Measuring Potential Breach Costs
Making the Business Case for Security Investments
The American National Standards Institute, in collaboration with two other groups, has issued a free report offering a five-step method that healthcare organizations can use to estimate the potential cost of data breaches.
The study also provides a method for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach.
The 67-page report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," is designed to help security professionals and others better understand the potential risks and liabilities resulting from data breaches. Partnering with ANSI's Identity Theft Prevention and Identity Management Standards Panel to produce the report were the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance.
A free webinar featuring authors of the report will be offered March 21.
The five key steps for estimating breach costs, according to the report, are:
- Assess the risks, vulnerabilities and applicable safeguards for each "PHI home." The report defines a PHI (protected health information) home as "any organizational function or space (administrative, physical or technical) and/or any application, network, database or system (electronic) that creates, maintains, stores, transmits or disposes of ePHI or PHI."
- Determine the likelihood of a data breach for each PHI home by using a "security readiness score" scale.
- For each PHI home that has an unacceptable score, examine the relevance (likelihood or applicability) of each particular cost category and apply a "relevance factor."
- Determine the impact of a potential breach using the formula of "relevance x consequence" to come up with an adjusted cost. Consequence is a calculation of the potential costs based on considerations for a particular organization.
- Add up all adjusted costs for various PHI homes to determine the total cost to the organization.
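The five steps expressed as a small cost model, added here as an illustration rather than taken from the report or the article. The readiness scale and threshold, the cost categories, and the PHI homes with their dollar figures are all assumed or constructed; the report supplies its own scale and organization-specific consequence values.

```python
from dataclasses import dataclass, field

# Assumed scale (not the report's): readiness score 1 (weak) to 5 (strong).
# Homes scoring below the threshold count as "unacceptable" (step 2) and are
# the only ones carried into the cost estimate (step 3).
READINESS_THRESHOLD = 4

@dataclass
class CostCategory:
    name: str
    relevance: float    # relevance factor: 0.0 (not applicable) .. 1.0 (certain)
    consequence: float  # potential cost for this organization, in dollars

    def adjusted_cost(self) -> float:
        # Step 4: impact = relevance x consequence
        return self.relevance * self.consequence

@dataclass
class PHIHome:
    name: str
    readiness_score: int
    categories: list = field(default_factory=list)

    def is_unacceptable(self) -> bool:
        return self.readiness_score < READINESS_THRESHOLD

    def adjusted_cost(self) -> float:
        # Homes with an acceptable readiness score contribute nothing.
        if not self.is_unacceptable():
            return 0.0
        return sum(c.adjusted_cost() for c in self.categories)

def cost_breakdown(homes: list) -> dict:
    return {h.name: h.adjusted_cost() for h in homes}

def total_breach_cost(homes: list) -> float:
    # Step 5: sum the adjusted costs across all PHI homes
    return sum(h.adjusted_cost() for h in homes)

# Constructed sample inventory; names, scores and amounts are illustrative.
SAMPLE_HOMES = [
    PHIHome("billing database", 2, [CostCategory("breach notification", 1.0, 150_000),
                                    CostCategory("regulatory fines", 0.5, 1_000_000)]),
    PHIHome("clinician laptops", 3, [CostCategory("breach notification", 0.75, 200_000),
                                     CostCategory("credit monitoring", 0.5, 300_000)]),
    PHIHome("offsite encrypted backups", 5, [CostCategory("breach notification", 1.0, 500_000)]),
]

if __name__ == "__main__":
    for name, cost in cost_breakdown(SAMPLE_HOMES).items():
        print(f"{name}: ${cost:,.0f}")
    print(f"total: ${total_breach_cost(SAMPLE_HOMES):,.0f}")
```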
Calculating potential costs of breaches, based on a detailed assessment of an organization's risk, can help justify an appropriate level of investment in breach prevention, according to the report. "No organization can afford to ignore the potential consequences of a data breach," says Rick Kam, who chaired the PHI Project, which created the report. Kam is president of ID Experts.