THE “PHI PROJECT” – THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION
A BUSINESS CASE FOR ENHANCED PHI SECURITY

THE “PHI PROJECT”
REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
WHO: Guardians of the trust forming the foundation of the health care delivery system
SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security

100+ EXPERT PARTICIPANTS, 70 ORGANIZATIONS
• American National Standards Institute (ANSI), via its Identity Theft Standards Panel (IDSP)
• The Santa Fe Group/Shared Assessments Healthcare Working Group
• Internet Security Alliance (ISA)
• Health care industry leaders
• Security and privacy experts
APPROACH BASED ON SUCCESS OF PRIOR PROJECTS
WHAT MAKES HEALTH CARE WORK?
• Availability
• Integrity
• Trust
• Confidentiality

THE PROBLEM IS…..BREACHES
• Between 2005 & 2008: nearly 39.5 million electronic health records breached
• In the past two years: the privacy of 18 million Americans compromised
• In the period September through November of 2011:
  - health records of 4.9 million military personnel,
  - 4 million patients of a health care system, and
  - 20,000 patients of an academic medical center
• 72 provider organizations in a November 2011 survey:
  - 96%: at least one data breach in the past 24 months
  - On average: 4 data breach incidents during the past two years
WHAT’S HAPPENING?
THE RAMIFICATIONS…
For the first time in history, it is possible to:
• Improperly disclose the PHI of millions of individuals “in a matter of seconds,”
• Steal health information from a virtual location, and
• Breach PHI in a manner that makes it impossible to restore.

WHY STEAL PHI?
• Physician ID numbers are used to fraudulently bill for services
  - Medicare fraud estimate? $60B/year
  - Majority of clinical fraud? Obtaining prescription narcotics for illegitimate use
• Patient ID information is lent to friends or relatives in need of services
  - ~5% of clinical fraud: free health care
• Patient ID numbers are sold on the black market
  - Patient ID information: $50/record; Social Security number: $1
  - Average payout for defrauding a health care organization: $20,000; regular ID theft? $2,000

TOP ELEMENTS THREATENING PHI SECURITY
Human
• Malicious Insider
• Non-Malicious Insider
• State-Sponsored Cyber Crime
Methods
• Lost / Stolen Media
• Outsider Intrusion
• Dissemination of Data
• Mobile Devices
• Wireless Devices
Evolving Stakeholders
• BAs and Subcontractors
• Cloud Providers
• Virtual Physician’s Office
SAFEGUARDS AND CONTROLS ARE WELL KNOWN…
SO WHAT’S HAPPENING? PHI PROJECT SURVEY FINDINGS
THE LAWS ARE COMPLEX PHI PROJECT SURVEY FINDINGS
COMPLIANCE IS NOT EASY PHI PROJECT SURVEY FINDINGS
STUMBLING BLOCKS TO A STRONG SECURITY POSTURE PHI PROJECT SURVEY FINDINGS
WHY A MODEL?
• Published averages for the cost of a data breach exist, but are they relevant to every organization?
• This model provides an opportunity to:
  - Be specific to an organization,
  - Calculate what a breach might actually cost, and
  - Build a compelling business case for strengthening a compliance program

PHI PROJECT REPORT – Table of Contents
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. PHIve – The 5-Step Method of Data Breach Costing
8. Calculating the Cost of a PHI Breach Using PHIve
9. Finale
10. Appendices

THE PHIve MODEL: BUILDING A BUSINESS CASE FOR ENHANCED SECURITY