Protected Health Information (PHI) security and patient privacy are major areas of concern for today’s health care providers, insurers, and their business partners. With each passing month, we are witnessing major new data breach incidents in the news that continually increase the number of individuals whose PHI is exposed.
Protected Health Information is an attractive target for the bad guys due to several reasons. Significant amounts of personal information in health records have a very long lifespan and most information contained in them cannot be easily changed. Information like social security numbers, addresses, illness information and treatments can’t be disabled or replaced with ease unlike credit cards. The information has significantly more value, retains its value over time, they are poorly secured, and on top of it cannot be disabled – with current technologies used in most healthcare environments – once they are breached. As the market rushed to digitize health records under the auspices of improved care, not much care was given to develop and implement the type of information security protocols needed to truly protect this information. So, hackers were lead to target protected health information (PHI) for big paybacks.
There are many sources available besides the daily barrage of data breaches that make the headlines – U.S. Department of Health & Human Services – Office for Civil Rights Breach Portal and Identity Theft Resource Center that provide detailed information on the scope of the data breach carnage. The alarming scope of data breaches have over time prompted a number of states to pass legislation – a reaction after the fact – in an attempt to protect the personal data of healthcare consumers. But, they fall short.
In my home state of New Jersey, a bill that was passed amending the New Jersey Consumer Fraud Act codified at N.J.S.A. 56:8-196 to 56:8-198 which became effective as of August 1, 2015. This amended law – only now – requires healthcare entities like hospitals, insurance companies, and providers, servicing patients within the state to encrypt confidential patient information or secure personal information. However, much like HIPAA and various other state mandates, the law only goes as far as suggesting sensitive data must be protected by technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person – N.J.S.A. 56:8-197. This requirement applies to removable media, laptops, desktop computers, tablets and mobile devices to protect personal information including a person’s first name, or first initial and last name linked with at least one of the following:
- Social Security number
- Driver’s license number or other state identification card number
- Identifiable health information
The law enables the attorney general to enforce it with penalty fines ranging from $10,000 for a first offense to $20,000 for all subsequent offenses and opens a path for class action lawsuits. Unfortunately, it still misses the mark to be effective.
The right way to protect patient and health information should have started by giving full control of medical information to patients themselves. This approach would have forced medical electronic records to be more portable, forced implementation of true security rather than what is in place in most healthcare environments for “compliance” or “convenience” reasons, and would have forced notification mechanisms to catch potential threats in real time. It also would have provided patients with the ability to share their data with only those they deem appropriate and would have given them the ability to control and deny access, what authorized users could do with the data trusted to them and would have provided patients the ability to render data useless if and when necessary.
In the absence of this, the best any healthcare entity can implement is to first and foremost, discover where their sensitive patient information is, implement data-centric and people centric encryption and use policies to control, track and govern health information.
This is not a radical idea and the technology to properly secure PHI exists today. Those interested in what they can do to implement the best approach to data security can use Fasoo’s Data Security Framework as a blueprint for a true security program that meets and exceeds today’s needs and advanced persistent threats.