PROTECTED HEALTH INFORMATION VALUE ESTIMATOR (PHIve)
The chief risk officer was invited to serve on an American National Standards Institute (ANSI) work group. The goal of the work group was to develop and publish a guide to bring attention to the risks associated with personal health information (PHI). When hospitals and medical centers perform risk assessments, they often fail to consider the magnitude of the disruption and reputational damage from a loss of personal health information.
Following participation in the work group, UC asked Bickmore (bickmore.net) to develop an electronic software tool for the Protected Health Information Value Estimator (PHIve). The methodology used in PHIve is described in greater detail with examples in the American National Standards Institute (ANSI) publication, "The Financial Impact of Breached Protected Health Information." ANSI's publication is available at the ANSI website.
The PHIve applies a practical methodology for protected personal health information to calculate the potential (or actual) cost of a data breach to their organization. The purpose of this exciting new tool is to help PHI protectors understand the financial impact of a PHI breach so they can evaluate and recommend the appropriate investments necessary to mitigate the risk of a data breach. This helps reduce potential financial exposure while strengthening the organization's reputation as a protector of the PHI entrusted to its care.
The tool will not make decisions for you, but it will help you organize your thinking as you consider the enterprise risk management implications of a breach of protected health information.
The five steps in PHIve are:
1. Assess risks.
Assess the risks, vulnerabilities, and applicable safeguards for each PHI home. A PHI home is any organizational function or space (administrative, physical, or technical) and/or any application, network, database, or system (electronic) that creates, maintains, stores, transmits, or disposes of ePHI or PHI.
2. Security readiness score.
Determine a security readiness score for each PHI home by determining the likelihood of a data breach based on the security readiness score scale.
3. Determine relevance.
For each PHI home that has an unacceptable security readiness score, examine the relevance (i.e., likelihood or applicability) of a particular cost category, and apply a relevance factor from a provided hierarchy.
4. Determine potential repercussions.
Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization. Types of repercussions include reputational (loss of patients, current customers, new customers, strategic partners, or staff), financial (including costs for remediation, communication, changes to insurance, changing associates, and business distraction), legal and regulatory, operational, and clinical.
5. Total the impacts: Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.
Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization.
-  webstore.ansi.org/phi.