It appears that companies don’t have to be in the healthcare business to suffer a health information breach. About 90 percent of all industries have had protected health information compromised, according to Verizon’s PHI Data Breach Report 2015.
More than 392 million PHI records have been disclosed from non-healthcare businesses, according to the report, but the actual total could be much higher since 24 percent of the breached organizations did not provide an exact number of records involved.
Industries with the most PHI data breaches, not including healthcare or government entities, are finance and insurance, education, retail and professional services, such as law offices and tax preparers, according to Verizon.
“I was surprised, but it does make some sense because most every organization has things like their workers’ compensation data or employee wellness programs,” says Suzanne Widup, lead author of the report. Some companies are managing their own employee health benefits programs and are becoming custodians of more healthcare information than ever before, she says. Information security teams “may not even realize they have this kind of information in their organization until it gets breached.”
Companies that are the victims of a PHI breach could face regulatory fallout and other negative consequences. “Criminals are finding ways to monetize health information more than they have in the past,” says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. “It’s very plausible” that personal health information can be stolen and sold to uninsured people, used to get medical supplies and equipment that can be resold or used to submit fake insurance claims – “depending on the type of data they’re able to get,” Sadowski adds.
Rob Sadowski, director of technology solutions at RSA, the security division of EMC
HR departments gather and store much of the PHI data and need to review their processes for securing PHI, Widup says. HR functions that are outsourced to third parties should also be looked at, especially after several highly publicized data breaches involved vendors or contractors.
Protected health information is defined as personally identifiable health information collected from an individual, and covered under one of the many state, federal or international data breach disclosure laws. The main criteria is whether there is a reasonable basis to believe the information could be used to identify an individual.
PHI also goes beyond just medical records and includes email addresses, vehicle license plate numbers, biometric data like fingerprints, retinal scans or voice prints, and even full facial photographic images that have unique identifying characteristics.
Even certain combinations of seemingly harmless information can coalesce to become personally identifiable health data, Widup says. She has seen breaches where emails were sent advertising a wellness program regarding a certain condition, and the email addresses were exposed instead of being hidden in the BCC field. “That ends up being a breach because suddenly all these people know all these other people who have this condition,” she says.
At human resources consulting firm Mercer, “I do see employees and clients concerned about security and privacy of their PHI in particular. It’s not top of mind yet, but it’s on their radar,” says Jen Faifer, a Mercer principal and employee benefits attorney.
Faifer recently helped a major university audit its systems to determine which university functions were covered by HIPAA, and which were covered by the Family Educational Rights and Privacy Act (FERPA) that protects student information. “There is overlap among the different privacy and security statutes (as well as some gaps), and they’re not quite sure what information they have and what to do about protecting it,” Faifer says. “There’s also a lot of state-by-state requirements for workers’ compensation information and health information, so it’s hard to keep track of what’s required.”
Across all industries, Faifer says HR needs to be involved in developing an organization’s cyber risk management function. “When it comes to sensitive personal data, HR needs to be involved and to have a stake with respect to HIPAA and the health information that they handle,” she says.
What to do
Industry professionals say that companies should identify where PHI data is hiding in their organization and take steps to lock it down.
- Know what PHI data you have. Companies should first identify the pieces of information that they own that should be considered high risk. It may be just five pieces from the HIPAA list of 18 identifiers, says Raul Ortega, a vice president at data security provider Protegrity. Companies should also develop a culture for security, Ortega says. “When you’re developing software, you have to consider security and protect data not only in greenfield apps, but you also need to go back to find that [PHI] data.”
- De-identify data through encryption or tokenization. Ortega recommends starting with the largest repositories of data and de-identify that data through encryption or tokenization, which is a non-sensitive, substitute identifier with no meaning or value. After encrypting at the repository level, work backwards to lines of business and to where the data originated.
- Involve the BI team. Companies should also know why they have this data, Sadowski says, and include it in their overall risk assessments. It also helps to get someone from the business intelligence team involved to help understand how the data is used, Ortega adds. PHI data used within lines of business can also be protected with encryption or tokenization, he adds.
- Strengthen security around data pathways between company and vendors. Data can be used for analytics or it can be shared with business partners. Make sure PHI is identified and protected when it’s moving out of the company’s systems. Develop a security shared data room online, Faifer says. Require vendors to expose privacy and security practices. “Make sure vendor contracts require them to bear the cost of a security breach, or if the organization is big enough, they can negotiate audit rights into the contract,” Faifer says.
- Monitor access to data – even by privileged users. The incidents that take the longest to detect are those being perpetrated by the organization’s trusted insiders – privileged users whose credentials were stolen by hackers, according to Verizon. Incidents that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server, particularly a database. “It’s important to limit access to PHI data only to the users that are relevant, and then monitor access to that data even by privileged users,” Sadowski says. “Just because a privileged user logs on or has access to that data, are they actually using it or treating it appropriately and not dumping it out of a database and sending it outside the company?”
Training is also important for all employees who touch PHI and sensitive personal data, both internally and for vendors who perform group health and wellness program functions, Faifer says.
“Any industry must be aware that this kind of data lives in their organization, as well as how it’s processed through its various stages of use in the organization and where it goes outside the organization,” Widup says. “Make sure it has controls in place all the way along. If they haven’t done that with this kind of data, then I can pretty much guarantee that it has been exposed someplace that they don’t know about.”