Protected health information, or PHI, is an individual's personal medical data. It is typically subject to regulation by one or more governing bodies depending on the country in which it is gathered, and those regulations usually impose retention periods that vary by regulator. In the United States, for example, HIPAA requires the documentation that shows compliance (policies, procedures, risk analyses and the like) to be kept for six years, while retention periods for the medical records themselves are set by state law.
What Is PHI?
PHI covers a patient's current conditions and diagnoses, past procedures, prescriptions, and billing or insurance details, together with the identifiers that tie that information to a person. It is created and stored by any organization that handles your health in some way, such as a hospital, family doctor, or pharmacy. Each of these organizations, and any group processing health data on their behalf, is subject to data retention policies that vary with the type of data and the country in which it is processed. In the United States, HIPAA's six-year retention rule applies to compliance documentation, and state law governs how long the records themselves must be kept.
Because this data is often retained for years, it must be stored safely and securely for the whole of that time. Breaches that expose patient data can be disastrous, harming the patients and the reputation of the organization that was breached. Any entity storing PHI therefore needs to be careful with how it keeps this data, on both digital and physical media, and will be subject to whichever guidelines its governing bodies impose.
Data must also be protected while it is being moved, and controls must be in place to stop unauthorized people from reading data that is not theirs. Data captured in transit produces a breach just as surely as data siphoned out of storage. Likewise, handing records to anyone who asks for them, without verifying both who the requester is and that they are entitled to that particular record, is a very dangerous situation.
From a cybersecurity perspective, these guidelines are met in a few ways. The first is proper encryption, both at rest and in transit. Encryption at rest (of databases, file stores and backups) means that a lost drive, a stolen backup or direct access to storage yields only ciphertext rather than readable records, and it should use an authenticated mode such as AES-GCM so that tampering is detected as well as disclosure prevented. Encryption in transit, in practice TLS with certificate validation, keeps data from being read or altered on the wire and stops man-in-the-middle attacks. Encryption does nothing, however, against an attacker who reaches the data through legitimate channels, such as a stolen password or an over-privileged account. Every system holding PHI therefore also needs strong authentication (multi-factor where possible), authorization checks that confirm the requester is entitled to the specific record being returned, and audit logging of who accessed what.
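As an added illustration of the at-rest encryption and per-record authorization described above (this is example code written for this article, not code from Blue Goat or any product), the following Go program seals each patient's record with AES-256-GCM, binds the patient ID to the ciphertext as associated data, and refuses to decrypt unless the requester is on that patient's care team. The care-team table, patient IDs, user names and record contents are constructed sample data; the key is generated in memory for the demo and would come from a KMS or HSM in a real deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is what the database holds: never plaintext, only the AES-GCM
// ciphertext (which carries its authentication tag) and the nonce used.
type StoredRecord struct {
	PatientID  string
	Nonce      []byte
	Ciphertext []byte
}

var ErrUnauthorized = errors.New("requester is not on this patient's care team")
var ErrTampered = errors.New("record failed integrity check or was moved between patients")

// careTeam is a constructed, hypothetical access-control policy (which users
// may read which patient); a real system would query its authorization service.
var careTeam = map[string][]string{
	"patient-1001": {"dr.lee", "nurse.patel"},
	"patient-1002": {"dr.gomez"},
}

func authorized(requester, patientID string) bool {
	for _, u := range careTeam[patientID] {
		if u == requester {
			return true
		}
	}
	return false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals PHI at rest. The patient ID is bound as associated data,
// so a ciphertext copied onto another patient's row fails to decrypt instead
// of being silently attributed to the wrong person.
func EncryptRecord(key []byte, patientID string, plaintext []byte) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	return StoredRecord{PatientID: patientID, Nonce: nonce, Ciphertext: ct}, nil
}

// ReadRecord is the only path to plaintext: authorization is checked before any
// decryption, then the GCM tag rejects tampering or a swapped patient ID.
func ReadRecord(key []byte, requester string, rec StoredRecord) ([]byte, error) {
	if !authorized(requester, rec.PatientID) {
		return nil, ErrUnauthorized
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.PatientID))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // demo key; in production it lives in a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(key, "patient-1001", []byte("dx: hypertension; rx: lisinopril 10mg"))
	if err != nil {
		panic(err)
	}
	pt, err := ReadRecord(key, "dr.lee", rec) // on the care team: plaintext returned
	fmt.Printf("dr.lee: %q err=%v\n", pt, err)
	_, err = ReadRecord(key, "dr.gomez", rec) // not on the care team: refused
	fmt.Println("dr.gomez:", err)
	swapped := rec // attacker with database access moves the row to another patient
	swapped.PatientID = "patient-1002"
	_, err = ReadRecord(key, "dr.gomez", swapped) // AAD mismatch: decryption fails
	fmt.Println("swapped row:", err)
}
```

Running it with go run prints the authorized read, the refused read, and the failed decryption once the ciphertext has been moved onto another patient's row. Note that the authorization check runs before any cryptography, so an unauthorized caller never even exercises the decryption path. Encryption in transit is not shown; in Go that means serving the API through crypto/tls with MinVersion set to tls.VersionTLS12 or higher and leaving certificate verification enabled.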
Why Is PHI Protected?
There are several reasons why it is important to keep PHI safe. Primarily, it is important to keep this information protected for patient privacy and trust. Health information can be very sensitive and personal, and most people will not be comfortable with anyone being able to get access to that information. It is paramount that patients and healthcare providers maintain a level of trust so that the patient feels comfortable sharing their private problems.
Another reason to keep PHI safe is that a hacker who obtains it can leverage it for other purposes. PHI is very personal data that most people assume to be completely confidential. Attackers exploit that assumption to build social engineering campaigns against the victims of a breach: reciting private medical details lets them establish false trust with a patient, who assumes that only a legitimate provider could know such things.
Widely cited industry estimates attribute the starting point of roughly 80-95% of cyber attacks to social engineering. These attacks are used not only against patients directly, to extract money or compromise further data, but also as the entry point into a patient's workplace for the same ends. Modern social engineering is already highly effective even without special knowledge of the target, and its success rate climbs sharply when the attacker holds the target's private information.
To ensure that PHI is stored properly, regulatory bodies typically require various forms of assessment and auditing of any entity processing this data. In the United States, the HIPAA Security Rule requires covered entities and business associates to perform a risk analysis and periodic technical and non-technical evaluations of their safeguards, and the HHS Office for Civil Rights audits and investigates compliance. The rule does not name penetration testing or fix an annual cadence, but an annual risk assessment and annual penetration test are the standard way organizations demonstrate that PHI cannot be reached through misconfigurations or software exploits.
Meet HIPAA Requirements With Blue Goat Cyber
Blue Goat can help you ensure that you are managing data properly. PHI breaches are costly and damaging to your business, and a disciplined HIPAA program is the best way to avoid them. Blue Goat can be your resource for the risk assessments, audits and penetration testing that demonstrate compliance and give you confidence that your PHI is protected against attack. Contact us to schedule a consultation.