Looking after customer data in the healthcare industry is no easy task.
With a third of hospitals reported to have been hit by ransomware, lost money to phishing, and/or suffered theft of Protected Health Information (PHI), it's clear that even the most established organisations can fall victim to cyberattacks.
And it's not only healthcare organisations that have to protect customer data. Any business handling card details must have safeguards in place, in line with the Payment Card Industry Data Security Standard (PCI DSS), to ensure cardholder data can't be read or used by unauthorised parties.
PII and PHI are sometimes used interchangeably but there are differences between the two.
PII stands for Personally Identifiable Information and covers any form of data that you could identify someone by. For instance, that could be their:
- home address
- date of birth
- passport number.
You might assume that all data would be classed as PII but sometimes, information is far too vague. A zip code, for example, covers a wide area so it would be difficult to identify someone purely based on that. However, coupled with more data like somebody’s name, it would be easy to know who they are. Context is everything when it comes to PII.
Protected Health Information, or PHI, includes details that are specific to someone’s health. That could include information on:
- medical history
- medical bills
Healthcare organizations in particular will be handling plenty of PHI on a daily basis.
PCI is a little different from PII and PHI: it isn't a category of data but an industry. PCI stands for Payment Card Industry, and "PCI data" in practice means cardholder data: the primary account number (PAN), cardholder name, expiry date, and the sensitive authentication data (such as the CVV) that must never be stored after authorisation. If your organisation stores, processes or transmits payment card information, you'll have to abide by PCI DSS, the standard the card brands maintain through the PCI Security Standards Council to make sure that data is handled securely. Read our guide to understand PCI in more detail.
PII can refer to any form of identifying data, whereas PHI is always healthcare-related: under HIPAA it is individually identifiable health information created, received or held by a covered entity or its business associates.
The two overlap rather than being separate boxes. PHI is always PII, because by definition it identifies a patient; PII only becomes PHI when it is linked to health information and handled by an organisation that HIPAA covers.
Data can therefore move from PII to PHI through context. A patient's address on its own is PII, but presented alongside details of their recent hospital admission it becomes PHI, and the whole record has to be protected as such.
As a business, you have a duty to protect your customers' PII, PHI and cardholder data. But you also have a legal responsibility under the regulations that protect the data of individuals.
Under the Health Insurance Portability and Accountability Act (HIPAA), individuals in the US are protected when it comes to their healthcare data.
According to the Department of Health & Human Services, ‘a major goal of the Privacy Rule [within HIPAA] is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.’
HIPAA applies to health plans, healthcare clearinghouses and any health care provider 'who transmits health information in electronic form', and, through the HITECH Act, to the business associates that handle PHI on their behalf. If you're unsure whether you're covered by HIPAA, the Department of Health & Human Services publishes guidance on who counts as a covered entity or business associate.
Regardless of whether you’re covered by HIPAA or any other regulations, you should always ensure you’re keeping your customers’ data safe to protect them from cases of identity theft.
Protecting cardholder data is also crucial for preventing fraud, maintaining customer trust, and meeting PCI DSS obligations. With any type of data breach or leak, there is the risk that you incur financial losses or face legal action, and your reputation will take a hit if customers no longer think they can trust you. It's vital to have the right processes in place to secure data and to ensure your organisation is prepared if an incident does occur.
HIPAA's Safe Harbor de-identification method (45 CFR 164.514(b)) lists the following 18 identifiers, all of which must be removed before health information can be treated as de-identified:
1. Names
2. Geographic subdivisions smaller than a state, such as street address, city, county or ZIP code (the first three digits of a ZIP code may be kept where that area contains more than 20,000 people)
3. All elements of dates (except year) directly relating to an individual, such as birth, death, admission and discharge dates, and any age over 89
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, such as license plates
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers such as fingerprints and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic or code
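Most of the identifiers in the list have a recognisable textual shape, so the practical first step is finding them in free text before a note is pasted into a ticket or a chat. The following Python script is an added example, not code from this page or from Metomic: it scans a constructed, fictional clinical note with regular expressions for the identifier classes that can be pattern-matched, reports what it found, and redacts each hit with a category placeholder. The note, and the assumed MRN format (eight digits after "MRN"), are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, fictional sample note used as input (not real patient data).
SAMPLE_NOTE = """Patient Jane Doe, DOB 04/12/1951, MRN 00123456, admitted 2023-07-14.
Contact: jane.doe@example.com, +1 (415) 555-0134. SSN 123-45-6789.
Portal: https://portal.example.org/patient/00123456 from IP 203.0.113.42."""

# Safe Harbor identifier classes with a regular textual shape.
# The MRN format (eight digits after "MRN") is an assumption for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?:\+1[\s-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s,;]+"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN\s*\d{8}\b"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    text: str
    start: int
    end: int


def scan(text: str) -> list[Finding]:
    """Return every identifier hit in positional order.

    When two patterns overlap (e.g. a URL containing digits that also look like
    an account number), the earliest-starting, longest match wins so that the
    redaction step never produces a half-redacted token.
    """
    hits = [
        Finding(category, m.group(0), m.start(), m.end())
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    hits.sort(key=lambda f: (f.start, -(f.end - f.start)))
    kept: list[Finding] = []
    for hit in hits:
        if kept and hit.start < kept[-1].end:
            continue  # lies inside a hit we have already kept
        kept.append(hit)
    return kept


def redact(text: str) -> str:
    """Replace each finding with a [CATEGORY] placeholder, keeping the note readable."""
    pieces, pos = [], 0
    for f in scan(text):
        pieces.append(text[pos:f.start])
        pieces.append(f"[{f.category.upper()}]")
        pos = f.end
    pieces.append(text[pos:])
    return "".join(pieces)


def summary(text: str) -> dict[str, int]:
    """Count hits per identifier class, e.g. for a DLP alert or a data inventory."""
    counts: dict[str, int] = {}
    for f in scan(text):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_NOTE):
        print(f"{f.category:6s} {f.text}")
    print(summary(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Note what the scanner does not catch: the patient's name (item 1 in the list) has no regular shape and survives redaction. Catching names needs a dictionary or an entity-recognition model, which is why regex-only scanners under-report PHI and should be treated as a floor, not a complete inventory.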
Being careless with sensitive information like PHI & PII can be bad for your customers and your business.
It not only violates your patients’ or customers' privacy and trust but it can lead to significant legal and financial consequences. PHI breaches, in particular, can result in hefty fines, damage to reputation, and even litigation, due to the sensitive nature of the information.
There are a few ways you can secure sensitive data to reduce the risk to patient confidentiality:
1. Reduce the amount of data you retain on your customers or patients by using data security software like Metomic. You'll be able to see where your data is stored and who has access to it, as well as set automation rules to redact information immediately or after a set amount of time.
2. Make sure retained data can't be traced back to an individual by de-identifying or pseudonymising it, and encrypt whatever you must keep in identifiable form. The two are different controls: encryption keeps data confidential from anyone without the key, but an encrypted record is just as identifiable to whoever holds the key, so it does not reduce what you are accountable for.
3. Review your access controls: who can reach sensitive data, whether each of them still needs to, and whether access is granted on a least-privilege basis and revoked when roles change.
4. Educate your team on the dangers of sharing sensitive data freely across SaaS apps, using in-app employee notifications or regular training sessions to increase awareness.
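Step 2 above is where teams most often conflate controls, so here is what de-identification actually does to a record. The following Python script is an added example, not code from this page or from Metomic: it applies the Safe Harbor generalisations (ZIP to three digits, dates to year only, ages over 89 capped at "90+"), drops the direct identifiers, and replaces the medical record number with a keyed HMAC pseudonym so that records from the same patient can still be linked. The sample record, the key, and the restricted ZIP-prefix set are constructed assumptions for the example.

```python
import hashlib
import hmac
from datetime import date

# Secret held only by the data custodian (constructed for the example; a real
# deployment would load it from a KMS or HSM). Whoever holds it can re-link
# pseudonyms to patients; without it the tokens are opaque.
RELINK_KEY = b"example-only-key-not-for-production-use"

# Three-digit ZIP prefixes covering 20,000 or fewer people must collapse to 000
# under Safe Harbor. This set is a placeholder; use the current HHS list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Fields that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "license_plate", "device_serial",
    "url", "ip", "biometric_id", "photo_ref",
}

AS_OF = date(2024, 1, 15)  # reference date for age calculation (assumption)

SAMPLE_RECORD = {  # constructed, fictional patient record
    "name": "Jane Doe",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.com",
    "dob": "1931-04-12",
    "zip": "03601",
    "admission_date": "2023-07-14",
    "diagnosis": "I10",
}


def pseudonym(value: str, label: str) -> str:
    """Keyed one-way token: stable for the same input, unlinkable without RELINK_KEY."""
    mac = hmac.new(RELINK_KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{label}-{mac[:16]}"


def generalise_zip(zip_code: str) -> str:
    """Keep the first three digits unless that area is too sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalise_date(iso_date: str) -> str:
    """Every date element except the year is an identifier, so keep only the year."""
    return iso_date[:4]


def generalise_age(dob_iso: str, as_of: date) -> str:
    """Ages over 89 are an identifier and are reported as a single '90+' bucket."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Produce a de-identified copy: direct identifiers dropped, quasi-identifiers
    generalised, and a keyed pseudonym in place of the MRN for record linkage."""
    out = {"patient_token": pseudonym(record["mrn"], "pt")}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalise_zip(value)
        elif key == "dob":
            out["birth_year"] = generalise_date(value)
            out["age"] = generalise_age(value, as_of)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalise_date(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The output is pseudonymous, not anonymous: anyone holding RELINK_KEY can regenerate the token from an MRN and re-link the record, so the key must live outside the dataset and be protected like any other PHI key. Whether a keyed token satisfies Safe Harbor's rule on re-identification codes is a question for your compliance review, not something the code settles; what the example does show is that removing and generalising fields changes what the data can reveal, whereas encrypting the same fields would not.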
First, contain the breach: isolate the affected systems and accounts as soon as you can, while preserving logs and other evidence for the investigation. Under the HIPAA Breach Notification Rule you must then notify affected individuals without unreasonable delay, and no later than 60 days after the breach is discovered. If you lack up-to-date contact details for 10 or more of them, you must give substitute notice, either a conspicuous posting on your website's home page for 90 days or a notice in major print or broadcast media. A breach affecting more than 500 residents of a state or jurisdiction also requires you to notify prominent media outlets serving that area.
If you're in the US, a breach affecting 500 or more individuals must also be reported to the Department of Health & Human Services within the same 60 days of discovery; smaller breaches can be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. State breach-notification laws and other regulators may impose their own, sometimes shorter, deadlines.
After the incident, you should take steps to review why it happened, and what your data security posture will be going forward to ensure it doesn’t happen again.
Using a data security tool like Metomic can be a gamechanger for keeping customer data secure. Take a look at how we worked with Zego to help reduce their attack surface when it came to their sensitive data.