Is it time for a fresh look at your PHI breach strategy?

Author: Megan Williams

Healthcare data breaches can reverberate across care communities. Some of the largest breaches have involved settlements of almost $75 million and affected millions of patients and members. This has left healthcare IT leaders looking for new ways to safeguard protected health information (PHI) and avoid costly lawsuits, government fines and negative press. Proactive healthcare leaders are countering PHI breach threats by steering their organizations away from reactionary postures toward strategies that emphasize resiliency in data security.

A PHI breach refresher

The Department of Health and Human Services (HHS) published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Protected health information is any individually identifiable health information that a HIPAA-covered entity uses, transmits, maintains or stores. It can include physical and electronic records, as well as spoken information. Electronic protected health information (ePHI) is any form of PHI that's created, saved, received or transferred in electronic form.

When PHI is breached, the covered entity is required by law to report it within a defined window. The clock starts on the date of discovery: either the day the covered entity became aware of the breach or the day it would have become aware had it exercised reasonable diligence. The entity must then notify the affected individuals, the Department of Health and Human Services (breaches affecting fewer than 500 individuals may be logged and reported to HHS annually) and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. Notification must be made "without unreasonable delay" and no later than 60 calendar days after the date of discovery.

Unfortunately, as an industry, healthcare has continued to lag in identifying breaches. Delaying notification can limit the steps an impacted individual can take to protect their information, and there are instances of information being posted on data leak sites before breach notification letters have even been sent.

The PHI breach landscape

To begin your shift toward a proactive breach response, it's useful to understand what today's healthcare threat landscape looks like. According to Verizon's Data Breach Investigations Report (DBIR):

  • Errors are still a major problem: Miscellaneous errors are trending downward but are still higher than in other industries.
  • Internal actors remain an issue: They might be less frequent than external threats, but internal personnel still make up 39% of threat actors responsible for breaches.
  • Money is the biggest motivator: Criminal groups targeting healthcare are still most frequently looking for a payout, with financial motivations characterizing 95% of breaches.
  • Training is critical: Security awareness and skills training are important in reducing risks to PHI.

How PHI breaches impact healthcare entities

Healthcare has a lot of room for improvement in how it responds to and prevents PHI breaches. Considering the impact of a PHI breach on individual entities, shifting to a proactive stance can pay off in multiple ways.

Financial costs

According to the HIPAA Journal, the average cost of a healthcare data breach has risen to over $9 million per incident as of 2021, the highest of all industries. Ransomware attacks averaged a cost of $4.62 million per incident. Remote work appears to be correlated with an increase in costs, with average costs being $1 million higher when remote work was a factor in the breach.

The healthcare industry should also be aware of strong public demand for fines for providers failing to have proper safeguards in place. One survey found 90% of patients believe healthcare providers should face financial penalties for not implementing adequate safeguards.

Reputational damage

Larger PHI breaches (those affecting more than 500 residents of a state or jurisdiction) must be reported to the media, meaning a public breach could jeopardize your healthcare organization's brand and reputation even among those not directly impacted by it. Research suggests 56% of patients don't trust private practices to secure their data, and only 33% trust large hospital networks. This skepticism isn't misguided, as nearly 50 million Americans had sensitive health data breached in 2021.

This loss of reputation can have real bottom-line impacts. Two-thirds of patients said they would leave their healthcare provider if PHI or payment information was compromised in a data breach due to the provider's poor security measures.

Reduced patient engagement

A PHI breach could jeopardize patient engagement efforts. Patients have admitted to withholding information from providers over concerns about cyber security.

How to prevent modern healthcare PHI breaches

Since healthcare chief information officers are spending more on cyber security, now is an excellent time to step away from a posture of fear and focus resources on mitigation and resilience. This approach will be more effective than handling breaches after the fact. Here are a few best practices to get you started.

Refresh your security posture in light of virtual care and remote work

One survey of IT and security leaders found 97% consider remote workers to be exposed to more risk than office workers. Consider adopting a Zero Trust approach to cyber security, in which every user and device is authenticated and authorized for each access regardless of network location, to minimize the entry points available to cyber criminals.

Educate your C-suite

CISOs and IT leaders should work with CEOs and chief operating officers to update them on how the organization can get ahead of its specific risks. This will be critical in building the strategies, tools and resources required to improve PHI breach detection response times, securing electronic protected health information and avoiding fines.

Focus on talent

Many healthcare organizations are suffering from a cyber security talent gap. Work with human resources to develop recruiting and employee life cycle plans that are aligned with a long-term and proactive cyber security strategy. Additionally, companies like Verizon can offer tools and teams that can help you augment or outsource all or part of your security strategy.

Work with a trusted partner

As the digital evolution of healthcare continues, it can pay to work with a reputable security partner. A partner can help ensure you have up-to-date knowledge, software and employee training to avoid costly, dangerous interruptions like PHI breaches and to provide the best, safest and most consistent patient care.

Learn more about how Verizon's security solutions continually evolve to protect privacy and keep sensitive information secure—at rest and in transit.

The author of this content is a paid contributor for Verizon.