The 5 (PHIve) steps you can take now to protect PHI

By Rick Kam
09:24 AM

The adoption of electronic health records (EHRs) is making protected health information (PHI) more susceptible than ever to exposure, loss, or theft. What were once localized records are now transmitted across the healthcare ecosystem, from the front desk to the cloud, from health plans to downstream subcontractors. Despite the increased risk of exposure, healthcare organizations lack the resources and, in some cases, the boardroom-level sense of urgency that would make protecting PHI a high priority.


On Monday the PHI Project — a collaboration of the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), together with a cross-section of more than 100 healthcare industry leaders from over 70 organizations — released The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, which gives healthcare organizations a model and tools to evaluate the value of their PHI and proactively predict breach risks and their financial impact, so that they can make a business case for the right PHI security investments.

The report presents “PHIve” — the PHI Value Estimator — a five-step method for assessing security threats and evaluating the “at risk” value of an organization’s PHI. This tool estimates overall potential data breach costs, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach occurrence.

Healthcare organizations can use these PHIve steps now to make a business case for protecting PHI:

1. Conduct a risk assessment including the risk events, vulnerabilities, and applicable safeguards for each “PHI home” in a healthcare organization. A PHI home is any organizational function or space (administrative, physical, or technical) and/or any application, network, database, or system (electronic) that creates, maintains, stores, transmits, or disposes of ePHI or PHI. Identifying the many PHI homes and their security readiness requires cross-functional discussion within the organization – discussion that helps to identify process and policy issues and security gaps, and that promotes awareness of PHI privacy issues.

2. Assign a “security readiness score” to each PHI home by determining the likelihood of a data breach. This scoring is essential in order to assess the level of exposure that exists based on the organization's overall security posture. The probability of a data breach is weighted from 1 to 5 on the security readiness scale: a score of 1 or 2 is acceptable, and a score of 4 or 5 is unacceptable.

3. Determine the potential breach costs relevant to the organization. Data breach costs are broken into five categories: reputational, financial, legal/regulatory, operational, and clinical. However, not all costs are relevant to each PHI home. For instance, a medical laboratory might not suffer the same reputational damage from a PHI breach, or incur the same PR costs, as a medical practice. Each PHI home that has an unacceptable security readiness score is assigned a “relevance factor” reflecting the likelihood of a cost being incurred if a data breach occurred in that PHI home. Factors range from 0.05 for hardly relevant to 1.00 for an actual breach.

4. Determine the impact of a data breach. The impact is calculated by factoring the potential costs (consequence) against the likelihood of a breach (relevance) for each PHI home that has an unacceptable security readiness score.

  • Relevance: This is the “relevance factor” associated with the cost category for the organization.
  • Consequence: Calculate the potential cost of the cost category based on considerations for the organization. The medical laboratory cited in step 3 would not face the same reputational costs as a hospital or medical practice.
  • Impact: Multiply the “relevance factor” by the “consequence” to determine the “adjusted cost.” For example: Loss of current customers (impact) = average revenue or margin per customer (relevance) × number of customers that might switch to a competitor (consequence)

5. Add the adjusted costs to project the financial impact of a data breach. To calculate a customized cost of a data breach, we total up all the adjusted costs for all PHI homes that have an unacceptable security readiness score to determine a total adjusted cost of a data breach to an organization. Then we calculate the adjusted total as a percentage of revenue, and use that percentage to determine the significance level of a data breach to an organization.
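The five PHIve steps above, carried through as a small calculation. This is an added illustration, not code or data from the ANSI report; the PHI homes, relevance factors, consequence amounts and revenue figure are constructed sample values, and the report's thresholds for the final "significance level" are not on this page, so the function returns the raw percentage rather than a label.

```python
from dataclasses import dataclass, field

# The five cost categories from step 3.
CATEGORIES = ("reputational", "financial", "legal/regulatory", "operational", "clinical")
# Step 2: 1-2 acceptable, 4-5 unacceptable. The article does not classify a 3,
# so only 4 and 5 are pulled into the breach-cost projection here.
UNACCEPTABLE_SCORES = {4, 5}


@dataclass
class PhiHome:
    name: str
    readiness_score: int                      # security readiness score, 1..5
    # cost category -> (relevance factor 0.05..1.00, consequence in dollars)
    costs: dict = field(default_factory=dict)


def adjusted_cost(home: PhiHome) -> float:
    """Step 4: sum of relevance x consequence over the home's cost categories."""
    total = 0.0
    for category, (relevance, consequence) in home.costs.items():
        if category not in CATEGORIES:
            raise ValueError(f"unknown cost category {category!r}")
        if not 0.05 <= relevance <= 1.0:
            raise ValueError(f"relevance factor out of range: {relevance}")
        total += relevance * consequence
    return total


def project_breach_impact(homes, annual_revenue: float):
    """Step 5: total adjusted cost over homes with an unacceptable score,
    and that total expressed as a percentage of revenue."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    total = sum(adjusted_cost(h) for h in homes
                if h.readiness_score in UNACCEPTABLE_SCORES)
    return total, 100.0 * total / annual_revenue


# Constructed sample data (not from the report).
SAMPLE_HOMES = [
    PhiHome("billing database", 5, {"financial": (0.75, 400_000),
                                    "legal/regulatory": (1.00, 250_000),
                                    "reputational": (0.50, 300_000)}),
    PhiHome("lab results feed", 4, {"operational": (0.60, 120_000),
                                    "reputational": (0.05, 300_000)}),
    PhiHome("front desk scheduling", 2, {"reputational": (1.00, 900_000)}),  # acceptable, excluded
]
SAMPLE_REVENUE = 50_000_000

if __name__ == "__main__":
    total, pct = project_breach_impact(SAMPLE_HOMES, SAMPLE_REVENUE)
    print(f"adjusted breach cost: ${total:,.0f} ({pct:.2f}% of revenue)")
```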


Conclusion
Research shows that healthcare providers know they’re at risk, and they want to provide effective PHI security to protect their organizations and their patients. With the PHI Value Estimator, they now have the tools to make a compelling financial argument for augmented security and privacy investments.

This complimentary report, which includes the PHI Value Estimator (PHIve), is available for download at webstore.ansi.org/phi.

Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).