Why any organization can suffer a healthcare breach, and 5 tips for keeping PHI safe

27.01.2016
It appears that companies don’t have to be in the healthcare business to suffer a health information breach. About 90 percent of all industries have had protected health information compromised, according to Verizon’s PHI Data Breach Report 2015.

More than 392 million PHI records have been disclosed from non-healthcare businesses, according to the report, but the actual total could be much higher since 24 percent of the breached organizations did not provide an exact number of records involved.

Industries with the most PHI data breaches, not including healthcare or government entities, are finance and insurance, education, retail and professional services, such as law offices and tax preparers, according to Verizon.

“I was surprised, but it does make some sense because most every organization has things like their workers’ compensation data or employee wellness programs,” says Suzanne Widup, lead author of the report. Some companies are managing their own employee health benefits programs and are becoming custodians of more healthcare information than ever before, she says. Information security teams “may not even realize they have this kind of information in their organization until it gets breached.”

Companies that are the victims of a PHI breach could face regulatory fallout and other negative consequences. “Criminals are finding ways to monetize health information more than they have in the past,” says Rob Sadowski, director of technology solutions at RSA, the security division of EMC. “It’s very plausible” that personal health information can be stolen and sold to uninsured people, used to get medical supplies and equipment that can be resold or used to submit fake insurance claims – “depending on the type of data they’re able to get,” Sadowski adds.

Rob Sadowski, director of technology solutions at RSA, the security division of EMC

HR departments gather and store much of the PHI data and need to review their processes for securing PHI, Widup says. HR functions that are outsourced to third parties should also be looked at, especially after several highly publicized data breaches involved vendors or contractors.

Protected health information is defined as personally identifiable health information collected from an individual, and covered under one of the many state, federal or international data breach disclosure laws. The main criteria is whether there is a reasonable basis to believe the information could be used to identify an individual.

PHI also goes beyond just medical records and includes email addresses, vehicle license plate numbers, biometric data like fingerprints, retinal scans or voice prints, and even full facial photographic images that have unique identifying characteristics.

Even certain combinations of seemingly harmless information can coalesce to become personally identifiable health data, Widup says. She has seen breaches where emails were sent advertising a wellness program regarding a certain condition, and the email addresses were exposed instead of being hidden in the BCC field. “That ends up being a breach because suddenly all these people know all these other people who have this condition,” she says.

At human resources consulting firm Mercer, “I do see employees and clients concerned about security and privacy of their PHI in particular. It’s not top of mind yet, but it’s on their radar,” says Jen Faifer, a Mercer principal and employee benefits attorney.

Faifer recently helped a major university audit its systems to determine which university functions were covered by HIPAA, and which were covered by the Family Educational Rights and Privacy Act (FERPA) that protects student information. “There is overlap among the different privacy and security statutes (as well as some gaps), and they’re not quite sure what information they have and what to do about protecting it,” Faifer says. “There’s also a lot of state-by-state requirements for workers’ compensation information and health information, so it’s hard to keep track of what’s required.”

Across all industries, Faifer says HR needs to be involved in developing an organization’s cyber risk management function. “When it comes to sensitive personal data, HR needs to be involved and to have a stake with respect to HIPAA and the health information that they handle,” she says.

Industry professionals say that companies should identify where PHI data is hiding in their organization and take steps to lock it down.

Training is also important for all employees who touch PHI and sensitive personal data, both internally and for vendors who perform group health and wellness program functions, Faifer says.

“Any industry must be aware that this kind of data lives in their organization, as well as how it’s processed through its various stages of use in the organization and where it goes outside the organization,” Widup says. “Make sure it has controls in place all the way along. If they haven’t done that with this kind of data, then I can pretty much guarantee that it has been exposed someplace that they don’t know about.”

(www.csoonline.com)

Stacy Collett

Zur Startseite