**1. Introduction**

Across the globe, data security is becoming more regulated. For example, in the European Union, the General Data Protection Regulation (GDPR) protects its citizens [1]. In China, the Cybersecurity Law of 2017 was one of the first well-known laws passed to protect the data and communications of its citizens [2]. In the United States of America, medical entities in the country's critical infrastructure are covered under Federal laws that protect patient information. Specifically, the Health Insurance Portability and Accountability Act (HIPAA) [3] and the Health Information Technology for Economic and Clinical Health Act (HITECH) [4] are Federal-level regulations requiring covered entities to secure patients' protected health information (PHI). PHI covers a gamut of identifiers, including patient names, birthdays, social security numbers, medical record numbers, license plate numbers, and biometric data, among others. The digital form of PHI is electronic PHI, or ePHI. In the United States, vendors and services that are not covered under HIPAA (perhaps because they do not bill patients for services rendered) are regulated by the Federal Trade Commission (FTC) and must self-report health data breaches to the FTC [5]. Furthermore, the European Commission officially ratified the final version of the GDPR to require that a breach be notified to the supervisory authority within 72 hours (or that reasons for a delay be provided) [1].

In the United States, both HIPAA-covered and non-covered entities may also be subject to other legal requirements, such as non-disclosure agreements, confidentiality restrictions, or other security requirements, covering other organizational, research, or employee data.

Risk management within covered groups has historically remained siloed within the organization: different components of the organizational risk are managed, and decisions about them made, by different units without a standardized and well-connected systematic methodology. For example, the legal, audit, budget, health informatics, security, privacy, medical, and information systems teams may all be managed disjointly, making it difficult to adequately quantify and coordinate the organizational risks. In such disjoint cases, an exception to an organizational policy may result in unidentified operational risk if the different departments are not consistently coordinated and do not periodically review, and where necessary update, the associated risks.

This chapter begins by describing data breach risks in HIPAA-covered entities, as reported to the United States government, that expose patients to a higher risk of identity theft. It then integrates current research into building a standardized risk assessment library that enables both inter- and intra-organizational risk coordination. This design facilitates the standardization and communication of risks, together with reasonable internal statistics on technical and administrative limitations, organizational policy exceptions, and federal legal requirements, so as to inform the business, auditors, insurance companies, and business associates of those risks.
