Many hospitals say that protecting patient health information is an important priority. However, when the rubber meets the road, it can be difficult for healthcare cybersecurity professionals to obtain the buy-in necessary to ensure their organization is adequately equipped to take on the enormous task. This is just one of the many challenges hospitals face with risk management and protecting PHI.

As we’ve said before, cybersecurity is a business objective, not just an IT objective. So, how can you go about demonstrating the ROI of risk management when it comes to protecting your healthcare organization against a cyber-attack? Here are three money-backed reasons your organization needs a proactive risk management stance for protecting PHI:

3 Reasons for Proactive Risk Management for Protecting PHI

  1. Proactive risk management helps you avoid HIPAA fines and penalties. Healthcare organizations paid more than $19 million in fines in 2017. The sad part is that a significant majority of those fines could have been prevented had the organizations taken the appropriate risk management steps. The penalties for non-compliance are very expensive compared to the cost of proactive risk management.
  2. Proactive risk management helps you avoid growing ransomware threats. Ransomware accounted for four of the top five healthcare cybersecurity breaches reported during 2017, costing healthcare organizations billions of dollars. Investing in risk management is a no-brainer when all signs indicate the number (and impact) of ransomware attacks will only grow.
  3. Proactive risk management is cheaper than a breach. Data breaches can be crippling to healthcare organizations. Lost revenue is the most immediate impact of not proactively protecting your data, but the costs of a breach go well beyond financial penalties, and they can hit both short-term and long-term revenue.

How to Demonstrate the ROI of Risk Management for Protecting PHI

Yes, you might know all the benefits of risk management, but how do you communicate them to key stakeholders? The best way to calculate ROI is to base the numbers on direct financial loss prevention. For example, if by spending $500 you can prevent a highly probable annual loss of $10,000, your management will happily allocate the $500.

Here are three steps you can take to calculate the ROI of investing in risk management:

  1. Calculate an annual loss expectancy (ALE). The first step is to define an approximate annual financial loss that would be caused by specific risks and threats if they are not properly mitigated. The formula is: ALE = (Number of Incidents per Year) × (Potential Loss per Incident). For a PHI exposure, the potential loss per incident can be estimated as the number of records exposed multiplied by a per-record cost; according to the most recent study, the average cost of a healthcare data breach was $380 per record. Sum the ALE of each risk you intend to address to get the total ALE the program is meant to reduce.
  2. Identify an appropriate risk management budget. The easiest way to get financial resources allocated for risk management is to present your leadership team with the most efficient and effective solutions and products. Research here is vital. Identify and prioritize the systems and solutions that will make the most significant impact on your program.
  3. Calculate ROI. Once you have identified your annual loss expectancy and added up your risk management budget, it is time to calculate the ROI. The formula is: ROI = (Annual Loss Expectancy / Proposed Risk Management Budget) × 100%. For example, if your ALE is $2.5M and your cybersecurity budget comes in around $150,000, the ROI would be 1,667%. Note that this simple ratio treats the entire ALE as loss avoided; a more conservative figure, and the one a finance stakeholder is likely to expect, counts only the portion of the ALE the proposed controls actually remove and subtracts the cost of the controls: (Loss Avoided − Budget) / Budget × 100%, which with the same numbers gives 1,567%. Either way, the point to make is that the budget is an order of magnitude smaller than the expected loss it prevents.
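The three steps above carried through as a small risk-register model, as an added example that is not part of the original article or of any LBMC product. It uses the article's formulas and its $380-per-record figure; the register entries (incident frequencies, record counts and mitigation percentages) are constructed sample values, and the `mitigation` field is an assumption the article does not use, added to show the difference between the article's simple ROI ratio and a return-on-security-investment figure that subtracts the budget and credits only the loss the controls actually remove.

```python
"""ALE and ROI worked example for a PHI risk register (constructed data)."""
from dataclasses import dataclass

# Per-record breach cost cited in the article (USD).
COST_PER_RECORD = 380.0


@dataclass
class Risk:
    """One line of a risk register.

    incidents_per_year: expected occurrences per year (ARO).
    records_exposed:    PHI records affected per incident (constructed).
    mitigation:         fraction of this risk's ALE the proposed control removes,
                        0.0 to 1.0. Assumption added for the ROSI comparison;
                        the article's formula implicitly uses 1.0.
    """
    name: str
    incidents_per_year: float
    records_exposed: int
    mitigation: float = 1.0

    def loss_per_incident(self, cost_per_record: float = COST_PER_RECORD) -> float:
        # Potential loss per incident = records exposed x cost per record.
        return self.records_exposed * cost_per_record

    def ale(self, cost_per_record: float = COST_PER_RECORD) -> float:
        # Article's formula: ALE = incidents per year x potential loss per incident.
        return self.incidents_per_year * self.loss_per_incident(cost_per_record)

    def loss_avoided(self, cost_per_record: float = COST_PER_RECORD) -> float:
        # Only the mitigated share of the ALE counts as avoided loss.
        return self.ale(cost_per_record) * self.mitigation


def total_ale(risks: list[Risk]) -> float:
    return sum(r.ale() for r in risks)


def total_loss_avoided(risks: list[Risk]) -> float:
    return sum(r.loss_avoided() for r in risks)


def roi_simple(ale: float, budget: float) -> float:
    """Article's formula: ROI = ALE / budget x 100%."""
    return ale / budget * 100.0


def rosi(risks: list[Risk], budget: float) -> float:
    """Return on security investment: (loss avoided - budget) / budget x 100%.

    Credits only the mitigated portion of each risk and subtracts the cost
    of the controls, so it is always lower than roi_simple for the same inputs.
    """
    return (total_loss_avoided(risks) - budget) / budget * 100.0


def max_justifiable_budget(risks: list[Risk]) -> float:
    """Largest budget at which ROSI is still >= 0, i.e. the total loss avoided."""
    return total_loss_avoided(risks)


# Constructed sample register; the numbers are illustrative, not survey data.
REGISTER = [
    Risk("ransomware on departmental file server", 0.5, 10_000, 0.80),
    Risk("lost or stolen unencrypted laptop", 2.0, 500, 0.95),
    Risk("misdirected fax or email with PHI", 12.0, 5, 0.50),
]
BUDGET = 150_000.0  # proposed annual risk management budget (constructed)


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:45s} ALE ${r.ale():>12,.0f}  avoided ${r.loss_avoided():>12,.0f}")
    print(f"total ALE             ${total_ale(REGISTER):,.0f}")
    print(f"article ROI ratio     {roi_simple(total_ale(REGISTER), BUDGET):,.1f}%")
    print(f"ROSI (net of budget)  {rosi(REGISTER, BUDGET):,.1f}%")
    print(f"break-even budget     ${max_justifiable_budget(REGISTER):,.0f}")
    # The article's own numbers, for comparison:
    print(f"article example       {roi_simple(2_500_000, 150_000):,.0f}%")
```

Running it shows the total ALE of the sample register is about $2.3M, the article's simple ratio comes out above 1,500%, and the net ROSI, which credits only 50 to 95 percent of each risk as avoided, is lower but still well into four figures. The break-even figure is the number to lead with when a stakeholder asks how much is too much: it is the point where the controls cost as much as the loss they remove.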

The Most Affordable Risk Management Software for Protecting PHI

At LBMC Information Security, we know that fighting for financial resources to build your cybersecurity program can be challenging. That’s why we created BALLAST. Not only does it provide you a new level of accountability and support for protecting PHI, it is priced based on your specific needs.

To learn more about how BALLAST can be a cost-effective solution to make risk management and healthcare compliance easier for your hospital or healthcare organization, connect with our team today.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.