7 keys to understanding the financial impact of breached PHI
The recently released report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," highlights the need for organizations to adopt a new method to evaluate the value of PHI, said the leaders of the PHI Project, which consists of standards organization ANSI, the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance.
Here are seven keys to the financial impact of breached PHI, as outlined in the report.
1. The healthcare ecosystem has expanded to include more organizations, with increased chances of breached PHI. By 2008, 41.5 percent of office-based physicians reported using an EMR system, and today, that number has grown even more with the help of incentive programs. The number of stakeholders in the "healthcare ecosystem" has grown as well, and, according to the report, they are responsible for the confidentiality, integrity and availability of data. "The threats to the security of PHI are not specific to one stakeholder group but are ubiquitous throughout the entire ecosystem due to the volume and availability of PHI data..." the report read. "The growing risk of health information privacy liability is occurring at a time when there is significant pressure to reduce spending on healthcare. In addition, the ability to protect health information has not matched the public's expectations for privacy, to the detriment of the finances and reputations of organizations in the healthcare ecosystem."
2. The laws and regulations have evolved since the enactment of HIPAA. Although protection requirements for PHI evolved slowly at first, said the report, in recent years, they have expanded along with the use of EHRs. When HIPAA was enacted in 1996, only covered entities were subject to established standards for the privacy and security of PHI. "Since then, detailed HIPAA Privacy and Security regulations were issued, subjecting only certain 'covered entities' to both privacy and security standards…and the Genetic Information Non-Discrimination Act of 2008 has been enacted, affording special privacy protections for genetic information." In addition, the American Recovery and Reinvestment Act of 2009 was passed, which included incentives for healthcare providers and practitioners to adopt EHRs, along with the HITECH Act, which enhanced privacy rights and penalties for those who violated those rights.
3. Statistics concerning breaches in recent years, along with the value of personal medical information, have made the public distrustful of the system. The report referenced information collected by the Identity Theft Resource Center, which reported that data breaches are occurring in healthcare at nearly three times the rate as in banking and finance. It also highlighted interesting statistics, such as a thief being able to get $50 on the street for a medical identification number, compared to just $1 for a Social Security number. Stolen information isn't the only kind that puts an organization at risk; "snooping" into a patient's medical records has become yet another liability, with 35 percent of studied breaches including snooping. "Not surprisingly, the frequent reports of massive breaches of [PHI] have eroded the public's confidence in the ability of healthcare providers and organizations to protect the privacy of PHI," the report read. "Approximately 69 percent of Americans have heard of, or read of, health records being stolen from healthcare providers…a majority of Americans [54 percent] only trust their healthcare providers 'somewhat.'"
4. Major "contributors" to PHI breaches have been narrowed down to 11. An analysis of the most recent data breaches has shed light on what types of circumstances are most likely to result in a breach. For starters, the report identified the "insider," a current or former workforce member, employee or contractor, who is classed as a malicious or non-malicious insider depending on their intentions. The "outsider" is a non-workforce member who is intent on disrupting the organization or gaining access to PHI for disreputable purposes. "Some of the most significant breaches, in terms of number of records lost, are caused by lost/stolen media," the report added, which comes as no surprise. In fact, a PwC survey found theft accounted for 66 percent of reported health data breaches in the past two years. Additional risks to PHI include dissemination of data between stakeholders of the ecosystem; mobile devices; business associates, suppliers, vendors and partners; cloud providers; virtual physicians' offices; wireless healthcare device technology; and state-sponsored cyber crime.
5. Specific safeguards and controls have been proven to mitigate the risks of a PHI breach. The report emphasized the need for an enterprise-wide risk management approach. "Too often, information security is viewed solely as an IT problem," it read. "However, such a view is too narrow and masks the larger organizational responsibility." Although a compliance program may be unique to each organization, three aspects of any program will, without a doubt, help mitigate the risk of a data breach: privacy policies, procedures and technology. "Privacy policies contain the overarching principles embraced by the executive members of an organization that establish both the culture as it relates to the importance of safeguarding PHI and their expectations of employees, subcontractors, providers and business associates," the report read. In addition, developing and implementing procedures helps ensure the effectiveness of the "key controls" in the policies, while certain IT helps with access control, integrity, audit controls and transmission security.
6. Not enough is being done across the nation to protect against breaches. In fact, according to the November 2011 HIMSS Security Survey, although organizations are adding money to their IT budget, 53 percent admitted less than 3 percent of their budget was allocated to information security. "And according to a January 2012 survey of compliance professionals, only 27 percent of the over 970 participants felt that they have enough resources for their compliance programs." Additionally, according to a survey conducted by ID Experts, almost 40 percent of respondents couldn't agree with the statement, "Management views privacy and security as a priority," while 54 percent couldn't agree with the statement, "We possess sufficient resources to ensure requirements are currently being met." Lastly, the same survey confirmed a majority of participants want to comply and secure PHI, but budgetary constraints and the lack of executive commitment and leadership prohibit them from doing so.
7. Methods have been created to calculate the cost of a data breach. Lastly, the report highlighted its PHIve method, a five-step approach to determining the cost of a data breach. In short, the steps are: conducting a risk assessment of the risks, vulnerabilities and applicable safeguards for each "PHI home"; determining a "security readiness score" for each PHI home and, from that score, the likelihood of a data breach on the security readiness score scale; examining the relevance of each cost category and applying a relevance factor from the relevance factor hierarchy; determining the impact by multiplying relevance by consequence; and adding up all the adjusted costs to determine the total adjusted cost of a data breach to the organization.
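As an added illustration of how the five PHIve steps fit together (this is not code from the report or from the PHI Project), the following Python model walks two constructed "PHI homes" through the method. The readiness-score-to-likelihood scale, the relevance-factor hierarchy, the use of likelihood as a weight on the summed impacts, and every dollar figure are assumptions made for this example; the report's own tables are not reproduced on this page.

```python
"""Model of the five PHIve steps for two constructed PHI homes.

All scales and figures below are assumptions for illustration, not the
report's own tables.
"""
from dataclasses import dataclass
from typing import List

# Step 2 scale (assumed): a 0-100 security readiness score maps to a
# breach likelihood; higher readiness means lower likelihood.
READINESS_SCALE = [
    (80, 0.10),
    (60, 0.30),
    (40, 0.55),
    (0, 0.80),
]

# Step 3 hierarchy (assumed): how strongly a cost category applies.
RELEVANCE_FACTORS = {
    "not_relevant": 0.0,
    "low": 0.25,
    "medium": 0.5,
    "high": 0.75,
    "certain": 1.0,
}


@dataclass
class Safeguard:
    name: str
    applicable: bool
    implemented: bool


@dataclass
class CostCategory:
    name: str
    relevance: str       # key into RELEVANCE_FACTORS
    consequence: float   # estimated dollar cost if a breach occurs


@dataclass
class PhiHome:
    name: str
    safeguards: List[Safeguard]
    costs: List[CostCategory]


def readiness_score(home: PhiHome) -> float:
    """Steps 1-2: share (0-100) of applicable safeguards actually in place."""
    applicable = [s for s in home.safeguards if s.applicable]
    if not applicable:
        return 0.0
    return 100.0 * sum(s.implemented for s in applicable) / len(applicable)


def breach_likelihood(score: float) -> float:
    """Step 2: look the readiness score up on the (assumed) likelihood scale."""
    for threshold, likelihood in READINESS_SCALE:
        if score >= threshold:
            return likelihood
    return READINESS_SCALE[-1][1]


def impact(cost: CostCategory) -> float:
    """Steps 3-4: relevance factor times consequence; reject unknown levels."""
    if cost.relevance not in RELEVANCE_FACTORS:
        raise ValueError(f"unknown relevance level: {cost.relevance}")
    return RELEVANCE_FACTORS[cost.relevance] * cost.consequence


def adjusted_cost(home: PhiHome) -> float:
    """Step 5 per home: likelihood-weighted sum of impacts (assumed weighting), in cents."""
    likelihood = breach_likelihood(readiness_score(home))
    return round(likelihood * sum(impact(c) for c in home.costs), 2)


def total_adjusted_cost(homes: List[PhiHome]) -> float:
    """Step 5: total adjusted cost of a breach across all PHI homes."""
    return round(sum(adjusted_cost(h) for h in homes), 2)


def sample_homes() -> List[PhiHome]:
    """Constructed sample data: an EHR server and a clinician laptop fleet."""
    ehr = PhiHome("EHR server", [
        Safeguard("encryption at rest", True, True),
        Safeguard("audit logging", True, True),
        Safeguard("multi-factor authentication", True, False),
        Safeguard("device encryption", False, False),   # not applicable here
    ], [
        CostCategory("breach notification", "certain", 50_000),
        CostCategory("regulatory fines", "high", 200_000),
        CostCategory("reputation damage", "medium", 100_000),
    ])
    laptops = PhiHome("clinician laptops", [
        Safeguard("device encryption", True, False),
        Safeguard("remote wipe", True, False),
        Safeguard("audit logging", True, True),
        Safeguard("multi-factor authentication", True, True),
    ], [
        CostCategory("breach notification", "certain", 20_000),
        CostCategory("regulatory fines", "low", 100_000),
        CostCategory("reputation damage", "not_relevant", 40_000),
    ])
    return [ehr, laptops]


if __name__ == "__main__":
    for home in sample_homes():
        print(f"{home.name}: readiness {readiness_score(home):.1f}, "
              f"adjusted cost ${adjusted_cost(home):,.2f}")
    print(f"total adjusted cost ${total_adjusted_cost(sample_homes()):,.2f}")
```

The point of separating the per-home readiness score from the per-category relevance factor is that the two levers are owned by different people: the security team moves the readiness score by implementing safeguards, while finance and legal set the consequence figures and relevance levels, and the model shows which PHI home's missing controls drive the largest share of the total.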
Follow Michelle McNickle on Twitter, @Michelle_writes