10 Best Practices for Securing Protected Health Information (PHI): What Is PHI and How To Secure It

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) refers to any health-related data that can identify an individual and is used, stored, or transmitted in the course of medical care. This includes medical history, diagnosis and treatment records, payment information, insurance claims, and patient contact details.

PHI is governed by the Health Insurance Portability and Accountability Act (HIPAA), which mandates how covered entities and business associates secure, transmit, and manage this data. PHI spans multiple formats—electronic health records (ePHI), paper documents, emails, voice recordings, and mobile applications.

Any organization that touches PHI must comply with strict federal requirements or face legal, financial, and reputational consequences. PHI security is a cornerstone of healthcare cybersecurity, requiring a proactive and compliant approach.

Why PHI Is a Prime Target for Cybercriminals

PHI tends to carry more long-term value on the dark web than credit card numbers or bank credentials. Unlike financial data, patients cannot easily change their medical history, diagnoses, or identity attributes.

Attackers target PHI because it enables:

• Long-term identity theft and synthetic identity creation
• Insurance fraud and prescription abuse
• Highly personalized scams and extortion
• Theft of contact, payment, and Social Security data in a single breach

Ransomware and third-party breaches continue to expose systemic vulnerabilities in the healthcare sector—and recent statistics suggest healthcare entities need to buckle down on cybersecurity defenses. In 2024, approximately 275 million PHI records were leaked, according to the HIPAA Journal. That’s a 63.5% increase from the previous year. Healthcare had the most third-party breaches of any sector last year, according to SecurityScorecard’s 2025 Global Third Party Breach Report.

Medical data has long been the top target in data breaches. After a slight dip in the trend in recent months, medical data has surged to the top of data type leaked in breaches in 2025, according to Verizon’s Data Breach Investigations Report.

How to Secure Protected Health Information

1. Classify and Inventory All PHI

Begin by mapping where PHI is stored, processed, or transmitted. This includes:

• Electronic Health Records (EHRs)
• File shares and relational databases
• Email systems and messaging apps
• Cloud storage repositories
• Backup systems and disaster recovery sites
• Third-party platforms and software-as-a-service (SaaS) tools

Why it matters: You cannot secure PHI without full visibility into its location and handling.

2. Implement Role-Based Access Controls (RBAC)

Limit PHI access based on job function and business need. Apply least privilege principles across departments:

• Segregate access for clinicians, billing personnel, IT staff, and administrators
• Audit user permissions quarterly and remove dormant accounts
• Enforce approvals for elevated privilege access

Why it matters: Insider misuse and excessive access are common causes of healthcare data breaches. Strong access control is a foundational element of HIPAA compliance.

3. Encrypt PHI at Rest and in Transit

Encryption is an addressable implementation specification safeguard under HIPAA’s standards.

Why it matters: Data encryption renders intercepted or stolen PHI unreadable to attackers.

4. Strengthen Authentication with Multi-Factor Authentication (MFA)

Require MFA for:

• Access to Electronic Health Record (EHR) platforms
• Remote virtual private network (VPN) connections
• Cloud-hosted patient portals
• Administrative or privileged accounts

Use phishing-resistant authentication methods such as hardware tokens or biometric systems.

Why it matters: Credential theft remains a primary attack vector for data breaches.

5. Monitor User Behavior and Audit Logs

Track and log user interactions with PHI, including:

• Logins, logouts, and access timeframes
• File views, edits, downloads, and exports
• Administrative changes and privilege escalations

Integrate user behavior analytics (UBA) to detect suspicious patterns, such as large after-hours data access or irregular login locations.

Why it matters: Real-time monitoring of audit logs supports compliance, breach prevention, and health data governance.

6. Secure Mobile Devices and Bring Your Own Device (BYOD)

Healthcare professionals frequently access PHI using smartphones, tablets, and personal laptops. Protect these devices by implementing:

• Mobile Device Management (MDM) software
• Enforced encryption and remote wipe capabilities
• Lock screen requirements and timeout policies

Why it matters: Mobile devices are easily lost or stolen, creating a high-risk vector for medical data protection.

7. Ensure Third-Party Compliance

Business associates—vendors and partners that handle PHI—must meet the same standards as internal teams.

Use Business Associate Agreements (BAAs) to:

• Formalize security expectations
• Define breach notification timelines
• Establish audit rights and remediation thresholds

Why it matters: HIPAA scrutinizes third-party risk, and effective control extends beyond internal systems.

8. Maintain Backups and Test Restoration

A strong backup strategy can assist security teams in cases of ransomware, system failures, and accidental deletion. Best practices include:

• Daily encrypted backups of critical systems
• Cloud-based redundancy with geographic separation
• Immutable storage that prevents modification of backups
• Regular testing of restoration procedures

Why it matters: Backups support HIPAA compliance and contingency planning to ensure medical data protection during major incidents.

9. Train Staff on PHI Security and Privacy

Every employee who accesses PHI must receive training. Programs should include:

• Definitions and examples of PHI
• Common social engineering tactics, including phishing
• Secure communication protocols and data handling
• Steps for reporting suspected incidents

Provide regular refreshers and adapt content by role—clinicians, administrative staff, IT, and finance teams all face different risks.

Why it matters: Human error causes over half of breaches—according to Verizon’s 2025 Data Breach Investigations Report human error caused 60% of breaches. Training is essential to health data governance.

10. Develop and Test an Incident Response Plan

A PHI breach response requires a coordinated, time-sensitive approach. Your IR plan should cover:

• Detection, containment, and forensic investigation
• Notifications to affected individuals and the U.S. Department of Health and Human Services within 60 days
• Communications to regulators, the media, and legal counsel
• Post-incident documentation and remediation

Run simulated breach scenarios (tabletop exercises) involving stakeholders from legal, compliance, PR, and IT security.

Why it matters: A mature PHI breach response plan reduces exposure and accelerates recovery.

Elevating PHI Protection to a Strategic Priority

PHI is among the most sensitive—and most valuable—data an organization can hold. Securing it requires more than compliance checklists. It demands proactive risk management, continuous third-party monitoring, and a strong security culture across the organization. As healthcare threats evolve, so must your defenses.

Experience Comprehensive Cyber Risk Management with MAX
SecurityScorecard’s MAX is a fully managed service that combines our advanced platform with expert driven remediation. We handle the complexities of supply chain cybersecurity, allowing you to focus on your strategic business operations.
🔗 Discover MAX