
The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects everyone.”

It was great to see the White House advocating the importance of healthcare IT security, right on the heels of President Obama’s February release of a new framework for protecting consumer data privacy:

“One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”

– President Barack Obama

Mr. Schmidt referenced the President’s clarion call and concluded: “Without security, you don’t have privacy.”

The report itself, “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” is a 67-page, glossy publication. Much like an annual report, it is attractively designed and professionally printed, and includes 13 tables as well as numerous charts and graphics. The project was a huge collaborative effort with 3 leads, 2 premium sponsors, and 10 partner sponsors. Credits were extended to 82 individuals and their respective organizations on the full Project Team. Boxes full of reports were available at the National Press Club and Rayburn House Office Building. Copies were distributed to the press, members of Congress, and their aides. The report is also downloadable from ANSI at:

The bulk of the report is a compilation of previously-published research, surveys, statistics, and news articles (as evidenced by the 122 footnotes). While it breaks no new ground, it is a useful marketing communications piece that will raise overall awareness of the IT security risks and challenges facing the healthcare industry.

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end goal is to enable an organization to calculate how much it should invest to reduce the risk of a data breach. I am not a fan of this approach (see my upcoming presentation “In Praise of Qualitative Risk Analysis” at NCHICA’s 8th Annual Academic Medical Center Conference, April 23-25 in Chapel Hill, N.C.). However, the first of PHIve’s steps is: “Conduct a Risk Assessment – Assess the Risks, Vulnerabilities, and Applicable Safeguards.”

Sound familiar? It should. After all, it is a requirement of the HIPAA Security Rule. More recently, nearly identical language regarding security risk analysis has been included in the core requirements of Stage 1 and Stage 2 “meaningful use” for covered entities, eligible hospitals, and eligible providers. Yet, at the Congressional lunch launch of The Financial Impact of Breached Healthcare Data, Joy Pritts, HHS’ Privacy and Security Officer, lamented: “It is quite telling that a recent HIMSS survey found that 25% of respondents had not even conducted a security risk assessment. It’s been part of the HIPAA Security Rule for what, the past 5 or 6 years?”

Redspin has conducted HIPAA Security Risk Analysis projects for dozens of hospitals over the past year, enabling them to attest to Stage 1 meaningful use as well as maintain their compliance with the HIPAA Security Rule. While the PHIve quantitative risk methodology gets extremely elaborate, note that even it begins with a security risk assessment. It is the logical starting point. And in our view, Redspin’s security assessments enable you to significantly reduce your risk before making a single calculation. That’s invaluable, particularly with the increased attention on healthcare IT security at the highest levels of the Federal government.


This Post Has One Comment

  1. ANSI ePHI paper: A coauthor’s comment.

    ANSI would not let me put in my leading edge stuff because they wanted a defensible paper.

    Still, you will not find a whole lot of free papers showing defensible estimates of how many breached Medical or Credit Cards one could expect in a release. It’s a small detail in the spreadsheet computations one may not normally find.

    All the work on frequency of breach as a function of organizationally controllable factors had to be clipped because I would be a cutting edge single source.

    I have a lot of follow-up material in terms of estimating the expected impacts of repeating, probability-based failures of sensitive data and do have calibrated information from medical clients to back it up.

    My favorite is using the rule of thumb, found in the paper, that 3/8 of the client base shows up in a single year. So from the at-risk records we can estimate the revenue of a Hospital or Medical Clinic. That comes from me.

    Nearly everyone who reviewed it knows it’s roughly true but is afraid to admit it.
