
Report offers PHI security guidance, metrics for breach cost analysis

Without evidence, CIOs and CSOs struggle to prove to hospital leaders that cybersecurity is crucial against threats to PHI security. A multi-group report aims to give IT the ammo it needs.

Since 2009, the number of Americans affected by data breaches caused by lax protected health information (PHI) security stands at more than 19 million -- roughly the population of the state of Florida.


In an industry based on trust, where a patient voluntarily disclosing personal information to a physician is the "core transaction," this "epidemic" of data breaches is eroding public trust in health care providers and their electronic health record (EHR) systems, said James Pyles, principal of Powers Pyles Sutter & Verville PC.

Pyles was one of eight speakers during a late February conference call announcing the release of the free report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.

Published by the American National Standards Institute (ANSI), the Santa Fe Group and the Internet Security Alliance, the report is meant to help health care organizations of all sizes complete a PHI security cost and risk analysis, with the end goal of proving to executives and boards that the lack of cybersecurity is a threat to be taken seriously.

Weak technology protections underscore need for strong PHI security

The report and its PHI Value Estimator (see sidebar) come on the heels of the White House's Consumer Privacy Bill of Rights, which calls for transparent online privacy and security policies -- including the types of personal information companies collect -- and which, coupled with the pending Cybersecurity Act of 2012, dominated the discussion.

Taken together, the documents should show health care CIOs and CSOs that cybersecurity defense must be "much more sophisticated" than simply updating firewalls and rotating passwords, said Larry Clinton, president and CEO of the Internet Security Alliance.

The five-step PHI Value Estimator process

The Financial Impact of Breached Protected Health Information spells out a five-step process for determining the potential cost of a health care data breach.

  1. Conduct a security risk assessment for any application, network, database or other electronic system that stores or transmits PHI.
  2. Determine the likelihood of a data breach involving each so-called "PHI home" and give it a security readiness score.
  3. For each PHI home with an "unacceptable" security readiness score, apply a relevance factor.
  4. Calculate the impact of a breach. Relevance x consequence (potential cost) = impact.
  5. Add all adjusted costs to determine total cost of data breach.

"Defense is a generation behind the attackers," Clinton continued. "We need to educate and elevate the debate with respect to cybersecurity. If we can't make cybersecurity economically viable, then the solutions won't be sustainable."

Rick Kam, president and co-founder of ID Experts Corp., attributed the problem not to a lack of knowledge, technology or people but, rather, to a lack of focus, particularly in articulating a business case for PHI security.

That's the gap the report attempts to fill -- by identifying the 11 elements that threaten PHI security (see sidebar), by spelling out the safeguards necessary to protect PHI, and by helping organizations calculate the cost of a health care data breach. According to an ID Experts / Ponemon Institute survey cited in the report, that cost exceeds $2.2 million on average and is only going to grow over time.

PHI security threats range from people (malicious or otherwise) to vendors to HIPAA business associates to wireless medical devices. If nothing else, said Lynda Martel, director of privacy compliance communications for DriveSavers Inc., health care business leaders must understand that these PHI security risks can trigger a vulnerability that, if undetected and untreated, can threaten a human life.

The safeguards, meanwhile, define the compliance program that health care organizations of all sizes should have in place, Martel said -- policies that establish a culture of info security, procedures to ensure that those policies are followed and security technology to support those procedures.

Eleven PHI security threats

The Financial Impact of Breached Protected Health Information identifies 11 specific threats to PHI security.


Human threats

  • Malicious insiders
  • Non-malicious insiders
  • Outsiders
  • State-sponsored cyber criminals

Evolving stakeholders

  • HIPAA business associates and subcontractors
  • Cloud service providers
  • Virtual physician's office


  • Lost, stolen media
  • Data dissemination
  • Mobile devices
  • Wireless medical devices

Calculating the cost of lax PHI security

The report concludes with an examination of its PHI Value Estimator, a five-step process for calculating the financial impact of a data breach. This represents the true value of the report, the experts said, as it helps organizations both quantify the cost of a breach -- including HIPAA compliance fines, legal settlements, mitigation and all associated operational and capital expenses -- and account for institutional repercussions that range from lost patients to inaccurate medical research data.

The end result is a color-coded threat scale that ranges from insignificant, or blue (less than 2% of annual revenue) to severe, or red (more than 6%).
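The five-step PHI Value Estimator described above reduces to a small calculation: score each "PHI home," keep only those whose readiness is unacceptable, multiply relevance by consequence to get impact, sum the impacts, and place the total on the color-coded scale. The following is an added illustration, not code from the report or from ANSI, the Santa Fe Group or the Internet Security Alliance. The readiness scale (0-100, with 70 as the "acceptable" cutoff), the relevance factor range (0.0-1.0), the sample PHI homes, the revenue figure and the "intermediate" label for totals between the 2% and 6% thresholds are all assumptions; the article names only the blue (below 2%) and red (above 6%) ends of the scale.

```python
from dataclasses import dataclass

# Thresholds as the article states them: insignificant/blue below 2% of
# annual revenue, severe/red above 6%. The bands in between are not named
# on the page, so they are reported here simply as "intermediate" (assumption).
BLUE_MAX_SHARE = 0.02
RED_MIN_SHARE = 0.06


@dataclass
class PhiHome:
    """One application, network, database or device that stores or transmits PHI."""
    name: str
    readiness_score: float  # step 2: security readiness score (assumed 0-100 scale)
    relevance: float        # step 3: relevance factor (assumed 0.0-1.0)
    consequence: float      # step 4: potential cost of a breach, in dollars


def is_unacceptable(home: PhiHome, acceptable_threshold: float) -> bool:
    """Step 3 gate: only homes below the readiness cutoff get a relevance factor applied."""
    return home.readiness_score < acceptable_threshold


def breach_impact(home: PhiHome) -> float:
    """Step 4: relevance x consequence (potential cost) = impact."""
    return home.relevance * home.consequence


def total_breach_cost(homes: list, acceptable_threshold: float) -> float:
    """Step 5: add all adjusted costs for homes with unacceptable readiness."""
    return sum(breach_impact(h) for h in homes if is_unacceptable(h, acceptable_threshold))


def severity_band(total_cost: float, annual_revenue: float) -> str:
    """Map the total to the report's color-coded scale (share of annual revenue)."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    share = total_cost / annual_revenue
    if share < BLUE_MAX_SHARE:
        return "blue (insignificant)"
    if share > RED_MIN_SHARE:
        return "red (severe)"
    return "intermediate"  # middle bands are not named on the page (assumption)


def estimate(homes: list, acceptable_threshold: float, annual_revenue: float) -> dict:
    """Run the whole estimator and return per-home and total figures for a report."""
    flagged = [h for h in homes if is_unacceptable(h, acceptable_threshold)]
    total = total_breach_cost(homes, acceptable_threshold)
    return {
        "flagged_homes": {h.name: breach_impact(h) for h in flagged},
        "total_cost": total,
        "share_of_revenue": total / annual_revenue,
        "band": severity_band(total, annual_revenue),
    }


# Constructed sample inventory (step 1 output); figures are illustrative only.
SAMPLE_HOMES = [
    PhiHome("EHR database", readiness_score=55, relevance=0.9, consequence=3_000_000),
    PhiHome("Billing application", readiness_score=82, relevance=0.7, consequence=1_500_000),
    PhiHome("Wireless infusion pumps", readiness_score=40, relevance=0.5, consequence=1_000_000),
]
ACCEPTABLE_READINESS = 70       # assumed cutoff for an "acceptable" score
SAMPLE_ANNUAL_REVENUE = 100_000_000  # constructed figure

if __name__ == "__main__":
    result = estimate(SAMPLE_HOMES, ACCEPTABLE_READINESS, SAMPLE_ANNUAL_REVENUE)
    for name, impact in result["flagged_homes"].items():
        print(f"{name}: ${impact:,.0f}")
    print(f"Total: ${result['total_cost']:,.0f} "
          f"({result['share_of_revenue']:.1%} of revenue) -> {result['band']}")
```

With the sample inventory, the billing application passes the readiness cutoff and drops out of the sum; the EHR database and the infusion pumps contribute $2.7 million and $0.5 million respectively, for a total of $3.2 million, or 3.2% of the constructed revenue, which lands between the blue and red ends of the scale.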

Getting individual organizations to conduct such sophisticated analyses, though difficult, will be a "more sustainable" model than any government initiative, Clinton said.

The cybersecurity bills before Congress do go a step further than the HIPAA Privacy Rule and HIPAA Security Rule and actually outline security policies. But Clinton said the likelihood of the legislation going anywhere in an election year is small -- though the public will demand a response from Congress if the "unabated" data breach trend continues.

The legislative lull, then, should give providers a chance to show that they are taking PHI security seriously. Knowing the actual financial impact of a health care data breach, Clinton continued, will "get organizations to do things in the consumer's best interest because they realize it's in their own best interest."

Pyles agreed: "Industry has an opportunity here to show that it can preserve the public's trust."  

Let us know what you think about the story; email Brian Eastwood, Site Editor or contact @SearchHealthIT on Twitter.
