Securing Protected Health Information in the 21st Century

With great power comes great responsibility, and so it is with the rapid advancement in technology experienced in the 21st century. With new software and high-tech medical devices being introduced every day, data breaches have become commonplace. It is the duty of all key players in the health sector to buckle up and come up with more stringent measures to counter the numerous cyber-attacks being reported daily and keep the bad guys away.

The homework is already halfway done for stakeholders looking to protect their clients’ records. In August 1996, then President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. Two decades later this very law, with a few tweaks here and there, continues to define how protected health information (PHI) should be handled. The ball is in the stakeholders’ court, therefore, to fully comply and play by the book. Where electronic PHI, now the most widely used form of this information, is concerned, the stakes are even higher.

In Title II of the law, ‘HIPAA Administrative Simplification,’ the act states: “Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.” Implementing the intricate details of this law to the letter can be dicey, especially when an organization’s staff is not well versed in the HIPAA compliance terms. These are set out under the same title and summarized below:

  1. HIPAA National Provider Identifier Standard - A special national provider identifier number to be assigned to each entity, including individuals.
  2. HIPAA Transactions and Code Sets Standard - Defines how to process and submit insurance claims and the standardized electronic data interchange mechanism involved.
  3. HIPAA Privacy Rule - Also known as the Standards for Privacy of Individually Identifiable Health Information; national standards established to protect patient health information.
  4. HIPAA Security Rule - Security standards that protect electronic protected health information.
  5. HIPAA Enforcement Rule - Outlines the guidelines used in investigations into HIPAA compliance violations.

Once the staff is familiarized with these rules, the next step is to ensure that the data security system in place is watertight and even in the case of unauthorized access, no malicious agenda can prevail.

Combating ransomware attacks

On February 5, 2016, the Hollywood Presbyterian Medical Center parted with $17,000 to strangers who had hacked into its system and locked staff out of certain parts of the network. They encrypted the hospital’s EHR and demanded the money in exchange for the encryption key. This was not a new entry on the list of ransomware attacks directed at health insurance companies or hospitals. In May 2015, the UCLA Health system likewise suffered a massive cyber-attack that compromised the information of at least 4.5 million of its patients. The aftermath of the attack was the exposure of sensitive details such as patients’ medical information, medical record numbers and social security numbers, to name but a few.

There are two types of ransomware. There’s the locker type, which prevents users from accessing certain sensitive information, and the crypto type, where the attacker encrypts data so that the decryption key is made available only after you’ve paid. Paying the ransom, however, does not guarantee that all the information will be given back or restored to its earlier form.

To fight these incessant attacks, health care providers cannot afford to stick to the old methods of antivirus and firewalls only. These controls are effective in their own right but can be defeated by sophisticated malware. To establish an infallible security protocol with advanced malware protection, there needs to be a concerted effort between device manufacturers and the health organizations buying these devices. This way the manufacturer can configure the devices, and the system as a whole, to fight the types of data breach most commonly faced.

Another positive effort would be to train employees thoroughly and sensitize them to email security and cyber security in general. This way they’ll know what warning signs to look out for while operating the data system from their laptops or mobile devices.

Unauthorized access

Apart from ransomware attacks, it is still possible for malicious actors on the internet to get access to information and make ridiculous amounts of money from it by selling it on the Dark Web or black market. According to a 2014 survey done by Bitglass, 68% of data breaches are due to device loss or theft.

When a laptop or mobile device holding sensitive information is stolen, the thief gets direct access to all the information he needs, including financial records. Identity theft is enabled, and the thief can decide to alter insurance information, medication dosages or even the operation of a medical device, which can result in death.

This calls for placing more emphasis on securing the data itself rather than the devices. At the end of the day, it is the sensitive data that’s more valuable. The technologies that can make this happen include on-the-fly data encryption, data loss prevention (DLP), digital rights management (DRM) and redaction, among others.

When it comes to data encryption, various tactics apply. Data in motion is usually intercepted on the network by, say, stealing a password. Strong passwords, therefore, need to be set and changed from time to time. Data at rest, on the other hand, is information stored on a device. To take care of this, it is important that, apart from creating physical barriers around the servers or devices, backup files are stored on a different network. Cloud computing also comes into play.

The truth of the matter

Cyber-attacks are not going away anytime soon. The government has tried to help through legislation, such as the effort by the California Senate Public Safety Committee to counter ransomware attacks. While these efforts are steps in the right direction, it is upon the users of these systems to take data privacy seriously and unequivocally safeguard the medical information of their patients.