5 things CIOs need to know about funding the protection of PHI

With groups recently banding together to demand tighter security for protected health information (PHI), the financial side of a breach has been put front and center. But according to Rick Kam, president and cofounder of ID Experts, there's an aspect of protecting PHI that's "not getting picked up," and he is focusing on the relationship between CIO and CFO.

"We started on the path about a year ago to uncover what would happen if PHI was disclosed, and what the financial impact would be," said Kam, speaking of the recent report, "The Financial Impact of Breached Protected Health Information." He added that, "one of the things we realized is the value of data is in the eye of the beholder." 

With the wavering emphasis placed on protecting PHI, Kam and his team concluded it's up to the CIO to translate their technical-speak into money-speak. "They're good at talking technical, but get them in a room of CFOs, and unless they play ball or watch The National Hockey League, they're in trouble," he said.  

Kam outlines five things CIOs need to know about getting the funding they need to protect PHI. 

1. Organizations don’t understand the value of protecting PHI. According to Kam, it came as no surprise that many organizations don't understand the risks associated with PHI and disclosing it. "It's because the executive teams that run these organizations, many of them don't understand the risks and they don't understand the value of protecting it," he said. "And it's because you have so many other things on their plates that they're trying to do." Achieving meaningful use and preserving their Medicare and Medicaid streams are just a few examples of what may rank higher than investing in the protection of PHI, Kam said. 

2. CIOs and CFOs don't speak the same language. Kam and his team imagined a conversation among organization leaders to determine where a CIO may fall short in explaining the significance of investing in PHI protection. He explained that the VP of sales and the VP of marketing, for example, can easily present potential projects in terms of return on investment – something CIOs aren't naturally apt to think about. "They speak a different language," he said. "They'll pop up and say, 'We have several initiatives, like data loss prevention, encryption, firewalls,' and they'll go on at a cost of $10 million." Kam continued, saying that although a CIO may make the argument that legislation has been enacted, that may not be enough to get the funding they need. "As you could imagine, around the table, people are falling asleep," he said. "So when the CFO finally asks the question, 'So for every dollar we invest in all these initiatives, what is it going to return to our organization?' the CIO is dumfounded, and they can't answer."