Tuesday, November 20, 2018

Word of the Day: PHI breach

Word of the Day WhatIs.com
Daily updates on the latest technology terms | November 20, 2018
PHI breach

A PHI breach is the unauthorized access, use or disclosure of protected health information (PHI) from an electronic health record (EHR). Attacks on health records are often carried out to get information that can be used to conduct Medicare or insurance fraud. Other demonstrated motives for PHI breaches include cyber-extortion, theft of intellectual property and identity theft.

As of this writing, medical information is one of the most valuable types of data hackers can get their hands on, according to a report by the Institute for Health Technology Transformation (IHT2). While credit card information can sell for $1 on the black market and personally identifiable information can sell for $10 to $20, patient records can go for $20 to $50 each, and a complete patient record, including the patient's driver's license, health insurance information and other sensitive data, can be worth more than $500.

That means that if a healthcare organization has a security breach and 1,000 complete patient records are stolen, those records could fetch the hacker half a million dollars. While a bank account could simply be closed in the event of a breach, the information in a healthcare record is intended to follow the patient throughout his or her lifetime and that persistence is what creates value.

In the United States, personal health information is protected by the HITECH Act and the Health Insurance Portability and Accountability Act (HIPAA). In 2016, the major PHI breaches reported to the United States federal government involved the health data of 15.1 million people, a sharp rise from 2015, when 11.3 million people were affected by reported breaches.

In what was probably the most notorious ransomware strike in recent years, cybercriminals shut down the data system of Hollywood Presbyterian Medical Center in Los Angeles in February 2018. The 434-bed hospital was forced to use paper records for two to three days, and ultimately paid $17,000 ransom in the bitcoin digital currency to unlock its network.

Healthcare providers, payers and other organizations that handle PHI have started to spend more on cybersecurity and deploy increasingly sophisticated technologies including multifactor authentication, advanced perimeter monitoring, vulnerability testing and identity monitoring. Hospitals, health systems and physician practices have also begun training employees about ransomware and other threats, and have been implementing more comprehensive policies to determine who can access PHI.

According to the Institute for Health Technology Transformation, healthcare providers can help prevent or mitigate the negative consequences of an attack on personal healthcare information by:

  • Moving security controls as close to where data is created as possible.
  • Following the principle of least privilege.
  • Making security awareness training a priority.
  • Tracking where the data is stored.
  • Using full disk and file-level encryption.

Quote of the Day

"A new surge of networked medical devices and wearable gadgets presents possibilities for exposure to serious security breaches in healthcare, and many hospitals are unprepared to tackle the next endpoint challenge." - Nicole Lewis

Learning Center

How data duplication in healthcare is diagnosed
Despite the proliferation of electronic health record systems, data duplication still plagues hospitals and can cost a large hospital around $1 million to fix. Find out how EHRs and other methods can help address duplication of patient data.

Worries rise about security breaches in healthcare as endpoints expand
In the face of increased security breaches in healthcare, hospitals will grapple with widening endpoint access and related cybersecurity risks.

To get secure cloud storage in healthcare, gauge risks first
To have secure cloud storage in healthcare, cybersecurity experts say conducting a risk assessment is a necessary step before moving to the cloud, while building a relationship between the organization and cloud provider is vital for maintaining security.

HIPAA requirements steer data protection in healthcare
HIPAA requirements are not specific about the technology to achieve data protection, but HIPAA's weight in disaster recovery still remains considerable.

Healthcare cybersecurity must complement HIPAA compliance
A comprehensive healthcare cybersecurity plan should include network monitoring, patient record access tracking, employee training and HIPAA compliance.

Quiz Yourself

Risk analysis is a _________ component of the HIPAA Security Rule because it allows an entity to target its main security loopholes and deficiencies.
A. incisive
B. decisive

Stay in Touch

For feedback about any of our definitions or to suggest a new definition, please contact me at: mrouse@techtarget.com

About This E-Newsletter
This e-newsletter is published by the TechTarget network.

TechTarget, Whatis, 275 Grove Street, Newton, MA 02466. Contact: webmaster@techtarget.com

Copyright 2018 TechTarget. All rights reserved.
