PHI losses: how much and how come?

Protected Health Information (PHI) has never been more attractive to cybercriminals. If you analyze the Office for Civil Rights (OCR) portal showing breaches of 500 or more individual records, you can see that in 2015, 112 million healthcare records were stolen in the U.S. 2016 looks to be more of the same for PHI regarding compromised medical records reported at the OCR portal, being over 13.5 million across 186 organizations at the time of writing. The 2015 figures were particularly high because they involved large-scale hacks; for example, the Anthem breach resulted in the exposure of over 79 million lost records. In 2016, to date, 60 of the 186 incidents were due to hacking and of this, the largest scale losses involving millions of medical records were caused by security hacking.

Although hacking is a major factor in the loss of PHI, we cannot ignore the other factors involved in PHI exposure. Insider threats account for significant numbers of exposed PHI. The OCR recently put out an alert warning of the dangers of insider threats to PHI, quoting from an Accenture / HFS research paper which cited that 69% of respondents had experienced an insider breach. Insider breaches may not result in massive numbers of exposed records, but they transpire across a wider set of organizations.

It seems then, that Protected Health Information is at risk from the outside, in. But it is also at risk from the association as well. A case exemplifying this was the Medical Informatics Engineering breach which exposed 3.9 million U.S. based PHI records. This case has impacted hundreds of healthcare providers who use this centralized service. The multi-zonal attack landscape of PHI leaves those of us who are at the epicenter of its care with a conundrum – where do you start in ensuring that PHI is protected across a highly disparate and complex ecosystem?

As always, the best place to start is at the beginning and with a question, “How is protected health information used in healthcare?” Using this question as a steerage will open up the myriad usage patterns and pathways of data that can give us the insight we need to put the right protection measures in place. Couple this with the framework set out by the Health Insurance Portability and Accountability Act (HIPAA), which lets us weave in its various mandates around HIPAA-compliant Cloud services, the disposal of medical records and HIPAA email compliance, and we start to build up a picture of the areas needing focus around PHI security.

In this article, we will look at some of the major areas and platforms where protected health information is used and found in the healthcare ecosystem. Each area has its own protection requirements, but because of the perhaps unique interconnected nature of healthcare, with the need to share data to assist better patient outcomes, each area also has an impact on other areas.

How is protected health information used in healthcare?

This fundamental question forms the basis for building interwoven security policies that touch all of the points of healthcare that PHI overlaps. PHI is used throughout the healthcare industry as a baseline for patient identification and care. It consists of up to 18 identifiers as defined by HIPAA. It comes in paper or electronic form. It is shared throughout healthcare services, and with associated businesses to carry out health care related work. It must be accessible by the individual owner of the PHI data, and it must be secured to HIPAA standards.

Protecting PHI in Email

Email has become a natural medium for communication in healthcare. Patients have reached a point where they expect to be able to communicate with their physicians using email. This is borne out in a report by the American Journal of Managed Care who found that 56% of patients had used email as a primary contact with a doctor in the last year. Email is convenient and can be a useful tool in improving patient-doctor communication. However, transferring sensitive data via an email, which could be intercepted by malicious persons, or even just erroneously sent to the wrong recipient, is a serious consideration when using this medium as a conduit for PHI, and HIPAA email compliance needs to be adhered to.

The HIPAA privacy rule to establish email compliance has made provisions to allow the exchange of PHI through email, but within the bounds of certain security criteria, for example:

  • Checking the recipient email address is correct before sending;
  • Limiting the amount of PHI data sent in an email;
  • Offering alternatives to an email when sending PHI; and
  • Using encryption when sending especially sensitive data or extensive PHI data sets.

And then, of course, there is the phishing problem. If you build a system that allows email exchange as part of your communication methods, then it is a natural place for phishers to focus on.

Using common sense rules and applying the correct technology will open up email as a communication medium for the industry, whilst allowing you to implement HIPAA email compliance.

Protecting PHI online

HIPAA 45 CFR § 164.524 has the provision to allow individuals to access their health data, including the ability to inspect their PHI. This is most easily accommodated by allowing online access, through the increasing use of electronic PHI (ePHI) and Electronic Health Record (EHR). PHI online, however, is a widely disparate condition. PHI can be held across multiple devices, by multiple parties. As health wearables and Internet of Things devices enter the healthcare arena, this situation is only going to become more complicated.

The use of EHR and ePHI have truly taken off. Over 74% of physicians have an electronic health record system in place. Around one third of these were regularly sharing data with third parties such as hospitals. Better patient outcomes have been shown to be related to the availability of (EHR) systems that contain ePHI as well as a plethora of other patient related data, so this practice needs to continue. Making these data available online to patients and other stakeholders opens up the system to attack at the front door, i.e., the login point. Protecting PHI online is now a fundamental part of healthcare security. General protection of PHI accessibility online, much of which is part of HIPAA recommendations, includes:

  • Verification of an individual’s identity before access is allowed;
  • Encrypted connections, i.e., using SSL/TLS;
  • Robust authentication measures, e.g., second factor authentication and adaptive authentication (especially to help prevent phishing attempts);
  • General security housekeeping such as patch management; and
  • Adhering to OWASP Top Ten web threat advisories.

One new twist in protecting PHI online is the use of social networking sites by medical students and other healthcare professionals. A study by the University of Florida was able to present evidence of serious privacy violations of patient data. Images and similar PHI were found posted by medical professionals on social networking sites like Facebook. Although perhaps not entirely violating HIPAA and PHI protection, as identification may have been difficult, these instances of exposure may well become higher profile if not covered by a general policy applied to the protection of PHI online.

