The Financial Impact of Breached Protected Health Information

The Financial Impact of Breached Protected Health Information

THE FINANCIAL IMPACT OF BREACHED PROTECTED HEALTH INFORMATION A Business Case for Enhanced PHI Security Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. © 2012 American National Standards Institute (ANSI) / The Santa Fe Group /Internet Security Alliance All rights reserved. Published by ANSI. Printed in the United States of America. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, except as permitted under Sections 107 or 108 of the U.S. Copyright Act, without prior written permission of the publisher. Material in this publication is for educational purposes. Neither the publisher nor the authors assume any liability for any errors or omissions or for how this publication or its contents are used or interpreted or for any consequences resulting directly or indirectly from the use of this publication. For legal advice or any other, please consult your personal lawyer or the appropriate professional. The views expressed by the individuals in this publication do not necessarily reflect the views shared by the companies they are employed by (or the companies mentioned in this publication). The employment status and affiliations of authors with the companies referenced are subject to change. Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. The Progression of the Health Care Ecosystem TABLE OF CONTENTS Acknowledgments 5 Executive Summary 9 Introduction 11 Chapter 1 13 The Progression of the Health Care Ecosystem Chapter 2 17 The Evolution of Laws, Rules, and Regulations Chapter 3 21 PHI Data Breach Landscape Chapter 4 25 Threats and Vulnerabilities Chapter 5 31 Safeguards and Controls Chapter 6 35 Survey Findings on Current Practices and Attitudes Chapter 7 39 PHIve – The 5-Step Method of Data Breach Costing Chapter 8 45 Calculating the Costs of a PHI Breach Using PHIve Finale 59 Endnotes 61 Appendices – Available on the PHI project website at webstore.ansi.org/phi Appendix A – Glossary of Terms and Acronyms Appendix B – Legal and Regulatory Liabilities Appendix C – Legal Considerations with Respect to Cloud Computing Appendix D – PHI Threat Scenarios Appendix E – Complete Results of Survey: Current Practices and Attitudes The Financial Impact of Breached Protected Health Information download this publication freely at webstore.ansi.org/phi – 3 – Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. Acknowledgments PROJECT TEAM The following professionals are acknowledged for their contributions to the development of this report through participation in project meetings and teleconferences. The report was developed based on their collective inputs, following a consensus process, and does not necessarily reflect the views of the companies and organizations listed. ActiveHealth Management Manomohan Kalathil Aeritae Consulting Group, Ltd. Rob Ramer Affinion Security Center Christine El Eris* Alvarez & Marsal Mandar Rege American Health Information Management Association Harry Rhodes American National Standards Institute Jim McCabe, Liz Neiman, Sally Seitz Androscoggin Home Care & Hospice Julie Porter AWARE Software, Inc. Dr. James Zaiss B System Compliant, LLC Rustom Bhopti Bayhealth Medical Center Bonnie R. Millman BKD LLP Matthew Lathrom Blue Cross Blue Shield of Michigan Dawn Geisert Bluewater International Dr. Gary R. Gordon* Booz Allen Hamilton Inc. Debbie Wolf,* Ilene Yarnoff Catholic Health Initiatives Carrie Harding The Center for Identity Management and Information Dr. Don Rebovich,* Ingrid Norris, Barb Stack Protection at Utica College Church Pension Group Services Corp. Stephen Tihor Clearwater Compliance LLC Bob Chaput, Mary Chaput, Eric Lombardo, Jon Stone CyberRisk Partners Alfred Bartkiewicz Deluxe Corporation Linnea Solem* Direct Computer Resources, Inc. Ed Stull* DriveSavers Data Recovery, Inc. Lynda Martel* eLCHEMY, Inc. Erin E. Kenneally The Financial Impact of Breached Protected Health Information download this publication freely at webstore.ansi.org/phi – 5 – Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. Europ Assistance USA Michael Billings, Vladimir Poletaev Evantix James Christiansen* Foley & Lardner LLP Peter McLaughlin, Andrew B. Serwin* FS-ISAC Eric Guerrino George Washington University Patricia MacTaggart HCA, Inc. David Vulcano Health Market Science Michael Nelson Henry Ford Health System Meredith Phillips IBM Corporation Jon Bogen ID Experts Christine Arevalo,* Bob Gregg, Rick Kam,* Doug Pollack Identity Theft Resource Center Linda Foley Independent Consultant Vivek Desai Independent Consultant Susan A. Miller, J.D. Independent Consultant Jane Schweiker Independent Consultant David Walling Independent Consultant Richard E. Wolfe Information Law Partners Regan Adams Internet Security Alliance Larry Clinton,* Joshua Magri, Stephanie Schaffer Kraft Foods Global Abhishek Agarwal LMI Roxanne Everetts, Virginia Stouffer McKesson Corporation Louise Smith, John B. Sapp Jr. MCM Solutions for Better Health Amy Gasbarro Meditology Services Cliff Baker, Bethany Page Middlegate Med Dr. Sean Scorvo MPV Nicole Miller North American Security Products Organization Ann Whitehead North Carolina Healthcare Information & Holt Anderson Communications Alliance Inc. N-Tegrity Solutions Group Mark Cone OlenderFeldman LLP Aaron Messing, Joseph S. Pecora, Jr. Orchestrate Healthcare George J. Gides, Jr. Patterson Companies, Inc. Adam Stone Phillips Nizer LLP Thomas Jackson Ponemon Institute Dr. Larry Ponemon* Powers Pyles Sutter & Verville PC James C. Pyles* Robert Pinheiro Consulting LLC Bob Pinheiro Sallie Mae Michael Castagna The Santa Fe Group Catherine Allen,* Robin Slade, Kelly Wagner Science Applications International Corporation Marsha Young Sentar Inc. Deborah Williams Shared Health Abraham Gilbert Sky Catcher Wendy Richards Stay Well Health Management Christine Sublett – 6 – download this publication freely at webstore.ansi.org/phi The Financial Impact of Breached Protected Health Information Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. Summit Security Group, LLC Dan Briley Swarmology Inc Malcolm Bohm Symantec Axel Wirth Terra Verde Ser vices Don Turnblade Triad Biometrics LLC Scott Coby Trinity Mother Frances Hospitals and Clinics Patrick Leech Tunitas Group Bill Pankey University of California Grace Crickette University of Kansas Jane M. Rosenthal University of Texas Center for Identity Dr. Suzanne Barber Veriphyr Nicole Borner Wells Fargo Insurance Services, Inc. Tim McClung Wentworth-Douglass Hospital Peter Lincoln West Virginia Dept. of Health & Human Resources Ellen Cannon The White Stone Group, Inc. Gretchen S. Johnson Zafesoft Sandeep Tiwari* *Subcommittee co-chair Thanks and acknowledgments are given for the support and participation of all the organizations that supplied experts to this initiative. Without the contributions of these individuals and their collective expertise, particularly those that chaired the various subcommittees and that participated actively, this final deliverable would not have been possible. Special acknowledgment and appreciation is given to Rick Kam of ID Experts for being the project chairman and co-chair of the Finale subcommittee, and to Ed Stull of Direct Computer Resources, Inc., for co-chairing the Finale subcommittee. Their leadership and dedication in helping to shape the initiative, lead its proceedings, and build consensus for the final deliverable were instrumental in reaching a successful outcome. Special thanks also go to Mary Chaput of Clearwater Compliance LLC for many hours spent editing the document and synthesizing the various inputs into a coherent report. Appreciation is given to the American National Standards Institute (ANSI), The Santa Fe Group, and the Internet Security Alliance (ISA) for the effective project management that kept this initiative on track and allowed for a successful delivery of the final publication in a timely manner, particularly from Jim McCabe, Liz Neiman, and Sally Seitz of ANSI; Catherine Allen, Robin Slade, and Kelly Wagner of The Santa Fe Group; and Larry Clinton, Joshua Magri, and Stephanie Schaffer of ISA. Special acknowledgment is given to Powers Pyles Sutter & Verville PC and the Consumer Electronics Association (CEA) for hosting project meetings. Special thanks are extended to Deluxe Corporation for printing the report. Appreciation is also extended to ID Experts and MacKenzie Marketing Group for their support on communications and outreach activities. The Financial Impact of Breached Protected Health Information download this publication freely at webstore.ansi.org/phi – 7 – Licensed to Mary Chaput. ANSI order Free_Document. Downloaded 3/11/2012 3:09 PM. Single user license only. Copying and networking prohibited. Thank you to the following outside reviewers for their insightful comments on the draft report which contributed to the final version presented here: – Mary N. Chaney, Founder and CEO, MBS Information Security Consulting, LLC – James H. Dykstra, Principal, Edington, Peel & Associates – Dr. John Adams Fox, President and CEO, FFC Computer Services, Inc. – Mathieu Gorge, Founder

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    67 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us