What Is Protected Health Information?
According to UC Berkeley’s Human Research Protection Program, PHI includes any information found in medical records or clinical data sets that can be used to identify an individual. In addition, this information must have been collected, used or disclosed while providing a healthcare service. PHI can be used during the diagnosis or treatment of a patient or in clinical research processes.
- Information collected by doctors, nurses and other healthcare providers in the medical record
- Conversations between doctors and other healthcare providers about a patient’s care
- Patient information recorded in a health insurer’s computer system
- Billing information
Additionally, healthcare delivery organizations are under regulatory compliance pressure to ensure the safe handling of patient data such as electronic health records and e-PHI. Many global regions and countries also have data residency requirements.
If PHI is de-identified, meaning it is stripped of identifiable data, then it is no longer classified as PHI under HIPAA. Health information is also not considered PHI when it meets certain criteria, such as being collected by entities not covered under HIPAA.
How Evolving Health IT Can Complicate Cybersecurity Around PHI
Data protection laws have continued to evolve globally, especially as data and information becomes more valuable, says Marlon Harvey, principal business architect for Cisco’s customer experience healthcare practice.
“This includes everything from personally identifiable information, or PII, to PHI. While this data can be similar, in the U.S. there is a more narrow focus on federal protections for health information,” he says. “This accelerated during the COVID-19 pandemic, as healthcare organizations as well as health departments had to rethink sharing health information for the greater public good.”
On Jan. 5, 2021, President Donald Trump signed HR 7898, the HIPAA Safe Harbor Bill, into law. Harvey explains that key mandates in this bill include:
- Amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services in determining any HIPAA fines, audit results or mitigation remedies
- Providing a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations; specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches?
“Stricter protections for PHI mean that providers have to ensure their cybersecurity programs are up to date to meet the latest industry needs. These are outlined in updated National Institute of Standards and Technology guidelines,” says Harvey.
The new HIPAA Security Rule draft guidance makes explicit connections to these and other NIST cybersecurity resources.
“Healthcare organizations that have adopted recognized cybersecurity best practices; completed a HIPAA Security Risk Analysis; reduced identified risks to a low and acceptable level; and have implemented technical safeguards to ensure the confidentiality, integrity and availability of e-PHI will be treated more leniently by the HHS Office for Civil Rights, but financial penalties for organizations that have not complied with cybersecurity best practices cannot be increased,” says Harvey.
In addition to facing lower penalties and sanctions, healthcare organizations that comply with the HIPAA Security Rule will be better protected against cyberthreats and data breaches.
While privacy requirements aim to keep PHI out of the hands of malicious actors, the growing number of Internet of Medical Things devices, as well as legacy devices running on outdated operating systems, create more vulnerabilities for healthcare organizations.
According to Unit 42 research, 75 percent of infusion pumps scanned in hospitals had known security gaps that put them at heightened risk of being compromised by attackers.
“These devices tend to be the largest number of IoT devices used in any healthcare delivery organization, creating a large attack vector that has a weak security posture due to security gaps,” says Zou. “Protecting medical devices like those becomes as important as protecting traditional IT systems.”
Any attack that involves a patient system or IoMT device could lead to a compliance breach, he adds. The increased number of data breaches and ransomware activity not only impacts patient care and loss of revenue but also affects healthcare organizations’ reputations. However, cybersecurity is not just about responding to or preventing attacks.
“For example, the safe retirement of devices that house PHI is key when a device has reached its end of life,” says Zou. “Healthcare IT teams need to ensure the protection and removal of patient data, and that the safe disposal of these devices is centered in their clinical device management methodology.”
How Can Healthcare Organizations Keep PHI Secure?
Zou says healthcare organizations need a comprehensive zero-trust framework that can support their digital transformation journey, leading to better patient care outcomes while ensuring patient data privacy and regulatory compliance.
“Zero trust is a cybersecurity strategy that eliminates implicit trust by continuously validating every stage of digital interaction. Rooted in the principle of ‘never trust, always verify,’ zero trust is designed to protect modern digital healthcare environments,” he says. “The principle applies least-privilege access controls and policies with continuous trust verification and device behavior monitoring to block zero-day attacks. With zero trust, IoMT device communications are secure and constantly validated to thwart cyberthreats and protect sensitive patient healthcare data.”
There is inherent risk for healthcare organizations when they have connected medical devices, IT systems and general-purpose IoT devices on an unsegmented network. In that case, attacking a device such as a printer could lead to PHI access on IoMT devices. Zou says microsegmentation is key to ensuring each device is placed in its designated network segment and that a device only communicates with its authorized system.
“MDS2 [Manufacturer Disclosure Statement for Medical Device Security] documents are one of the best resources to maximize IoMT security because they contain invaluable information to improve the security posture of medical devices,” says Zou, adding that despite this they are one of the least-used resources.
MDS2 documents provide biomedical teams with important information about risk management and medical device security controls to identify anomalies; for example, identifying devices that are not capable of remote software updates but are seen downloading them. Zou says healthcare organizations need a security solution that can operationalize the MDS2 documents to protect medical devices against unauthorized access to PHI, which will improve an organization’s security posture.
Another important consideration for healthcare providers is whether they should store PHI in the cloud, an off-premises system in which data needs are outsourced to a third-party provider. It is important to note that HIPAA does not prohibit the storage of PHI in the cloud.
However, Harvey points out that there are challenges with storing data there, such as organizations not knowing where all applications and data are stored. Third-party hosting also limits visibility into data access and sharing. Another potential pitfall is that shared security responsibilities may be misunderstood or misapplied. If companies are using multiple cloud providers or hybrid infrastructures, security may be inconsistent.
“Realistically, choosing to store data in the public cloud means giving up some control over how the IT environment is managed, secured and maintained,” says Harvey. “There is also no clear guideline that unifies the various cloud providers.”
Despite those risks, healthcare organizations can still protect their data in the cloud. A major consideration for IT decision-makers when considering cloud migration is to select a HIPAA-compliant hosting provider that is certified to the required standards of the HIPAA Security Rule by an independent third party.