It always starts with getting the C-suite into the room to present them with an overview of what they can expect as deliverables from a Security Assessment and/or a Risk Analysis… then the question is asked “how much is this going to cost?” Here’s today’s big tip – Show ‘em the money – make it a Return on Security Investment (ROSI)!
Sadly, we actually hear “Who cares?” At certain points, some CEOs have snorted something along the lines of “I don’t care if someone knows my blood pressure is high” or “that I had strep throat last winter.” Who cares?
That’s when we pull out the stats on unauthorized access to, and disclosure of, protected health information (PHI):
- Physician ID numbers are used to fraudulently bill for services
- Medicare fraud estimate? $60B/year
- Patient ID information is lent to friends or relatives in need of services
- ~5% of clinical fraud: Free health care
- Majority of clinical fraud? Obtain prescription narcotics for illegitimate use
- Patient ID numbers are sold on the black market
- The value: Social Security number $1; Patient ID Information: $50/record
- Average Payout for regular ID theft $2,000; for defrauding a health care organization $20,000
- And then there’s “snooping”
- 28% of North American IT staff admit to snooping
- 35% of studied breaches involved snooping into medical records of co-workers and 27% involved viewing records of friends and relatives.
- And snooping on celebrities can bring in extra cash when sold to newspapers
Finally, if that’s not enough, there are people with “sensitive” health information that they do not want employers, bankers, neighbors, friends or family to know about. And those people are willing to sue, for big dollars, should that information be impermissibly disclosed.
So, as to the answer to the question “Who cares?”: maybe not you, but don’t underestimate the passion of others.
With that question behind us, we move on…
As with most things in business, it all comes down to money: multiple priorities vying for the same investment dollars. And “Risk Management” initiatives typically fall below those associated with “Revenue Generation”, “Customer Retention” and “Cost Containment”.
But what if a CEO approached the question “What is the value of PHI?” by determining the cost and impact on her business if PHI is lost, instead of using the highly touted average cost of a breached record, which is not necessarily relevant to every organization and involves a calculation not vetted by the organization’s CFO?
What if, instead, an organization could calculate, specifically for itself, the cost of a data breach and then develop the ROSI on initiatives that decrease the probability and/or the impact of a data breach?
That’s the premise of the recently published report “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security”. The paper provides a five-step methodology (called PHIve) for assessing the relevance and impact of 20 cost elements in 5 cost categories in the event of a breach, given the vulnerabilities and safeguards for each asset (or “PHI home”) that handles PHI or ePHI. Examples, formulas and statistics give an organization a way to calculate, specifically for itself, the estimated cost of a breach, and show how to use that figure to build a solid rationale for investing in a stronger compliance program.
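To make the ROSI idea concrete, here is an added example (not code from the post or from the ANSI report) that prices one “PHI home” from its own cost elements and ranks candidate safeguards by return. It assumes the common annualized form ROSI = (loss avoided − initiative cost) / initiative cost; the cost-element names, dollar figures and probabilities are constructed placeholders, not PHIve’s 20 elements.

```python
from dataclasses import dataclass

# Assumed ROSI formula (not the PHIve method): compare the annual loss
# expectancy (ALE = breach cost x annual breach probability) with and
# without a safeguard, net of what the safeguard costs per year.


@dataclass
class PhiHome:
    """One asset that handles PHI, priced with the organization's own numbers."""
    name: str
    cost_elements: dict            # cost element -> estimated dollars if breached
    annual_breach_probability: float

    def breach_cost(self) -> float:
        return float(sum(self.cost_elements.values()))

    def annual_loss_expectancy(self) -> float:
        return self.breach_cost() * self.annual_breach_probability


@dataclass
class Initiative:
    """A safeguard that lowers breach probability and/or breach impact."""
    name: str
    annual_cost: float
    probability_reduction: float = 0.0   # fraction of probability removed (0..1)
    impact_reduction: float = 0.0        # fraction of breach cost removed (0..1)


def rosi(home: PhiHome, initiative: Initiative) -> float:
    """Return on security investment as a ratio (1.0 means a 100% return)."""
    ale_before = home.annual_loss_expectancy()
    ale_after = (home.breach_cost() * (1 - initiative.impact_reduction)
                 * home.annual_breach_probability
                 * (1 - initiative.probability_reduction))
    return (ale_before - ale_after - initiative.annual_cost) / initiative.annual_cost


def rank_initiatives(home: PhiHome, initiatives) -> list:
    """Highest-return safeguard first; this is what goes in front of the CFO."""
    return sorted(((i.name, rosi(home, i)) for i in initiatives),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample: one PHI home and three candidate initiatives.
EHR = PhiHome("EHR database", {"notification": 150_000, "legal/regulatory": 400_000,
                               "credit monitoring": 250_000, "lost business": 200_000}, 0.2)
INITIATIVES = [Initiative("Encryption at rest", 50_000, impact_reduction=0.5),
               Initiative("Access monitoring", 30_000, 0.25, 0.2),
               Initiative("Staff training", 20_000, probability_reduction=0.1)]

if __name__ == "__main__":
    for name, value in rank_initiatives(EHR, INITIATIVES):
        print(f"{name:20s} ROSI = {value:6.2f}")
```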
What’s the harm in giving it a try? It’s free, downloadable from http://webstore.ansi.org/phi
Your reputation depends on it!
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources