Measuring Potential Breach Costs

Making the Business Case for Security Investments

The American National Standards Institute, in collaboration with two other groups, has issued a free report offering a five-step method that healthcare organizations can use to estimate the potential cost of data breaches.


The study also provides a method for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach.

The 67-page report, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," is designed to help security professionals and others better understand the potential risks and liabilities resulting from data breaches. Partnering with ANSI's Identity Theft Prevention and Identity Management Standards Panel to produce the report were the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance.

A free webinar featuring authors of the report will be offered March 21.

Five Steps

The five key steps for estimating breach costs, according to the report, are:

  • Assess the risks, vulnerabilities and applicable safeguards for each "PHI home." The report defines a PHI (protected health information) home as "any organizational function or space (administrative, physical or technical) and/or any application, network, database or system (electronic) that creates, maintains, stores, transmits or disposes of ePHI or PHI."
  • Determine the likelihood of a data breach for each PHI home by using a "security readiness score" scale.
  • For each PHI home that has an unacceptable score, examine the relevance - likelihood or applicability - of a particular cost category and apply a "relevance factor."
  • Determine the impact of a potential breach using the formula of "relevance x consequence" to come up with an adjusted cost. Consequence is a calculation of the potential costs based on considerations for a particular organization.
  • Add up all adjusted costs for various PHI homes to determine the total cost to the organization.
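The arithmetic behind steps 2 through 5 is easy to get wrong once an organization has dozens of PHI homes and several cost categories each. The following Python sketch, added here as an illustration and not taken from the ANSI report, models a PHI home with a readiness score and a list of cost categories, excludes homes whose score is acceptable, applies relevance x consequence per category and sums the adjusted costs. The score scale (1 to 5), the cut-off of 3, the category names and all dollar figures are assumptions constructed for the example; the report's actual scale and relevance factors are not given in the article.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed scale: readiness score 1 (weakest) .. 5 (strongest); a score below
# this threshold is treated as "unacceptable" for step 3. Not from the report.
ACCEPTABLE_READINESS_SCORE = 3


@dataclass
class CostCategory:
    name: str
    relevance: float    # relevance factor: 0.0 (not applicable) .. 1.0 (fully applicable)
    consequence: float  # organization-specific potential cost for this category, in dollars


@dataclass
class PHIHome:
    name: str
    readiness_score: int
    costs: list[CostCategory] = field(default_factory=list)


def adjusted_costs(home: PHIHome) -> dict[str, float]:
    """Steps 3-4 for one PHI home: adjusted cost = relevance x consequence per category."""
    return {c.name: c.relevance * c.consequence for c in home.costs}


def total_breach_cost(homes: list[PHIHome],
                      threshold: int = ACCEPTABLE_READINESS_SCORE) -> tuple[float, dict[str, float]]:
    """Steps 2-5: homes with an acceptable readiness score contribute nothing;
    every other home contributes the sum of its adjusted costs.
    Returns (organization total, per-home subtotal)."""
    per_home: dict[str, float] = {}
    for home in homes:
        if home.readiness_score >= threshold:
            continue  # acceptable score: excluded from the estimate
        per_home[home.name] = sum(adjusted_costs(home).values())
    return sum(per_home.values()), per_home


# Constructed sample data; names and figures are illustrative only.
SAMPLE_HOMES = [
    PHIHome("billing database", readiness_score=2, costs=[
        CostCategory("breach notification", relevance=1.0, consequence=120_000.0),
        CostCategory("regulatory fines", relevance=0.5, consequence=400_000.0),
        CostCategory("credit monitoring", relevance=0.75, consequence=250_000.0),
    ]),
    PHIHome("clinic laptops", readiness_score=1, costs=[
        CostCategory("breach notification", relevance=1.0, consequence=30_000.0),
        CostCategory("regulatory fines", relevance=0.25, consequence=400_000.0),
    ]),
    PHIHome("patient portal", readiness_score=4, costs=[
        CostCategory("breach notification", relevance=1.0, consequence=80_000.0),
    ]),
]

if __name__ == "__main__":
    total, subtotals = total_breach_cost(SAMPLE_HOMES)
    for name, cost in subtotals.items():
        print(f"{name:20s} ${cost:>12,.0f}")
    print(f"{'TOTAL':20s} ${total:>12,.0f}")
```

Keeping the per-home subtotals alongside the total is what makes the result useful for the investment decision the report describes: the homes with the largest adjusted cost are the ones where raising the readiness score pays off first.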

Calculating potential costs of breaches, based on a detailed assessment of an organization's risk, can help justify an appropriate level of investment in breach prevention, according to the report. "No organization can afford to ignore the potential consequences of a data breach," says Rick Kam, who chaired the PHI Project, which created the report. Kam is president of ID Experts.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
