Data Breach Costing Model Provides Compelling Support for ROI on Security Investments

Risk management and compliance thought leaders from Clearwater Compliance LLC play prominent role in co-sponsored report published today

Clearwater Compliance LLC

Making HIPAA-HITECH Compliance Easy

Clearwater Compliance, a prominent HIPAA-HITECH compliance consultancy, is once again taking a leading role in helping organizations ensure the protection of health information with the publication of a new report entitled “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.” The objective of the report is to present both an argument and a method for developing a credible economic case for the investment of sufficient resources to protect the confidentiality, integrity, and availability of PHI.

Co-sponsored by Clearwater Compliance, the report is the result of the “Protected Health Information (PHI) Project,” an initiative launched last spring by the American National Standards Institute (ANSI) to evaluate the financial impact of unauthorized access to Protected Health Information (PHI). Clearwater Compliance was an active participant on the Advisory Committee and on a number of the subcommittees tasked with the research, the development of the tool, and the writing and publishing of findings and recommendations.

Even with the increased focus on enforcement of HIPAA and HITECH requirements, the security efforts of organizations responsible for safeguarding PHI are simply not keeping pace with the growing risks of exposure of PHI. Those risks are a result of increasing electronic health record (EHR) adoption, the growing number of organizations handling PHI and the higher rewards of PHI theft. In order to deliver quality health care and ensure patient safety, organizations in the health care industry and their service providers require adequate processes and resources to protect PHI, the report asserts.

The report provides the protectors of PHI (CFOs, CISOs, CIOs, IT security, privacy and compliance personnel) with information to help them better understand the inherent threats to PHI, and tools to help them cost-justify more investment in security based on the potential risks and liabilities resulting from data breaches. Armed with this newly developed information, it is hoped these “PHI protectors” can win more battles for capital and resources to strengthen PHI privacy and security programs. Mary Chaput, Clearwater Compliance’s Chief Financial Officer and Compliance Officer, is participating today in a press event at the National Press Club and a Congressional staff briefing on Capitol Hill to present the findings and best practices put forward in the paper.

“As the report clearly illustrates,” Ms. Chaput said, “preventive measures such as security technology, policies and procedures to protect PHI and security awareness training can be implemented to help mitigate risk and reduce either the probability or the impact of a PHI breach. But implementing these measures costs money, and, as the survey conducted by the PHI Project indicates, health care organizations are simply not committing sufficient resources to their security programs. This is the problem the PHI Project is attempting to solve through publication of this important report.”

Some highlights of the paper include:

  • Statistics and real-life examples that underscore the need for organizations to invest in developing and implementing policies and procedures, in addition to workforce training to ensure the avoidance of unintended disclosures of PHI.
  • PHIve (PHI Value Estimator, pronounced “five”), the 5-step method outlined in the report for assessing security risks and developing appropriate investment levels to mitigate them. It begins with a risk analysis (the determination of the risks, threats, vulnerabilities and applicable safeguards for each information asset that creates, transmits, maintains or stores PHI) and ends with tools for calculating the potential cost of a data breach that is specific to an organization.

“According to a November 2011 survey conducted by Ponemon Institute, almost every participating provider organization (96%) reported having had at least one data breach in the past 24 months,” Clearwater Compliance President Bob Chaput said. “In addition, the survey indicated that on average, health organizations have had four data breach incidents during the past two years. Budgets are tight but a persuasive analysis on the ROI in enhanced security programs will result in improved PHI safety. This paper provides a compelling financial and ethical case that there is a tangible financial return on security investments.”

Mr. Chaput will also be participating on a number of upcoming panels, including “Health Care Privacy and Security Consortia” at the Nashville Technology Council event in Nashville, TN, on March 8, 2012, and “Managing to the ‘New Reality’ in Healthcare Privacy: Project Findings Report from the ANSI/Shared Assessments/ISA PHI Project” at the Shared Assessments Summit 2012 on March 13, 2012, in Cambridge, Massachusetts.

Mr. Chaput concluded, “Clearwater Compliance has helped many health care covered entities and business associates strengthen their compliance programs through education programs, software and services. We are pleased to have played such a significant role in the PHI Project and publication of this seminal report.”

Further information about the PHI Project can be found by visiting

Clearwater Compliance

Clearwater Compliance helps covered entities, business associates and their subcontractors meet stringent HIPAA-HITECH Privacy, Security and Data Breach Notification requirements through risk management software, services and solutions. Clearwater offers frequent webinars on topics related to HIPAA, the HITECH Act, and the HIPAA Security Rule. Please visit to register for a webinar, learn more about HIPAA-HITECH requirements or sign up for our compliance newsletter.

# # #


Contact Author

Mary Chaput