In its August 18, 2014 8-K filing to the U.S. Securities and Exchange Commission, Community Health Systems “confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert believe the attacker was an ‘Advanced Persistent Threat’ group originating from China who used highly sophisticated malware and technology to attack the Company’s systems.”
As news and rumors of the data breach spread this week, I could not help but consider the costs being incurred and the liability risks building around this case. Even setting aside the cost of organizational distraction, measured simply in Board and senior management time, the costs will climb into the millions very rapidly.
For most organizations, Boards and senior executives have little or no sense at all as to what these costs might include or even into what categories they may fall. At the same time, CIOs and CISOs struggle to justify the next budget dollar to appropriately manage these information risks. To be sure, the very first step in any program to protect an organization’s assets is to identify all the possible ways in which sensitive information may be exposed – complete a bona fide risk analysis.
Simultaneously, organizations must understand what harm or loss may occur. The American National Standards Institute, in cooperation with industry experts, published a report in 2012 entitled “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security”. The report helps organizations consider reputational, financial, legal, regulatory, operational and clinical repercussions.
While the report was focused on the healthcare industry, the principles and the cost-modeling approach apply to the assessment of the liability risks associated with any form of sensitive data. Mary Chaput, MBA, HCISPP, CIPP/US, CIPM, who received special thanks for the many hours she spent editing the document and synthesizing the various inputs into a coherent report, also refined the Excel model to assist organizations in completing a “cost of a data breach” analysis pertinent to their own organization. You may contact us at firstname.lastname@example.org for a copy of this Excel model.
In an upcoming white paper, we will introduce the Clearwater Information Risk Management Capability Advancement Model™ and self-assessment tool for immediate adoption to assist organizations in building an efficient and effective risk management program best suited to their unique needs. Register now to receive your copy!
Privacy, Security and Compliance Risk Management Resources Available to You
Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater HIPAA Security Risk Analysis™ software DataSheet
- Clearwater HIPAA Security Risk Analysis™ software Free Trial for qualified organizations
- AboutHIPAA.com Risk Analysis Resources
Latest posts by Bob Chaput