"The entire healthcare delivery system depends upon a single transaction: your willingness to share the most intimate details of your personal information with your physician," adds James C. Pyles, panel member and principal with Powers Pyles Sutter & Verville PC. "You have to trust that the information won't be used to harm you or your children. If you're dealing in this business of handling health information electronically or any information electronically, you're touching on a very tender nerve that people have."
Pyles added, "It's more than breaches, it's also understanding, as a business, the expectations of your customers. If you frustrate those expectations, I promise you, you will be sued."
Part of the problem, says Catherine Allen, chairman and CEO of The Santa Fe Group, is that the financial incentives are on the side of those who seek to steal medical records. Allen said medical records go for $50 a record on the underground market, making them much more lucrative than even financial information. "It's very valuable data," she says.
Evaluating the Cost of Data Breaches
The new report is intended to be a tool to help organizations quantify overall potential data breach costs and to provide a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach.
"No organization can afford to ignore the potential consequences of a data breach," says Rick Kam, president and co-founder of ID Experts and chair of the PHI Project. "We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI."
He added, "One of the things that we realized as we started to work through this process is that the chief information officer, the chief security officer, they're essentially getting outgunned by the criminals. It's not that we don't have the technology or processes or people to deal with this problem. It's that we don't have enough focus and investment from the executives."
The report provides a five-step method, the PHI Value Estimator (PHIve), for estimating breach costs and what needs to be done to protect organizations. The PHIve provides detailed information about each of the steps, which include: conducting a risk assessment, determining your security readiness score, assessing the relevance of a cost, determining the impact and calculating the total cost of a breach.
"Cybersecurity is not an IT issue," says Larry Clinton, president and CEO of the Internet Security Alliance. "It is an enterprise-wide risk management issue that needs to be addressed in a much broader sense."
Sign up for CIO Asia eNewsletters.