Chapter 7

Making the Business Case to Justify an IG Program

The best way to measure the viability of an IG program is by determining if the investment of time and resources is going to be a worthwhile and profitable one.

The first step in justifying an IG program is to understand what key factors qualify a project as viable in a particular organization. Once that is known, steps to build the business case that satisfy or exceed those requirements can be taken.

Look for hard cost savings first. Beyond that, the benefits of information risk reduction, lower rates of medical mistakes, reduced legal exposure, and productivity of knowledge workers must be made clear to executive management to help solidify the business case.

At times the business rationale for implementing an IG program may begin with qualitative analysis; however, efforts to improve qualitatively can turn into measurable quantitative gains. For instance, focusing on patient satisfaction can bring real improvements in patient outcomes which are reflected in improved population health and reduced mortality rates.

The executive sponsor must actively develop and own the business case, so it is important to get it right. It is best to look for hard dollar savings where possible, establish meaningful metrics, and attempt to quantify the value of ongoing information risk reduction. That value can be realized in actual financial savings when negotiating cyber-insurance rates. It can also be measured as a cost avoidance value when breaches are avoided, suppressed, or their damage is minimized.

There are clear tangible and intangible benefits to implementing IG, and multiple business drivers to justify an IG program. Improving patient outcomes and reducing mortality rates are paramount goals, followed by the impact of possible leakage of ePHI and ePII, fears of HIPAA compliance violations and major fines, spiraling e-discovery costs, or even European General Data Protection Regulation (GDPR) non-compliance.

Why Healthcare Organizations Are at the Greatest Risk

When rogue players go after healthcare institutions, they do so because not only can they gain access to financial information, but also to insurance credentials and patient health histories. This information lasts a lifetime and hackers can sell it on the dark web for much more than basic credit card information, which becomes obsolete once passwords are changed. Further, the health record and insurance credentials can be sold and people can use these stolen credentials to have expensive medical procedures performed. They simply have to be the same gender and blood type, and approximately the same age and race, and then with these stolen health credentials they may have a hip or shoulder replaced, or perhaps even heart surgery.

A 2017 study by the Ponemon Institute [1] showed that healthcare data breaches were the most costly of all industry sectors, outpacing most sectors by a factor of two to one.

Saving Lives: Improving Patient Care and Outcomes

It is clear that the leading goal of IG programs in healthcare is to improve clinical outcomes, save lives, and improve overall population health. With this as a driving program focus, there are several aspects that can be addressed. First, a robust data governance program focusing on improving clinical data quality can help improve the accuracy of provider analyses, improve care, and improve patient outcomes. It can also provide more accurate data for longitudinal studies. Second, a program focus can emphasize reducing medical mistakes, which are the third leading cause of death in the U.S. behind heart disease and cancer, killing over a quarter of a million Americans each year.[2] Third, the use of analytics can not only improve the quality of analysis for caregivers to base their decisions upon, thereby improving patient outcomes, but also, there can be broader benefits. For instance, software developed at Boston Children’s Hospital uses analytics to detect “subtle patterns” and “faint signals” in detecting, plotting, and tracking disease outbreaks.[3] The software, HealthMap, scans “billions of posts from tens of thousands of social media sites, local news, government publications, infectious-disease online physicians’ discussion groups, RSS feeds, and other sources.” This process is repeated hourly to keep it current. It also uses machine learning technology (a form of artificial intelligence) to improve its prediction capabilities by matching confirmed disease outbreaks with information that had been compiled on them. The ability to quickly identify outbreaks can assist local healthcare organizations to respond and contain them more quickly and effectively.

Population Health Milestones and Metrics

Each organization will have a different set of milestones and metrics to measure progress. Some sample ones that can be used in the population health area of your IG program include:

1. Implement new medical error detection procedures and audit checks within six months.

2. Reduce medical mistakes by 10% from the average for the previous five years (or national average), within two years.

3. Reduce mortality rates for specific conditions (e.g. breast cancer) by 5% within three years.

4. Improve patient satisfaction rates by 20% over a baseline measurement within two years.

Breach and Ransomware Preparedness and Patient Trust

Information security is one of the main pillars of IG. Safeguarding patient records is of paramount importance. Consumers expect healthcare organizations not only to care for them, but also to exercise care and prudence when handling their PHI and sensitive data.

Breaches in the healthcare industry have become increasingly common. Some of the major data breaches in 2017 included:

■ Potentially over 100,000 patients’ ePHI was breached at Mid-Michigan Physicians Imaging Center, although only seven were confirmed. The Center delayed reporting the breach while they investigated, and ended up paying a $475,000 fine levied by the Health and Human Services Office for Civil Rights (OCR), as timely reporting is required for HIPAA compliance.

■ Bupa, an international health insurer, reported that an employee stole the PII of over 100,000 customers, but that the majority of their over 1.4 million customers were not affected. Since the theft, Bupa has increased security measures and conducted an investigation.

■ Washington State University reported the theft of a locked safe which contained a hard drive holding the personal data of about one million people.

■ Molina Healthcare, a major Medicaid and Affordable Care Act insurer, shut down its patient portal after it found a rudimentary security flaw allowing access to patient medical claims data. Over 4.8 million patient accounts may have been affected.

Also in 2017, OCR levied a civil penalty of $3.2 million against Children’s Medical Center of Dallas for breaches of ePHI which occurred in 2009 and 2013.[4]

A major data breach creates a breach of patient trust, and this can have financial consequences for healthcare organizations. Over two-thirds of consumers stated they would consider leaving their healthcare provider if it suffered a ransomware attack.[5]

Ransomware attacks were classified as breaches in a July 2016 statement by the Health and Human Services Office for Civil Rights (OCR). The OCR went further and stated that ransomware attacks are subject to the HIPAA Breach Notification Rule.

In April 2017, a ransomware attack was made on 6,000 computers at Erie County Medical Center (ECMC) in Buffalo, New York.[6] Short ransom notes began popping up on staff computer screens saying the hospital’s files had been encrypted, along with a demand for payment of approximately $30,000 in bitcoins. ECMC shut down its computer systems within 90 minutes and began operating offline. They were determined not to pay the ransom, and they did not. But it was very costly. The disruption lasted over six weeks and cost ECMC nearly $10 million, as they wiped all computers completely clean of any data and restored them from backups. During most of that time patient registration, notes, and prescriptions were written by hand and for the first three weeks lab results were sent by couriers. Should they have just paid the $30,000? Hindsight is 20/20, but management may have been fearful that even if they paid, the ransom requests would continue, and could escalate, and that there still could be malware lurking on their systems. They took a prudent, yet expensive, course. But if they had had an IG program implemented, the attack may have never taken place. Hackers, like robbers, go for the easiest and most vulnerable targets.

Other management teams have decided to pay the ransom, report it, and then focus on hardening their information security practices and training employees on emerging threats. In February 2016, Hollywood Presbyterian Medical Center paid $17,000 worth of bitcoins in ransom to regain access to their systems which had been encrypted.[7]

Another ransomware attack took place in June 2017, hitting Pacific Alliance Medical Center (PAMC) in Los Angeles and compromising the ePHI and other sensitive data of over 260,000 patients.[8] PAMC’s notice to patients did not state whether or not ransom was paid, but officials could not rule out whether the ePHI was viewed or stolen.

Due to the July 2016 statement made by the Office for Civil Rights, tightening its reporting requirements for ransomware, PAMC took a cautious approach to reporting the incident and also offered two years of identity theft monitoring to its patients at no cost.[9]

Other Types of Breaches: Medical Devices

Connected medical devices offer new possibilities for continuously monitored patient care, which can improve outcomes and research data collection. In the U.S., an average of 10–15 devices are connected per hospital bed. With more and more medical devices being connected, there are inherent vulnerabilities that bad actors may exploit. For instance, in September 2017, the Department of Homeland Security warned that a security flaw in syringe infusion pumps made by Smith Medical may allow hackers to gain access and control of the device, even changing the amount and timing of medication that is administered.[10]

So healthcare organizations must, as a part of their overall IG program, institute a thorough medical device connectivity vulnerability evaluation program, beginning with vetting vendors and changing default security settings. (Smith Medical issued a software patch to address the vulnerability and stated the issue was resolved in January 2018.)

Cyber-security Milestones and Metrics

Some basic milestones and metrics that can be used in the cyber-security area of your IG program include:

1. Security Awareness Training: Train all information-handling employees on cyber-security hygiene within 90 days, and measure their retention with basic testing.

2. Create an ongoing communications and training plan for cyber-security hygiene and implement within 90 days.

3. Complete a mock breach response exercise, analyze any weaknesses, and update procedures within 90 days.

4. Reduce the number of lost or stolen mobile devices by 50% over the previous year.

5. Reduce hacker intrusion events by 25% over the previous year.

Safeguarding Privacy

Information security is the first requirement before information privacy can be enforced in an IG program. Patient privacy is part of the trust equation consumers have with healthcare providers. Special privacy protections for health information go back centuries. The Hippocratic Oath states, “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”[11] The doctor–patient relationship is protected in many countries by not only tradition, but law.

To ensure patient privacy is vigilantly guarded, a fundamental step is to initiate privacy awareness training as a part of an overall IG program. This training can include a review and update on patient privacy rights, as well as information on the latest phishing, smishing (using SMS text), and ransomware attacks. The training could also review privacy guidelines for the use of e-mail, mobile devices, cloud applications, and social media.

Information Privacy Milestones and Metrics

Some basic milestones and metrics that can be used in the information privacy area of your IG program include:

1. Privacy Awareness Training: Train 50% of information-handling employees on information privacy laws and Best Practices within 45 days, the remaining 50% within 90 days, and measure their retention with basic testing.

2. Create an ongoing communications and training plan for patient privacy and implement within 90 days. Reach 100% of the target employees within 90 days.

3. Update the organizational privacy policy within 90 days and publish on corporate website, and brief 100% of employees in the target group within 90 days.

4. Complete a mock privacy breach response tabletop exercise, analyze any weaknesses, and update procedures within 90 days.

Improving Operational Efficiency

Legally defensible deletion of information, that is, deletion based on standardized, enforced policies, is going to be a driver of cost reduction in any IG program. The goal of these efforts is to shrink the “storage footprint”—the gross amount of information being stored by the organization—and therefore reduce operating costs. In addition, this process has other benefits.

Deleting redundant, outdated, and trivial (ROT) business information—which is approximately 40%–70% of what the majority of organizations manage—will not only drive down hard storage costs, but it also helps to reduce legal and compliance risks and make information more findable and accessible for knowledge workers, boosting their productivity while improving the professional work environment.

Operational Efficiency Milestones and Metrics

Some basic milestones and metrics that can be used in the operational efficiency/productivity area of your IG program include:

1. Train knowledge workers in the target areas on new search capabilities and methods within 90 days.

2. Reduce average time spent searching for information by knowledge workers in the Business Office by 25% over previous baseline results, within one year.

3. Use file analysis software to conduct a cleanup and cut ROT on shared drives from a baseline of approximately 40% to 20% or less within one year.

4. Use file analysis software to conduct a cleanup and reduce storage footprint of shared drives in business units by 20% within six months.

Reducing Legal Costs

Electronic information is being created today at unprecedented and increasing rates. Healthcare organizations, which have typically been laggards in technology implementations when compared to other industry segments, are struggling to manage this onslaught, and it is driving up legal costs. “This surplus of electronically stored information (ESI) is, in reality, driving up the cost of storage, raising the cost and risk of eDiscovery and regulatory compliance, negatively impacting employee productivity, and raising the prospect of intellectual property theft and ePII leakage.”[12]

A robust IG program addresses these growing challenges.

Critical questions to raise during the decision-making process include: What if we are not able to meet legal demands for records production during litigation? What can happen if auditors or regulators investigate our recordkeeping practices? These types of serious questions must be asked and can only be addressed with a successful IG program.

Legal Operations Milestones and Metrics

Some basic milestones and metrics that can be used in the Legal area of your IG program include:

1. Revise and update the Legal Hold Notification (LHN) process within six months.

2. Train all data stewards and business unit heads on new LHN within nine months.

3. Evaluate, select, and implement predictive coding software within six months, and train 10 power users.

4. Reduce the cost-per-GB for attorney review of e-documents from a baseline of approximately $18K/GB to $10K/GB or less within one year.

5. Use file analysis software to conduct a cleanup and cut ROT on shared drives from a baseline of approximately 40% to 20% or less within one year.

6. Evaluate, select, and implement digital signature software within six months, and train 10 power users.

One Big Negative Event Can Change the Ballgame

The September 11th terrorist attacks on New York and Washington, D.C., and Hurricane Katrina hitting New Orleans and the Gulf Coast changed the realities of disaster recovery and business continuity plans. And the WikiLeaks revelations changed the realities of e-document security. So too can one large adverse event—like a major data breach or particularly costly lawsuit—change the way a healthcare organization considers managing, securing, and governing information.

Business Drivers for IG Programs

According to Osterman Research, in its report entitled The True ROI of Information Governance, the top three drivers for justifying an IG program are:

1. Risk avoidance;

2. Regulatory risk mitigation; and,

3. Employee productivity improvement.[13]

As noted in that report, having a comprehensive understanding of total costs before and after applying any solutions is the key to building a believable ROI Model. The cost analysis might focus on a target area and may be as simple as information storage costs, or more complex and somewhat of a moving target like e-discovery collection and review costs. (Often it is tough to get an internal legal team to break these out accurately.)

Once the baseline costs have been determined, estimated savings can be calculated using the appropriate financial models or justification approaches that suit a particular organization.

Hard Cost Savings

1. Information collection during litigation: As the volume and velocity of electronically stored information (ESI) rises, so will e-discovery costs during litigation, along with the costs and effort to classify, categorize, and manage ESI on a daily basis. End users will take the path of least resistance, which means the information will be organized in accordance with the skillset of those end users, and with a minimum of effort. The lack of consistency will ultimately add to information collection costs whenever there is an e-discovery request.[14]

2. Document review for litigation: This function is usually done by attorneys or high-end paralegals at an hourly billing rate per document or per megabyte. The more documents subject to legal review, the higher the cost. By proactively removing unnecessary and irrelevant ESI, fewer documents will have to be reviewed, resulting in lower review costs.

3. Information storage savings: Contrary to what many believe about storage costs getting cheaper, the exact opposite is true for organizations today (which rely on online access to enterprise storage), due to rapidly increasing volumes. One must consider the full cost of information ownership, which includes not only storage hardware but floor space, air conditioning, electricity to run the hardware and software, maintenance and support costs, staff salaries, contractor costs, and physical and software security, to name a few. As noted in the Osterman report, “an IG program will deliver two areas of storage savings: the percentage of storage resources freed up due to more efficient and ongoing data retention/disposition procedures, and the continuing storage savings from an ongoing defensible disposition practice.”[15]
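The three hard-cost items above (collection, review, and storage) become persuasive to executives only when they are put into a before-and-after model. The following is an added illustration, not code from the chapter or from the Osterman report: a small multi-year model that applies the two storage-savings mechanisms the report names (a one-time freed-up share from cleanup, plus continuing savings from ongoing defensible disposition) and the review-cost reduction from sending less ROT to attorneys. The ROT baseline and target (40% to 20%) and the review rates ($18K/GB to $10K/GB) are the milestone figures stated in this chapter; every other number (baseline volume, growth rate, cost per TB-year, disposition rate, review volume, program cost) is a constructed placeholder that an organization would replace with its own baseline measurements.

```python
"""Before/after cost model for an IG business case (added example).

Figures marked "constructed" are placeholders, not data from the chapter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    baseline_tb: float = 500.0        # TB stored at program start (constructed)
    growth_rate: float = 0.30         # annual growth of retained data (constructed)
    cost_per_tb_year: float = 3000.0  # full cost of ownership per TB-year: hardware,
                                      # floor space, power, support, staff (constructed)
    rot_share: float = 0.40           # ROT share before cleanup (chapter milestone baseline)
    rot_target: float = 0.20          # ROT share after cleanup (chapter milestone target)
    disposition_rate: float = 0.25    # share of each year's new data disposed of
                                      # under the ongoing retention policy (constructed)
    review_gb_per_year: float = 50.0  # GB sent to attorney review per year (constructed)
    review_rate_before: float = 18_000.0  # $/GB (chapter milestone baseline)
    review_rate_after: float = 10_000.0   # $/GB (chapter milestone target)
    program_cost: float = 1_000_000.0     # IG program spend over the horizon (constructed)
    years: int = 3


def volumes(a: Assumptions, with_ig: bool) -> list[float]:
    """Year-end stored volume (TB) for each program year."""
    v = a.baseline_tb
    if with_ig:
        # One-time cleanup: cutting ROT from rot_share to rot_target frees that
        # difference of the baseline volume (40% -> 20% frees 20%).
        v *= 1.0 - (a.rot_share - a.rot_target)
    out = []
    for _ in range(a.years):
        new_data = v * a.growth_rate
        if with_ig:
            # Ongoing defensible disposition disposes of part of each year's growth.
            new_data *= 1.0 - a.disposition_rate
        v += new_data
        out.append(v)
    return out


def storage_cost(a: Assumptions, with_ig: bool) -> float:
    """Total storage cost of ownership over the horizon, in dollars."""
    return sum(v * a.cost_per_tb_year for v in volumes(a, with_ig))


def review_cost(a: Assumptions, with_ig: bool) -> float:
    """Attorney review cost over the horizon: fewer GB at a lower rate with IG."""
    gb, rate = a.review_gb_per_year, a.review_rate_before
    if with_ig:
        gb *= 1.0 - (a.rot_share - a.rot_target)  # removed ROT is never reviewed
        rate = a.review_rate_after
    return gb * rate * a.years


def business_case(a: Assumptions) -> dict[str, float]:
    """Hard-cost savings and net benefit, the numbers an executive sponsor owns."""
    storage_savings = storage_cost(a, False) - storage_cost(a, True)
    review_savings = review_cost(a, False) - review_cost(a, True)
    total = storage_savings + review_savings
    return {
        "storage_savings": storage_savings,
        "review_savings": review_savings,
        "total_hard_savings": total,
        "net_benefit": total - a.program_cost,
        "roi": (total - a.program_cost) / a.program_cost,
    }


if __name__ == "__main__":
    a = Assumptions()
    for name, value in business_case(a).items():
        print(f"{name:>20}: {value:,.2f}")
```

With the placeholder inputs the model shows roughly $2.3M of storage savings and $1.5M of review savings over three years; the point of the exercise is that the sponsor can swap in measured baselines (the chapter's "understanding of total costs before and after") and see which assumption the case is most sensitive to, typically the growth rate and the cost-per-TB-year figure that so many organizations understate.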

Soft Costs: Intangible Cost Offsets

There are also some less calculable benefits:

1. Potential revenue gains: Often overlooked is the gain in revenue as a result of recovered employee productivity. When employees in, say, the Business Office spend fewer hours searching for and/or re-creating information, they spend more time engaged in activities that could generate more revenue for the organization (such as billing and collections). That enhanced productivity can generate real top-line revenue growth.[16] In addition, performing analytics on cleaned data can provide new insights that may result in new revenue-generating product and service innovations.

2. Information risk reduction: Risk avoidance involves taking steps to mitigate exposure to negative events. Risk mitigation is a key component and goal of IG programs. An organization’s business risk impact from IG may take the form of reducing the likelihood of lawsuits by reducing medical mistakes, or reducing the likelihood of a breach or ransomware attack. It can also improve the odds of winning lawsuits due to more efficient collection and review of responsive information, giving the legal team more time and resources to spend on a winning strategy. At the same time the organization will be lowering its risk of compliance violations of HIPAA and other major regulations, reducing the likelihood of court sanctions and fines, which can be substantial and run into the millions. Further, the organization is improving its information security defenses, guarding against breaches and protecting the brand while reducing exposure to reputational risk.[17]

3. Improvements in knowledge worker productivity: When an organization’s highest-paid professionals cannot locate information to make a decision, they must waste time searching and may ultimately end up doing double-work by re-creating the information. This is difficult to calculate, but it is a real cost. An average knowledge worker can spend 15%–25% of their workweek simply searching for information, according to studies. The organization should shoot for providing the right information to the right professionals at the right time—securely. When this is the aim of an IG program, substantial productivity benefits will accrue and management will be promoting a more professional and efficient work environment, while minimizing staffing needs.

It is clear that an overarching IG program can yield many benefits to healthcare organizations, through a series of discrete projects aimed at reducing information risk while improving information quality, safety, privacy, and value. In the near future, Information Asset Valuation (IAV) software will be available to aid executives and IG Program Managers in calculating the true financial costs and benefits of an IG program.

Chapter Summary: Key Points

■ The executive sponsor must develop and own the business case.

■ Healthcare information is target-rich for hackers. Insurance credentials and patient health histories are very valuable.

■ Improving patient outcomes and reducing mortality are key goals of IG programs in healthcare.

■ A major data breach creates a breach of patient trust, and this can have financial consequences for healthcare organizations.

■ OCR classified ransomware attacks as breaches in 2016, and they are now subject to the HIPAA Breach Notification Rule.

■ Connected medical devices mean new vulnerabilities to patient data that must be addressed.

■ A privacy awareness training program can help educate employees on being cautious with patient information.

■ Legally defensible deletion of information is a key driver of cost reduction in IG programs as it can reduce the storage footprint and electronic storage costs.

■ One major data breach or costly lawsuit can provide the justification for an IG program.

■ Major hard dollar savings in the Legal area come from e-discovery collection and document review cost reductions.

■ There may be additional opportunities for revenue growth by using analytics to process data in the IG program effort.

■ Risk mitigation is a key component and goal of IG programs.

■ Information Governance programs produce substantial productivity benefits which accrue from cleaner, more accessible information.

Notes

1. Jessica Twentyman, “Hacking Medical Devices is the Next Big Security Concern,” Financial Times, November 8, 2017, https://www.ft.com/content/75912040-98ad-11e7-8c5c-c8d8fa6961bb?segmentid=acee4131-99c2-09d3-a635-873e61754ec6.

2. Dan Munro, “U.S. Healthcare Ranked Dead Last Compared to 10 Other Countries,” Forbes.com, June 16, 2014, http://www.forbes.com/sites/danmunro/2014/06/16/u-s-healthcare-ranked-dead-last-compared-to-10-other-countries/#7aa717021b96.

3. Doug Laney, Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage (Bibliomotion, 2017), pp. 95–96.

4. “Lack of Timely Action Risks Security and Costs Money,” U.S. Department of Health and Human Services, February 1, 2017, https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html.

5. “Survey: Many US Consumers Would Leave Provider over Ransomware Attack,” SmartBrief.com, May 30, 2017, http://www.smartbrief.com/s/2017/05/survey-many-us-consumers-would-leave-provider-over-ransomware-attack.

6. Jonathan Crowe, “How One Ransomware Attack Cost Erie County Medical Center $10 Million,” Barkly.com, August 2017, https://blog.barkly.com/10-million-dollar-ecmc-hospital-ransomware-attack.

7. Richard Winton, “Hollywood Hospital Pays $17,000 in Bitcoin to Hackers; FBI Investigating,” Los Angeles Times, February 18, 2016, http://beta.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

8. Jessica Davis, “Los Angeles Provider Breached by Ransomware Attack, over 260,000 Patients Affected (UPDATED),” Healthcare IT News, August 14, 2017, http://www.healthcareitnews.com/news/los-angeles-provider-breached-ransomware-attack-over-260000-patients-affected-updated.

9. Ibid.

10. Jessica Twentyman, “Hacking Medical Devices is the Next Big Security Concern,” Financial Times, November 8, 2017, https://www.ft.com/content/75912040-98ad-11e7-8c5c-c8d8fa6961bb?segmentid=acee4131-99c2-09d3-a635-873e61754ec6.

11. Peter P. Swire, Kenesa Ahmad, Foundations of Information Privacy and Data Protection (IAPP, 2012), p. 67.

12. “The True ROI of Information Governance,” Osterman Research white paper, February 2015, p. 1.

13. Ibid., p. 5.

14. Ibid., p. 10.

15. Ibid., p. 11.

16. Ibid., p. 11.

17. Ibid., p. 11.
