Feb 14 2023
Security

What Is PHI, and How Can Healthcare Organizations Keep It Secure?

Protected health information continues to be a high-value target for malicious actors. Healthcare organizations need to know how to keep it secure in an evolving IT landscape.

The Internet of Medical Things is transforming healthcare, giving clinicians more access to patient data through devices such as wearables and sensors. These devices paired with telehealth solutions enable patients to receive care from home. However, as healthcare organizations’ perimeters continue to expand beyond a hospital’s four walls, malicious actors have a larger attack surface to exploit for access to valuable patient data.

Xu Zou, vice president of network security at Palo Alto Networks, points out that many hospitals rushed to launch virtual care services during the pandemic, resulting in cybersecurity protections often being overlooked or under-resourced. While some requirements for protected health information were waived during the public health emergency, penalties will be reinstated once the PHE ends on May 11, 2023.

A patient data privacy survey conducted by the American Medical Association last year showed that nearly 75 percent of patients surveyed are concerned about protecting the privacy of their health data. It’s more important than ever for healthcare professionals to understand what PHI is and how to protect it amid an evolving health IT landscape and increasingly complex cybersecurity environment.


What Is Protected Health Information?

According to UC Berkeley’s Human Research Protection Program, PHI includes any information found in medical records or clinical data sets that can be used to identify an individual. In addition, this information must have been collected, used or disclosed while providing a healthcare service. PHI can be used during the diagnosis or treatment of a patient or in clinical research processes.

The HIPAA Privacy Rule and Security Rule require the protection of identifiable health information, such as:

  • Information collected by doctors, nurses and other healthcare providers in the medical record
  • Conversations between doctors and other healthcare providers about a patient’s care
  • Patient information recorded in a health insurer’s computer system
  • Billing information

Additionally, healthcare delivery organizations are under regulatory compliance pressure to ensure the safe handling of patient data such as electronic health records and e-PHI. Many global regions and countries also have data residency requirements.

If PHI is de-identified, meaning it is stripped of identifiable data, then it is no longer classified as PHI under HIPAA. Health information is also not considered PHI when it meets certain criteria, such as being collected by entities not covered under HIPAA.
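De-identification is the one transformation in this section that can be shown concretely. The block below is an added example, not code from this article, from UC Berkeley or from any vendor quoted here; it applies the main rules of the HIPAA Safe Harbor method (drop direct identifiers, keep only the year of dates, aggregate ages over 89 into "90+", truncate ZIP codes) to a constructed record. The field names, the sparse-ZIP set and the reference date are assumptions made for the illustration.

```python
"""De-identify a patient record in the spirit of the HIPAA Safe Harbor
method: remove direct identifiers, reduce dates to the year, aggregate ages
over 89 into '90+' and truncate ZIP codes.  Added example; the record and
the sparse-ZIP set below are constructed for illustration and the field
names are assumptions about a schema, not anything from the article."""
from datetime import date

# Fields that must be dropped entirely (a subset of the Safe Harbor
# identifier categories; extend the set for your own schema).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email"}
# Dates directly related to the individual: keep only the year.
DATE_FIELDS = {"dob", "admit_date"}
# Three-digit ZIP prefixes whose population is 20,000 or fewer must become
# "000".  ASSUMPTION: illustrative set; the real list comes from Census data.
SPARSE_ZIP3 = {"036", "059", "063"}

# Reference date for age calculation (the article's publication date).
REFERENCE_DATE = date(2023, 2, 14)

# Constructed, fictitious patient records.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "dob": "1931-06-15",
    "admit_date": "2023-01-20",
    "zip": "03601",
    "diagnosis": "I10",
    "note": "Patient Jane Q. Sample reports headaches; call 555-0100 to follow up.",
}
YOUNG_RECORD = dict(SAMPLE_RECORD, dob="1980-03-02", zip="94110")


def _age_on(dob: date, today: date) -> int:
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def _scrub_free_text(text: str, values) -> str:
    """Remove the record's own identifier strings from free text.  Real
    clinical notes need proper PHI NLP; this only catches literal copies."""
    for v in values:
        if v:
            text = text.replace(v, "[REDACTED]")
    return text


def deidentify(record: dict, today: date) -> dict:
    """Return a new dict with Safe Harbor style reductions applied."""
    known = [str(record[k]) for k in DIRECT_IDENTIFIERS if k in record]
    dob = date.fromisoformat(record["dob"]) if record.get("dob") else None
    age = _age_on(dob, today) if dob else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            # Safe Harbor: even the year must go when it would reveal age > 89.
            out[key] = None if (key == "dob" and age is not None and age > 89) else value[:4]
        elif key == "zip":
            zip3 = value[:3]
            out[key] = "000" if zip3 in SPARSE_ZIP3 else zip3
        elif key == "note":
            out[key] = _scrub_free_text(value, known)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, REFERENCE_DATE))
    print(deidentify(YOUNG_RECORD, REFERENCE_DATE))
```

Safe Harbor lists 18 identifier categories and this covers only the common structured ones; free text is where PHI usually leaks, and the literal-string scrub here is no substitute for a dedicated redaction tool or for the Expert Determination method.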


How Evolving Health IT Can Complicate Cybersecurity Around PHI

Data protection laws have continued to evolve globally, especially as data and information becomes more valuable, says Marlon Harvey, principal business architect for Cisco’s customer experience healthcare practice.

“This includes everything from personally identifiable information, or PII, to PHI. While this data can be similar, in the U.S. there is a more narrow focus on federal protections for health information,” he says. “This accelerated during the COVID-19 pandemic, as healthcare organizations as well as health departments had to rethink sharing health information for the greater public good.”

On Jan. 5, 2021, President Donald Trump signed HR 7898, the HIPAA Safe Harbor Bill, into law. Harvey explains that key mandates in this bill include:

  • Amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services in determining any HIPAA fines, audit results or mitigation remedies
  • Providing a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations; specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches

“Stricter protections for PHI mean that providers have to ensure their cybersecurity programs are up to date to meet the latest industry needs. These are outlined in updated National Institute of Standards and Technology guidelines,” says Harvey.

The new HIPAA Security Rule draft guidance makes explicit connections to these and other NIST cybersecurity resources.

“Healthcare organizations that have adopted recognized cybersecurity best practices; completed a HIPAA Security Risk Analysis; reduced identified risks to a low and acceptable level; and have implemented technical safeguards to ensure the confidentiality, integrity and availability of e-PHI will be treated more leniently by the HHS Office for Civil Rights, but financial penalties for organizations that have not complied with cybersecurity best practices cannot be increased,” says Harvey.


In addition to facing lower penalties and sanctions, healthcare organizations that comply with the HIPAA Security Rule will be better protected against cyberthreats and data breaches.

While privacy requirements aim to keep PHI out of the hands of malicious actors, the growing number of Internet of Medical Things devices and the legacy devices still running outdated operating systems expand the attack surface of healthcare organizations.

According to Unit 42 research, 75 percent of infusion pumps scanned in hospitals had known security gaps that put them at heightened risk of being compromised by attackers.

“These devices tend to be the largest number of IoT devices used in any healthcare delivery organization, creating a large attack vector that has a weak security posture due to security gaps,” says Zou. “Protecting medical devices like those becomes as important as protecting traditional IT systems.”

Any attack that involves a patient system or IoMT device could lead to a compliance breach, he adds. The rise in data breaches and ransomware activity not only disrupts patient care and costs revenue but also damages healthcare organizations’ reputations. However, cybersecurity is not just about responding to or preventing attacks.

“For example, the safe retirement of devices that house PHI is key when a device has reached its end of life,” says Zou. “Healthcare IT teams need to ensure the protection and removal of patient data, and that the safe disposal of these devices is centered in their clinical device management methodology.”

How Can Healthcare Organizations Keep PHI Secure?

Zou says healthcare organizations need a comprehensive zero-trust framework that can support their digital transformation journey, leading to better patient care outcomes while ensuring patient data privacy and regulatory compliance.

“Zero trust is a cybersecurity strategy that eliminates implicit trust by continuously validating every stage of digital interaction. Rooted in the principle of ‘never trust, always verify,’ zero trust is designed to protect modern digital healthcare environments,” he says. “The principle applies least-privilege access controls and policies with continuous trust verification and device behavior monitoring to block zero-day attacks. With zero trust, IoMT device communications are secure and constantly validated to thwart cyberthreats and protect sensitive patient healthcare data.”

There is inherent risk for healthcare organizations when they have connected medical devices, IT systems and general-purpose IoT devices on an unsegmented network. In that case, attacking a device such as a printer could lead to PHI access on IoMT devices. Zou says microsegmentation is key to ensuring each device is placed in its designated network segment and that a device only communicates with its authorized system.

“MDS2 [Manufacturer Disclosure Statement for Medical Device Security] documents are one of the best resources to maximize IoMT security because they contain invaluable information to improve the security posture of medical devices,” says Zou, adding that despite this they are one of the least-used resources.

MDS2 documents provide biomedical teams with important information about risk management and medical device security controls to identify anomalies; for example, identifying devices that are not capable of remote software updates but are seen downloading them. Zou says healthcare organizations need a security solution that can operationalize the MDS2 documents to protect medical devices against unauthorized access to PHI, which will improve an organization’s security posture.
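The two checks Zou describes, that each device sits in its designated segment and talks only to authorized systems, and that a device's observed behaviour matches what its MDS2 form says it can do, both reduce to comparing policy and vendor disclosures against telemetry. The block below is an added example, not Palo Alto Networks code and not a real MDS2 parser; the inventory, segment ranges, allow-list, flow-log format and the remote_update_capable attribute are all constructed for the illustration.

```python
"""Sanity checks for an IoMT segmentation policy and for MDS2 consistency,
run over constructed flow records.  Added example, not vendor code; the
inventory, segments, policy, log format and the 'remote_update_capable'
attribute are all assumptions made for the illustration."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    segment: str                 # segment the device is designated for
    remote_update_capable: bool  # ASSUMPTION: stands in for the MDS2 answer


# Constructed inventory keyed by IP address.
INVENTORY = {
    "10.10.1.5": Device("Pump-A", "iomt-infusion", True),
    "10.10.1.9": Device("Pump-B", "iomt-infusion", False),
    "10.30.0.9": Device("Pump-C", "iomt-infusion", True),   # on the wrong VLAN
    "10.30.0.7": Device("Printer-3", "office", False),
    "10.20.0.10": Device("EHR-App-1", "ehr", True),
    "10.40.0.3": Device("Vendor-Update-Srv", "vendor-update", True),
}

SEGMENTS = {
    "iomt-infusion": ip_network("10.10.1.0/24"),
    "ehr": ip_network("10.20.0.0/24"),
    "office": ip_network("10.30.0.0/24"),
    "vendor-update": ip_network("10.40.0.0/24"),
}

# Cross-segment flows the policy permits: (src segment, dst segment, dst port).
# Anything else that crosses a segment boundary is a violation.
POLICY = {
    ("iomt-infusion", "ehr", 443),
    ("iomt-infusion", "vendor-update", 443),
    ("office", "ehr", 443),
}

# Constructed flow records in a syslog-like key=value form.
FLOWS = """\
2023-02-14T10:00:01Z src=10.10.1.5 dst=10.20.0.10 dport=443 bytes_in=1200
2023-02-14T10:00:05Z src=10.30.0.7 dst=10.10.1.5 dport=22 bytes_in=300
2023-02-14T10:01:00Z src=10.10.1.9 dst=10.40.0.3 dport=443 bytes_in=52428800
2023-02-14T10:01:10Z src=10.10.1.5 dst=10.40.0.3 dport=443 bytes_in=40960000
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes_in=(\d+)")


def segment_of(ip: str) -> str:
    """Map an address to the segment whose prefix contains it."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def misplaced_devices() -> list:
    """Names of devices whose address is outside their designated segment."""
    return [dev.name for ip, dev in INVENTORY.items() if segment_of(ip) != dev.segment]


def analyze_flows(flow_text: str, update_threshold: int = 1 << 20) -> list:
    """Return (finding type, detail) pairs for cross-segment flows the policy
    does not allow, and for devices pulling an update-sized download that
    their MDS2 says they cannot perform.  The byte threshold is a heuristic
    for 'this looks like a software update'."""
    findings = []
    for line in flow_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport, bytes_in = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        # Intra-segment traffic is left to the segment's own rules here.
        if src_seg != dst_seg and (src_seg, dst_seg, dport) not in POLICY:
            findings.append(("segmentation-violation",
                             f"{src} ({src_seg}) -> {dst}:{dport} ({dst_seg})"))
        dev = INVENTORY.get(src)
        if (dev and dst_seg == "vendor-update" and bytes_in >= update_threshold
                and not dev.remote_update_capable):
            findings.append(("mds2-mismatch",
                             f"{dev.name} ({src}) pulled {bytes_in} bytes from {dst} "
                             f"but its MDS2 says remote update is not supported"))
    return findings


if __name__ == "__main__":
    for name in misplaced_devices():
        print("misplaced-device", name)
    for kind, detail in analyze_flows(FLOWS):
        print(kind, detail)
```

Run as-is, it flags Pump-C as sitting on the office VLAN, the printer-to-pump SSH flow as a segmentation violation, and Pump-B's 50 MB pull from the update server as inconsistent with its MDS2. In production the inventory and MDS2 answers would come from the asset or CMMS system and the flows from the firewall or NAC, but the comparison is the same.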


Another important consideration for healthcare providers is whether they should store PHI in the cloud, an off-premises system in which data needs are outsourced to a third-party provider. It is important to note that HIPAA does not prohibit the storage of PHI in the cloud.

However, Harvey points out that there are challenges with storing data there, such as organizations not knowing where all applications and data are stored. Third-party hosting also limits visibility into data access and sharing. Another potential pitfall is that shared security responsibilities may be misunderstood or misapplied. If companies are using multiple cloud providers or hybrid infrastructures, security may be inconsistent.

“Realistically, choosing to store data in the public cloud means giving up some control over how the IT environment is managed, secured and maintained,” says Harvey. “There is also no clear guideline that unifies the various cloud providers.”

Despite those risks, healthcare organizations can still protect their data in the cloud. A major consideration for IT decision-makers weighing a cloud migration is to select a hosting provider that will sign a business associate agreement and has been assessed against the HIPAA Security Rule’s standards by an independent third party. HHS does not itself certify providers as “HIPAA compliant,” so such third-party attestations are the closest available evidence.


Harvey says organizations should also ensure the hosting service is designed for enhanced privacy. The cloud provider should have strong access controls and up-to-date patching procedures, and it should actively upgrade equipment and review its security policies as they pertain to the cloud environment. Data should be encrypted in transit whenever it is uploaded to or downloaded from the cloud.

“Your provider should have an actively managed compliance program that verifies their adherence to the various regulatory requirements and security standards,” says Harvey. “You must know where all PHI data is stored. Your provider should be able to give you the exact locations of your data.”

Alternatively, healthcare providers can adopt a hybrid cloud solution, says Harvey, which allows organizations to keep their most sensitive PHI on-premises to ensure ongoing compliance with HIPAA regulations.

“An important point to remember about information security is that it has always been about finding a balance between ease of access and the sharing of data versus locking down a system. The more you have of one, the less you have of the other,” he adds. “The key to securing PHI is to always find the right balance that is the most beneficial to your organization’s and customers’ needs. Noncompliance with data regulations and a subsequent breach can lead to monetary losses and damage to brand authority.”
