The PHI Project, an initiative by a group of health care leaders, has produced a report that explores the financial impact of data breaches and explains how to assess their risks.
While the Obama administration provides incentives for meaningful use of electronic health records (EHRs), efforts by the health care industry to secure patient data, or protected health information (PHI), have lagged behind, according to a new report by the PHI Project, an initiative of 100 health care leaders, including providers and insurance companies, as well as legal and security experts.
The report, called "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," recommends steps that IT departments and compliance experts in health care organizations can take to protect patient data.
The PHI Project is co-administered by the American National Standards Institute (ANSI), a nonprofit organization focused on standards for health data; consulting firm Santa Fe Working Group and its Shared Assessments Program of financial firms; and the Internet Security Alliance (ISA), a trade association that advocates using technology to bring about public policy on cyber-security.
The PHI Project announced the report on March 5 at a congressional briefing on

intended as an action guide to take immediate action to commit those resources they need to prevent data breaches from occurring," Jim McCabe, senior director with ANSI, told eWEEK.
The PHI Project recommends that health care companies use a PHI Value Estimator to assess their risk of data breaches and determine the amount of investment required to bolster their privacy and security.
With security efforts outpaced by the push to adopt EHRs, the PHI Project looks to fill the need for security research specific to health care organizations, said Rick Kam, president and founder of ID Experts, which offers data-breach

it's been difficult to value PHI, the industry's underinvested in protecting it," Kam told eWEEK. "The frequency and magnitude of health care breaches were accelerating rapidly compared with any other industry."
The report mentions 11 specific threats to health care data. The biggest threat involves insider breaches, Kam noted. Other threats include lost or stolen media, such as a lost backup tape or stolen laptop.
Mobile devices present another major threat, the PHI Project reported. From Sept. 22, 2009, to May 8, 2011, mobile devices caused 116 breaches, leaving the information of 1.9 million patients exposed, according to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).
To protect patient data, hospitals and other health care providers must implement policies and procedures in addition to adopting security technology, said

The report recommends use of a PHI Value Estimator, which consists of five steps to calculate the cost of a data breach.
"It's basically a five-step process by which an organization can look at all of the potential ramifications of a data breach, from a financial, reputational, legal, regulatory, even clinical standpoint," said McCabe. "It's a deeper dive than we've seen before in terms of really getting those folks entrusted with our information in the health care space to think about ways that they can look at these risks, evaluate their vulnerabilities and make a decision to invest."
The first step includes assessing the risks, vulnerabilities and safeguards for a "PHI home," which is the network, database or system that stores patient information. In step 2, health care organizations should create a "security readiness" score that measures the likelihood of a data breach on a scale of 1 to 5 (ranging from 1 for virtually impossible to 5 for possible and highly likely).
Step 3 recommends that health care organizations determine a relevance factor for breach cost categories, which include reputational, financial, legal/regulatory, operational and clinical. Step 4 involves determining the impact of data breaches, and step 5 entails calculating adjusted costs of "PHI homes" with an "unacceptable security readiness" score.