PHI & Healthcare data protection: A guide for healthcare enterprises
Some interesting stats about healthcare data breaches before we begin:
- Healthcare data breaches are the most expensive – the average cost of a healthcare data breach is now $10.10 million per incident in 2022 – Cost of a Data Breach 2022 Report – IBM
- In 2021, nearly 50 million people in the US had their sensitive health data breached – a threefold increase in the last three years – Politico
- A total of 34.9% of cyberattacks occurred in healthcare in 2022, up 1% from the year before and indicative of hackers’ interest in personal health information (PHI) – Medical Economics
Healthcare records and PHI (Protected Health Information) are the hot favorite targets of cyberattacks, given all the sensitive data they contain. The risk increased manifold since the global pandemic hit, as clearly seen in the above stats. The potential value of stolen healthcare data on the dark web is upwards of $1000, making it 1000 times more than SSN and 200 times more than credit card details. Needless to say, the importance of taking serious measures for healthcare data and PHI protection is now more than ever.
What is PHI (Protected Health Information)?
The creation, usage, or disclosure of personal health information by a covered entity or its business associates while providing healthcare services is called PHI or Protected Health Information. The covered entities include healthcare providers and health insurance companies, and their business associates include data storage firms, billing companies, attorneys, cloud service providers, etc.
PHI is includes:
- The past, present, and future of mental and physical health data and the condition of a person
- Healthcare services rendered to the person
- The past, present, and future healthcare services payments
Hence, PHI appears in all medical records, conversations between the healthcare professionals, billing details, and any other vital information that can identify a person in the records of health insurance companies. PHI is present in a range of medical documents or healthcare forms and communication. Some examples:
- MRI/X-ray results
- Doctor appointments
- Test results
- Billing information
HIPAA Compliance for PHI
The HIPAA (Health Insurance Portability and Accountability Act of 1996) regulates and governs the implementation of safeguards to protect PHI’s confidentiality, availability, and integrity. HITECH (The Health Information Technology for Economic and Clinical Health) Act of 2009 further limits the collection of PHI for marketing by organizations.
The HIPAA privacy rule provides federal protection for PHI and governs how healthcare providers share and use it. HIPAA also stipulates the permission to disclose PHI to ensure the safety and health of the individuals. Organizations can sell PHI only under the following circumstances
- For research, only for cost reimbursements
- For public health purposes permitted by HIPAA
- For treatment and payment permitted by HIPAA
- For a HIPAA-covered entity’s merger and/or acquisition
Individuals have the right to make requests for amending PHI under HIPAA. Healthcare providers are legally bound to handle PHI as HIPAA security and privacy rules when signing the HIPAA agreements. The US Department of Health and Human Services can conduct HIPAA audits on business associates and covered entities.
Healthcare data and PHI – the uses and misuses
Apart from storing all the sensitive healthcare details, PHI is also extremely valuable for scientific and clinical research when anonymized and de-identified. The majority of PHI breaches fall under hacking or other IT-related crimes. PHI breaches are far more severe and have way many repercussions as compared to a banking or financial data breach. They take a very long time to come out, and you can’t change them.
Consequently, PHI is a goldmine for cybercriminals – with details such as SSN, address, and date of birth, there’s a possibility of a string of criminal activities like medical frauds, identity theft, blackmail, tax/insurance fraud, etc.
Healthcare data breach repercussions for healthcare organizations
Healthcare data breaches can bring along a lot of long-term impacts apart from hefty fines for healthcare institutions. Fines can range from $100 to $50,000 for a single violation for a HIPAA violation, depending on the negligence level. Wilful neglect leading to even a single violation leads to an automatic $500 fine. $1.5M is the maximum penalty for violations of an identical provision.
Furthermore, the ramifications of a healthcare data breach also include reputation damage. The repercussions might bring along many changes in the system – software upgrades leading to system downtime, lawsuits, and detailed reporting of the breach – to name a few. Hence, healthcare organizations now must invest in cybersecurity to protect their patients’ PHI and other healthcare data.
Healthcare data and PHI protection checklist
6 practices to ensure PHI and healthcare data protection
- Conduct risk assessments
- Get visibility to PHI data sprawl
- Limit data access
- Encrypt all data
- Update software and IT infrastructure
- Invest more in cybersecurity
- Conduct PHI risk assessments: Annual checks for security risk assessment can help healthcare organizations identify gaps, analyze vulnerability detection, and update policy reviews.
- Get visibility to PHI data sprawl: Unless you have the visibility to PHI data sprawl across Cloud IT, SaaS, etc., how can you manage it or assess the data security, compliance or privacy risk associated with it. Every healthcare enterprise should plan for protection efforts with PHI data visibility at the heart of it.
- Limit access to PHI and other healthcare data: Put effective permissions to access essential healthcare data and PHI. There are hundreds of people working with as many devices. It’s impossible to track and identify their activities. Hence, a standardized procedure for logging in and out should be in place.
- Encrypt all data, whether in transit or at rest: Mitigate the consequences of data breaches by encryption technologies. Since encrypted data is considered secure, it doesn’t constitute a data breach.
- Update your software and upgrade IT infrastructure: The older the system, the easier it is for cyber criminals to access it. Replace dated devices with the current ones. Regularly update software to fix any system bugs and thereby lower breach risks. Get experts to help you update your medical software solution to ensure they are bulletproof for any cyber threats.
- Invest more in cybersecurity to better protect healthcare data and PHI: Allocate a separate budget for upgrading to advanced security tools, legal teams, and the IT departments. These will play a crucial role in preventing healthcare data breaches and, in case of one, develop a response action plan for follow-up measures.
Prevent breaches – safeguard PHI and other healthcare data with Airavana
With the rapid digitalization in the healthcare industry, get ahead of any potential security threats to your organization. Numerous factors affect healthcare data and PHI data security. Prevent breaches by getting a secure, scalable data governance software that provides complete data visibility.
Get unified visibility to sensitive data sprawl, build automated sensitive data inventory and monitor data security and privacy violations. Track sensitive data stored within thousands of data sources across your Cloud apps to ensure complete data protection and security. Request a demo or write to us at firstname.lastname@example.org to know more about healthcare data protection.