Now it’s some lazy journalist at Information Week aiding and abetting the pseudo-statistics of of the Ponemon Institute – screaming headlines of the cost of data breaches of PHI – protected healthcare information
According to Information Week; Analysis: Healthcare Breach Costs May Reach $800 Million
Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRUST, there have been 108 entities who have reported security breaches since September of last year.
Those breaches comprise about 4 million people and records.
In the analysis, Chris Hourihan Manager, CSF Development and Operations, HITRUST used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That’s $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.
What is the connection between the Ponemon studies (sponsored by data security vendors) and the PHI leakages?
Why is a PII leak and a meaningless plug number of $60 relevant to PHI (which requires a combination of medical data and personal identifiers?
Why can’t someone make a phone call and ask how much the companies actually paid in fines and then make a few more phone calls and start estimating ancillary costs and direct costs such as legal.
Why not just multiply by the average cost of an iPhone?
After all you can steal data with your mobile easily enough can’t you.
Cross-posted from Israeli-Security