Internet Security Alliance Partners with ANSI, Shared Assessments
Project on Financial Impact of Breached Protected Health Information
CIMIP director to lend expertise to project
Utica, NY (04/25/2011) - The Internet Security Alliance (ISA) has joined the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and its Healthcare Working Group, for a new initiative on the financial impact of unauthorized access to protected health information (PHI). The “PHI Project” was formally kicked off April 7 via a two-hour webinar involving 110 participants.
“We are delighted to welcome ISA and its chief executive officer, Larry Clinton, as our partner in this initiative,” said Jim McCabe, ANSI senior director of standards facilitation, and Robin Slade, senior vice president and chief operating officer of The Santa Fe Group, which manages the Shared Assessments Program, in a joint statement. “ISA has been a leader in helping companies to take a holistic approach in understanding and addressing the financial ramifications of cyber security vulnerabilities across the enterprise,” Mr. McCabe added.
ISA and ANSI have an existing partnership for assuring enterprise-wide cybersecurity, which has resulted in the 2010 publication The Financial Management of Cyber Risk: An Implementation Framework for CFOs and its 2008 predecessor The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask. Mr. Clinton has traveled the country promoting this unique approach to dealing with cyber challenges through a series of “role-play” scenarios with other subject matter experts.
“The PHI Project we are embarking on is a logical follow-on to the earlier work, but tailored to a specific sector—in this case healthcare,” commented Mr. Clinton. “The financial impact on an enterprise that suffers a breach of PHI is significant, as is the potential reputational harm to an individual whose data has been compromised. Our focus will be on helping to inform organizations’ investment decisions in information security best practices and in financial risk mitigation strategies.”
Rick Kam, president and co-founder of ID Experts, and chairman of the PHI Project, explained the effort this way: “We need to develop an approach to translate the impact of the unauthorized disclosure of PHI on the individual. We can then use a formula to determine the potential financial risk to an enterprise based on the amount of PHI they need to protect or may disclose in a breach.”
The PHI Project aims to develop a report of its analysis within just a few months' time. The work effort will progress through several subcommittees, including:
§ a legal subcommittee that will identify existing legal protections related to PHI, co-chaired by Christine Arevalo of ID Experts, Chris Cwalina and Steve Roosa of Reed Smith, LLP, and Jim Pyles from Powers Pyles Sutter & Verville, PC;
§ a survey subcommittee that will query chief security / privacy officers or consumers on what they consider to be sensitive data, led by Christine El Eris and Michael Morelli of Affinion Group, Larry Ponemon of the Ponemon Institute, Don Rebovich of the Center for Identity Management and Information Protection at Utica College, and Andrew Serwin from Foley & Lardner LLP;
§ an ecosystem subcommittee that will define points of compromise in the healthcare ecosystem where there are risks of exposure, co-chaired by James Christiansen of Evantix, Gary Gordon of the Center for Identity at the University of Texas at Austin, and Lynda Martel of DriveSavers Data Recovery, Inc.;
§ a financial subcommittee that will assess the financial impact of the disclosure of PHI, led by Larry Clinton of ISA, Sandeep Tiwari of Zafesoft, and Debbie Wolf of Booz Allen Hamilton;
§ a communications subcommittee that will develop and manage a communications plan, co-chaired by Catherine Allen, chairman and CEO of The Santa Fe Group, representing Shared Assessments, and Linnea Solem of Deluxe Corporation; and
§ a final subcommittee that will facilitate overall integration of the subcommittee input with a view toward producing a coherent final report, led by Rick Kam of ID Experts and Ed Stull of Direct Computer Resources, Inc.
For additional information, see www.ansi.org/phi or send an email to firstname.lastname@example.org.
The initiative is made possible through the generous support of the organizations listed below. Additional partner sponsors are welcome; see sponsorship opportunities for more information.
§ Clearwater Compliance
§ DriveSavers Data Recovery, Inc.
§ Affinion Security Center
§ Booz Allen Hamilton
§ Center for Identity Management and Information Protection at Utica College
§ Direct Computer Resources, Inc.
§ Europ Assistance USA
§ ID Experts
§ ZOHO ManageEngine
The American National Standards Institute (ANSI) is a private non-profit organization whose mission is to enhance U.S. global competitiveness and the American quality of life by promoting, facilitating, and safeguarding the integrity of the voluntary standardization and conformity assessment system. Its membership is comprised of businesses, professional societies and trade associations, standards developers, government agencies, and consumer and labor organizations. The Institute represents the diverse interests of more than 125,000 companies and organizations and 3.5 million professionals worldwide.
The Institute is the official U.S. representative to the International Organization for Standardization (ISO) and, via the U.S. National Committee, the International Electrotechnical Commission (IEC), and is a U.S. representative to the International Accreditation Forum (IAF).
About the Shared Assessments Program
The Shared Assessments Program was created by leading financial institutions, the Big Four accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process. Through membership and use of the Shared Assessments tools (the Agreed Upon Procedures and the Standardized Information Gathering questionnaire), Shared Assessments offers outsourcers and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.
About the Internet Security Alliance
The Internet Security Alliance is a multi-sector trade association established in collaboration with Carnegie Mellon University in 2000. ISA's mission is to combine advanced technology with the pragmatic business needs of its members and help create effective public policy leading to a sustainable system of world-wide cybersecurity. ISA advocates a modernized social contract between industry and government creating market based incentives to motivate enhanced security of cyber systems. ISA provides its members with a range of technical, business and public policy services to assist them in fulfilling their mission.