The U.S. federal government recognizes the risk of data breaches to the healthcare industry and has enacted laws to mandate protection of personally identifiable information. This information, collectively known as Protected Health Information (PHI) in the regulations, includes identifiers such as names, geographical locations smaller than a state, dates related to the individual, phone and fax numbers, email addresses, and many other types of numbers or codes that identify an individual.
As described in Cybercrime and the Healthcare Industry, protected healthcare information can be many times more valuable than credit card data. So what makes this information so valuable? First, healthcare organizations often are not set up to detect a breach, so it can go undetected for longer periods of time. Second, credit card accounts can be cancelled; personal identification information, however, is much more difficult to cancel. Third, criminals can use the breached information in many different ways: A) file fraudulent claims, B) obtain prescription drugs either for use or resale, C) open new credit card accounts, or D) blackmail or extort victims using sensitive health details.
At the recent 2014 Information Systems Security Association Puerto Rico InfoSec Conference, the presentation Reducing Risk of Healthcare Data Breaches had a Breach Definition section that steps through the appropriate Code of Federal Regulations that define healthcare breach. Each slide in the section highlights the appropriate snippets of the code and provides links to the original documents (the definition spans several federal documents to weave together the full story).
Within the regulations, organizations that have 500 or more records breached are required to report the breach to the Department of Health and Human Services. These breaches are made publicly available on the Breaches Affecting 500 or More Individuals web page, where the information can be searched or downloaded. As of the end of 2013, 800 reports had been filed, accounting for 28,898,900 breached records. Thus far Washington D.C., Puerto Rico, and all states except Maine have reported breaches. The figure below shows the per capita impact of breached records by region. As shown, in the three years since reporting was mandated, five regions have already had at least 1 in 5 of their population's records breached.
At the end of 2013, 98 of the breach reports had detailed comments about the breach and the organization’s response to the breach. For electronic breaches, a very typical response was to add encryption (see following graph).
While encrypting Protected Health Information is a great starting point and, arguably, a very positive step to take, note that it should not be a final step. For instance, my colleague, David Houlding, wrote Healthcare Information at Risk – Encryption is Not a Panacea, which describes many other activities that are worth considering in addition to encryption. There are several technologies available that accelerate the speed at which data can be encrypted and decrypted (e.g. processor hardware support such as AES-NI, or self-encrypting Solid State Drives (SSDs)). Deploying these solutions before a breach is often far more affordable than paying for a breach after the fact in: A) manpower, B) post-breach encryption, C) government fines, D) brand name damage, and E) loss of customer loyalty / lawsuits.
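As an added illustration of the at-rest encryption step discussed above (example code written for this page, not code from the original post, from Intel, or from the referenced presentation), the following Go program encrypts a PHI field with AES-256-GCM from the standard library, which uses AES-NI automatically on processors that provide it. The record identifier is bound to the ciphertext as associated data, so a ciphertext copied onto a different record, or a single flipped byte, fails authentication rather than decrypting to garbage. The record values, key and identifiers are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealPHI encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// recordID is not secret; binding it as associated data ties the ciphertext to the
// row it belongs to, so it cannot be silently moved to another patient's record.
func sealPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record; never reuse a nonce under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so both travel together.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openPHI reverses sealPHI. Any mismatch in key, nonce, ciphertext, tag or
// recordID yields an error instead of plaintext.
func openPHI(key []byte, recordID string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed value too short to contain a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed example key; in production this comes from a key-management
	// system, never from source code or the same store as the ciphertext.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed PHI field for patient record "rec-001" (not real data).
	sealed, err := sealPHI(key, "rec-001", []byte("Jane Doe, DOB 1970-01-01"))
	if err != nil {
		panic(err)
	}
	pt, err := openPHI(key, "rec-001", sealed)
	fmt.Printf("correct record: %q err=%v\n", pt, err)

	// The same ciphertext presented as a different patient's record is rejected.
	_, err = openPHI(key, "rec-002", sealed)
	fmt.Println("swapped record id:", err)

	// A single flipped ciphertext bit is detected by the GCM tag.
	sealed[len(sealed)-1] ^= 0x01
	_, err = openPHI(key, "rec-001", sealed)
	fmt.Println("tampered ciphertext:", err)
}
```

The example also makes the post's caveat concrete: whoever holds `key` reads every record, so encryption at rest defends against a stolen drive or database dump, not against a compromised application account or an insider with legitimate decrypt access. Key custody, access control and monitoring of decrypt activity are the additional steps the paragraph is pointing at.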
How are you protecting your Protected Health Information?
Doug Bogia, PhD, is a mobile health lead architect at Intel Corporation.