Healthcare industry CIOs, CSOs must improve security

Thor Olavsrud | March 7, 2012
In an effort to help CIOs and CSOs build a better business case for enhancing security, a group of standards and security organizations has issued a new report on the financial impact of such data breaches.

"The entire healthcare delivery system depends upon a single transaction: your willingness to share the most intimate details of your personal information with your physician," adds James C. Pyles, panel member and principal with Powers Pyles Sutter & Verville PC. "You have to trust that the information won't be used to harm you or your children. If you're dealing in this business of handling health information electronically or any information electronically, you're touching on a very tender nerve that people have."

Pyles added, "It's more than breaches, it's also understanding, as a business, the expectations of your customers. If you frustrate those expectations, I promise you, you will be sued."

Part of the problem, says Catherine Allen, chairman and CEO of The Santa Fe Group, is that the financial incentives are on the side of those who seek to steal medical records. Allen said medical records go for $50 a record on the underground market, making them much more lucrative than even financial information. "It's very valuable data," she says.

Evaluating the Cost of Data Breaches

The new report is intended to be a tool to help organizations quantify overall potential data breach costs and to provide a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach.

"No organization can afford to ignore the potential consequences of a data breach," says Rick Kam, president and co-founder of ID Experts and chair of the PHI Project. "We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI."

He added, "One of the things that we realized as we started to work through this process is that the chief information officer, the chief security officer, they're essentially getting outgunned by the criminals. It's not that we don't have the technology or processes or people to deal with this problem. It's that we don't have enough focus and investment from the executives."

The report provides a five-step method, the PHI Value Estimator (PHIve), for estimating breach costs and what needs to be done to protect organizations. The PHIve provides detailed information about each of the steps, which include: conducting a risk assessment, determining your security readiness score, assessing the relevance of a cost, determining the impact and calculating the total cost of a breach.

"Cybersecurity is not an IT issue," says Larry Clinton, president and CEO of the Internet Security Alliance. "It is an enterprise-wide risk management issue that needs to be addressed in a much broader sense."
