Why any organization can suffer a healthcare breach, and 5 tips for keeping PHI safe

Any kind of organization can fall victim to a leak of personal healthcare records. Read on for best practices on determining what encompasses PHI, and how to keep that information under wraps.

It appears that companies don’t have to be in the healthcare business to suffer a health information breach. About 90 percent of all industries have had protected health information compromised, according to Verizon’s PHI Data Breach Report 2015.

More than 392 million PHI records have been disclosed from non-healthcare businesses, according to the report, but the actual total could be much higher since 24 percent of the breached organizations did not provide an exact number of records involved.

Industries with the most PHI data breaches, not including healthcare or government entities, are finance and insurance, education, retail and professional services, such as law offices and tax preparers, according to Verizon.

“I was surprised, but it does make some sense because most every organization has things like their workers’ compensation data or employee wellness programs,” says Suzanne Widup, lead author of the report. Some companies are managing their own employee health benefits programs and are becoming custodians of more healthcare information than ever before, she says. Information security teams “may not even realize they have this kind of information in their organization until it gets breached.”

Companies that are the victims of a PHI breach could face regulatory fallout and other negative consequences. “Criminals are finding ways to monetize health information more than they have in the past,” says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. “It’s very plausible” that personal health information can be stolen and sold to uninsured people, used to get medical supplies and equipment that can be resold or used to submit fake insurance claims – “depending on the type of data they’re able to get,” Sadowski adds.


HR departments gather and store much of the PHI data and need to review their processes for securing PHI, Widup says. HR functions that are outsourced to third parties should also be looked at, especially after several highly publicized data breaches involved vendors or contractors.

Uncovering PHI

Protected health information is defined as personally identifiable health information collected from an individual, and covered under one of the many state, federal or international data breach disclosure laws. The main criterion is whether there is a reasonable basis to believe the information could be used to identify an individual.

PHI also goes beyond just medical records and includes email addresses, vehicle license plate numbers, biometric data like fingerprints, retinal scans or voice prints, and even full facial photographic images that have unique identifying characteristics.

Even certain combinations of seemingly harmless information can coalesce to become personally identifiable health data, Widup says. She has seen breaches where emails were sent advertising a wellness program regarding a certain condition, and the email addresses were exposed instead of being hidden in the BCC field. “That ends up being a breach because suddenly all these people know all these other people who have this condition,” she says.

At human resources consulting firm Mercer, “I do see employees and clients concerned about security and privacy of their PHI in particular. It’s not top of mind yet, but it’s on their radar,” says Jen Faifer, a Mercer principal and employee benefits attorney.

Faifer recently helped a major university audit its systems to determine which university functions were covered by HIPAA, and which were covered by the Family Educational Rights and Privacy Act (FERPA) that protects student information. “There is overlap among the different privacy and security statutes (as well as some gaps), and they’re not quite sure what information they have and what to do about protecting it,” Faifer says. “There’s also a lot of state-by-state requirements for workers’ compensation information and health information, so it’s hard to keep track of what’s required.”

Across all industries, Faifer says HR needs to be involved in developing an organization’s cyber risk management function. “When it comes to sensitive personal data, HR needs to be involved and to have a stake with respect to HIPAA and the health information that they handle,” she says.

What to do

Industry professionals say that companies should identify where PHI data is hiding in their organization and take steps to lock it down.

  1. Know what PHI data you have. Companies should first identify the pieces of information that they own that should be considered high risk. It may be just five pieces from the HIPAA list of 18 identifiers, says Raul Ortega, a vice president at data security provider Protegrity. Companies should also develop a culture for security, Ortega says. “When you’re developing software, you have to consider security and protect data not only in greenfield apps, but you also need to go back to find that [PHI] data.”
  2. De-identify data through encryption or tokenization. Ortega recommends starting with the largest repositories of data and de-identifying that data through encryption or tokenization, in which the sensitive value is replaced by a non-sensitive substitute identifier with no meaning or value. After encrypting at the repository level, work backwards to lines of business and to where the data originated.
  3. Involve the BI team. Companies should also know why they have this data, Sadowski says, and include it in their overall risk assessments. It also helps to get someone from the business intelligence team involved to help understand how the data is used, Ortega adds. PHI data used within lines of business can also be protected with encryption or tokenization, he adds.
  4. Strengthen security around data pathways between company and vendors. Data can be used for analytics or it can be shared with business partners. Make sure PHI is identified and protected when it’s moving out of the company’s systems. Develop a secure shared data room online, Faifer says. Require vendors to disclose their privacy and security practices. “Make sure vendor contracts require them to bear the cost of a security breach, or if the organization is big enough, they can negotiate audit rights into the contract,” Faifer says.
  5. Monitor access to data – even by privileged users. The incidents that take the longest to detect are those being perpetrated by the organization’s trusted insiders – privileged users whose credentials were stolen by hackers, according to Verizon. Incidents that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server, particularly a database. “It’s important to limit access to PHI data only to the users that are relevant, and then monitor access to that data even by privileged users,” Sadowski says. “Just because a privileged user logs on or has access to that data, are they actually using it or treating it appropriately and not dumping it out of a database and sending it outside the company?”
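Tips 2 and 5 above, as one added example that is not from the article or any of the vendors quoted: a minimal tokenization vault that swaps PHI fields (email address, license plate) for random tokens with no meaning of their own, and records every detokenize call so that users who pull tokens back in bulk, privileged or not, can be flagged. The class and field names, the threshold and the sample record are all constructed for illustration; a real vault would keep the token mapping in a hardened, access-controlled store rather than in memory.

```python
"""Added example: PHI tokenization vault with detokenization auditing.
All names, thresholds and sample data are constructed, not from the article."""
import secrets
from collections import Counter


class PhiTokenVault:
    """Replace a sensitive value with a random token. Only the vault can map
    a token back, so a leaked token reveals nothing about the PHI itself."""

    def __init__(self, max_reads_per_user=100):
        self._to_value = {}   # token -> original value
        self._to_token = {}   # original value -> token (repeats get the same token)
        self.access_log = []  # (user, token) for every detokenize call
        self.max_reads_per_user = max_reads_per_user  # constructed threshold

    def tokenize(self, value):
        """Return a stable 16-hex-character token for value."""
        if value in self._to_token:
            return self._to_token[value]
        token = secrets.token_hex(8)
        while token in self._to_value:  # guard the (vanishingly rare) collision
            token = secrets.token_hex(8)
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, user, token):
        """Resolve a token back to its value and record who asked for it."""
        self.access_log.append((user, token))
        return self._to_value[token]

    def bulk_readers(self):
        """Users whose detokenize count exceeds the per-user threshold: the
        'dumping it out of a database' pattern tip 5 warns about."""
        counts = Counter(user for user, _ in self.access_log)
        return sorted(u for u, n in counts.items() if n > self.max_reads_per_user)


def deidentify_record(vault, record, phi_fields):
    """Return a copy of record with each field named in phi_fields tokenized;
    non-PHI fields (e.g. an internal employee id) are passed through unchanged."""
    return {k: (vault.tokenize(v) if k in phi_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    vault = PhiTokenVault(max_reads_per_user=2)
    rec = {"employee_id": "E100", "email": "jane@example.com", "plate": "ABC123"}
    print(deidentify_record(vault, rec, {"email", "plate"}))
```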

Training is also important for all employees who touch PHI and sensitive personal data, both internally and for vendors who perform group health and wellness program functions, Faifer says.

“Any industry must be aware that this kind of data lives in their organization, as well as how it’s processed through its various stages of use in the organization and where it goes outside the organization,” Widup says. “Make sure it has controls in place all the way along. If they haven’t done that with this kind of data, then I can pretty much guarantee that it has been exposed someplace that they don’t know about.”


Stories by Stacy Collett
