Consumers today are more concerned about their data privacy than ever before, with 92% of Americans worried about online privacy. While consumers worry about the security of their mobile phones, email, and browsers, healthcare providers are also under increased scrutiny to keep patients’ protected health information (PHI) secure. Patient healthcare information is especially sensitive data and therefore frequently targeted by cybercriminals, but it’s also difficult to secure at scale.
HIPAA requires organizations to protect any piece of healthcare information that qualifies as protected health information. This means organizations have to follow very stringent rules for protecting this data — or risk serious financial and even criminal penalties.
Let’s take a deep dive into what, exactly, PHI is, as well as the best ways healthcare organizations can keep their PHI secure to improve patient safety and ensure compliance.
What is Protected Health Information (PHI)?
The HIPAA Privacy Rule governs protected health information, which is any snippet of health or personal information that can be used to identify a person. PHI also includes information related to someone’s mental or physical health in the past, present, or future.
The HIPAA Privacy Rule requires anyone who handles PHI to follow strict requirements for transmitting, storing, and disposing of this data. If a piece of data qualifies as PHI, patients automatically have the legal right to the privacy and security of that information. By designating certain information as PHI, HIPAA regulates what can be freely shared about patients.
Several types of businesses generate and manage PHI, including:
- Hospitals and doctor’s offices
- Insurance providers
It’s challenging to protect PHI because it’s everywhere. It’s in billing statements, x-rays, lab results, prescriptions, and even phone records. It can be printed on a form, shared verbally, or transmitted electronically (which is called electronic protected health information, or ePHI). But regardless of how it’s shared, providers must follow HIPAA standards to protect PHI.
Not all patient data counts as PHI. Data only qualifies as PHI if it fits into one of these 18 identifiers:
- Name. This also includes a patient’s initials or the names of their emergency contacts and relatives.
- Geography. Anything smaller than the state level qualifies as PHI, which includes their street, address, city, county, or ZIP code.
- Dates. This includes birth dates, dates of death, age, admission dates, and treatment dates.
- Phone number.
- Fax number.
- Email address.
- Social security number.
- Medical record numbers.
- Health plan beneficiary number.
- Account number.
- Certificate or license number. This includes driver’s license numbers.
- Vehicle identifiers, like VIN or license plate number.
- Medical device identifier.
- IP addresses.
- Biometrics, like fingerprints.
- Full facial photographs.
- Any other unique identifying characteristic.
While it’s best to err on the side of caution and assume that all patient information is PHI, there are some exceptions. Data is only PHI if it can be tied directly to a patient. For example, vital signs without identifying information don’t count as PHI. If you aggregate and anonymize data, it’s possible to share healthcare information without HIPAA compliance concerns because it’s no longer personally identifiable.
Why Providers Must Protect PHI
For data that is classified as PHI, protecting it is crucial for maintaining compliance. More importantly, criminals can cause significant damage with PHI if they manage to steal it, including serious risks to patient safety.
It’s also incredibly lucrative, with healthcare data selling for $250 to $1,000 or more per record on the black market. Since cyberattacks targeting healthcare organizations can compromise millions of patient records in a single breach, attackers can make a substantial sum of money from a single attack. Social Security numbers, on the other hand, sell for about $1 each, and credit card numbers for about $5 each on the dark web.
Stolen patient data can lead to so many problems, including:
- Identity theft
- Delayed or faulty treatment
- Prescription drug abuse
- Financial fraud
If healthcare organizations fail to protect patient information, it can lead to devastating financial consequences for the organization and the patients. Most importantly, it can lead to poorer patient health outcomes. Since the stakes are so high, it’s the providers’ duty to protect patient PHI.
PHI vs. ePHI
Originally created in 1996, HIPAA existed long before the age of high-speed internet access, cloud computing, and ubiquitous smartphones. In the 90s, providers still transmitted PHI via fax, paper forms, and even snail mail. However, thanks to digital devices, today’s providers can transmit more patient data in less time.
Digitized PHI, which is called electronic protected health information (ePHI), is any form of PHI that’s received, sent, or stored electronically. This includes data in online patient records, applications, PDFs, emails, medical devices, flash drives, and any other electronic format. The standards for PHI and ePHi are the same — the only difference is the medium providers use to store and transmit the data.
Digital tools make healthcare more convenient, but they’re a double-edged sword. Because it’s in a digital format and stored and shared in company networks and on the internet, ePHI is more vulnerable to theft in the form of cyberattacks. While you can lock PHI documents in a file cabinet, securing ePHI is much more difficult, especially for large hospitals and distributed healthcare organizations.
