Stolen medical data is hugely valuable on the dark web — and the healthcare industry has many data breaches to prove it.
Healthcare data breaches increased by 55.1 percent in 2020 and cost healthcare organizations an estimated $6 trillion. The average cost of each breach was $7.13 million, the highest of any industry. More than 1 million people were affected by such breaches in almost every month of the year. An important part of HIPAA compliance is implementing controls to avoid penalties.
2021 has been even more dire, with at least 40 million patient records containing protected health information (PHI) compromised by mid-November. The total cost of such a data breach rose to $9.41 million.
So, what is PHI in cybersecurity? Why is it so valuable? And how can healthcare organizations secure and protect PHI?
Examples of Protected Health Information (PHI)
PHI is information in a medical record about a specific individual, including their personal data, health status, and payments made for healthcare services.
PHI is usually created or collected by “covered entities” such as doctors, hospitals, health plans (insurers), and healthcare clearinghouses (which exist between the healthcare provider and insurance company). The “business associates” of these covered entities — third-party vendors or subcontractors — may also have access to PHI.
PHI is also known as “HIPAA data” after the Health Insurance Portability and Accountability Act (HIPAA). Many data types qualify as PHI under HIPAA, per guidance from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). These include:
- Patient name and address
- Contact details, such as phone number and email address
- Social Security number
- Any dates directly related to an individual, such as birthday, treatment dates, date of death
- Medical record number
- Insurance information and health plan beneficiary number
- Biometric identifiers, such as fingerprints and voiceprints
- Full face photos
- Billing information and payment history
- Financial data, such as bank account and credit card numbers
- Diagnostic or treatment information (including mental health diagnoses)
Data counts as PHI only if it meets both of the following conditions:
- Data that identifies an individual
- Data used or disclosed by a covered entity while providing healthcare
You may include PHI data in the following:
- Billing information
- Emails and phone records
- Scans and test results
- Appointment scheduling apps
What Are The 3 Types of PHI?
PHI, ePHI, and PII
PHI refers to a detailed record of healthcare provision, healthcare operations, and payments made for healthcare services to a specific individual. PHI can be stored in paper or electronic form.
PHI is not the same as Personally Identifiable Information (PII). PII is any kind of personal information that can be linked to an individual. PHI is a subset of PII that only refers to health information.
Electronic protected health information, or ePHI, is PHI created, stored, transmitted, or received electronically.
Why Is PHI (and ePHI) Valuable?
According to Trustwave, a single healthcare data record can fetch up to $250 on the black market. This is far higher than the next most valuable data type, a payment card, which goes for only $5.40 per record.
PHI is so valuable because a single medical record contains an individual’s health-related PII, such as the person’s:
- Medical and behavioral health history
- Health insurance information
- Contact information
This treasure trove allows cybercriminals to engage in various illegal activities, such as:
- Stealing victims’ identities to apply for credit cards, loans, or to obtain medical services
- Obtaining prescription medications
- Filing bogus medical claims for cash reimbursements
Cybercriminals can also use this information to blackmail or embarrass a victim.
In contrast, a financial record usually contains only a single piece of information about a victim. In addition, credit or debit cards can be canceled once a victim realizes the theft. That’s not possible with medical data, which provides a permanent record of an individual.
Consequences of PHI Breaches
A Protected Health Information (PHI) breach can significantly affect healthcare organizations and patients. When hackers get unauthorized access to patient data, both groups suffer.
Healthcare groups can face large fines, lawsuits, and damage to their reputation. Under HIPAA rules, the Office for Civil Rights can impose penalties from $100 up to $50,000 per violation. If extreme violations result from willful neglect, criminal charges can follow. Lawsuits from patients are also common after data breaches.
Beyond money issues, a breach hurts public trust in the group’s ability to protect sensitive data. This loss of goodwill can reduce patient engagement and retention. Dealing with the breach also costs money for investigating, notifying patients, credit monitoring services, and taking steps to prevent future incidents.
For patients, a breach of medical records leaves them in danger of severe medical identity theft. This could allow criminals to get medical services, prescriptions, and equipment fraudulently. This can damage insurance coverage and the victim’s health and finances.
Data Protection Requirements for Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that mandates that every (U.S.) individual’s PHI must be safeguarded to assure its confidentiality, integrity, and availability.
The HIPAA Security Rule includes specific guidelines around how ePHI is assessed, in terms of both:
- The media used to store ePHI, such as personal computers, mobile devices, external portable hard drives, and removable storage devices
- The means used to transmit ePHI, such as WiFi, DSL, email, and file transfers
The HIPAA Security Rule requires healthcare providers and covered entities to protect their patients’ ePHI with appropriate physical, technical, and administrative safeguards.
The HIPAA Privacy Rule also outlines strict regulations for covered entities to safeguard PHI’s integrity, privacy, and security. It sets limits and conditions for the use and disclosure of PHI. It also gives individuals rights over their PHI, including the rights to examine PHI, obtain a copy of their Electronic Health Records (EHR), and request corrections.
All covered entities and business associates must adhere to compliance requirements laid out by the HIPAA Security and Privacy Rule.
Like HIPAA regulations, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 also limits the types of PHI that covered entities and their business associates can collect from individuals, share with other organizations, or use for marketing or promotional purposes.
Cybersecurity Best Practices to Protect PHI
Healthcare organizations are particularly vulnerable to cyberattacks, including data breaches, malware, and ransomware attacks. Besides creating, possessing, and storing valuable PHI, they also manage intellectual property, such as medical, vaccine, and disease research.
Another vulnerability arises from the increasing number of interconnected devices in the industry. Some of these devices can be remotely accessed, allowing bad actors to gain control and steal PHI.
In addition, many healthcare organizations operate on insecure legacy platforms, increasing the risk of opportunistic attacks. Inadequate cybersecurity awareness among healthcare professionals and third parties increases the risk of PHI data breaches.
Healthcare organizations can protect PHI in their information systems by following these data security best practices.
Shore Up Security Controls
All healthcare providers should review their existing cybersecurity infrastructure and implement robust controls to protect PHI. These controls may include:
- Device and application whitelisting (safe listing)
- Using the Principle of Least Privilege (PoLP) to control access
- Next-Generation Firewalls (NGFW)
- Antivirus and anti-malware solutions
- Strong policies around password creation, use of authorized software, and use of personal devices for business tasks
- System logs and security alerts
- Cybersecurity training for all employees
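To show how the "least privilege" and "system logs and security alerts" controls above combine in practice, here is an added example (not code from the original article or from any product it mentions) that scans constructed EHR audit-log lines for two classic PHI-access signals: a user viewing patients outside their assigned unit, and a user opening an unusually high number of distinct patient records within one hour. The log format, the `ASSIGNED_UNITS` map, and the threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines in a hypothetical EHR format (fictional data).
AUDIT_LOG = """\
2024-01-08T09:01:10 user=nurse01 action=view patient=P1001 unit=ICU
2024-01-08T09:03:42 user=nurse01 action=view patient=P1002 unit=ICU
2024-01-08T09:05:00 user=clerk07 action=view patient=P1001 unit=ICU
2024-01-08T09:05:30 user=clerk07 action=view patient=P2201 unit=ONC
2024-01-08T09:06:01 user=clerk07 action=view patient=P2202 unit=ONC
2024-01-08T09:06:40 user=clerk07 action=view patient=P2203 unit=ONC
2024-01-08T09:07:15 user=clerk07 action=view patient=P3310 unit=PED
2024-01-08T10:15:00 user=nurse01 action=view patient=P2201 unit=ONC
"""

# Assumed least-privilege baseline: which units each user may access.
ASSIGNED_UNITS = {"nurse01": {"ICU"}, "clerk07": {"ICU"}}
# Assumed threshold; a real deployment would tune this per role.
MAX_DISTINCT_PATIENTS_PER_HOUR = 3

def parse(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_alerts(log_text):
    """Return (alert_type, user, detail) tuples for suspicious PHI access."""
    alerts = []
    seen = defaultdict(set)  # (user, hour bucket) -> distinct patients viewed
    for line in log_text.splitlines():
        ev = parse(line)
        # Signal 1: access outside the user's assigned unit (need-to-know).
        if ev["unit"] not in ASSIGNED_UNITS.get(ev["user"], set()):
            alerts.append(("out_of_unit", ev["user"], ev["patient"]))
        # Signal 2: bulk record access; alert once when the threshold is crossed.
        key = (ev["user"], ev["ts"].replace(minute=0, second=0))
        seen[key].add(ev["patient"])
        if len(seen[key]) == MAX_DISTINCT_PATIENTS_PER_HOUR + 1:
            alerts.append(("bulk_access", ev["user"], key[1].isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(AUDIT_LOG):
        print(alert)
```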
Encrypt Devices and Data
Protect PHI from intruders by encrypting all PHI data in transit and at rest. It’s also vital to encrypt:
- Email messages to protect content from being read by unauthorized parties
- Mobile devices such as laptops, tablets, smartphones
- All endpoints on the organization’s IT network
- All removable devices, such as USB flash drives, memory cards
De-identification and anonymization of PHI data can also help protect it from intruders.
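As an added example (not code from the original article), the function below applies the HIPAA Safe Harbor style of de-identification to a constructed patient record: the direct identifiers the article lists are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages of 90 and over are collapsed into a single "90+" bucket. The field names and the sample record are assumptions, not a real EHR schema.

```python
import re
from datetime import date

# Direct identifiers to remove outright (field names are assumed for this example).
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "email", "ssn", "mrn", "insurance_id",
    "bank_account", "card_number", "photo", "fingerprint",
}
# Date fields: Safe Harbor allows the year to be retained, nothing finer.
DATE_FIELDS = {"dob", "treatment_date", "date_of_death"}

def _year_only(value):
    """Return the year of an ISO date string, or None if it is not one."""
    return value[:4] if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) else None

def _age_bucket(dob, as_of):
    """Ages of 90 and over must be aggregated into one '90+' category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)

def deidentify(record, as_of=date(2024, 1, 1)):
    """Return a copy of `record` with Safe Harbor identifiers stripped."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            year = _year_only(value)
            if year:
                out[key + "_year"] = year
            continue
        if key == "zip":
            # Keep the 3-digit prefix; Safe Harbor requires "000" instead when the
            # prefix covers 20,000 people or fewer (census lookup omitted here).
            out["zip3"] = value[:3]
            continue
        out[key] = value  # clinical content such as the diagnosis is retained
    if "dob" in record:
        out["age"] = _age_bucket(date.fromisoformat(record["dob"]), as_of)
    return out

# Constructed sample record (fictional data).
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "email": "jane@example.com", "dob": "1931-06-15", "zip": "02115",
    "treatment_date": "2023-11-02", "diagnosis": "Type 2 diabetes",
}
```

Note that Safe Harbor de-identified data is no longer PHI under HIPAA, but only if all 18 identifier categories are handled and the covered entity has no actual knowledge that the remaining data could identify the individual.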
Control Vendor Access to Devices and Data
It’s critical to restrict vendor access to devices carrying PHI on a need-to-know basis. Instead of granting open, elevated privileges, healthcare organizations should adopt a zero-trust approach to network and data access by third parties.
Vendor due diligence, a vendor risk management policy, and assessing the vendor’s cybersecurity defenses are essential strategies to protect PHI.
Upgrade All Software and Equipment
One survey revealed that 65 percent of companies running old software suffered breaches. Legacy systems and medical equipment running on outdated software are a severe problem in healthcare, resulting in security vulnerabilities and increasing the risk of PHI data breaches. So, update and upgrade all software and equipment regularly.
Maintain Secure Backups
Regular system backups can help healthcare providers retain access to PHI in case of a breach. These backups must be adequately secured and stored at offsite locations on HIPAA-compliant cloud servers. A robust backup and restoration plan should be part of a broader business continuity strategy.
Make Risk Assessments Part of the Cybersecurity and Data Protection Strategy
With regular risk assessments, healthcare providers can better spot cybersecurity gaps and address them before they lead to a HIPAA data breach. Regular vulnerability scans and penetration tests will help identify exploitable vulnerabilities that put PHI security at risk.
Physical Security Best Practices to Protect PHI
Along with cybersecurity rules, healthcare groups need to put in place physical security steps to safeguard printed or digitally stored Protected Health Information (PHI). Recommended best practices include:
- Lock up paper medical records, backup drives, and other media with PHI in cabinets. Only let essential staff access them.
- Physically lock down servers, computers, mobile devices, and medical machines like MRI scanners.
- Put in security cameras to monitor sensitive areas with PHI data.
- Require ID badges to enter areas with PHI. Keep detailed visitor logs.
- Do not let anyone remove devices storing PHI from the premises without authorization.
- Make sure only staff who should see PHI can view it. Use privacy screens, device angles, and password locks.
- Make an emergency plan to protect PHI in case of fires, floods, or other damage.
- Safely destroy digital and paper PHI when throwing out old equipment and files.
Following physical and cybersecurity policies is critical to fully protecting patients’ private health information from hackers and unauthorized access.
ZenGRC Can Help You Avoid PHI Data Breaches
A PHI data breach is a severe problem for both the breached healthcare organization and individual victims. Strong PHI protection starts with better visibility of the attack surface.
ZenGRC lets healthcare organizations achieve this visibility and HIPAA compliance with comprehensive risk assessments, automated workflows, and insightful reporting. Its integrated platform provides a single source of truth so that healthcare providers can identify and address PHI threats before a breach occurs.
You are always audit-ready with ZenGRC, allowing risk and compliance managers to focus on the big picture. Schedule a demo to see what ZenGRC can do for your organization.