(Ghostwritten for Cristina Pop)
Protected health information (PHI) is a specific type of personally identifiable information (PII) that relates to medical records as well as any past, present, or future information about an individual’s physical or mental health. This specific type of PII is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is a federal law that protects sensitive patient health information from being exposed without their consent or knowledge.
Who and what is affected by HIPAA?
The types of PHI covered by HIPAA include several kinds of sensitive data: personal information that identifies the individual, such as names, social security numbers, and telephone numbers; specific medical information such as medical IDs and medical records; and related financial information, such as payment card industry (PCI) data like credit card numbers.
All institutions and businesses in the United States that create, process, store, transmit, or even touch PHI are obliged to comply with the regulations of HIPAA and undergo regular audits. This includes healthcare providers, health plans, healthcare clearinghouses, but also any business associates, for example, those involved in claims processing, billing, or data analysis. Therefore, HIPAA applies to many organizations that are not directly considered a part of healthcare.
The HIPAA law permits disclosure of PHI without patient permission only in particular cases, such as for the purpose of treatment, payment, research (limited dataset), or public interest. Due to such strong restrictions and wide reach, PHI is one of the types of PII that needs to be safeguarded the most. And due to the fact that nowadays, most information is stored not as paper records but rather in electronic form, it’s electronic PHI (ePHI) that is the primary focus of HIPAA.
Note that while HIPAA is a law that applies only to the United States, there are relevant regulatory requirements covering the same type of data in other regions as well, for example, Europe’s General Data Protection Regulation (GDPR).
The dire consequences of HIPAA violations
HIPAA violation penalties apply to both individuals and organizations. They can be civil violations ranging from $100 to $25,000 (for multiple cases of abuse) or criminal violations ranging from $50,000 to a maximum of $250,000, along with restitution paid to victims and likely jail time. These numbers are just the tip of the iceberg because a breach also imposes huge costs of remediation and potential business loss. In 2021, the average cost of a HIPAA-related data breach was deemed to be $9.42 million.
Therefore, protecting PHI from theft and leakage is an absolute priority for any institution affected by HIPAA, both for the safety of the institution itself and for its employees. Most businesses that deal with personal data of any kind should check whether they are required to comply with HIPAA.
DLP helps protect PHI under HIPAA and more
One of HIPAA's rules is the Security Rule. It lists the safeguards for confidentiality, integrity, and availability of PHI. Organizations that are affected by HIPAA must, for example, protect against reasonably anticipated, impermissible uses or disclosures of PHI. One of the best ways to protect electronic PHI against such impermissible uses or disclosures is a data loss prevention (DLP) solution.
DLP solutions such as Endpoint Protector help organizations secure PHI in ways that no other software or systematic solutions can. While DLP should be a part of a comprehensive security policy that includes other types of tools preventing, for example, unintended access to PHI via web vulnerabilities or malicious software, any security system that lacks a DLP solution is leaving a huge gap in data security.
Here are four primary use cases when DLP solutions are the only type of solution able to meet The Security Rule of HIPAA.
1. Preventing accidental exposure of PHI over insecure channels
Organizations affected by HIPAA allow some of their employees to have access to patients' sensitive information. A simple example is a customer-support employee who uses an online chat system connected to Facebook Messenger to reply to individual queries in real time. A patient could request some information about themselves, and the employee could make the mistake of providing patient data without checking the identity of the person making the query. This could be a breach of HIPAA.
Professional DLP software prevents such cases in several ways. First of all, it helps the employee identify data that is considered PII (automatic data classification). Second of all, it would prevent the employee from copying and pasting such data using the operating system’s functions into any kind of insecure channels such as Facebook Messenger, Microsoft Outlook, or even a local chat system or a webinar tool. This helps safeguard both the employee who could be making a simple mistake as well as the organization itself and, most importantly, the patient.
2. Avoiding loss of PHI during insecure transport
While most high-tech organizations transmit data between systems and locations using secure electronic channels and networks, many healthcare systems are stuck in the old ways, using software from many years ago and systems that are not interconnected in any way. Therefore, it is quite common in healthcare for data to be transmitted by outdated means, such as copying it onto a pen drive and physically carrying it to another system. If such workflows contain PHI and are not secured (encrypted and password-protected), they represent a HIPAA breach.
This is another area where DLP security solutions help healthcare organizations maintain HIPAA compliance. DLP policies may make it impossible to copy automatically classified PHI onto external media or may enforce the encryption of such information. Either way, this prevents accidental data leaks, such as the famous incident in Japan.
3. Reducing the risk of PHI theft by criminal organizations
To an average individual, it is hardly apparent how extensive and dangerous cybercriminal organizations are nowadays. Since they operate without physical presence or consequences, and malicious hacking is beyond the understanding of most people, we tend to dismiss the danger that they pose. And these organizations make their money by stealing not things but data.
PHI is one of the tastiest treats for a criminal organization. They can sell it to competitors, they can ask the owner for a ransom so they avoid major HIPAA fines, or they can find many other ways to monetize such theft. And the most efficient way to hack a specific organization is via targeted social engineering.
For example, a criminal organization may try to access PHI by targeting a specific employee and pretending that they are their superior asking for a complete set of PHI information on a specific group of patients. A tricked employee may copy and paste such information stored in a static file using an insecure channel such as email, making it available to criminals. Since you can configure DLP to prevent sharing of PHI via such insecure channels, criminal spear phishing attempts such as this will fail.
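The automatic classification and channel blocking described in use cases 1 and 3 can be illustrated with a small content inspector. The following is an added example, not code from Endpoint Protector or any DLP vendor; the channel names, the sample message, and the MRN format are constructed assumptions.

```python
import re

# Constructed sample: text an employee is about to paste into a chat window.
SAMPLE_TEXT = (
    "Patient John Smith, SSN 123-45-6789, phone (555) 867-5309, "
    "card 4111 1111 1111 1111, MRN 00123456."
)

# Hypothetical policy: destinations treated as insecure for PHI.
INSECURE_CHANNELS = {"facebook_messenger", "outlook_external", "local_chat", "webinar_tool"}

# Detectors for the identifier types the article lists (SSN, phone, payment card).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidate PAN, confirmed by Luhn
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return {type: [matched tokens]} for every PHI indicator found in text."""
    findings = {}
    for name, rx in PATTERNS.items():
        hits = [m.group() for m in rx.finditer(text)]
        if name == "card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            findings[name] = hits
    return findings

def decide(text: str, channel: str) -> tuple:
    """Policy decision: block PHI bound for an insecure channel, otherwise allow."""
    findings = classify(text)
    if findings and channel in INSECURE_CHANNELS:
        return ("block", findings)
    return ("allow", findings)

def redact(text: str) -> str:
    """Replace each detected PHI token with a labelled placeholder."""
    for name, hits in classify(text).items():
        for hit in hits:
            text = text.replace(hit, f"[{name.upper()} REDACTED]")
    return text
```

A real DLP agent hooks the clipboard and outbound network calls rather than taking a string argument, but the classify-then-decide-per-channel logic is the same.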
4. Mitigating the sale of PHI by malicious internal actors
Last but not least, statistics show that 60% of data breaches are caused by insider threats. Therefore, while you should definitely watch out for criminal organizations mentioned above, you should look out even more for insiders. And insider threats include not just the accidental cases mentioned above but also intentional cases by dishonest or disgruntled employees – both current ones and, especially, those that are just about to be laid off or were laid off but still have access to company systems.
And this is yet again the way for DLP to shine. An employee who, upon leaving the company, wants to take “all their work” along with them on a pen drive won’t be able to do so if the DLP software won’t allow it. A malicious employee who was paid off by the competition won’t be able to send sensitive information to that competitor using the company computer. Of course, the employee may get as creative as, for example, taking photos of the computer screen, but they may get discouraged or delayed long enough to prevent a HIPAA breach.
DLP should be part of your HIPAA compliance toolset
Due to the reasons above and more, any organization that is affected by HIPAA should seriously consider making a DLP solution part of their cybersecurity suite. The complexity of today’s information technology, unfortunately, demands a lot of different information security solutions to fully protect your local systems, apps, and SaaS cloud services, but implementing a DLP should be high on your priority list due to being able to avoid a lot of human errors and malicious intents.