How to Safely Manage Personal Health Information
Personal health information (PHI), also referred to as protected health information, generally refers to medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Under the HIPAA Act of 1996, healthcare professionals, insurance companies and similar entities may share only very limited patient health information with other organisations, and all information that is shared will be in electronic format only.
Partners and business associates of healthcare providers that sign HIPAA or PHI-related agreements must ensure the protection of PHI data, as they are legally bound to handle patient data according to the rules and regulations. The rules were originally limited to paper records, but with technological advancement they have been extended to the various forms of electronic media, and any information that companies want to solicit requires approval from the patients. Organisations are also subject to audits to ensure that the prescribed processes have been followed with regard to PHI.
Despite the regulations and stringent processes, data breaches have plagued the healthcare industry, and the "potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually," one study noted.
Patient data has been stolen by cyber thieves, who generally attack while a user is logging into a system, making a billing payment, or renewing health insurance. Personal information, social security numbers and credit card details are the targets of these thieves.
A further risk arising from mobile technology is that more patients will access their records electronically, and medical staff will use a growing number of services delivered through mobile platforms.
Common PHI data breaches
The Internet of Things is another growing threat to PHI, as more and more devices connect to the internet via Wi-Fi, sensors and other means. Improper disposal of data also contributes to the loss of PHI.
Other threats include:
- Unregulated mobile devices in the workplace.
- Theft of devices and instruments containing critical patient information.
- Malware in hospital devices or networks.
Recent data collected in the USA showed that over 100 million people were affected by healthcare data breaches in 2015.
Anthem’s 78 million-person data breach was caused by a compromised database administrator (DBA) account. A malicious outsider used the DBA’s user credentials. Once hijacked, the malicious outsider’s access appeared normal since the DBA had privileged access. It is imperative healthcare organizations step up their efforts in educating their users on data security best practices and safe actions.
How should organisations ensure PHI data protection?
Given that the risk to PHI data is high and the impact on organisations includes legal and financial consequences, the following are some practices that organisations dealing with protected health information can adopt:
- Ensure proper PHI inventory is being maintained.
- Follow a stringent access policy for PHI data: people within and outside the organisation should be granted access only on a "need to know" basis.
- Ensure data classification and data sensitivity layers are created.
- Monitor ePHI at both the transmitting and receiving ends, so that data is not compromised in transit.
- Ensure that audits are carried out regularly and that any findings are addressed with immediate action plans.
- Conduct training on PHI security and data violations, and highlight the potential impact on the organisation.
- Encrypt and mask data while it is being transmitted.
- Use proper disposal process to ensure that critical client data is not being compromised during the disposal process: e.g. Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company.
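To show how the "need to know" access policy, the data sensitivity layers and masking in the list above fit together, here is a small Python illustration added to this article (not code from the original author); the field classification table, the roles and the patient record are constructed assumptions, and restricted-field reads are recorded for the audits the list also calls for.

```python
"""Classification-driven PHI access: need-to-know in clear, everything else masked and audited."""
from datetime import datetime, timezone

# Constructed data-sensitivity layers: each PHI field is assigned a level.
# Unknown fields are treated as "restricted" so a new column fails closed.
CLASSIFICATION = {
    "name": "internal",
    "date_of_birth": "internal",
    "ssn": "restricted",
    "insurance_id": "restricted",
    "lab_results": "restricted",
}

# Constructed need-to-know matrix: role -> restricted fields it may read in clear.
# A role absent from the table gets no restricted fields at all (default deny).
NEED_TO_KNOW = {
    "attending_physician": {"lab_results"},
    "billing_clerk": {"insurance_id"},
    "front_desk": set(),
}


def mask(value: str) -> str:
    """Replace all but the last four characters so a record stays recognisable."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def read_record(record: dict, role: str, audit: list) -> dict:
    """Return the view of `record` that `role` may see; log every restricted-field access."""
    allowed = NEED_TO_KNOW.get(role, set())
    view = {}
    for name, value in record.items():
        level = CLASSIFICATION.get(name, "restricted")
        if level == "restricted" and name not in allowed:
            view[name] = mask(str(value))
            outcome = "masked"
        else:
            view[name] = value
            outcome = "clear"
        if level == "restricted":
            audit.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "role": role, "field": name, "outcome": outcome,
            })
    return view
```

Reviewing the audit list for roles that repeatedly obtain "clear" outcomes on fields outside their usual duties is one simple input to the regular audits described above.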
How will IT vendors manage PHI data concerns?
Given that PHI data breaches have huge contractual and financial impacts, many IT organisations have started taking steps to ensure that patient data is protected. IT vendors have also started investing in processes and tools to ensure that client data is not breached, and this is earning them goodwill.
With the growth of mobile, cloud and wearable devices, the healthcare industry will see a rise in PHI breaches and will continue to see attacks because of the increased volume of PHI data. The healthcare industry, service providers, security organisations and IT vendors all have to work closely together to mitigate this risk with tight processes and tools that keep PHI data from being compromised.
Financial losses, legal damages and contractual violations resulting from PHI data breaches can have a huge impact on the organisations that suffer them. To avoid such situations, leading organisations have started investing in processes, security-related applications and tools that have helped to minimise and mitigate the losses caused by these breaches.
(About the author: Ramakrishnan Balasubramaniam is an analyst at Capgemini).