Cloud computing and PHI

The healthcare industry, like most other sectors, is embracing the use of Cloud computing services. Cloud computing offers a number of efficiencies and cost saving options, including, on-demand access to PHI, EHR access from remote devices, sharing of EHR and PHI for better patient outcomes, and better auditing and tracking of data usage. HIPAA-compliant Cloud services are mandated by HIPAA, and the Cloud service provider must adhere to the requirements of HIPAA privacy ruling. With the invocation of the HIPAA Omnibus rule, Cloud service providers are now a distinct business associate and covered by the act. HIPAA-compliant Cloud services cover not only the technology but also the physical infrastructure of the datacenter, as well as its administrative controls.

Another area that is controversial in terms of HIPAA-compliant Cloud services and healthcare is the storage of data offshore. If PHI is stored by the Cloud service provider outside of the USA, is it then non-HIPAA compliant or outside of HIPAA’s remit? Service provider contracts (SLA’s) should make data storage arrangements transparent, and any movement of PHI outside of the US would need to be addressed in the SLA.

As with online PHI protection, HIPAA-compliant Cloud services require the same sorts of protective measures:

  • Verified identification of access entities
  • Encrypted connections over HTTPS
  • Robust authentication and anti-phishing measures
  • Security management

Protecting PHI on Wireless Networks

Mobile is also increasingly being used for email access in healthcare. In the IBM “2016 Email Marketing Metrics Benchmark Study”, healthcare professionals used mobile email access far above the mean of all industries. The HITECH act and HIPAA specify the protection of data in motion, including across wireless networks. The main focus on protecting PHI across wireless networks, no matter what medium is being used, is via encryption. Even if intercepted, the PHI would be useless if encrypted. There are a number of guidelines on the use of SSL, for example, for data in motion, including the NIST publication “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.

Properly Disposing of PHI

Improper disposal of PHI and disposal of medical records is an area that warrants close attention but can be overlooked. An example of a case of improper disposal which impacted the protection of PHI is the Affinity Health Plan breach, where the health data of 340,000 individuals was found on the hard drives of copy machines that had been returned to the leasing company. On the subject of improper disposal of medical records, the U.S. Department of Health and Social Services (HHS) sets out the details of disposal of PHI, expressing that:

“Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.”

Considering that much PHI is accidentally leaked through improper disposal, this whole area requires thought. Disposal covers all aspects of PHI communication across all mediums. For example, PHI sent out in emails can be difficult to dispose of because of the reach of emails, and the many forms email can take, post-send. Emails that have been printed out, for example, cannot be simply dumped in garbage cans but need to be shredded. Similarly, if saved onto removable media, such as DVDs, the disposal of emails containing PHI would require the destruction of the media.

Disposal of any media which might contain PHI is handled through HIPAA recommendations which include:

  • In paper form: Shredding, burning and pulping
  • Using specialist disposal vendors to dispose of PHI on prescriptions and the like
  • Using various methods to purge and destroy electronic media that is used to store PHI

Physical Security of PHI

The HIPAA security rule has a section that applies to physical security. What this means is the security of the physical infrastructure of an organization. It is an all-encompassing ruling covering areas as diverse as facility entry point access control, to the secure use of workstations. Physical security is the entry point for PHI protection, the castle moat if you like. Physical access controls form the basis of PHI protection.

Physical access does not stop at the door of the originating entity. The security rule covers all touch points across the extended healthcare system.

Cameras in Medical Offices

We are beginning to see an increased use of cameras in a medical context. In the main, these are used for surveillance purposes to prevent crimes and protect patients and doctors alike. The privacy implications of the use of cameras in clinics have been a concern. Under the HIPAA privacy rule, images and video are part of a patient’s PHI and as such need to be afforded the same protection as other forms of PHI. As such, policies to protect the output from video cameras should be formed but when doing so, the type of camera and technology used may also inform these policies. For example, IoT based cameras which are connected to the Internet will require encryption across connections.

Encrypted Data

Encryption of data is a baseline for all electronic PHI and medical data, and it is applied across the two phases of the data lifecycle:

  • At rest: During storage, on Cloud data centers, databases, desktops, mobile devices, wearables, removable media and so on
  • In motion: When transferred via email, across Internet connections, and IoT devices, including video, across Wi-Fi networks, and also VOIP

HIPAA compliance requirements for encryption include stringent key management, ensuring the encryption keys and encrypted data are kept separate.

For encryption techniques for data at rest, HIPAA refers to the NIST publication “Guide to Storage Encryption Technologies for End User Devices”, which covers technologies such as full disk encryption, as well as more granular encryption capabilities in file level encryption products. For encryption techniques for data in motion, the NIST publication mentioned above, which looks at TLS implementations, is also the go-to guide for HIPAA compliance.

PHI Protection Now and Going Forward

PHI protection is a complex area, covering a myriad of places, people, and devices. It requires a framework mindset based on far-reaching policies. The requirements of HIPAA compliance offer a set of guidelines based on real-world scenarios and that are continuously being improved as healthcare takes on new challenges and new technologies. At this moment in time, PHI is a prime target for cybercriminals and they are increasing their efforts into its exposure. This is evidenced by the findings of Verizon’s “2015 Protected Health Information Data Breach Report”, which shows that 90% of health organizations has experienced a PHI related breach. To protect PHI, we need to make a holistic effort across the extended healthcare landscape, using HIPAA guidelines and being security aware.

InfoSec Institute
Rated 4.3/5 based on 302 customer reviews.
InfoSec Resources

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Ryan
Fahey

View more articles from Ryan