This entry is part 5 of 9 in the series CEO-to-CEO

In its August 18, 2014 8-K filing to the U.S. Securities and Exchange Commission, Community Health Systems “confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems.”

As news and rumors spread of the data breach this week, I could not help but consider the costs being incurred and the liability risks building around this case. Quite apart from the cost of organizational distraction, simply counting Board and senior management time, the costs will add up into the millions very rapidly.

For most organizations, Boards and senior executives have little or no sense at all as to what these costs might include or even into what categories they may fall.  At the same time, CIOs and CISOs struggle to justify the next budget dollar to appropriately manage these information risks.  To be sure, the very first step in any program to protect an organization’s assets is to identify all the possible ways in which sensitive information may be exposed – complete a bona fide risk analysis.

Simultaneously, organizations must understand what harm or loss may occur.  The American National Standards Institute, in cooperation with industry experts, published a report in 2012 entitled “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security”.  The report helps organizations consider reputational, financial, legal, regulatory, operational and clinical repercussions.

While the report was focused on the healthcare industry, the principles and the cost-modeling approach apply to the assessment of the liability risks associated with any form of sensitive data. Mary Chaput, MBA, HCISPP, CIPP/US, CIPM, who received special thanks for many hours spent editing the document and synthesizing the various inputs into a coherent report, also refined the Excel model to assist organizations in completing a “cost of a data breach” analysis pertinent to their own organization. You may contact us at for a copy of this Excel model.

In an upcoming white paper, we will introduce the Clearwater Information Risk Management Capability Advancement Model™ and self-assessment tool for immediate adoption to assist organizations in building an efficient and effective risk management program best suited to their unique needs.   Register now to receive your copy!

Privacy, Security and Compliance Risk Management Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.