The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security
On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial
Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the
American National Standards Institute (ANSI). The Honorable Howard A. Schmidt, White House Cybersecurity Czar,
kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, [healthcare
security] is obviously critical, as this is one that affects everyone.”
It was great to see the White House advocating the importance of healthcare IT security, right on the heels of President
Obama’s February release of a new framework for protecting consumer data privacy: “One thing should be clear: even
though we live in a world in which we share personal information more freely than in the past, we must reject the
conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it
now more than ever.” – President Barack Obama
Mr. Schmidt referenced the President’s clarion call and concluded: “Without security, you don’t have privacy.”
The report itself, “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI
Security,” is a 67-page, glossy publication. Much like an annual report, it is attractively designed and professionally printed,
and includes 13 tables as well as numerous charts and graphics. The project was a huge collaborative effort, with 3 leads, 2
premium sponsors, and 10 partner sponsors. Credits were extended to 82 individuals and their respective organizations
on the full Project Team. Boxes full of reports were available at the National Press Club and the Rayburn House Office
Building. Copies were distributed to the press, members of Congress, and their aides. The report is also downloadable
from ANSI at: http://webstore.ansi.org/phi/
The bulk of the report is a compilation of previously-published research, surveys, statistics, and news articles (as
evidenced by the 122 footnotes). While it breaks no new ground, it is a useful marketing communications piece that will
raise overall awareness of the IT security risks and challenges facing the healthcare industry.
At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT
security called “PHIve.” Its end goal is to enable an organization to calculate how much it should invest to reduce the
risk of a data breach. I am not a fan of this approach (see my upcoming presentation, “In Praise of Qualitative Risk Analysis,”
at NCHICA’s 8th Annual Academic Medical Center Conference, April 23-25 in Chapel Hill, N.C.). However, the first of
PHIve’s steps is: “Conduct a Risk Assessment – Assess the Risks, Vulnerabilities, and Applicable Safeguards.”
Sound familiar? It should. After all, it is a requirement of the HIPAA Security Rule. More recently, nearly identical
language regarding security risk analysis has been included in the core requirements of Stage 1 and Stage 2 “meaningful
use” for covered entities, eligible hospitals and eligible providers. Yet, at the Congressional lunch launch of The Financial
Impact of Breached Healthcare Data, Joy Pritts, HHS’ Privacy and Security Officer, lamented “it is quite telling that a
recent HIMSS survey found that 25% of respondents had not even conducted a security risk assessment. It’s been part of
the HIPAA Security Rule for what, the past 5 or 6 years?”
Redspin has conducted HIPAA Security Risk Analysis projects for dozens of hospitals over the past year, enabling them to
attest to Stage 1 meaningful use as well as maintain their compliance with the HIPAA Security Rule. While the PHIve
quantitative risk methodology gets extremely elaborate, note that even it begins with a security risk assessment. It is a
logical starting point. And in our view, Redspin’s security assessments enable you to significantly reduce your risk before
making a single calculation. That’s invaluable, particularly with the increased attention on healthcare IT security at the
highest levels of the Federal government.
Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM