Now you can measure the potential cost of a data breach in your organization and take appropriate steps to invest in a suitable solution that can prevent data breaches from occurring. The American National Standards Institute (ANSI), in collaboration with the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), issued a report titled “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security”, offering a five-step method to help healthcare organizations determine what a data breach may cost them.
This study also presents a method to help you determine the right amount of investment needed to strengthen your privacy and security programs, and thus help you reduce the probability of a breach.
The report is intended to help security and healthcare professionals better understand the risks and liabilities associated with data breaches. According to the report, the five key steps you need to follow to estimate breach costs are:
Step 1: Assessing risks, vulnerabilities and applicable safeguards for each ‘PHI home.’ According to the report, a PHI (protected health information) home is “any organizational function or space (administrative, physical or technical) and/or any application, network, database or system (electronic) that creates, maintains, stores, transmits or disposes of ePHI or PHI.”
Step 2: Using a ‘security readiness score’ scale to determine the likelihood of a data breach for each PHI home. The readiness score ranges from 1 (a data breach is virtually impossible) to 5 (a data breach is highly likely).
Step 3: Examining the relevance, likelihood or applicability of a particular cost category for each PHI home that has an unacceptable score, and applying a ‘relevance factor’ to it. The relevance factor ranges from hardly relevant (0.05) to a state of breach (1.00), covering both pre-breach and post-breach scenarios. For instance, when examining the possible repercussions of reputational damage, the nature of the organization's work is critical to the relevance and level of impact of those specific cost categories. It is also necessary to consider ‘hard vs. soft costs’.
Step 4: Using the formula ‘relevance × consequence’ to determine the impact of a potential breach, and arriving at an adjusted cost. The consequence is derived by calculating the potential costs based on considerations specific to your organization. Reputational repercussions could include loss of patients, loss of current customers, loss of new customers, loss of strategic partners and loss of staff. Financial and operational repercussions can be broader still.
Step 5: Determining the total cost to your organization by adding up the adjusted costs for all PHI homes. The total impact score ranges from “Severe” (impacting more than 6% of revenue) to “Insignificant” (less than 2% of revenue impacted).
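The five steps above, carried through end to end as an added example (not code from the report or from any product mentioned on this page). Assumptions, all labelled in the code: a readiness score of 3 or higher is treated as ‘unacceptable’, the band between 2% and 6% of revenue is labelled “Moderate” because the page does not name it, and the PHI homes, cost categories and dollar figures are constructed sample data.

```python
from dataclasses import dataclass, field

UNACCEPTABLE_SCORE = 3  # assumption: the report leaves this threshold to the assessor


@dataclass
class CostCategory:
    name: str
    relevance: float    # relevance factor: 0.05 (hardly relevant) .. 1.00 (state of breach)
    consequence: float  # potential cost of this category for the organization, in dollars


@dataclass
class PHIHome:
    name: str
    readiness_score: int  # 1 (breach virtually impossible) .. 5 (breach highly likely)
    categories: list = field(default_factory=list)


def adjusted_cost(cat: CostCategory) -> float:
    """Step 4: adjusted cost = relevance x consequence."""
    if not 0.05 <= cat.relevance <= 1.0:
        raise ValueError(f"relevance factor out of range for {cat.name}: {cat.relevance}")
    return cat.relevance * cat.consequence


def home_cost(home: PHIHome) -> float:
    """Steps 2-3: only PHI homes with an unacceptable readiness score contribute."""
    if not 1 <= home.readiness_score <= 5:
        raise ValueError(f"readiness score out of range for {home.name}")
    if home.readiness_score < UNACCEPTABLE_SCORE:
        return 0.0
    return sum(adjusted_cost(c) for c in home.categories)


def total_breach_cost(homes: list) -> float:
    """Step 5: sum the adjusted costs across all PHI homes."""
    return sum(home_cost(h) for h in homes)


def impact_rating(total_cost: float, annual_revenue: float) -> str:
    """Step 5 banding: 'Severe' above 6% of revenue, 'Insignificant' below 2%."""
    pct = total_cost / annual_revenue * 100
    if pct > 6:
        return "Severe"
    if pct < 2:
        return "Insignificant"
    return "Moderate"  # assumption: the page does not name the 2%-6% band


# Constructed sample data: three PHI homes at a hypothetical provider with $40M revenue
SAMPLE_HOMES = [
    PHIHome("EHR database", 4, [CostCategory("Reputational: loss of patients", 0.75, 1_200_000),
                                CostCategory("Legal and regulatory", 0.50, 400_000)]),
    PHIHome("Billing system", 3, [CostCategory("Operational: breach notification", 1.00, 150_000)]),
    PHIHome("Archived paper records", 2, [CostCategory("Reputational", 0.25, 300_000)]),
]
SAMPLE_REVENUE = 40_000_000

if __name__ == "__main__":
    total = total_breach_cost(SAMPLE_HOMES)
    print(f"Estimated breach cost: ${total:,.0f} -> {impact_rating(total, SAMPLE_REVENUE)}")
```

The archived-records home contributes nothing because its readiness score is below the assumed threshold, which is exactly the filtering Step 3 describes.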
The report concludes that by performing a detailed risk assessment in your organization and calculating the potential costs of breaches, you can effectively justify your investment in breach prevention. Since no organization can afford to ignore the consequences of a breach, it is best to follow the steps above and measure the potential cost of a data breach. This is where SecureGRC can be valuable. It provides the capability to perform a detailed risk analysis using a sophisticated model, and supports you through the process of estimating potential breach costs and justifying your security investments.