5 things CIOs need to know about funding the protection of PHI
With groups recently banding together to demand a tightening of security for protected health information, looking at the financial side of a breach has been put front and center. But according to Rick Kam, president and cofounder of ID Experts, there's an aspect of protecting PHI that's "not getting picked up," and is focusing on the relationship between CIO and CFO.
"We started on the path about a year ago to uncover what would happen if PHI was disclosed, and what the financial impact would be," said Kam, speaking of the recent report, "The Financial Impact of Breached Protected Health Information." He added that, "one of the things we realized is the value of data is in the eye of the beholder."
With the wavering emphasis placed on protecting PHI, Kam and his team concluded it's up to the CIO to translate their technical-speak into money-speak. "They're good at talking technical, but get them in a room of CFOs, and unless they play ball or watch The National Hockey League, they're in trouble," he said.
Kam outlines five things CIOs need to know about getting the funding they need to protect PHI.
1. Organizations don’t understand the value of protecting PHI. According to Kam, it came as no surprise that many organizations don't understand the risks associated with PHI and disclosing it. "It's because the executive teams that run these organizations, many of them don't understand the risks and they don't understand the value of protecting it," he said. "And it's because you have so many other things on their plates that they're trying to do." Achieving meaningful use and preserving their Medicare and Medicaid streams are just a few examples of what may rank higher than investing in the protection of PHI, Kam said.
[See also: 6 tips for handling personal health information.]
2. CIOs and CFOs don't speak the same language. Kam and his team imagined a conversation among organization leaders to determine where a CIO may fall short in explaining the significance of investing in PHI protection. He explained that the VP of sales and the VP of marketing, for example, can easily present potential projects in terms of return on investment – something CIOs aren't naturally apt to think about. "They speak a different language," he said. "They'll pop up and say, 'We have several initiatives, like data loss prevention, encryption, firewalls,' and they'll go on at a cost of $10 million." Kam continued by saying although a CIO may make the argument that legislation has been enacted, that may not be enough to get the funding they need. "As you could imagine, around the table, people are falling asleep," he said. "So when the CFO finally asks the question, 'So for every dollar we invest in all these initiatives, what is it going to return to our organization?' the CIO is dumfounded, and they can't answer."
3. CIOs need to identify where their risks are. The first part of solving this communication problem said Kam, is for CIOs to do a little research at a very basic level. "[They need to] identify where they have areas or pieces of information that need to be protected, whether PII [personally identifiable information] or PHI, mental health records, and such," he said. Next, he continued, the appropriate risk mitigation strategies need to be identified as well. These could include solutions like encryption, data loss prevention, or processes and policies deemed important to include in the upcoming budgeting cycle. "They need to develop an appropriate plan of technologies and processes that would mitigate the risks of those particular situations," he said. "It won't just be a list – it'll be a proposal for various initiatives."
4. And then, those risks need to be translated into costs. It's important to think about all aspects of a potential breach, said Kam, to get the full view of where an organization could lose money. "We identified 50 or 60 cost elements," he said. Take, for example, the reputation of the entity. "Hiring a good PR firm to rebuild your reputation, or operational costs [for hiring] a new CIO," he said. Not to mention, almost every major breach nowadays comes with a class-action lawsuit. "The starting price tag is in the millions," said Kam. "So it's identifying all these various cost components but in the context of your organization." A company that provides data processing services, for example, wouldn't have the same needs as a major hospital. "So let's say the CIO works through this and they come up with $25 million as the risk value for a breach," he said. "They have that number based on all that information, so the question becomes, how much would be reasonable to invest?"
5. Presenting the information as a business case is key. Kam and his team looked to insurance companies for calculations to determine how much an organization should invest to deter against a breach. "So the CIO can now go to the CFO and say they've done a risk assessment to see the threats, and they have a handful of solutions in their pocket," he said. "They'd know, based on industry best practices, what the appropriate amount is to invest … based on the calculation, for example, an investment of roughly $8 million would be appropriate to protect against a $25 million loss." The CIO should present the business case to the CFO and CEO in their "language," said Kam. "So instead of talking about needing a firewall, [they'd say] 'We have a risk loss event of $25 million, so what we're looking to do is make a $2 million investment this year to protect against this single loss."
Follow Michelle McNickle on Twitter, @Michelle_writes