PHI Data Security Is an Executive Responsibility
Healthcare Executives Beware
When it comes to protecting personal information, much emphasis is placed on safeguarding social security numbers, credit cards, and other forms of individual identification. Most people, including healthcare executives, tend to ignore how personal health information, or PHI, is being protected. What may come as a shock to some is that PHI is far more lucrative on the black market than credit card data. Consider that the information exchanged for a routine visit to the dentist can include our insurance information, home address, telephone numbers, payment information, and even our biometric data. This makes PHI an attractive black market commodity because of the data’s long-term value and the innate difficulty potential victims face in protecting it. Moreover, it puts additional pressure on industry senior executives, who are responsible not only for the quality of healthcare but also for the security of sensitive health-related data.
Verizon’s recently published 2018 Protected Health Information Data Breach Report (PHIDBR) helps to showcase the who, how, and why when it comes to PHI theft.
- The healthcare industry accounts for 95% of PHI breaches. Other businesses that can fall victim to PHI data theft include the finance, education, and even retail industries
- Unique to the healthcare industry, where data was either confirmed as disclosed or at risk, internal threat actors (57.5%) are more common than external actors (42%)
- When there is an observable data breach, regardless of the type of threat actor, the motive is often money
- Human error, unintentional actions, and misuse of data account for 63% of the vulnerabilities that lead to theft of PHI
- On a much lower scale, hacking and malware account for 25.6% of breaches
Keeping Data Secure
As if protecting data from malicious external threat actors wasn’t challenging enough, the Verizon report illustrates another consideration when it comes to protecting PHI – threats from within. While the expanding domain of threat actors might seem intimidating, fear not. Recall from the key findings that most of these threats are in-house, which means that senior business leaders – and yes, this extends beyond just the Chief Information Security Officer (CISO) – have the power to mitigate them! As for external threats, there are a number of options that can complement internal efforts to protect the personal health information of any industry.
Recommendations: Where to Start and What to Do
As one might anticipate, the Verizon report indicates that the healthcare industry is the most adversely impacted by PHI breaches. For those businesses dealing with health-related data, senior executives should push their information and data security programs to go beyond mere compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA lays out various elements and protections that help ensure appropriate protection of electronic health information, or EPHI, but like most legislation regarding cybersecurity matters, HIPAA provides only a baseline standard. In an era of massive data breaches and privacy concerns, properly protecting PHI data and building trust with patients, employees, business partners, shareholders, and the public writ large requires senior business leaders to be proactive about data and information security strategy and related investments. Here are some ways healthcare industry executives can be proactive about protecting their organization’s PHI data:
- Create a Culture of Security – From on-boarding new employees to the ongoing training of industry veterans, ensure your training staff emphasizes that employees are the first-line protectors of their customers’ data.
- Routinely Update Access Controls – Ensure that your staff cannot access data unless it is necessary for the function of their specific position. Ensure that access control lists (ACLs) undergo a periodic review to confirm they are up to date and reflect the appropriate levels of access for specific employees. Regularly ask your CISO and the security team for updates.
- Get a Cyber Risk Assessment – Protecting PHI means understanding your threats and identifying potential areas of weakness within your organization. Obtain a cybersecurity risk assessment, including a penetration test and a compromise assessment, to find which weak points can be corrected.
- Properly Vet Third-Party Vendors – Is the executive team ensuring that vendors can show you how they keep their data secure, and how those vendors plan to keep your customers’ PHI secure? Review contracts and service level agreements to understand who owns information security and how data is being protected. Require any third-party vendors that store or transfer sensitive data to provide you with the findings of their cyber risk assessments.
- Educate Often – The cyber threat landscape is always changing, and adversaries are constantly looking for vulnerabilities in your network. This means that your staff and executive teams need the time and training to be able to spot, assess, and mitigate cyber risks. As an executive, you need to lead by example.
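The "Routinely Update Access Controls" item above is the one recommendation that turns directly into a repeatable check. The script below is an added example, not code from the article or from N2K, of what a periodic ACL review can look like in practice: it compares each current access grant against a role-to-entitlement map (the role model, data set names, and the HR status and attestation-date fields are all assumptions for illustration) and flags grants that exceed the role's needs, belong to separated employees, use an unrecognized role, or have not been re-attested by an owner within the review window. All sample grants are constructed.

```python
"""
Periodic access-control (ACL) review for least privilege.

Added example, not from the article or N2K. The role model, data set
names, and the HR-status / attestation fields are assumptions; the
sample grants are constructed data, not a real export.
"""
from dataclasses import dataclass
from datetime import date

# Assumed role model: which PHI data sets each job function legitimately needs.
ROLE_ENTITLEMENTS = {
    "front_desk": {"scheduling", "insurance_eligibility"},
    "billing":    {"insurance_eligibility", "payment_records"},
    "clinician":  {"scheduling", "clinical_notes", "lab_results"},
    "it_admin":   set(),  # platform administration; no PHI data-set access by default
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    dataset: str
    active_employee: bool  # assumed to come from an HR status feed
    last_reviewed: date    # when an owner last attested to this grant


@dataclass(frozen=True)
class Finding:
    user: str
    dataset: str
    reason: str


def review_grants(grants, today, max_review_age_days=90):
    """Return a Finding for every grant that violates least privilege or is stale."""
    findings = []
    for g in grants:
        allowed = ROLE_ENTITLEMENTS.get(g.role)
        if allowed is None:
            # A role outside the model cannot be justified; treat as a finding.
            findings.append(Finding(g.user, g.dataset, f"unknown role '{g.role}'"))
            continue
        if not g.active_employee:
            # Separated employees should hold no grants at all.
            findings.append(Finding(g.user, g.dataset, "account belongs to a separated employee"))
            continue
        if g.dataset not in allowed:
            findings.append(Finding(g.user, g.dataset, f"dataset not entitled for role '{g.role}'"))
        if (today - g.last_reviewed).days > max_review_age_days:
            findings.append(Finding(g.user, g.dataset,
                                    f"grant not attested in {max_review_age_days} days"))
    return findings


def summarize(findings):
    """Roll findings up per user, the shape a status report to the CISO might take."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample ACL export (illustrative only).
REVIEW_DATE = date(2018, 6, 1)
SAMPLE_GRANTS = [
    Grant("alice", "front_desk", "scheduling", True, date(2018, 5, 1)),      # legitimate
    Grant("alice", "front_desk", "clinical_notes", True, date(2018, 5, 1)),  # over-entitled
    Grant("bob", "billing", "payment_records", True, date(2017, 11, 3)),     # stale attestation
    Grant("carol", "clinician", "lab_results", False, date(2018, 5, 1)),     # separated employee
    Grant("dave", "contractor", "scheduling", True, date(2018, 5, 1)),       # role not in model
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{f.user:6} {f.dataset:22} {f.reason}")
```

Run against the constructed export, the review produces four findings, one per problem grant. The point of the structure is that the role model, not an individual approver's memory, defines what "appropriate levels of access" means, so the same script can be re-run every review cycle and its output handed to the executive asking for updates.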
Is your healthcare organization doing everything it can to protect the PHI of your clients or patients? If you would like help understanding these or other organizational cyber risks, check out N2K’s Resolve seminars, tabletop exercises, and training programs.