A new report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, provides health care organizations with a new method to evaluate the “at risk” value of protected health information (PHI) that will enable them to make a business case for appropriate investments to better protect PHI.
This report was created through the “PHI Project” – a collaboration of the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) – that involved a cross-section of more than 100 health care industry leaders from over 70 organizations.
Representatives from Utica College and the Center for Identity Management and Information Protection (CIMIP) traveled to Washington to take part in a congressional briefing to unveil the Protected Health Information (PHI) Project report.
The survey responses revealed that the majority of participants want to comply and secure PHI, but they believe that budgetary constraints and the lack of executive commitment, leadership, and accountability, as well as the evolving nature of threats and the technologies available to protect PHI, combine to make real protection of health information extremely challenging.
Seventy-five percent believed their organization possesses effective policies to protect PHI and takes effective steps to protect PHI. But almost 40% did not believe that their organizational management views privacy and security as a priority, and 54% did not feel that their organization possesses sufficient resources to ensure that protection requirements are currently being effectively met. When asked about the complexity of the laws and the ease of compliance, only 12% felt the laws were “easy to understand” and only 14% thought the laws were “not difficult at all” to comply with. When asked to identify the most significant impediments their organization faces to achieving a strong privacy and data security posture with respect to how PHI is collected, used, and retained, the most common impediment was “lack of funding” (59%), followed by “insufficient time,” “lack of senior executive support,” and “lack of accountability and leadership.”
More than 85.3% of participants stated that accidental or inadvertent exposure from an insider was the “most likely” or “very likely” threat to protected data. More than 50% believed that some type of security threat was likely adversely affecting their organizations now.
The report is available for free download at webstore.ansi.org/phi.
Source: ANSI News Release