How to Protect PHI Records from Cyber Attacks

Last year was the year of the healthcare hack! In 2015, we experienced 15 of the largest healthcare data breaches and this is only the beginning.

Over 12 months, 110 million medical records of Americans (that’s about half the adult population) were compromised. What’s scary is the fact that you don’t even have to be part of the healthcare industry to have healthcare data hacked.

According to Verizon’s PHI Data Breach Report 2015, 90% of all industries experienced a breach of sensitive Protected Health Information (PHI) records (and that’s a staggering revelation). According to the findings, 392 million PHI records were disclosed from various non-healthcare related institutions. However, this total can be a lot higher as 24% of the businesses that had their PHI records breached did not share exact numbers.

Compared to the financial sector, healthcare IT (HIT) is still lagging behind and cyber criminals have taken notice. As health data is much more permanent, it also commands a premium on the black market.

PHI records are available across non-healthcare related industries as HR departments gather this information.

What’s PHI?

Protected health information can be defined as personally identifiable information about an individual that’s covered by state and federal data breach disclosure laws. Howeverб this data goes beyond just medical records.

Other components of PHI include the following:

• Biometric data
• Email addresses
• Full facial photographic images (with unique identifying characteristics)
• Retinal scans
• Vehicle license plate numbers
• Voice prints

As a result, you can say that HR departments really need to get involved and enhance their cyber risk management functions. So whether you’re using medical software or HR software, companies need to find a way to keep this data secure.

So, what can you do?

No matter what industry you’re in, you have to figure out where your PHI data is stored and identify what information can be considered to be “high risk.” Once you’ve done that, you will have to actively take steps to keep this information secure.

Develop a Culture of Security

Developing a culture of security within the organization can go a long way to keep PHI data secure. Further, when developing new software or apps, you have to keep HIPAA’s list of 18 identifiers in mind.

Encryption and Privileged Users

A good way to keep PHI data secure is to invest in enhanced encryption. With tokenization and encryption, your identifiable data can be made unidentifiable with no value or meaning. Further, data pathways between vendors and healthcare providers need to have robust security protocols.

However, encryption alone isn’t enough to keep this data secure. You still have to have a privileged few who regularly monitor access to this sensitive data. That being said, privileged users can also have their credentials stolen to hack the system, so it will be an ongoing exercise on many levels to keep PHI data secure.

The thought process here is to limit the number of people who have access to privileged PHI data and monitor access to it in real-time. By going through the user log files, you can keep tabs on who is accessing what.

When implementing cyber security strategies, companies dealing with PHI data should consider the following:

Prevention

When you’re talking about security, prevention is always better than reaction. So no matter what you’re doing, preventative security protocols must be in the forefront of your mind.

Accuracy

Minimize false positives so that your security team doesn’t waste time.

Real-Time Protection

Pinpointing an attack and responding to it needs to happen in real-time. If you don’t catch the criminal in the act, they have a chance of getting away with the data before you can secure it. However, these security protocols shouldn’t impact user experience.

Autonomous Solution

The ideal security solution should be able to operate autonomously and run independently while getting input feeds from other solutions.

If you’re involved in any way with Health IT, expect the next couple of years to be demanding. With the increasing number of IoT devices entering the market, there will be much more data to keep secure. Government regulation is pushing manufacturers to build secure devices, but that won’t be enough as hackers will somehow find a way to break in.

As a result, the biggest challenge when it comes to HIT will be to stay one step ahead of cyber criminals to prevent cyberattacks.

What steps has your organization taken to keep PHI records secure? Share your thoughts and experience in the Comments section below or send us a tweet to @Intersog!