
The U.S. federal government recognizes the risk that data breaches pose to the healthcare industry and has enacted laws (HIPAA, extended by the HITECH Act) that mandate protection of personally identifiable health information. This information, collectively known as Protected Health Information (PHI) in the regulations, includes identifiers such as names, geographic subdivisions smaller than a state, dates related to the individual, phone and fax numbers, email addresses, and many other numbers or codes that identify an individual.


As described in Cybercrime and the Healthcare Industry, protected health information can be many times more valuable than credit card data. What makes it so valuable? First, healthcare organizations often are not set up to detect a breach, so one can go undetected for a long time. Second, a credit card account can be cancelled; personal identification information is much harder to cancel. Third, criminals can use breached information in many different ways: A) file fraudulent claims, B) obtain prescription drugs for use or resale, C) open new credit card accounts, or D) blackmail or extort the victim with sensitive health details.


At the 2014 Information Systems Security Association Puerto Rico InfoSec Conference, the presentation Reducing Risk of Healthcare Data Breaches had a Breach Definition section that steps through the sections of the Code of Federal Regulations that define a healthcare breach. Each slide in that section highlights the relevant snippets of the code and links to the original documents (the definition spans several federal documents that must be woven together to tell the full story).


Under the regulations, an organization with a breach affecting 500 or more individuals must report it to the Department of Health and Human Services (HHS). These breaches are made publicly available on the Breaches Affecting 500 or More Individuals web page, where the information can be searched or downloaded. As of the end of 2013, 800 reports had been filed, accounting for 28,898,900 breached records. So far Washington D.C., Puerto Rico, and every state except Maine have reported breaches. The figure below shows the per capita impact of breached records by region. As it shows, in the three years since reporting was mandated, five regions have already had at least 1 in 5 of their population's records breached.
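The per capita figure is straightforward to reproduce from the downloadable HHS list. The following is an added example, not code from the original post or from HHS: it aggregates the "Individuals Affected" column by state and divides by population. The CSV rows, the column names and the population figures are all constructed for illustration (the entities are fictitious and the numbers are not census data); substitute the real download and census counts to recompute the figure.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the shape of the HHS "Breaches Affecting 500 or More
# Individuals" download. Column names are assumed; entities are fictitious.
BREACH_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Health System,PR,120000,2011-04-02,Theft,Laptop
Sample Clinic,PR,300000,2012-09-14,Hacking/IT Incident,Network Server
Demo Medical Group,WY,90000,2013-01-20,Loss,Portable Electronic Device
Demo Dental,WY,40000,2013-06-11,Unauthorized Access/Disclosure,Paper/Films
Placeholder Hospital,DC,5000,2010-12-01,Theft,Desktop Computer
Small Practice,ME,300,2013-03-03,Theft,Laptop
"""

# Constructed population figures (not census data); keys match the State column.
POPULATION = {"PR": 3_700_000, "WY": 580_000, "DC": 620_000, "ME": 1_330_000}


def breached_per_capita(csv_text, population, threshold=500):
    """Sum 'Individuals Affected' per state over reports at or above the
    reporting threshold and divide by that state's population.
    Returns {state: fraction}. Each report counts its affected individuals
    separately, so a person hit by two breaches is counted twice and the
    fraction can exceed 1.0; it measures breached records, not unique people."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = int(row["Individuals Affected"])
        if affected < threshold:  # sub-threshold breaches are reported elsewhere
            continue
        totals[row["State"]] += affected
    return {st: totals[st] / population[st] for st in totals if st in population}


def regions_at_least(fractions, floor):
    """States whose breached-records-per-capita fraction is at least `floor`."""
    return sorted(st for st, frac in fractions.items() if frac >= floor)


if __name__ == "__main__":
    fractions = breached_per_capita(BREACH_CSV, POPULATION)
    for st, frac in sorted(fractions.items(), key=lambda kv: -kv[1]):
        print("%s: %.3f breached records per resident" % (st, frac))
    print("at or above 1 in 5:", regions_at_least(fractions, 0.2))
```

With the constructed rows, only WY crosses the 1-in-5 line; the Maine row falls under the 500 threshold and is excluded, mirroring why Maine is absent from the public list.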




At the end of 2013, 98 of the breach reports had detailed comments about the breach and the organization's response to it. For electronic breaches, a very typical response was to add encryption (see the following graph).



While encrypting Protected Health Information is a great starting point and, arguably, a very positive step to take, it should not be the final step. Full-disk or self-encrypting-drive encryption protects data at rest on a lost or stolen device; it does nothing against a compromised account or application that reads the data through the normal, already-decrypted path. My colleague David Houlding wrote Healthcare Information at Risk – Encryption is Not a Panacea, which describes many other activities worth considering in addition to encryption. Several technologies accelerate the speed at which data can be encrypted and decrypted (e.g., processor hardware support such as AES-NI, or self-encrypting Solid State Drives (SSDs)). These solutions are far more affordable to deploy before a breach than paying for a breach after the fact in: A) manpower, B) post-breach encryption, C) government fines, D) brand damage, and E) loss of customer loyalty and lawsuits.


How are you protecting your Protected Health Information?


Doug Bogia, PhD, is a mobile health lead architect at Intel Corporation.

If you are a healthcare CIO, interoperability is probably on your radar when it comes to the thousands of devices in your organization. With more of these devices connecting to the internet, it is important to know which vendors and products will help you coordinate your strategy. In August 2013, the United States Food and Drug Administration (FDA) updated its list of Recognized Consensus Standards that can be used in premarket reviews. With this update, several of the IEEE 11073 Personal Health Device (PHD) standards are now recognized, which increases the opportunity to produce interoperable health care solutions.


Two of the eight newly recognized standards are 1) the base standard, IEEE 11073-20601, which defines the common data formats and the exchange protocol, and 2) an update to that base standard. The remaining six are "specializations" that define how to use the base standard to implement specific device types: thermometers (-10408), weighing scales (-10415), pulse oximeters (-10404), peak flow meters (-10421), glucose meters (-10417), and basic electrocardiograph (1 to 3 lead ECG) devices (-10406).
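The exchange protocol in the base standard wraps every message in an APDU: a 16-bit choice tag, a 16-bit body length, then the body. The first message an agent (the device) sends is an association request (AARQ) listing the data protocols it speaks. Below is an added example of a manager-side parser for that envelope and the AARQ body; it is not code from the original post, from Intel or from the IEEE. The choice tags, the 20601 data-proto-id and the MDER layout of the DataProtoList are written from my reading of IEEE 11073-20601 and should be verified against your copy of the standard, and the sample bytes are constructed (a real agent's data-proto-info is its full PhdAssociationInformation, abbreviated here to a placeholder). The security point is the length handling: a manager that takes device data off the network must never trust a length field to index into its buffer.

```python
import struct

# APDU choice tags as encoded under MDER in IEEE 11073-20601 (assumed from the
# standard; verify against the text).
APDU_CHOICE = {
    0xE200: "AARQ",  # association request (agent -> manager)
    0xE300: "AARE",  # association response
    0xE400: "RLRQ",  # release request
    0xE500: "RLRE",  # release response
    0xE600: "ABRT",  # abort
    0xE700: "PRST",  # presentation (data) APDU
}
DATA_PROTO_ID_20601 = 0x5079  # data-proto-id meaning "IEEE 11073-20601"


def parse_apdu(buf):
    """Split one APDU into (name, body). Refuses an unknown choice and any
    length field that disagrees with the bytes actually received, so a
    malformed or hostile frame cannot steer later parsing past the buffer."""
    if len(buf) < 4:
        raise ValueError("APDU shorter than its 4-byte header")
    choice, length = struct.unpack(">HH", buf[:4])
    name = APDU_CHOICE.get(choice)
    if name is None:
        raise ValueError("unknown APDU choice 0x%04x" % choice)
    if length != len(buf) - 4:
        raise ValueError("length field %d but %d body bytes" % (length, len(buf) - 4))
    return name, buf[4:]


def parse_aarq(body):
    """Decode an AarqApdu body: assoc-version (4 bytes) then a DataProtoList,
    which MDER encodes as count (2 bytes), byte length (2 bytes), and entries
    of data-proto-id (2 bytes) + data-proto-info as length-prefixed octets."""
    if len(body) < 8:
        raise ValueError("AARQ body too short")
    assoc_version, count, list_len = struct.unpack(">IHH", body[:8])
    entries = body[8:]
    if list_len != len(entries):
        raise ValueError("DataProtoList length mismatch")
    protos = []
    off = 0
    for _ in range(count):
        if off + 4 > len(entries):
            raise ValueError("truncated DataProto entry")
        proto_id, info_len = struct.unpack(">HH", entries[off:off + 4])
        off += 4
        if off + info_len > len(entries):
            raise ValueError("data-proto-info runs past the list")
        protos.append((proto_id, entries[off:off + info_len]))
        off += info_len
    if off != len(entries):
        raise ValueError("trailing bytes after DataProtoList")
    return {
        "assoc_version": assoc_version,
        "protos": protos,
        "offers_20601": any(pid == DATA_PROTO_ID_20601 for pid, _ in protos),
    }


# Constructed AARQ: version 1, one DataProto offering 20601, with a 4-byte
# placeholder data-proto-info instead of a real PhdAssociationInformation.
SAMPLE_AARQ = bytes.fromhex(
    "e200 0010"           # choice AARQ, body length 16
    "80000000"            # assoc-version
    "0001 0008"           # DataProtoList: 1 entry, 8 bytes
    "5079 0004 80000000"  # data-proto-id 20601, 4-byte info (placeholder)
)

if __name__ == "__main__":
    name, body = parse_apdu(SAMPLE_AARQ)
    print(name, parse_aarq(body))
```

Every length field is checked against what was actually received before it is used as an offset, and a count that does not match the bytes present is rejected rather than silently truncated; a manager that skips these checks and accepts any device on the network is the kind of receiving device the specializations do not protect you from.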


These standards were created through the consensus-driven processes of the Institute of Electrical and Electronics Engineers (IEEE) and are also recognized by the International Organization for Standardization (ISO). With dual ISO/IEEE recognition, the standards apply worldwide.


Further, the Continua Health Alliance references these standards in its Interoperability Guidelines and has a rigorous test and certification process to ensure interoperability between these devices and a receiving device (e.g., a PC, tablet, or phone). Continua has certified 77 devices that comply with the newly recognized standards.


The IEEE 11073 PHD working group continues to produce standards for additional personal health device types such as INR (coagulation) monitors, insulin pumps, and body composition analyzers. There are also standards for the health and fitness space (e.g., cardiovascular fitness and activity monitoring) and for independent living (e.g., medication monitoring).


Device manufacturers interested in building any of the six device types above, or in receiving data from such devices in a standardized fashion, should review the FDA's Procedures for the Use of Consensus Standards in the Premarket Application Review Process. Using these standards may simplify and streamline the premarket review and reduce the amount of data and documentation needed in a 510(k) submission.


For healthcare providers planning to purchase personal health devices, these standards, and their acceptance by IEEE, ISO, Continua and the FDA, make it possible to require interoperable devices built on open standards, so that best-of-breed devices can be selected from any number of vendors and integrated into the existing infrastructure.


What questions do you have?