It always starts with getting the C-suite into the room to present them with an overview of what they can expect as deliverables from a Security Assessment and/or a Risk Analysis… then the question is asked “how much is this going to cost?”  Here’s today’s big tip – Show ‘em the money – make it a Return on Security Investment (ROSI)! 

Sadly, we actually hear “Who cares?” At certain points, some CEOs have snorted (something along the lines of…) “I don’t care if someone knows my blood pressure is high” … or “that I had strep throat last winter.” Who cares?

That’s when we pull out the stats on the misuse of unauthorized access and disclosures of protected health information (PHI):

  • Physician ID numbers are used to fraudulently bill for services
    • Medicare fraud estimate? $60B/year
  • Patient ID information is lent to friends or relatives in need of services
    • ~5% of clinical fraud: Free health care
    • Majority of clinical fraud? Obtain prescription narcotics for illegitimate use
  • Patient ID numbers are sold on the black market
    • The value: Social Security number $1; Patient ID Information: $50/record
    • Average Payout for regular ID theft $2,000; for defrauding a health care organization $20,000
  • And then there’s “snooping”
    • 28% of North American IT staff admit to snooping
    • 35% of studied breaches involved snooping into medical records of co-workers and 27% involved viewing records of friends and relatives.
    • And snooping on celebrities can bring in extra cash when sold to newspapers

Finally, if that’s not enough, there are people with “sensitive” health information who do not want employers, or bankers, or neighbors, or friends or family, to know about it. And those people are willing to sue, for big dollars, should that information be impermissibly disclosed.

So, the answer to the question “Who cares?” – maybe not you, but don’t underestimate the passion of others.

With that question behind us, we move on…

As with most things in business, it all comes down to money, with multiple priorities vying for the same investment dollars.  And “Risk Management” initiatives typically fall below those associated with “Revenue Generation”, “Customer Retention” and “Cost Containment”.

But what if a CEO approached the question “What is the value of PHI?” by determining the cost and impact on her business if PHI is lost, instead of using the highly touted average cost of a breached record, which is not necessarily relevant to every organization and involves a calculation not vetted by the organization’s CFO?

What if, instead, an organization could calculate, specifically for itself, the cost of a data breach and then develop the ROSI on initiatives that decrease the probability and/or the impact of a data breach?

That’s the premise of the recently published report “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security”.  The paper provides a five-step methodology (called PHIve) for assessing the relevance and impact of 20 cost elements in 5 cost categories in the event of a breach, given the vulnerabilities and safeguards for each asset (or “PHI home”) that handles PHI or ePHI.  Examples, formulas and statistics give an organization the opportunity to calculate, specifically for itself, the estimated cost of a breach, and show how to use that information to build a solid rationale for an investment in strengthening its compliance program.
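To make the ROSI arithmetic concrete, here is an added illustration of the approach described above; it is not code or data from the PHIve report or from Clearwater. It uses the standard annualized-loss-expectancy form of ROSI (ALE reduction minus control cost, divided by control cost); the cost elements, record counts, probabilities and dollar figures are constructed placeholders, not the report’s 20 elements.

```python
# Added example: per-organization breach-cost estimate and ROSI for a PHI
# safeguard. All cost elements and dollar values below are constructed
# placeholders, not figures from the PHIve report.
from dataclasses import dataclass


@dataclass
class BreachScenario:
    """Estimated cost of one breach of a single 'PHI home' (e.g. a claims system)."""
    records: int                   # PHI records held by this asset
    cost_per_record: dict          # cost element -> $ per breached record
    fixed_costs: dict              # cost element -> flat $ per incident
    annual_probability: float      # estimated chance of a breach in one year

    def single_loss_expectancy(self) -> float:
        """Dollar impact if one breach occurs (per-record elements plus fixed ones)."""
        per_record = sum(self.cost_per_record.values()) * self.records
        return per_record + sum(self.fixed_costs.values())

    def annual_loss_expectancy(self) -> float:
        """Expected yearly loss: likelihood times impact."""
        return self.annual_probability * self.single_loss_expectancy()


def rosi(before: BreachScenario, after: BreachScenario, annual_control_cost: float) -> float:
    """Return on Security Investment as a fraction: (ALE reduction - control cost) / control cost.
    Positive means the safeguard removes more expected loss than it costs each year."""
    risk_reduction = before.annual_loss_expectancy() - after.annual_loss_expectancy()
    return (risk_reduction - annual_control_cost) / annual_control_cost


# Constructed baseline: a claims system holding 40,000 patient records.
baseline = BreachScenario(
    records=40_000,
    cost_per_record={"notification": 3.0, "credit_monitoring": 12.0, "forensics": 2.0},
    fixed_costs={"legal": 250_000.0, "regulatory_fines": 150_000.0},
    annual_probability=0.20,
)
# Constructed post-safeguard scenario: the initiative lowers breach likelihood
# and reduces several cost elements, so both probability and impact drop.
with_control = BreachScenario(
    records=40_000,
    cost_per_record={"forensics": 2.0},
    fixed_costs={"legal": 100_000.0, "regulatory_fines": 50_000.0},
    annual_probability=0.05,
)

if __name__ == "__main__":
    print(f"ALE before safeguard: ${baseline.annual_loss_expectancy():,.0f}")
    print(f"ALE after safeguard:  ${with_control.annual_loss_expectancy():,.0f}")
    print(f"ROSI at $60,000/year control cost: {rosi(baseline, with_control, 60_000):.0%}")
```

Swapping in the organization’s own record counts, cost elements and CFO-vetted dollar values is what turns this from a generic estimate into a business case specific to that organization.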

What’s the harm in giving it a try? Free…downloadable from

Your reputation depends on it!

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.