The Proliferation of PHI: Securing Patient Data in the Digital Era

August 30, 2018 Christina Lembo

The reach of technological innovation continues to expand in healthcare. New and emerging technologies are solving big industry challenges: improving patient access, lowering wait times, securing patient information, increasing interoperability, improving revenue for health systems, lowering costs, and producing better patient outcomes. While these technologies are paving a path toward better patient care, they have also expanded PHI's footprint. That makes securing patient data more important, and more difficult, than ever.

Healthcare privacy and security teams face the challenge of securing PHI across a multitude of systems rather than in just one. This makes it harder to maintain compliance as the industry continues to adopt new tools. Here are several considerations privacy and security professionals should keep in mind as they build their strategy for securing patient information.

New and Emerging Technologies in Healthcare

New and emerging technologies in healthcare have taken a variety of forms. Below are the top five technological advancements seen in healthcare over the past decade:

  • #1. The Electronic Health Record (EHR): EHRs provide reliable access to a patient's health information, creating a comprehensive picture that can help providers diagnose patients' problems sooner. In 2009, only 16 percent of care providers were using an EHR; by 2017, over 67 percent of providers reported using an EHR.
  • #2. Mobile Health (mHealth): mHealth integrates mobile technology and healthcare with smartphone-connected medical devices and paid mHealth applications. mHealth has largely replaced traditional pagers and desktops in large hospital facilities; the mHealth technology market is projected to grow by 33 percent, to $60 billion, by 2020.
  • #3. Telehealth: Telehealth helps enhance the delivery and support of healthcare, public health, and health education through telecommunication technologies. This offers expanded access to care, improved clinical workflows, and better communication along the care continuum. Over 96 percent of employers plan to make telehealth available to their employees in 2018.
  • #4. Sensors and Wearable Technology: Wearable technologies make it possible to collect patient data like vitals and lifestyle information to submit to providers in real time. Benefits include more accurate data analysis, and therefore more timely interventions. Wearable technology is slated to grow to 210 million devices worth over $30 billion in 2018.
  • #5. Portal Technology: Patient portals are websites connected to an EHR, focused on improving patient access to health data. They give patients visibility into information like lab results, physicians' notes, and immunizations. Portal technology has been shown to increase patient engagement and adherence to treatment plans. Patient portal adoption tops 90 percent in 2018.

In the next decade and beyond, emerging technologies such as artificial intelligence, genomics, blockchain, and synthetic biology will further contribute to healthcare innovation – and further expand the PHI footprint.

What is Considered PHI, and Where is It?

As healthcare harnesses these advanced technologies, PHI has become widely dispersed and is accessed by a large and varied population of care workers. This makes it difficult for covered entities and business associates to properly secure PHI and meet their compliance obligations. Under the HIPAA Security Rule, every application that stores, processes, or transmits electronic PHI (ePHI) is in scope.

PHI is health information that can be tied to an individual and is used for healthcare purposes (treatment, payment, or operations). The identifiers that make health information identifiable, and therefore PHI, include:

  • Phone numbers
  • Vehicle identifiers
  • URLs
  • Geographic subdivisions
  • Full face pictures
  • Medical record numbers
  • Account numbers
  • Biometric identifiers
  • Names
  • Dates related to an individual
  • Email addresses
  • Health plan beneficiary numbers
  • Social Security Numbers

In today’s digital era, PHI may be stored, recorded, or transmitted in a variety of places, including:

  • Electronic medical records (EMRs)
  • Cloud applications
  • Shared network drives
  • Email
  • Spreadsheets (such as Excel documents)
  • Mobile devices
  • Wearable technology
  • Internet of things (IoT) devices

Healthcare organizations now have a vast web of patient data to protect. This has placed more responsibility on privacy and security teams to expand and bolster their strategies for securing PHI, often without the ability to expand their teams or resources.

New and Existing Threats Challenging Healthcare Privacy and Security

A larger PHI footprint creates a larger attack surface that can be exploited by insider threats and outside attackers alike. Cybersecurity was once approached as a castle-and-moat model, focused solely on thwarting outside attackers and adversaries. As technology has evolved, insiders have become just as much of a threat to patient data, if not more: 58 percent of security incidents involving PHI are caused by insiders, according to the Verizon Protected Health Information Data Breach Report. Threats to patient data now include:

Privacy and security teams must secure PHI against these threats while also handling their existing workload of patient complaints and inquiries.

Securing patient data will continue to be a challenge as new technologies, systems, and employees spread PHI further. Care providers can take a multi-layered, strategic approach that combines technology with a human approach to data privacy and security.

Healthcare Systems Increase Cybersecurity in 2018

So how can healthcare systems protect patient information in an era of advanced threats and widespread PHI? It takes a proactive and creative approach to data privacy and security. Here are five steps organizations can take to bolster their privacy and security programs:

#1. Conduct a risk analysis

Conduct a risk analysis of all systems holding PHI to identify exactly where PHI is located. A good risk analysis inventories where ePHI is stored and prioritizes the systems holding it (for example, by the volume of records and the likelihood and impact of a compromise). Under the HIPAA Security Rule, every application containing ePHI is in scope. By identifying all systems and applications containing ePHI, you can monitor patient information more effectively.
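As an added illustration (example code, not from the article or any product it mentions), the following Python script scans constructed sample documents for several of the identifiers listed earlier, builds an inventory of which sources contain ePHI, and orders them for review. The file names, sample contents, and the "MRN-" plus seven digits medical record number format are assumptions; the SSN plausibility check uses the SSA's published never-issued ranges to cut false positives.

```python
"""Locate and prioritize ePHI across text sources (added example).

Assumptions (not from the article): documents are plain text, and the
MRN format 'MRN-' + 7 digits is a hypothetical local convention.
"""
import re
from collections import Counter

# Patterns for a few of the HIPAA identifiers. SSN, phone, email and date are
# generic; the MRN pattern is an assumed local format.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}(?!\d)"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),  # hypothetical local MRN format
}


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666 or 9xx; group 00;
    serial 0000) so arbitrary dashed numbers are not counted as SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def count_identifiers(text: str) -> Counter:
    """Count identifier hits of each type in one document."""
    counts = Counter()
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "ssn" and not plausible_ssn(*match.groups()):
                continue
            counts[kind] += 1
    return counts


def scan_sources(sources: dict) -> dict:
    """Map each source (file, mailbox, export) to its identifier counts,
    dropping sources with no hits."""
    inventory = {}
    for name, text in sources.items():
        counts = count_identifiers(text)
        if counts:
            inventory[name] = counts
    return inventory


def prioritize(inventory: dict) -> list:
    """Order sources for the risk analysis: most identifier hits first, so the
    largest concentrations of ePHI are reviewed and protected first."""
    rows = ((name, sum(c.values()), sorted(c)) for name, c in inventory.items())
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample sources (not real data) standing in for a shared drive,
# a mailbox, a cloud export and an IT inventory file.
SAMPLE_SOURCES = {
    "shared_drive/billing/claims_2018.txt": (
        "Jane Roe MRN-0042117 DOB 03/14/1985 SSN 123-45-6789 tel (555) 201-3344\n"
        "John Doe MRN-0042118 DOB 11/02/1970 SSN 987-65-4321 tel 555-201-3345\n"
    ),
    "email/inbox/fwd_referral.txt": (
        "Please see the attached referral for j.roe@example.org, call 555.201.3344.\n"
    ),
    "cloud/crm/export.csv": "name,plan\nJane Roe,Plan 000-00-0000\n",  # not a valid SSN
    "shared_drive/it/server_inventory.txt": "web01 10.0.0.12 build 2018-08-30\n",
}

if __name__ == "__main__":
    for name, total, kinds in prioritize(scan_sources(SAMPLE_SOURCES)):
        print(f"{total:3d} hits  {name}  ({', '.join(kinds)})")
```

In the sample, the billing file ranks first (two MRNs, two dates, one valid SSN and two phone numbers), the forwarded email ranks second, and the CRM export and server inventory are dropped because their only dashed numbers are not plausible SSNs. In a real scan the text would come from a crawler over the shared drives, mailboxes and cloud exports the risk analysis identified.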

#2. Strengthen identities and monitor

26 percent of users within an EHR are "unknown" or poorly identified. Identify every user in your applications so that monitoring is accurate; an audit record that cannot be tied to a real person cannot be investigated. Once users are identified, you can monitor insiders with access to PHI to detect and prevent breaches. Monitoring lets healthcare organizations apply behavioral analytics to the information in audit logs, protecting mission-critical applications and systems. Since 58 percent of security incidents are caused by insiders, it is especially important to monitor user activity within EHRs and cloud applications to detect suspicious or unusual behavior. The sooner a breach or security incident is spotted, the sooner it can be contained and mitigated, which matters because the average time to detect a data breach is 206 days.
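To show what "behavioral analytics on audit logs" looks like in practice, here is an added Python example (not the article's code, and not any product's detection logic) that runs four checks over a constructed EHR access log: accounts missing from the user directory, users viewing charts of patients who share their surname, daytime-only roles accessing records after hours, and users whose volume of distinct patient records is far above their role's median. The log format, the user directory, the role names, and the thresholds are assumptions.

```python
"""Behavioral checks over an EHR audit log (added example, not from the article).

Assumed log format (CSV): timestamp,user_id,patient_mrn,patient_last_name,action
"""
import csv
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed user directory (hypothetical). Mapping an account to a person and
# role is what turns an audit record into something an investigator can act on.
USER_DIRECTORY = {
    "u1001": {"last_name": "Nguyen", "role": "nurse"},
    "u1002": {"last_name": "Patel", "role": "nurse"},
    "u1003": {"last_name": "Okafor", "role": "nurse"},
    "u2001": {"last_name": "Smith", "role": "billing"},
}

# Roles assumed to work business hours only; clinical roles are on shift 24/7.
DAYTIME_ONLY_ROLES = {"billing", "registration"}

# Constructed audit log lines (not real data).
SAMPLE_LOG = [
    "2018-08-30T08:05:00,u1001,MRN-0000101,Garcia,view",
    "2018-08-30T08:20:00,u1001,MRN-0000102,Lee,view",
    "2018-08-30T09:10:00,u1001,MRN-0000103,Brown,update",
    "2018-08-30T08:15:00,u1002,MRN-0000104,Kim,view",
    "2018-08-30T10:40:00,u1002,MRN-0000105,Jones,view",
    "2018-08-30T11:00:00,u1002,MRN-0000106,Davis,view",
    "2018-08-30T14:30:00,u2001,MRN-0000107,Smith,view",       # same surname as patient
    "2018-08-30T23:45:00,u2001,MRN-0000108,Wilson,view",      # billing user after hours
    "2018-08-30T12:00:00,svc_import,MRN-0000109,Clark,view",  # account not in directory
]
# Nurse u1003 opens far more charts than peers (constructed spike).
SAMPLE_LOG += [f"2018-08-30T13:{m:02d}:00,u1003,MRN-00002{m:02d},Taylor,view" for m in range(12)]


def parse_log(lines):
    """Parse CSV audit lines into event dicts with a real datetime."""
    events = []
    for ts, user, mrn, last_name, action in csv.reader(lines):
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "mrn": mrn,
                       "patient_last_name": last_name, "action": action})
    return events


def find_unknown_users(events, directory):
    """Accounts that produced audit records but cannot be tied to a person."""
    return sorted({e["user"] for e in events if e["user"] not in directory})


def find_surname_matches(events, directory):
    """Possible self or family snooping: user surname equals patient surname."""
    hits = []
    for e in events:
        who = directory.get(e["user"])
        if who and who["last_name"].lower() == e["patient_last_name"].lower():
            hits.append((e["user"], e["mrn"]))
    return hits


def find_after_hours(events, directory, start=7, end=19):
    """Daytime-only roles touching records outside [start, end) local hours."""
    hits = []
    for e in events:
        who = directory.get(e["user"])
        if who and who["role"] in DAYTIME_ONLY_ROLES and not (start <= e["ts"].hour < end):
            hits.append((e["user"], e["ts"].isoformat()))
    return hits


def find_volume_outliers(events, directory, factor=3.0, floor=5):
    """Users whose count of distinct patient records is at least `factor` times
    the median of peers in the same role (and at least `floor`, so small numbers
    are never flagged)."""
    per_user = defaultdict(set)
    for e in events:
        if e["user"] in directory:
            per_user[e["user"]].add(e["mrn"])
    by_role = defaultdict(list)
    for user, mrns in per_user.items():
        by_role[directory[user]["role"]].append((user, len(mrns)))
    hits = []
    for role, rows in by_role.items():
        median = statistics.median([n for _, n in rows])
        hits.extend((user, n, median) for user, n in rows if n >= floor and n >= factor * median)
    return hits


def run_all(lines, directory):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(lines)
    return {
        "unknown_users": find_unknown_users(events, directory),
        "surname_matches": find_surname_matches(events, directory),
        "after_hours": find_after_hours(events, directory),
        "volume_outliers": find_volume_outliers(events, directory),
    }

if __name__ == "__main__":
    for check, findings in run_all(SAMPLE_LOG, USER_DIRECTORY).items():
        print(f"{check}: {findings}")
```

On the sample log the checks surface the `svc_import` account (the "unknown user" problem from the paragraph above), the billing user viewing a patient who shares their surname and again at 23:45, and nurse `u1003`, who opened twelve charts against a peer median of three. Peer-relative baselines of this kind hold up better than fixed thresholds because a trauma nurse and a billing clerk have very different normal volumes.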

#3. Use tools that integrate with other applications

When choosing security or monitoring tools, choose scalable tools that monitor accurately and that integrate with your other tools and applications, so that the privacy program is cohesive rather than a set of isolated consoles. That way you can monitor and protect every connected application that touches or contains PHI (as the HIPAA Security Rule requires), and your security program scales as you continue to adopt cloud applications and other technologies.

#4. Perform an access rights management review

Users should be granted only the permissions necessary to perform their job role, the "principle of least privilege." Organizations can tailor privileges per user and per application. For example, an employee who needs read/write access to a particular file system does not need root (administrator) privileges on that host. Granting unnecessary privileges increases your organization's risk, because any compromise or misuse of an account inherits every privilege the account holds.
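As an added example of what an access rights review can look like in code (not the article's method or any product's), the following Python compares the entitlements currently granted in each application against a per-role baseline of what that role actually needs, reports every excess permission, and produces the clipped, least-privilege grant set. The role baseline, application names, user names and current grants are all constructed for the example.

```python
"""Access rights review against a least-privilege baseline (added example)."""

# Assumed role baseline: the most each role legitimately needs in each application.
# An application missing from a role's entry means the role needs no access at all.
ROLE_BASELINE = {
    "nurse": {"ehr": {"read", "write"}, "fileshare": {"read", "write"}},
    "billing": {"ehr": {"read"}, "billing_app": {"read", "write"}},
    "sysadmin": {"fileshare": {"read", "write", "admin"}, "ehr": {"admin"}},
}

# Constructed current entitlements, as exported from each application:
# (user, role, application, permissions actually granted)
CURRENT_GRANTS = [
    ("alice", "nurse", "ehr", {"read", "write"}),
    ("alice", "nurse", "fileshare", {"read", "write", "admin"}),  # admin is excess
    ("bob", "billing", "ehr", {"read", "write"}),                 # write is excess
    ("bob", "billing", "billing_app", {"read", "write"}),
    ("bob", "billing", "fileshare", {"read"}),                    # role needs no fileshare
    ("carol", "sysadmin", "fileshare", {"read", "write", "admin"}),
    ("dave", "contractor", "ehr", {"read"}),                      # role has no baseline
]


def allowed_for(role, app, baseline):
    """Permissions the baseline allows a role in an application (empty if none)."""
    return baseline.get(role, {}).get(app, set())


def review_grants(grants, baseline):
    """Excess entitlements: (user, app, sorted permissions beyond the role baseline).
    A role absent from the baseline has no approved access, so all of its
    permissions are reported."""
    findings = []
    for user, role, app, perms in grants:
        excess = perms - allowed_for(role, app, baseline)
        if excess:
            findings.append((user, app, sorted(excess)))
    return findings


def least_privilege_grants(grants, baseline):
    """The corrected grant set: each grant clipped to its role baseline, with
    grants for applications the role has no business in dropped entirely."""
    fixed = []
    for user, role, app, perms in grants:
        kept = perms & allowed_for(role, app, baseline)
        if kept:
            fixed.append((user, role, app, kept))
    return fixed


def is_permitted(user, app, perm, grants):
    """Enforcement-side check against a grant set: does this user hold this
    permission in this application?"""
    return any(u == user and a == app and perm in p for u, _, a, p in grants)

if __name__ == "__main__":
    for user, app, excess in review_grants(CURRENT_GRANTS, ROLE_BASELINE):
        print(f"REVIEW {user:6s} {app:12s} remove: {', '.join(excess)}")
    clipped = least_privilege_grants(CURRENT_GRANTS, ROLE_BASELINE)
    print("alice admin on fileshare after review:", is_permitted("alice", "fileshare", "admin", clipped))
```

The review flags alice's admin right on the file share (the read/write versus root case from the paragraph above), bob's write access to the EHR and his file share account, and dave, whose "contractor" role has no approved baseline at all. After clipping, those rights are gone and the enforcement check returns false for them. In a real program the baseline would be owned by the application and HR owners, and the review output would drive tickets rather than be applied blindly.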

#5. Tackle the Cybersecurity Skills Shortage with Managed Security/Privacy Services

Privacy and security teams are faced with the challenge of responding to patient complaints and inquiries in addition to securing data against the growing threats of drug diversion, cybersecurity attacks, insider threats, fraud, and more. Industry challenges such as staff turnover, scale, budget, and complex workflows also make hiring and retaining cybersecurity staff difficult. Privacy and security teams can reduce their workload by enlisting a managed services provider; in many cases managed services can reduce workload by up to 80 percent, so that teams can focus on the more strategic aspects of their privacy and security program.

Looking forward, emerging tools and technologies will continue to create new workflows and new places in which PHI is processed, handled, and stored. Care providers need to build a foundation of data privacy and security, with the help of technology and managed services, so they can scale their initiatives and focus on the strategic aspects of their program. In doing so, they can better secure patient information and foster trust between patient and provider.

Learn how care providers are using Patient Privacy Intelligence to mitigate risk regarding drug diversion, cybersecurity attacks, insider threats, and more.
