Securing Sensitive Patient Information for HIPAA Compliance and Patient Trust

Patience among patients has been worn thin. In 2021 alone, the healthcare industry suffered 78 data breaches, resulting in 7 million records being exposed. The impact of lost and stolen data is costly for both patients and healthcare facilities, but patients can be victimized repeatedly when their PHI is disclosed on the dark web.  

What is PHI? PHI is Protected Health Information, all the personally identifying information that makes you, you. Like your name, address, gender, medical diagnoses, prescription medications, allergies, medical device use, address, telephone number, social security number, insurance coverage, email address, financial payment information, vehicle type, and license plate. Centralizing this data to make it accessible for medical service is essential for coordinated patient care. Still, healthcare facilities must strengthen their cybersecurity posture to protect PHI and their industry.

The True Cost of a Security Breach

Let’s imagine that your IT department detects a vulnerability in your network that has been exploited. They take you offline as they scramble to prevent further damage by plugging the hole to begin recovery and remediation processes. But cybercriminals may have been rummaging through your files for days, weeks, or even months, pilfering your data and impersonating admin roles. Now you are struggling with downtime and medical service disruptions. The 2021 ITIC Hourly Cost of Downtime Survey reports that a single hour of critical server or application downtime costs $300,000 for 91% of businesses. Then add to that breach remediation bill: forensic investigation, third party remediation support, Health Insurance Portability and Accountability Act (HIPAA) fines, credit monitoring, and damage control for angry patients.

The healthcare industry mines a tremendous amount of valuable data and is responsible to patients and HIPAA to safeguard that data. HIPAA is an information security rule that structures how healthcare data and electronic files (ePHI) are to be protected during the entire data lifecycle.

The threat landscape constantly evolves and cyberattacks have become more sophisticated and targeted. Cybercriminals have learned to weaponize known vulnerabilities in software and operating systems; thus, it is up to the healthcare industry to defend themselves.

PHI Security Strategy

Not even Facebook, LinkedIn, and GoDaddy (all hacked in 2021) can guarantee an impenetrable cybersecurity perimeter. So, what can you do? Focus on realistic cybersecurity goals. Protect the highest value assets (PHI and Research and Development data) and the most critical operating systems of the healthcare organization - the ones that, if compromised, would have a devastating impact on patients and the business.

Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to guide your security strategy and implement the HIPAA Security Rule across healthcare organizations. Because medical service providers need timely access to the PHI and ePHI to care for healthcare recipients properly, HIPAA Rules structure what data gets shared, with whom and by whom, and the method of transmission.

Healthcare organizations can leverage the following five principles of the NIST Cybersecurity Framework to manage risk, protect critical infrastructure, and comply with the 3 HIPAA standards of physical, technical, and administrative safeguards.

1. Identify
1. Enumerate your attack surface
2. Prioritize spending on protecting high-value assets
3. Identify sensitive data that requires extra protection
4. Implement an IT Asset Management solution
2. Protect
1. Implement a policy of least privilege for PHI – restrict access only to those who need the data to provide care
2. Prioritize patching and upgrades
3. Segment your network
4. Enforce an encryption policy for transmitting sensitive files
5. Train employees to detect anomalies and phishing scams
3. Detect
1. Increase network and systems visibility to find gaps and vulnerabilities
2. Continuous monitoring of data movement and edges
4. Respond
1. Mitigate a security breach by locking down access and data transmission
2. Communicate the response plan, roles, and responsibilities
3. Prepare a risk-based vulnerability prioritization plan
4. Coordinate third-party support
5. Recover 
1. Map a timeline to restoration 
2. Conduct “lessons learned” meeting to discuss event
3. Restore data and services

HIPAA Compliance and Trust

Who takes the time to read the HIPAA privacy statement when checking into a hospital or medical appointment? Not many. Most sign the form or click the “I understand” box. Why? Because patients trust that medical professionals have their best interest at heart. And while that may be true, experience tells us that patients should be hesitant to disclose Personally Identifiable Information (PII) on intake forms. But those form fields are mandatory, so patients are forced into a willing suspension of disbelief to receive the care they need.

And patients do trust—that is until they get that form letter in the mail, glossing over the severity of a breach with an offer of free credit monitoring for a year or two. Then what? The injustice of being put in a compromising position, through no fault of your own, and having to spend hours on the phone justifying your existence, breeds distrust and anger.

So how can healthcare organizations safeguard data and build trust? By managing cyber risk, prioritizing vulnerability fixes, and mitigating threats before they become full-scale cyberattacks. The HIPAA Journal has released the HIPAA Compliance Checklist 2022 to help healthcare organizations implement solutions to secure their most valuable assets and protect patient data privacy. Many healthcare organizations turn to Managed Security Services Providers (MSSP) to help support cybersecurity programs and manage risk with data backups, security monitoring, and to implement strategic cybersecurity measures.

TBC for Sensitive Data Security

TBConsulting, an MSP headquartered in Phoenix, Arizona, can help your healthcare organization implement the technical, physical, and administrative cybersecurity solutions to bring your organization into compliance with the HIPAA Security Rule. 

Contact TBC today to schedule a Penetration Test or a Security Posture Assessment to meet HIPAA requirements and uncover the vulnerabilities in your systems and processes. TBC will create a roadmap to focus on compliance goals and improve your cybersecurity maturity to build patient trust and improve your business outcomes.