The Proliferation of PHI: Securing Patient Data in the Digital Era



Technological innovation continues to expand every day in healthcare. New and emerging technologies solve industry challenges, create improvements in patient access, help protect patient data, and enhance patient outcomes. But while these technologies pave a path forward for quality care, they also expand PHI’s footprint. With that in mind, how do you maintain the security of patient information as it becomes more widely accessible?

As the industry continues to adopt new tools, healthcare privacy and security teams face the challenge of securing PHI in a multitude of places rather than just one system, creating roadblocks to meeting compliance. Here are several considerations for privacy and security professionals when developing a strategy for securing patient information.

New and emerging technologies in healthcare

New and emerging technologies have taken a variety of forms in healthcare. Below are the top five technological advancements seen in healthcare over the past decade:

#1. Electronic Health Records (EHR): EHRs provide reliable access to a patient’s health information, creating a comprehensive picture that can help providers diagnose problems sooner. A decade ago, only 16% of care providers were storing their records digitally. But according to a 2019 ONC report on hospitals’ use of EHRs, more than 95% of the organizations surveyed utilize digital records.

#2. Telehealth: Telehealth helps enhance the delivery and support of healthcare, public health, and health education through telecommunication. This offers expanded access to care, improved clinical workflows, and better communication along the care continuum – through telehealth, patients can speak with a practitioner without ever leaving their homes.

#3. Mobile Health (mHealth): mHealth is a subset of telehealth that utilizes mobile phones. The National Institutes of Health (NIH) define mHealth as “the use of mobile and wireless devices (cell phones, tablets, etc.) to improve health outcomes, health care services, and health research.” Designed to allow individuals greater visibility into their health information, mHealth has already largely replaced traditional pagers and desktops in large hospital facilities.

#4. Sensors and wearable technology: From Fitbits to Apple Watches, wearable technology makes it possible for providers to collect patient data like vitals and lifestyle information in real time. Benefits include more accurate data analysis, and therefore more timely interventions. Wearable technology is slated to grow to 233 million devices worth over $27 billion in 2022.

#5. Portal technology: Portal technology focuses on improving patient access to their own health data while increasing interoperability. This provides visibility into information like lab results, physicians’ notes, and immunizations.

“While the evidence is currently immature, patient portals have demonstrated benefit by enabling the discovery of medical errors, improving adherence to medications, and providing patient-provider communication.” – The National Center for Biotechnology Information (NCBI)

In the coming decade and beyond, emerging technologies such as artificial intelligence, genomics, blockchain, and synthetic biology will further contribute to healthcare innovation – and further expand the PHI footprint.

What is considered PHI, and where is it found?

As healthcare harnesses these advanced technologies, PHI becomes widely dispersed and is accessed by a large number of care workers. This makes it difficult for covered entities and business associates to properly secure PHI and meet compliance. Under the HIPAA Security Rule, all applications containing or touching PHI are subject to HIPAA laws.

PHI is any information that identifies an individual and is used for a healthcare purpose, and may include:

  • Names
  • Phone numbers
  • Social Security numbers
  • Dates related to an individual
  • Vehicle identifiers
  • Email addresses
  • Health plan beneficiary numbers
  • Geographic subdivisions
  • Full face pictures
  • Medical record numbers
  • Account numbers
  • Biometric identifiers

In today’s digital era, PHI may be stored, recorded, or transmitted in a variety of places, including:

  • Electronic medical records (EMRs)
  • Cloud applications
  • Shared network drives
  • Email
  • Excel documents
  • Mobile devices
  • Wearable technology
  • Internet of things (IoT) devices

Because of this, the web of patient data to protect and secure is vast. This has created greater responsibility for healthcare privacy and security teams to bolster their strategies for protecting PHI – often without the ability to expand their teams or resources.

New and existing threats challenging healthcare privacy and security

With a larger PHI footprint comes a larger attack surface that can be leveraged by outside attackers and insider threats. Cybersecurity was once approached as a castle-and-moat model, with the focus solely on thwarting outside attackers and adversaries. But as technology has evolved, insiders have become a significant threat to patient data – according to the 2019 Verizon Insider Threat Report, 46% of healthcare organizations were affected by insider threats. In fact, it was the only industry where insiders were responsible for a higher percentage of breaches than external attackers.

Privacy and security teams face the challenge of securing PHI against these threats while handling the existing workload of patient complaints and inquiries. Top threats to patient data include:

Securing patient data will continue to present a challenge as new technologies, systems, and employees continue to proliferate PHI – but by taking a multi-layered and strategic approach that leverages both technology and a human approach to data privacy and security, there are ways that care providers can keep sensitive information safe.

Healthcare systems increase cybersecurity in 2020

How can healthcare systems protect patient information in an era of advanced threats? It takes a proactive and creative approach to data privacy and security. Here are three steps organizations can take to bolster their privacy and security programs:

#1. Conduct a risk analysis

Conduct a risk analysis of all systems holding PHI to identify exactly where the data is located. In an effective risk analysis, you’ll classify where ePHI is stored and prioritize the systems that hold it. Under the HIPAA Security Rule, all applications containing PHI are subject to HIPAA. By conducting a risk analysis to identify all systems and applications containing sensitive health information, you’re in a better position for accurate, productive monitoring.

#2. Identify all users

In a study of 1 million practitioners, 26% of users were found to be unknown or poorly identified to the care provider. Identifying all users within your applications is essential to ensure accurate monitoring. Once identified, you can monitor insiders with access to PHI to predict and prevent breaches. With user activity monitoring, healthcare organizations can apply behavioral analytics to the information in audit logs, ensuring the safety of mission-critical applications and systems. Since the majority of security incidents in healthcare are caused by insiders, it’s especially important to monitor user activity within EHRs and cloud applications to detect suspicious or unusual behavior. The quicker you can spot a breach or security incident, the faster it can be contained and mitigated – especially since the average time to detect a data breach is 350 days.
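As an added illustration of the user-identification and activity-monitoring checks described above (example code written for this page, not a product feature or vendor code), the script below runs two checks over a constructed EHR access audit export: accounts that touched PHI but are absent from the identity roster, and users whose chart-browsing volume is far above their peers’. The log format, user names, roster and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample EHR access audit events, "timestamp,user_id,patient_mrn,action".
# The format is hypothetical; real audit exports vary by EHR vendor.
AUDIT_LOG = "\n".join(
    [
        "2020-03-02T08:01:12,nurse01,MRN1001,VIEW",
        "2020-03-02T08:03:40,nurse01,MRN1002,VIEW",
        "2020-03-02T08:10:05,dr_lee,MRN1001,UPDATE",
        "2020-03-02T08:12:33,nurse02,MRN1003,VIEW",
        "2020-03-02T09:00:00,svc_legacy,MRN1004,VIEW",  # account nobody can attribute
    ]
    # one billing clerk paging through 30 different charts in half an hour
    + [f"2020-03-02T09:{i:02d}:00,clerk07,MRN2{i:03d},VIEW" for i in range(10, 40)]
)

# Constructed identity roster (user_id -> department). Anything not listed here is
# an "unknown or poorly identified" user in the sense of step #2.
ROSTER = {"nurse01": "ICU", "nurse02": "ICU", "dr_lee": "ICU", "clerk07": "Billing"}

def parse_events(text):
    """Split the CSV-style audit export into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, mrn, action = line.strip().split(",")
        events.append({"ts": ts, "user": user, "mrn": mrn, "action": action})
    return events

def find_unknown_users(events, roster):
    """Accounts that touched PHI but are absent from the identity roster."""
    return sorted({e["user"] for e in events if e["user"] not in roster})

def find_volume_outliers(events, factor=4, min_records=5):
    """Users whose count of distinct patient charts exceeds `factor` times the
    peer median: a crude behavioural baseline for insider chart-browsing."""
    charts = defaultdict(set)
    for e in events:
        charts[e["user"]].add(e["mrn"])
    counts = {u: len(c) for u, c in charts.items()}
    baseline = median(counts.values())
    return sorted(u for u, n in counts.items() if n >= min_records and n > factor * baseline)

def run_checks(log_text, roster):
    """Run both checks and return the flagged user ids for review."""
    events = parse_events(log_text)
    return {"unknown_users": find_unknown_users(events, roster),
            "volume_outliers": find_volume_outliers(events)}
```

In practice the baseline would be computed per role and per shift rather than across all users, and flagged ids go to the privacy team for review, not automatic action.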

#3. Use tools that integrate with other applications

When choosing security or monitoring solutions, it’s important to choose scalable tools that monitor accurately. It’s also vital that they integrate with other applications for a cohesive privacy program. By integrating your solutions, you can monitor and protect your connected applications that contain PHI as required by the HIPAA Security Rule. This will create increased scalability in your security program as you continue to upgrade technology at your organization.

#4. Review access rights

Users should be given permissions to only what is necessary to perform their job role – also known as the “principle of least privilege.” Essentially, organizations can customize privileges by user and per application. For example, if an employee needs read/write privileges to a certain file system, they don’t necessarily need root privileges. Granting unnecessary access puts your organization at increased risk for security incidents.

#5. Tackle the cybersecurity skills shortage with managed privacy services

Privacy and security professionals face the challenge of responding to patient complaints and inquiries in addition to securing data against the growing threats of drug diversion, cybersecurity attacks, insider threats, identity theft, and more. In addition, industry challenges such as staff turnover, scale, budget, and complex workflows make hiring and retaining cybersecurity staff difficult. Privacy and security teams can help reduce their workload by employing the help of a Managed Privacy Services (MPS) provider – in many cases, MPS can reduce workload by up to 80% so that teams can focus on more strategic aspects of their privacy and security program.

Looking forward, healthcare technology will continue to evolve, increasing the accessibility of PHI. In order to keep patient data safe, care providers must create a culture of data privacy and security while leveraging the newest technological innovations – in doing so, they can better secure patient information and foster trust between patient and provider.