Personal health information (PHI), also referred to as protected health information, generally refers to critical information related to the following ; medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
As per HIPAA act of 1996 healthcare professionals, insurance company’s etc. shall share very limited information on the patient health to other organisations and all the information that is shared will be in electronic format only.
Partners and business associates of healthcare that sign HIPAA or PHI related agreements will need to ensure the protection of PHI data as they are legally bound to handle the patient data as per the rules and regulations, the rule were limited to paper records but with the advent of technological advancement this rule is extended to the various forms of electronic media, any information that the companies would want to solicit will require approvals from the patients.
Organisations will also be subject to audits to ensure processes have been followed with regards the PHI.
Potential threats to PHI data will be seen in the following areas
Despite the regulations and stringent processes there have been data breaches that have been plaguing the healthcare industry, “potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually”.
Patient’s data have been stolen by Cyber thieves who generally attack during the time of user logging into a system or while making billing payment, or renewals of health insurance. Data such as personal information, social security numbers, and credit card info are targets of these cyber thieves.
A potential risk due to the advent of the Mobile Technology is that there will be a rise in patients accessing their records electronically. Medical staff will access several services available through mobile platforms.
Common PHI data breaches
- Hackers targeting cloud based application and data breaches seen due to loss of usernames and passwords.
- The Internet of Things is another area which will be causing threat to PHI as more and more devices get connected to internet via Wi-Fi, sensors and other means.
- Improper disposal of data is also contributing to the loss of PHI data.
- Mobile devices at work places and not regulated has serious risks on compromising the patient health data.
- Theft of devices and instruments containing critical patient information
- Malware’s in devices of Hospitals and other places are also serious threats to PHI Data
A recent data collected in USA showed that over 100 million people have been affected due to healthcare data breaches in 2015 (figure in above shows the same).
Anthem’s 78 million-person data breach was caused by a compromised database administrator (DBA) account. A malicious outsider used the DBA’s user credentials. Once hijacked, the malicious outsider’s access appeared normal since the DBA had privileged access. It is imperative healthcare organizations step up their efforts in educating their users on data security best practices and safe actions.
How should organisations ensure PHI data Protection?
Given that the risks of PHI data is high and the impact of the same to organisations includes legal and financial hassles, following are some of the aspects that the organisations that deal with protected health information can follow:
- Ensure proper PHI inventory is being maintained
- Follow stringent access policy with regards PHI data, only “need to know basis” the data should be allowed access to various people within and outside of the organisations.
- Ensure data Classification and data sensitivity layers are created.
- ePHI should be monitored at the transmission end and receiving end, thus ensuring that data is not comprised during the transmission.
- Ensure audits are carried out regularly and any findings are closed with immediate action plans.
- Conduct trainings with regards the PHI security data violations and highlight the impact on the organisations.
- Follow encryption and masking of data while transmitting data
- Use proper disposal process to ensure that critical client data is not being compromised during the disposal process for e.g. Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company.
How will IT Vendors manage the PHI Data related concerns?
Given that PHI data breaches has huge impacts contractually and financially IT organisation have started taking steps to ensure that patient data is protected ,also with the offset of Offshoring the rules of the game are changing to ensure a strict balance between cost benefits and ensuring that the client data is not being compromised with. IT vendors have started taking concrete steps and started making investments in processes and tools to ensure client data is not being breached and this leading to goodwill and business loss.
Following are some of the aspects of PHI data protection being implemented by IT Vendors.
- Organisations should to identify the PHI related information and use filters to address it, what are the key information that needs to be protected and what are the actions that they will take to protect are being documented and implemented.
- Data masking tools and secure access methods are being applied by IT Vendors at various levels
- (onshore and offshore locations); data is made available only on “need to know “with appropriate controls applied.
- Data security tools like cipher cloud, Princeton Softech, IBM Optim, and Net 2000 Data Masker for scrubbing and depersonalization are part of organisations support services to ensure no Client data leakages take place
- Another aspect that organisations are suggesting at as a solution to help protect data is to move the data Health Vault and Private clouds to ensure that the data is not being compromised with, very tight layer security is also built in to ensure
- Given the rise in growth of mobile, cloud and wearable devices, healthcare industry will see a rise in PHI breaches and continue to see attacks due to the increased volume of PHI data.
- Healthcare industry, Service Providers, Security organisations and IT vendors all have to work closely to ensure that this risk is mitigated with tight processes and tools which will ensure PHI data not being compromised.
- Financial losses, Legal damages and contractual violations due to PHI data breaches have a huge impact to organisations good will and tarnish the Image of the organisations which undergo these breaches, to avoid such situations organisations have started investing in processes, security related applications and tools which have helped in minimizing and mitigating the losses that occur due to these data breaches.