The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security
On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects everyone.”

It was great to see the White House advocating the importance of healthcare IT security, right on the heels of President Obama’s February release of a new framework for protecting consumer data privacy:

“One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.” – President Barack Obama

Mr. Schmidt referenced the President’s clarion call and concluded: “Without security, you don’t have privacy.”

The report itself, “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” is a 67-page, glossy publication. Much like an annual report, it is attractively designed, professionally printed, and includes 13 tables as well as numerous charts and graphics. The project was a huge collaborative effort with 3 leads, 2 premium sponsors, and 10 partner sponsors. Credits were extended to 82 individuals and their respective organizations on the full Project Team. Boxes full of reports were available at the National Press Club and Rayburn House Office Building. Copies were distributed to the press, members of Congress, and their aides. The report is also downloadable from ANSI at: http://webstore.ansi.org/phi/

The bulk of the report is a compilation of previously published research, surveys, statistics, and news articles (as evidenced by the 122 footnotes). While it breaks no new ground, it is a useful marketing communications piece that will raise overall awareness of the IT security risks and challenges facing the healthcare industry.

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end goal is to enable an organization to calculate how much it should invest to reduce the risk of a data breach. I am not a fan of this approach (see my upcoming presentation “In Praise of Qualitative Risk Analysis” at NCHICA’s 8th Annual Academic Medical Center Conference, April 23-25 in Chapel Hill, N.C.). However, the first of PHIve’s steps is: “Conduct a Risk Assessment – Assess the Risks, Vulnerabilities, and Applicable Safeguards.”

Sound familiar? It should. After all, it is a requirement of the HIPAA Security Rule. More recently, nearly identical language regarding security risk analysis has been included in the core requirements of Stage 1 and Stage 2 “meaningful use” for covered entities, eligible hospitals and eligible providers. Yet, at the Congressional lunch launch of The Financial Impact of Breached Healthcare Data, Joy Pritts, HHS’ Privacy and Security Officer, lamented: “it is quite telling that a recent HIMSS survey found that 25% of respondents had not even conducted a security risk assessment. It’s been part of the HIPAA Security Rule for what, the past 5 or 6 years?”

Redspin has conducted HIPAA Security Risk Analysis projects for dozens of hospitals over the past year, enabling them to attest to Stage 1 meaningful use as well as maintain their compliance with the HIPAA Security Rule. While the PHIve quantitative risk methodology gets extremely elaborate, note that even it begins with a security risk assessment. It is a logical starting point. And in our view, Redspin’s security assessments enable you to significantly reduce your risk before making a single calculation. That’s invaluable, particularly with the increased attention on healthcare IT security at the highest levels of the Federal government.

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM