Sensitive data like PHI has been the target in most cases. Protected Health Information (PHI) is any information that unscrupulous elements can use to identify a patient as per HIPAA. ePHI is an electronic record. Any information related to the health, treatment, or billing that identifies a patient is considered PHI.

You may ponder that cybersecurity measures have been becoming more stringent year after year and that your data should be safe. Unfortunately, that is not the case.

The HIPAA journal reveals the following insights

• 25% year-over-year increase in healthcare data breaches.
• Healthcare data breaches have doubled since 2014.
• 642 healthcare data breaches of 500 or more records were reported in 2020.
• 76 data breaches of 500 or more healthcare records were reported each day in 2020.
• 2020 saw more than 29 million healthcare records breached.
• One breach involved more than 10 million records and 63 saw more than 100K records breached.
• Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
• 3,705 data breaches of 500 or more records have been reported since October 2009.
• 78 million healthcare records have been breached since October 2009.

Why is ePHI so attractive to hackers?

Medical records have information that offers multiple opportunities like identity theft, prescription abuse, insurance frauds, blackmail, credit card theft, etc. Organizations have adopted federal laws for electronic health records(EHR) without adequate IT security.

How do HIPAA data breaches happen?

Today there are multiple ways that data breaches happen. It could be a healthcare employee opening an email attachment or a malware attack or hacking any servers or portable mobile devices or forms used to fill ePHI information. Many times mobile apps have vulnerabilities and cyber-attacks like malware and ransomware cause data breaches.

How to Protect ePHI from Healthcare Data Security Risks

HIPAA mandates the protection of PHI by law. So how can you protect ePHI in your organization? There are some ways to protect ePHI data.

1. Access management:
   
   Role-based access can help segregate data access to the people who need to have access to the data. Limiting access is one of the ways of securing ePHI and is applicable in a few scenarios. All departments need not have access to billing records. Similarly, billing department staff need not see details of medical records. Limit the exposure of your ePHI and minimize the risk of ePHI data breaches.
   
   
2. Encrypting Hard drives:
   
   Protection of hard drives with data encryption is essential to prevent data access if the hard disk or drive is stolen or lost.
   
   
3. Email encryption:
   
   Sensitive data, be it financial or ePHI, must be sent only on encrypted email services. Email encryption may involve a password, code, or link that provides access to the content.
   
   
4. Firewalls:
   
   Secure your IT networks with firewalls. There are different solutions available, and cloud-based firewall security (Firewall-as-a-Service) can help reduce costs too.
   
   
5. Destroy old data disks:
   
   There are ways to retrieve data from old and damaged hard disks, even if they may be encrypted. Old and decommissioned hard drives must be destroyed.
   
   
6. Password protection of computers:
   
   Computers should be protected with usernames and passwords as per defined IT policies. Organizations should preferably change passwords every few months, and an IT policy should have this covered. If used, Electronic Record Programs (EMR) need to have a separate login and password for enhanced security.
   
   
7. Protecting mobile devices:
   
   Organizations must protect company-owned mobile devices like tablets and smartphones to access ePHI data with passwords. Mobile devices that get lost puts ePHI data at risk.
   
   
8. Multi-factor Authentication:
   
   Enhanced security for accessing ePHI involves multiple authentications like a password plus verification with a texted code to the user’s mobile device or a biometric authentication like fingerprints or use a token that generates random codes.
   
   
9. Periodic training:
   
   People tend to forget about being cautious about security breaches and need to be reminded with ongoing training to alert them to cyber-attacks and breach attempts.
   
   
10. Business Associate Agreements:
    
    If you are working with partners or medical providers who may have access to ePHI data, you should have a BAA (Business Associate Agreement) to safeguard the use of ePHI data securely.
    
    
11. Secure ePHI data:
    
    Organizations can prevent unauthorized access to systems containing PHI or ePHI like server machines or physical lockers. Securing access could mean locking a server room or lockers that may store these data.
    
    

Importance of being vigilant and ready

Despite all the security measures, organizations carry some amount of risk to their ePHI data. It becomes vital for healthcare organizations to be vigilant and ready to act in case of any breach. You should have a planned response for any breach possibility. The response must be designed well in advance and should be easy to execute.

Real-time threat intelligence and protection helps in securing unexpected user behaviors and application anomalies.

Kogni health from Resolve is a highly extensible data discovery and security platform that offers healthcare organizations a single pane view of all their data. Custom designed machine learning techniques help classify, tag data across the organization and even mask data based on the access level. Businesses can prioritize the protection of high-risk data and ensure regulatory compliance without having to spend years identifying and organizing existing data. Kogni health monitors all data and is geared to provide sensitive data alerts to help manage policy violations fast empowering for swift actions and remediation.