Sunday, March 27, 2011

ANSI and Shared Assessments Launch Initiative to Examine Financial Impact and Harm of Breached Patient Information

This crossed my desk this week, and I jumped on it. I look forward to continuing to develop the RISK models, while controlling the Theater. First up, to help the group understand that HARM is not just due to financial impact. This is not news to Medical Device manufacturers, or Healthcare Providers; but it does seem to be a specific focus of this ANSI group. This broader definition of HARM has been a big discussion in the IEC/ISO 80001 discussions, and even there it isn't fully understood.

ANSI and Shared Assessments Launch Initiative to Examine Financial Impact and Harm of Breached Patient Information

New York, NY, March 23, 2011 – Healthcare organizations are struggling with two key concerns today: how to protect patient information and how to better understand the financial harm caused when protected health information (PHI) is lost or stolen. A new project – led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and its Healthcare Working Group – has been launched to explore the financial impact of unauthorized PHI access. The goal for the “ANSI/Shared Assessments PHI Project” is to identify frameworks for determining the economic impact of any disclosure or breach of protected patient data.

The ANSI/Shared Assessments PHI Project got underway last week with a meeting of its advisory committee. The initiative brings together professionals from across the industry: data security companies, identity theft protection providers and research organizations, legal experts on privacy and security, standards developers, and others.

This effort will culminate in a report targeted at those responsible for and entrusted with protecting and handling PHI. The report will help inform the healthcare industry in making investment decisions to protect PHI, as well as improve responsiveness if and when this patient information is breached. 

Rick Kam, president and co-founder of ID Experts, is chairing the initiative. “Organizations that are custodians of healthcare data are grappling with how to calculate their risk exposure when PHI is lost or stolen,” commented Kam. “The ANSI/Shared Assessments PHI Project will inform their investment decisions to protect PHI and will provide guidance on how to respond if this data is compromised.”

The group plans to tackle the problem by identifying existing legal protections related to PHI, defining points of compromise in the healthcare ecosystem where there are risks of exposure, and assessing the financial impacts of the disclosure of PHI. A survey is also contemplated to support the fact-finding process.

Industry experts are invited to participate in the next meeting, via a two-hour conference call on April 7, 2011, from 12:00 p.m. – 2:00 p.m. Eastern. Interested parties can send an email to to join in the work effort. There is no fee to participate and most of the work will take place via conference call over the next few months.

The initiative is made possible through the generous support of the following organizations: DriveSavers Data Recovery, Inc. (premium sponsor) and Affinion Group, Center for Identity Management and Information Protection of Utica College, Direct Computer Resources, Inc., Europ Assistance USA, ID Experts, and ZOHO ManageEngine (partner sponsors). Additional sponsors are welcome; see sponsorship opportunities.

About ANSI
The American National Standards Institute (ANSI) is a private non-profit organization whose mission is to enhance U.S. global competitiveness and the American quality of life by promoting, facilitating, and safeguarding the integrity of the voluntary standardization and conformity assessment system. Its membership is comprised of businesses, professional societies and trade associations, standards developers, government agencies, and consumer and labor organizations. The Institute represents the diverse interests of more than 125,000 companies and organizations and 3.5 million professionals worldwide.

The Institute is the official U.S. representative to the International Organization for Standardization (ISO) and, via the U.S. National Committee, the International Electrotechnical Commission (IEC), and is a U.S. representative to the International Accreditation Forum (IAF).

About the Shared Assessments Program
The Shared Assessments Program was created by leading financial institutions, the Big Four accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process. Through membership and use of the Shared Assessments tools (the Agreed Upon Procedures and the Standardized Information Gathering questionnaire), Shared Assessments offers outsourcers and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.
