Report Urges Health Care To Assess Financial Impact Of Data Breaches

March 5, 2012

By Brian T. Horowitz

As the Obama administration provides incentives for meaningful use of electronic health records (EHRs), efforts by the health care industry to secure patient data, or protected health information (PHI), have lagged behind, according to a new report by the PHI Project, an initiative of 100 health care leaders, including providers and insurance companies, as well as legal and security experts.

To view the original article please click here.

The report, called “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” recommends steps that IT departments and compliance experts in health care organizations can take to protect patient data.

The PHI Project is co-administered by the American National Standards Institute (ANSI), a nonprofit organization focused on standards for health data; consulting firm Santa Fe Working Group and its Shared Assessments Program of financial firms; and the Internet Security Alliance (ISA), a trade association that advocates using technology to bring about public policy on cyber-security.

The PHI Project announced the report on March 5 at a congressional briefing on Capitol Hill.

“It’s intended as an action guide to take immediate action to commit those resources they need to prevent data breaches from occurring,” Jim McCabe, senior director with ANSI, told eWEEK.

In the report, the PHI Project recommends that health care companies use a PHI Value Estimator to assess their risk of data breaches and determine the amount of investment required to bolster their privacy and security.

With security efforts outpaced by the push to adopt EHRs, the PHI Project looks to fill the need for security research specific to health care organizations, said Rick Kam, president and founder of ID Experts, which offers data-breach recovery tools.

“Because it’s been difficult to value PHI, the industry’s underinvested in protecting it,” Kam told eWEEK. “The frequency and magnitude of health care breaches were accelerating rapidly compared with any other industry.”

The report mentions 11 specific threats to health care data. The biggest threat involves insider breaches, Kam noted. Other threats include lost or stolen media, such a lost backup tape or stolen laptop.

Mobile devices present another major threat, the PHI Project reported. From Sept. 22, 2009, to May 8, 2011, mobile devices caused 116 breaches, leaving the information of 1.9 million patients exposed, according to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).

To protect patient data, hospitals and other health care providers must implement policies and procedures in addition to adopting security technology, said ANSI’s McCabe.

The report recommends use of a PHI Value Estimator, which consists of five steps to calculate the cost of a data breach.

“It’s basically a five-step process by which an organization can look at all of the potential ramifications of a data breach, from a financial, reputational, legal, regulatory, even clinical standpoint,” said McCabe. “It’s a deeper dive than we’ve seen before in terms of really getting those folks entrusted with our information in the health care space to think about ways that they can look at these risks, evaluate their vulnerabilities and make a decision to invest.”

The first step includes assessing the risks, vulnerabilities and safeguards for a “PHI home,” which is the network, database or system that stores patient information. In step 2, health care organizations should create a “security readiness” score that measures the likelihood of a data breach on a scale of 1 to 5 (ranging from 1 for virtually impossible to 5 for possible and highly likely).

Step 3 recommends that health care organizations determine a relevance factor for breach cost categories, which include reputational, financial, legal/regulatory, operational and clinical. Step 4 involves determining the impact of data breaches, and step 5 entails calculating adjusted costs of “PHI homes” with an “unacceptable security readiness” score.