Stolen medical data is hugely valuable on the dark web — and the healthcare industry has a long list of data breaches to prove it.
Healthcare data breaches increased by 55.1 percent in 2020, and cost healthcare organizations an estimated $6 trillion. The average cost of each breach was $7.13 million, the highest of any industry. More than 1 million people were affected by such breaches in almost every month of the year.
2021 has been even more dire, with at least 40 million patient records containing protected health information (PHI) compromised by mid-November. The average total cost of such a data breach rose to a whopping $9.41 million.
So what is PHI in cybersecurity? Why is it so valuable? And how can healthcare organizations secure and protect PHI?
Examples of Protected Health Information (PHI)
PHI is individually identifiable health information: information about a specific individual's past, present, or future physical or mental health, the healthcare provided to that individual, or payment for that healthcare, together with the identifiers (name, dates, numbers) that tie it to the person.
PHI is usually created or collected by “covered entities” such as doctors, hospitals, health plans (insurers), and healthcare clearinghouses (which process claims and other transactions between healthcare providers and insurers). The “business associates” of these covered entities — third-party vendors or subcontractors — may also have access to PHI.
PHI is also known as “HIPAA data” after the Health Insurance Portability and Accountability Act (HIPAA). Many types of data qualify as PHI under HIPAA, per guidance from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). These include:
- Patient name and address
- Contact details, such as phone number and email address
- Social Security number
- Any dates directly related to an individual, such as birthday, treatment dates, and date of death (HHS counts every element of a date except the year)
- Medical record number
- Insurance information and health plan beneficiary number
- Biometric identifiers, such as fingerprints and voiceprints
- Full face photos
- Billing information and payment history
- Financial data, such as bank account and credit card numbers
- Diagnostic or treatment information (including mental health diagnoses)
Information is PHI only when it meets both of the following conditions; anything that fails either test is not PHI:
- It identifies the individual, or could reasonably be used to identify them
- It was created, received, maintained, or transmitted by a covered entity or business associate in the course of providing or paying for healthcare
A name on its own is not PHI; the same name attached to a diagnosis, an appointment, or a claim held by a provider or insurer is. HIPAA also excludes employment records that a covered entity holds in its role as an employer, and education records covered by FERPA.
PHI data may be included in:
- Billing information
- Emails and phone records
- Scans and test results
- Appointment scheduling apps
PHI, ePHI, and PII
PHI refers to a detailed record of the provision of healthcare, healthcare operations, and payments made for healthcare services to a specific individual. PHI can be stored in paper or electronic form.
PHI is not the same as personally identifiable information (PII). PII is any information that can be linked to a specific individual, whoever holds it. PHI is the subset of PII that relates to health status, treatment, or payment for care and is held by a covered entity or business associate; a name and birth date in a retailer's customer database are PII but not PHI.
Electronic protected health information, or ePHI, is PHI that is created, stored, transmitted, or received in electronic form.
Why Is PHI (and ePHI) Valuable?
According to Trustwave, a single healthcare data record can fetch up to $250 on the black market. This is much higher than the next highest-valued data, a payment card, which only goes for $5.40 per record.
PHI is so valuable because a single medical record contains an individual’s health-related PII, such as the person’s:
- Medical and behavioral health history
- Health insurance information
- Contact information
This treasure trove allows cybercriminals to engage in various illegal activities such as:
- Stealing victims’ identities to apply for credit cards, loans, or to obtain medical services
- Obtaining prescription medications
- Filing bogus medical claims for cash reimbursements
Cybercriminals can also use this information to blackmail or embarrass a victim.
In contrast, a stolen payment card is a single credential, and a card can be canceled and reissued as soon as the victim notices the theft. Diagnoses, Social Security numbers, and dates of birth cannot be reissued, so a medical record stays usable for fraud and extortion for years, and victims often learn of the theft only when a bogus claim or debt appears in their name.
Data Protection Requirements for Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that requires covered entities and their business associates to safeguard the PHI they hold and, for ePHI specifically, to ensure its confidentiality, integrity, and availability.
The HIPAA Security Rule requires an organization-wide risk analysis that covers every place ePHI lives and every way it moves, including the:
- Media used to store ePHI, such as personal computers, mobile devices, external portable hard drives, removable storage devices, and cloud services; and
- Means of transmitting ePHI, such as WiFi, internet links, email, and file transfers.
In general, the HIPAA Security Rule requires healthcare providers and covered entities to protect their patients’ ePHI with appropriate physical, technical, and administrative safeguards.
The HIPAA Privacy Rule also outlines strict regulations for covered entities to safeguard the integrity, privacy, and security of PHI. It sets limits and conditions for the use and disclosure of PHI. It also gives individuals rights over their PHI, including the rights to examine PHI, to obtain a copy of their electronic health records (EHR), and to request corrections.
All covered entities and business associates must adhere to compliance requirements laid out by both the HIPAA Security Rule and HIPAA Privacy Rule.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended HIPAA's Privacy and Security Rule obligations directly to business associates, created the Breach Notification Rule that requires notifying affected individuals and HHS when unsecured PHI is compromised, raised the penalties for violations, and tightened the restrictions on selling PHI or using it for marketing or promotional purposes.
Cybersecurity Best Practices to Protect PHI
Healthcare organizations are particularly vulnerable to cyberattacks, including data breaches, malware, and ransomware attacks. Besides creating, possessing, and storing valuable PHI, they also manage intellectual property, such as medical, vaccine, and disease research.
Another vulnerability arises from the increasing number of interconnected devices in the industry. Some of these devices can be remotely accessed, allowing bad actors to gain control and steal PHI.
In addition, many healthcare organizations operate on insecure legacy platforms; that further increases the risk of opportunistic attacks. Inadequate cybersecurity awareness among healthcare professionals and third parties also drives up the risk of PHI data breaches.
Healthcare organizations can protect PHI in their information systems by following these data security best practices.
Shore Up Security Controls
All healthcare providers should review their existing cybersecurity infrastructure and implement robust controls to protect PHI. These controls may include:
- Device and application allowlisting, so that only approved software can run and only approved devices can connect
- Using the principle of least privilege (PoLP) to control access
- Next-Generation Firewalls (NGFW)
- Antivirus and anti-malware solutions
- Strong policies around password creation, use of authorized software, and use of personal devices for business tasks
- Centralized system logs and security alerting, including audit trails of who accessed which patient record and when (the Security Rule's audit controls standard)
- Cybersecurity training for all employees
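The "system logs and security alerts" control is only useful if someone turns the audit trail into alerts. The script below is an added example, not code from the original article or from any EHR vendor: it runs two detection rules over constructed EHR access-log lines. The log format (ISO timestamp followed by key=value pairs), the user names, the record numbers and the care-team assignments are assumptions for illustration. Rule 1 flags a confidentiality-flagged record opened by someone outside its care team; rule 2 flags one user opening many distinct records in a short window, the classic footprint of record snooping or bulk data theft.

```python
"""Alerting on EHR audit logs: who opened which patient record, and when.

Added example, not code from the original article. Log format, users,
record numbers and care-team data are all constructed for illustration.
Assumes log lines arrive in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not from a real system).
SAMPLE_LOG = """\
2021-11-15T08:00:05Z user=nurse.kim action=VIEW mrn=MRN-000101
2021-11-15T08:01:10Z user=nurse.kim action=VIEW mrn=MRN-000102
2021-11-15T08:03:40Z user=dr.patel action=VIEW mrn=MRN-000555
2021-11-15T08:05:00Z user=clerk.lee action=VIEW mrn=MRN-000201
2021-11-15T08:05:07Z user=clerk.lee action=VIEW mrn=MRN-000202
2021-11-15T08:05:15Z user=clerk.lee action=VIEW mrn=MRN-000203
2021-11-15T08:05:21Z user=clerk.lee action=VIEW mrn=MRN-000204
2021-11-15T08:05:30Z user=clerk.lee action=VIEW mrn=MRN-000205
2021-11-15T08:05:38Z user=clerk.lee action=VIEW mrn=MRN-000206
2021-11-15T09:30:00Z user=clerk.lee action=VIEW mrn=MRN-000207
2021-11-15T09:31:00Z user=nurse.kim action=VIEW mrn=MRN-000555
"""

# Care team for records carrying a confidentiality flag (e.g. VIPs or
# employees who are also patients). Hypothetical data.
FLAGGED_CARE_TEAM = {"MRN-000555": {"dr.patel"}}

BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5          # alert once more than this many distinct MRNs


def parse_line(line):
    """Parse one log line into a dict; the 'ts' field becomes a datetime."""
    ts_str, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return a list of alert dicts for the two rules, in log order."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, mrn) in the window
    bulk_alerted = set()          # users already reported, to avoid repeats

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, mrn, ts = ev["user"], ev["mrn"], ev["ts"]

        # Rule 1: flagged record opened by someone not on its care team.
        if mrn in FLAGGED_CARE_TEAM and user not in FLAGGED_CARE_TEAM[mrn]:
            alerts.append({"rule": "flagged_record_access", "user": user,
                           "mrn": mrn, "ts": ts})

        # Rule 2: sliding window of this user's recent record views.
        window = recent[user]
        window.append((ts, mrn))
        while ts - window[0][0] > BULK_WINDOW:   # drop views older than window
            window.popleft()
        distinct = {m for _, m in window}
        if len(distinct) > BULK_THRESHOLD and user not in bulk_alerted:
            bulk_alerted.add(user)
            alerts.append({"rule": "bulk_record_access", "user": user,
                           "count": len(distinct), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data, clerk.lee trips the bulk rule at the sixth distinct record in under a minute, while dr.patel opening the flagged record is silent and nurse.kim opening it is not. In production the care-team lookup would come from the EHR's encounter or scheduling data rather than a hard-coded dict, and the threshold would be tuned per role (a registration clerk legitimately touches more records per hour than a nurse).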
Encrypt Devices and Data
Protect PHI from intruders by encrypting all PHI data, both in transit (TLS on every connection that carries ePHI) and at rest. Encryption is an “addressable” specification under the Security Rule, which means an organization that does not encrypt must document why and what it did instead; in practice there is rarely a defensible reason not to. Encryption also buys a concrete benefit: under HHS breach-notification guidance, PHI encrypted in line with NIST recommendations is not “unsecured PHI,” so losing an encrypted laptop or drive whose key was not also exposed is not a reportable breach. It's also vital to encrypt:
- Email messages, to protect content from being read by unauthorized parties
- Mobile devices such as laptops, tablets, smartphones
- All endpoints on the organization’s IT network
- All removable devices, such as USB flash drives, memory cards
De-identifying PHI also puts it beyond the reach of an intruder, and beyond the scope of the Privacy Rule: data de-identified under HHS's Safe Harbor method (strip the 18 listed identifiers, keep only the year of any date, truncate ZIP codes to three digits, and aggregate ages over 89) or under the Expert Determination method is no longer PHI. Pseudonymized data that keeps a key mapping back to patients is still PHI and must be protected as such.
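The Safe Harbor method is mechanical enough to write down. The script below is an added example, not code from the original article or from HHS: it applies the Safe Harbor rules to a flat patient record, dropping the direct identifiers outright, keeping only the year of dates, truncating ZIP codes to three digits (or 000 for sparsely populated prefixes), and collapsing ages over 89 into a single 90+ bucket, including the birth year that would otherwise reveal such an age. The field names and the set of restricted ZIP prefixes are assumptions for illustration; the real restricted-prefix list is derived from current Census data.

```python
"""Safe Harbor style de-identification of a patient record.

Added example, not code from the original article. Field names and the
restricted ZIP prefix set are assumptions for illustration.
"""
import re
from datetime import date

# Fields Safe Harbor requires removing outright: names, contact details,
# SSN, record and account numbers, biometrics, photos, device and network
# identifiers. Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Date fields directly related to the individual: keep only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes whose combined area holds 20,000 people or
# fewer must be reported as 000. Hypothetical set for illustration.
RESTRICTED_ZIP_PREFIXES = frozenset({"036", "059", "102"})

AS_OF = date(2021, 11, 15)   # reference date used to compute ages


def truncate_zip(zip_code, restricted=RESTRICTED_ZIP_PREFIXES):
    """Return the 3-digit ZIP prefix, or 000 for restricted or short codes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in restricted:
        return "000"
    return prefix


def compute_age(dob_iso, as_of):
    """Age in whole years on as_of, given an ISO 8601 (YYYY-MM-DD) birth date."""
    y, m, d = (int(part) for part in dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def safe_harbor_deidentify(record, as_of=AS_OF):
    """Apply the Safe Harbor rules to a flat record and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # remove the identifier entirely
        if field in DATE_FIELDS:
            out[field] = value[:4]        # year only
        elif field == "zip":
            out[field] = truncate_zip(value)
        else:
            out[field] = value            # clinical data is retained
    if "dob" in record:
        age = compute_age(record["dob"], as_of)
        if age > 89:
            # Ages over 89, and any date element that reveals them (including
            # the birth year), are aggregated into a single 90+ category.
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out


# Constructed sample records (not real patients).
ELDERLY_PATIENT = {
    "name": "Jane Q. Sample", "mrn": "MRN-000042", "ssn": "123-45-6789",
    "email": "jane@example.com", "dob": "1931-05-20",
    "admit_date": "2021-11-03", "zip": "03601",
    "diagnosis": "I10", "sex": "F",
}
ADULT_PATIENT = {
    "name": "John Sample", "mrn": "MRN-000043", "dob": "1985-12-01",
    "admit_date": "2021-10-30", "zip": "10001-1234",
    "diagnosis": "E11.9", "sex": "M",
}

if __name__ == "__main__":
    for rec in (ELDERLY_PATIENT, ADULT_PATIENT):
        print(safe_harbor_deidentify(rec))
```

Note that the output for the 90-year-old patient keeps the diagnosis and the admission year but carries neither a birth year nor a full ZIP code; that is the point of the method, and also its limitation, since Safe Harbor removes identifiers without measuring how unique the remaining combination is. Where the residual data is rich (rare diagnoses, small populations), the Expert Determination method, which assesses re-identification risk statistically, is the safer route.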
Control Vendor Access to Devices and Data
It’s critical to restrict vendor access to any devices carrying PHI to a need-to-know basis. Instead of granting open, elevated privileges, healthcare organizations should adopt a zero-trust approach to network and data access by third parties.
Vendor due diligence, a vendor risk management policy, and an assessment of the vendor’s cybersecurity defenses are also essential strategies to protect PHI.
Upgrade All Software and Equipment
One survey revealed that 65 percent of companies running old software suffered breaches. Legacy systems and medical equipment running on outdated software are a serious problem in healthcare, resulting in security vulnerabilities and increasing the risk of PHI data breaches. So update and upgrade all software and equipment regularly. Where a device cannot be patched (imaging equipment validated only against an old operating system, for instance), isolate it on its own network segment, restrict which hosts can reach it, and monitor its traffic rather than leaving it exposed.
Maintain Secure Backups
Regular system backups can help healthcare providers retain access to PHI after a breach or ransomware attack. Backups contain ePHI too, so they must be encrypted, access-controlled, and stored offsite; keep at least one copy offline or immutable so that ransomware that reaches production cannot also destroy the backups. Any cloud provider holding backups is a business associate and needs a signed business associate agreement (BAA); there is no official “HIPAA-compliant” certification for cloud services, so verify the provider's controls yourself. Test restores regularly, and make the backup and restoration plan part of a broader business continuity strategy.
Make Risk Assessments Part of the Cybersecurity and Data Protection Strategy
The Security Rule requires a documented risk analysis, and with regular risk assessments healthcare providers can better spot cybersecurity gaps and address them before they lead to a HIPAA data breach. Regular vulnerability scans and penetration tests will help identify exploitable vulnerabilities that put PHI at risk.
ZenGRC Can Help You Avoid PHI Data Breaches
A PHI data breach is a serious problem for both the breached healthcare organization and individual victims. Strong PHI protection starts with better visibility of the attack surface.
ZenGRC lets healthcare organizations achieve this visibility and HIPAA compliance with comprehensive risk assessments, automated workflows, and insightful reporting. Its integrated platform provides a single source of truth so that healthcare providers can identify and address PHI threats before a breach occurs.
You are always audit-ready with ZenGRC, allowing risk and compliance managers to focus on the big picture. Schedule a demo to see what ZenGRC can do for your organization.