Protect Health Data, Report Urges

The time and money spent protecting personal health information from data breaches are well worth the investment, contends a new industry security report.

The 67-page report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," includes a five-step method that health care organizations can use to assess security risks and build a case for improving security. The report, released Monday, was prepared by the nonprofit American National Standards Institute with the Shared Assessments Program and the Internet Security Alliance.

The five steps are:

• Conduct an assessment determining the risks, vulnerabilities and applicable safeguards for each PHI home, or place in the IT system where personal health information rests.
• Determine a security readiness score for each PHI home based on the likelihood of a data breach.
• For each unacceptable security readiness score, examine the likelihood of a particular cost factor being applicable and apply a relevance factor.
• Use the formula "relevance x consequence = impact," with impact representing the adjusted cost.
• Add the adjusted costs to determine the total adjusted cost of a data breach.