Because ePHI can be accessed, modified, and stolen in different ways, HIPAA requires you to have robust cybersecurity measures to protect digital patient information. In fact, HIPAA extended its Security Rule to require physical, administrative, and technical safeguards for ePHI.
In an age where savvy cybercriminals can steal ePHI with a few keystrokes and a continued shift towards decentralized healthcare delivery and data-driven healthcare, healthcare organizations need to create a separate strategy for ePHI protection with their cybersecurity team. As healthcare providers digitize patient care and share it among providers, patients, organizations, and other entities involved in the care continuum even more, securely sharing ePHI is the next frontier of healthcare compliance.
How to Protect PHI
As a healthcare organization, HIPAA requires you to follow common sense procedures to prevent PHI from leaving your business — either by accident or by an attack. While every organization’s PHI protections will differ, these ten best practices are a must for securing patient data.
1. Train Employees
HIPAA requires you to train employees on both HIPAA policies and cybersecurity best practices. However, HIPAA only states two situations when you’re required to train employees:
- They’re new to your business
- There are updates or changes to HIPAA
That means employees potentially could go long stretches of time without any HIPAA training. However, 45 CFR § 164.530(b)(1) (the portion of the HIPAA Privacy Rule addressing training) also states, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate [emphasis added] for the members of the workforce to carry out their functions within the covered entity.”
The portion of the HIPAA Security Rule addressing administrative safeguards, 45 CFR 164.308, also includes a security awareness training standard, which states, “Implement a security awareness and training program for all members of its workforce (including management).” It does not elaborate further on the required frequency of training.
In other words, covered entities are responsible for ensuring that their workforce continuously understands the HIPAA regulations, the organization’s policies and procedures, and best practices for protecting PHI. If you don’t address PHI compliance frequently, compliance won’t be top of mind for your employees, which puts your organization and your patients at risk.
This is why it’s best to train your team on a regular schedule. At a minimum, the best practice is to train all employees on HIPAA annually, with twice-yearly security awareness training. However, more frequent, less time-intensive training is increasingly imperative to keep cybersecurity top of mind among your workforce. Implement a monthly mandatory training session where you share the latest cybersecurity threats and remind your team about PHI requirements.
2. Implement Access Controls
Only authorized parties should have access to patient records. This means that neither hackers nor unauthorized employees should be able to touch your patients’ PHI. For example, a nurse in a completely separate unit doesn’t need access to the records of a patient that isn’t in their care.
As a rule, only grant access to PHI on a need-to-know basis, which is known as the HIPAA Minimum Necessary Rule (also sometimes called the HIPAA Minimum Necessary Standard or the principle of least privilege). This decreases the likelihood of accidental disclosure because you’ve limited how many people have access to a patient’s data.
You should also forbid password sharing among employees. Everyone needs a strong, unique password for all systems. This way, if an attacker does steal an employee’s credentials, you can spot the source of the problem more quickly. And if you limit employee access to patient files, an attacker shouldn’t be able to access all your PHI with a single compromised login easily. That said, once they gain access to your network, they can continue to navigate your systems and exploit vulnerabilities along the way.
3. Manage Third-party Vendors
If you hire outside vendors to help you manage patient PHI, those vendors must follow HIPAA PHI requirements. HIPAA requires you to enter into a business associate agreement (BAA) with any vendor that has access to your PHI. This makes the vendor liable for security breaches, but a BAA alone isn’t enough to lock down PHI.
Thoroughly vet your third-party vendors’ cybersecurity practices. You might take PHI protections seriously, but your vendors need to do the same. Whether you outsource IT, legal, or accounting, any party with access to PHI needs proper vetting.
You should also minimize vendor access to PHI: after all, does accounting really need a patient’s full medical record to invoice them or process credit card payments?
4. Back Up Your Data
HIPAA requires you to back up all PHI, but this is also a cybersecurity best practice. This way, if an attacker holds your data for ransom, you can restore your systems from your backup and avoid business disruption that can pose substantial risks to patient safety.
Be sure to back up your data securely, both in the cloud and offline on hard drives. If you work with a third-party vendor for cloud storage or other related services, make sure you choose a HIPAA-compliant backup partner. This way, you have multiple backups in place in case the worst happens. Lastly, store your backups in different locations so you don’t keep all of your eggs in one basket.
