Posted on Feb 1, 2021
With the sophistication of attacks on the rise and healthcare providers relying increasingly on vulnerable mobile and IoT medical devices, the healthcare industry faces considerable risk, and its providers can be hit with stiff penalties when Protected Health Information (PHI) is compromised.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to enact security measures to guarantee the confidentiality, integrity, and availability of PHI. So what is PHI, and what is a covered entity?
PHI is defined as information which “relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of health care to an individual.” This definition applies to information that is stored or transmitted in any physical or electronic form by HIPAA-covered entities. PHI does not include health data collected on personal devices unless the applications in use are created for a physician or covered entity.
Any health plan, healthcare clearinghouse, or healthcare provider that stores or transmits health information is a covered entity under HIPAA. This designation extends to business associates as well, which are individuals or firms that provide services on behalf of HIPAA-covered entities involving the use or dissemination of PHI. All covered entities must sign a HIPAA-compliant business associate agreement that outlines HIPAA compliance standards.
When used by a HIPAA-covered entity to provide healthcare services or process payments related to those services, the following 18 identifiers are considered PHI:
If a health record has all of these identifiers removed, it is no longer considered PHI.
PHI is highly valuable compared to other types of information often sought by hackers. A 2018 Trustwave report found the average selling price of a health record to be $250.15, while a Social Security Number sold for $0.53. Health records can be exploited by cybercriminals for a longer period of time, as they typically provide multiple pieces of personal information that can be used in a variety of ways—i.e. to file false medical claims or fill fraudulent prescriptions. Unlike stolen credit card information which has a relatively short shelf life, as victims of theft usually cancel stolen cards relatively quickly, it can take longer for a healthcare organization to identify records that have been stolen.
The HIPAA Security Rule requires covered entities to enact physical, technical, and administrative security measures to ensure the safety of PHI. These measures include HIPAA and general cyber awareness training, encryption and endpoint security controls, and limiting the disclosure of PHI to the minimum necessary to fulfill a particular service or request. While no healthcare organization can entirely negate the risk of incurring a data breach, steps can be taken to reduce the likelihood and impact of adverse events. Automated cybersecurity tools like security ratings help organizations continuously monitor their security posture, improve breach detection time, and engage in more effective remediation activities.
SecurityScorecard helps organizations achieve and maintain automated HIPAA compliance and minimize the risk of adverse findings and penalties. Starting with a score, SecurityScorecard provides an instant view of the security posture of any treatment center, insurance provider, or manufacturer in your ecosystem, and allows you to continuously identify, monitor, and manage third-party risk via integrated workflows. With a comprehensive view of enterprise security posture from a hacker’s perspective, we give you the tools and intelligence you need to protect the cyberhealth of your entire ecosystem.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.