journal has estimated the lawsuits could cost the company upwards of $4.25 billion, not including attorney fees and court costs.

Emily Parkhurst covers technology for TechFlash and the Puget Sound Business Journal.