At human resources consulting firm Mercer, “I do see employees and clients concerned about security and privacy of their PHI in particular. It’s not top of mind yet, but it’s on their radar,” says Jen Faifer, a Mercer principal and employee benefits attorney.
Faifer recently helped a major university audit its systems to determine which university functions were covered by HIPAA, and which were covered by the Family Educational Rights and Privacy Act (FERPA) that protects student information. “There is overlap among the different privacy and security statutes (as well as some gaps), and they’re not quite sure what information they have and what to do about protecting it,” Faifer says. “There’s also a lot of state-by-state requirements for workers’ compensation information and health information, so it’s hard to keep track of what’s required.”
HIPAA’s 18 PHI Identifiers
- First and last names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, ZIP code
- Birth date, admission date, discharge date, date of death
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
Across all industries, Faifer says HR needs to be involved in developing an organization’s cyber risk management function. “When it comes to sensitive personal data, HR needs to be involved and to have a stake with respect to HIPAA and the health information that they handle,” she says.
What to do
Industry professionals say that companies should identify where PHI data is hiding in their organization and take steps to lock it down.
- Know what PHI data you have. Companies should first identify the pieces of information that they own that should be considered high risk. It may be just five pieces from the HIPAA list of 18 identifiers, says Raul Ortega, a vice president at data security provider Protegrity. Companies should also develop a culture for security, Ortega says. “When you’re developing software, you have to consider security and protect data not only in greenfield apps, but you also need to go back to find that [PHI] data.”
- De-identify data through encryption or tokenization. Ortega recommends starting with the largest repositories of data and de-identifying that data through encryption or tokenization, which replaces a sensitive value with a non-sensitive substitute identifier that has no meaning or value on its own. After encrypting at the repository level, work backwards to lines of business and to where the data originated.
- Involve the BI team. Companies should also know why they have this data, Sadowski says, and include it in their overall risk assessments. It also helps to get someone from the business intelligence team involved to help understand how the data is used, Ortega adds. PHI data used within lines of business can also be protected with encryption or tokenization, he adds.
- Strengthen security around data pathways between company and vendors. Data can be used for analytics or it can be shared with business partners. Make sure PHI is identified and protected when it’s moving out of the company’s systems. Develop a secure shared data room online, Faifer says. Require vendors to disclose their privacy and security practices. “Make sure vendor contracts require them to bear the cost of a security breach, or if the organization is big enough, they can negotiate audit rights into the contract,” Faifer says.
- Monitor access to data – even by privileged users. The incidents that take the longest to detect are those being perpetrated by the organization’s trusted insiders – privileged users whose credentials were stolen by hackers, according to Verizon. Incidents that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server, particularly a database. “It’s important to limit access to PHI data only to the users that are relevant, and then monitor access to that data even by privileged users,” Sadowski says. “Just because a privileged user logs on or has access to that data, are they actually using it or treating it appropriately and not dumping it out of a database and sending it outside the company?”
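The tokenization step and the access-monitoring step above, as one added example that is not from the article or from any vendor quoted in it: a minimal token vault that swaps PHI identifiers for random tokens with no relationship to the original value, logs every detokenize request, and flags accounts whose lookup volume suggests a bulk dump. The record, field names, user names and threshold are constructed for illustration.

```python
import secrets
import string
from collections import Counter

# Constructed sample record; the values are made up, not real PHI.
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042", "plan": "PPO"}
PHI_FIELDS = ("name", "ssn", "mrn")  # three of HIPAA's 18 identifiers; extend as needed


class TokenVault:
    """Tokens are drawn from a CSPRNG, so they carry no information about the
    value they replace (unlike a hash, which can be brute-forced for
    low-entropy values such as SSNs). The mapping lives only in the vault."""

    def __init__(self):
        self._to_value = {}  # token -> original value (the protected mapping)
        self._to_token = {}  # value -> token, so a repeated value gets one token
        self.audit = []      # every detokenize attempt: (user, token, allowed)

    def tokenize(self, value):
        if value in self._to_token:
            return self._to_token[value]
        while True:  # re-draw only on a (negligibly likely) token collision
            tok = "TOK-" + "".join(secrets.choice(string.digits) for _ in range(9))
            if tok not in self._to_value:
                break
        self._to_value[tok] = value
        self._to_token[value] = tok
        return tok

    def detokenize(self, tok, user, authorized_users):
        allowed = user in authorized_users
        self.audit.append((user, tok, allowed))  # recorded even for privileged users
        if not allowed:
            raise PermissionError(f"{user} is not cleared to detokenize")
        return self._to_value[tok]


def deidentify(record, vault, fields=PHI_FIELDS):
    """Return a copy of the record with the PHI fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def bulk_readers(vault, threshold):
    """Users whose successful detokenize count exceeds the threshold: an account
    dumping a table stands out even when each individual lookup was permitted."""
    counts = Counter(user for user, _, allowed in vault.audit if allowed)
    return sorted(u for u, n in counts.items() if n > threshold)
```

The vault mapping is the crown jewel: in production it would sit in a separate, access-controlled store, with the audit list shipped to the monitoring pipeline rather than kept in memory.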