5. Protect Printed Records
Organizations focus so much on ePHI that they forget printed PHI needs protection too. Both PHI and ePHI require physical controls; strangers shouldn’t be able to walk into your building and access PHI or ePHI.
For starters, implement physical security measures to protect printed records, such as:
- Keycard locks
- Locking file cabinets
- Security guards
- Locked desktop computers
You should also train your employees on how to handle printed forms. This includes:
- Printing only forms and documents that are necessary.
- Implementing password-protected printing.
- Reporting any missing forms immediately.
- Never leaving printed PHI unattended, even for a moment.
- Covering charts.
- Immediately retrieving documents from the printer.
6. Protect Verbal PHI
Verbal PHI disclosures are also a potential HIPAA violation in the making, so create measures to protect patient data when it’s shared aloud. Even if employees are speaking to each other about sensitive patient information, other people could listen in on the conversation and learn a lot of private information.
To protect verbal PHI, your team should follow these guidelines:
- No sensitive conversations around other patients or in public areas.
- Never disclosing more PHI than what’s necessary to treat the patient.
- Speaking in private spaces and in low voices.
- Taking phone conversations discussing PHI in a private room or office.
7. Secure Mobile Devices
Tablets and smartphones are a fixture in modern healthcare, but organizations frequently forget that these endpoints need protection too. You can still use mobile devices to improve the speed and quality of patient care, but you’ll need to take measures to protect PHI, which include:
- Implementing two-factor authentication on all mobile devices, especially if they store data in the cloud. This includes passwords, PINs, and biometrics like facial recognition or fingerprints.
- Enabling remote wiping in the event of device theft or loss.
- Encrypting all mobile devices.
- Creating a secure Wi-Fi network just for mobile devices.
- Using mobile device management (MDM) software to monitor your devices and network at scale.
8. Update Software and Firmware
Regardless of the devices or software you use, you’ll need to update and patch them over time. Sometimes this is for performance reasons, but it’s often for security reasons too. Software providers add patches to known threats in their updates, but without the latest updates, your systems will be blind to these vulnerabilities and the latest tricks attackers use to steal PHI.
Ask your IT department to create an updated schedule for all of your devices. This includes both desktops and mobile devices as well as:
- Patient monitoring devices such as blood pressure monitors
- IoT devices such as wearable devices
- Implantable medical devices such as pacemakers and insulin pumps
- Other medical devices
- Fax machines
Any device that is connected to a network or has the capability to connect to a network (even if it’s not currently connected) should be updated regularly. Ideally, your IT team should roll out these updates automatically. If that isn’t possible, use an asset management solution to keep track of your manual updates.
9. Encrypt PHI
At no time should you ever store unencrypted patient data in your business. HIPAA requires you to encrypt PHI both at rest and in transit (i.e., when you move data between different devices or systems).
If an attacker gains access to encrypted PHI, they won’t be able to use it. Encryption masks the true content of the stolen data, and renders it as uninterpretable gibberish to an attacker. That can make the difference between safety and identity theft for your patients, so encryption is always a must.
10. Conduct Risk Assessments
HIPAA requires you to conduct risk assessments, but they’re a great way to help you locate and secure your PHI too. Regular risk assessments help you understand your business’s true level of risk. While you can’t eliminate all risks, you can certainly minimize them, and the first step is awareness.
Conducting risk assessments on a quarterly or biannual basis will help you to understand your true security posture. During the audit, your team will identify the biggest issues and make a plan to fix them. This makes it much less likely that your organization will lose PHI because of an unknown vulnerability.
Greater Visibility is Crucial for Securing PHI
There are no excuses for failing to protect PHI. HIPAA breaches and fines are on the rise, so organizations need all the help they can to stay compliant. These ten best practices will help you stay compliant, but your hospital still might need more hands-on help.
The challenge facing healthcare organizations today is that it’s increasingly necessary to share sensitive PHI among providers, patients, and other entities to streamline patient care delivery, improve the quality of care, ensure patient safety, and improve patient outcomes. However, sharing PHI inherently introduces additional risk.
Today’s healthcare organizations need to be able to share data securely, but to do so, they must first know what PHI exists and where it’s located throughout their networks. Tausight’s ePHI security intelligence platform provides a consolidated, real-time view into all protected health information — both structured and unstructured — and analyzes PHI activity and risk in your data center and across all endpoints in the healthcare continuum. Contact us today to learn how Tausight can help you gain PHI awareness and reduce your risk.