This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Curing the Ills of Healthcare Security

A new report is a wakeup call, and not just for CIOs and CSOs.

As medical records go online, data breaches of protected health information (PHI) are becoming increasingly common. A new report steps up the pressure for better security and provides some tools to help.

The report was put together by a group of standards and security organizations led by the American National Standards Institute, The Santa Fe Group, and the Internet Security Alliance. It is titled The Financial Impact of Breached Protected Health Information, and it aims to shine a spotlight on how bad the recent and current problems of electronic health record (EHR) data security actually are. The goal is to provide ammunition and tools for security proponents to make their case to upper management that security has to be baked-in from the start of EHR projects.

The security in place for most EHR projects is clearly not adequate, given statistics like these:

Tools and concrete examples
Nearly half the report, 31 pages out of 68, is devoted to detailed walkthroughs of threats, safeguards, controls, and a 5-step method of estimating the cost of a data breach. This latter tool, which the report dubs "PHIve," consists of: conducting a risk assessment, determining a security readiness score, assessing the relevance of a cost, determining the impact, and finally calculating the total cost of a breach. Each step is described in sufficient detail that a CIO or CSO could apply the PHIve process to their own situation. Finally, there is a 14-page chapter devoted to estimating the costs of a fully worked-out breach scenario: "Unintentional, Business Associate, 845,000 Records, Clinical Fraud Resulting in 1 Death, Financial and Clinical Fraud, NY."

Security is not frequently used in the same sentence as agility. (In a future blog we'll explore how security can fit in with and enhance agile development processes.) But in the case of PHI, people's trust in the privacy and security of their medical data is a rock-bottom requirement. No EHR system can succeed if that trust is breached. True agility in this context consists of meeting all market and customer requirements -- security foremost among them.