5 Best Practices for Healthcare CISOs to Secure PHI
These days, a patient’s personal medical records can change hands for between $250 and $1000 on the black market. In contrast, Social Security numbers sell for around a dollar each, and credit card numbers for around five dollars on the dark web. So it isn’t hard to see why the healthcare industry has increasingly come under attack by cybercriminals in recent years.
Unfortunately, this has been happening at a time when hospitals have shifted more of their operations to the cloud, including electronic health records, but as IBM security consultant Limor Kessem has noted, they haven’t put enough investment into cloud security. While the financial sector has 30 years of experience in deterring cyberattacks, it seems likely the healthcare industry is only just waking up to the need to maintain secure PHI as it moves away from paper records.
What is PHI?
PHI or Protected Health Information was a term defined by HIPAA, the Health Insurance Portability and Accountability Act. It means any stored information that can uniquely identify a patient, and the act places various responsibilities on healthcare providers and related industries (like insurance) for maintaining it safely.
When providers fail to secure PHI, the costs can be enormous. Aside from causing widespread distress, and the potential for blackmail and fraud to so many patients, the reputational loss for healthcare companies, as well as the cost of restoring damaged systems, fighting lawsuits, paying damages, and paying fines (to the U.S. Department of Health and Human Services Office of Civil Rights) for non-compliance can be crippling.
The Cost of a PHI Data Breach
Fines can range from $100-$50,000 for each violation, and an IBM security analysis revealed that the average overall cost of each healthcare breach now exceeds $10 million, considerably more than the $4.35 million average across all industries.
In the US in 2022, the 11 biggest data breaches exposed the private health information of more than 21.5 million people. Attackers harvested various information such as social security numbers, details of health conditions, names, and addresses, which criminals can now potentially use to defraud them.
Maintaining Secure PHI
As custodians of so much valuable data, maintaining secure PHI has to be at the top of every healthcare CISO’s to-do list. But this is becoming more of a challenge in a world where competing providers want and need to offer seamless services to patients. Organizations are leaning more toward computerized systems for paying claims, answering eligibility questions, offering health information, and streamlining a variety of other clinical and administrative tasks including electronic health records, computerized physician order entry systems, radiology, pharmacy, and laboratory systems. Health plans offer access to claims and care management, and members can use self-service apps.
While these innovations make healthcare management easier for all, they also create multiple potential weak points for cybercriminals to exploit, and some of these are not even directly related to healthcare.
For instance, the software that providers rely on to perform tasks such as measuring the effectiveness of their advertising has created one of the new potential vulnerabilities that need to be monitored carefully. In 2022, a tracking pixel from Meta, the owner of Facebook was found to be sending a data packet to Facebook every time someone scheduled a doctor’s appointment online, this brings us to the first of our suggested best practices.
PHI Security Best Practices
1. Auditing and monitoring
Reflectiz offers continuous web threat management solutions that monitor for improper accessing of secure PHI, and can quickly identify instances of data being sent to unexpected locations, or detect which third-party vendors are tracking users without their consent. Reflectiz can flag up threats, like the one that led to the Meta pixel breach, to secure PHI very quickly, and are effective against others where third-party applications are involved. As the CISO of a leading hospital chain told us recently, “Reflectiz is a great product that allows us to get full visibility on our third-party risks and create an added value to our organization.” And we heard similar comments from the CISO of a nationwide health provider, who said, “The complete online inventory we have thanks to Reflectiz gives us full control over our third-party apps, and the filtering features make it easy to find any suspicious activity we have in our online ecosystem.”
While some monitoring solutions may be inclined to return false positives, that isn’t the case with Reflectiz. “Their smart alerting system makes prioritization a priority for us,” the CIO of a leading healthcare organization told us. “The onboarding process includes a baseline monitoring where we approve or disapprove app behaviors to eliminate unnecessary alert fatigue”. So, you can train the system to alert staff to the most pressing threats to secure PHI first.
2. Training and testing
It’s also important to continuously train employees because time and again it’s mistakes by humans that have paved the way for so many data breaches. It only takes one staff member to click on a phishing email to provide a way in for attackers, so it’s worth regularly sending out test emails to see who clicks on them. You can then prioritize training for anyone who wasn’t being vigilant.
3. Keeping software up to date
Developers are always updating software to patch newly discovered vulnerabilities, and attackers will be quick to exploit any applications that are out of date. That’s why you need to have good patch management policies in place, to ensure that software is kept up-to-date and free from vulnerabilities, and it’s why Reflectiz monitors them, so you always know when updates and patches are required.
4. Controlling access to secure PHI
You can secure PHI as a healthcare organization by limiting access to patient data according to need. The need to see certain information is usually determined by the staff member’s role, so you need to choose software that can restrict access based on this criterion. Having this kind of flexibility means that when staff move between roles or leave the company, their access privileges can be changed promptly each time.
5. Encryption and inventory management
It’s also essential to secure PHI that needs to leave the premises, by encrypting hard drives and adding password protection in case employees’ devices are lost and stolen (and by ensuring all such data is backed up securely). You should also be able to say at all times where these devices are and who is responsible for them, and you can use inventory management products alongside a bar-code system or RFID tags to identify and organize storage media and mobile devices.
These are just a few suggestions for best practices, but there are many more that we can help you to implement. As a CISO you know that your organization’s ability to secure PHI is an ongoing team effort, and in that regard, we think you’ll find that Reflectiz will be the team member that makes everyone’s job much easier.