What are PHI and PII?

Protected health information (PHI), also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care. (Source)

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. (Source)

Why is PHI more valuable than PII?

Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII). Cyber criminals therefore have a higher incentive to target medical databases, so they can sell the PHI or use it for their own personal gain. So far in 2019, over 15 million health records have been compromised by data breaches, according to the Health and Human Services breach report.

The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355. Credit card information and PII sell for $1-$2 on the black market, but PHI can sell for as much as $363 according to the Infosec Institute. This is because one’s personal health history, including ailments, illnesses, surgeries, etc., can’t be changed, unlike credit card information or Social Security Numbers. PHI is valuable because criminals can use it to target victims with frauds and scams that take advantage of the victim’s medical conditions or victim settlements. It can be used to create fake insurance claims, allowing for the purchase and resale of medical equipment. Other criminals use PHI to illegally gain access to prescriptions for their own use or resale.

It seems that every day another hospital is in the news as the victim of a data breach. According to the Ponemon Institute and Verizon Data Breach Investigations Report, the health industry experiences more data breaches than any other sector. There may be some potential for bias in this claim, due to the well-defined, legally mandated reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA), which make it more likely that healthcare breaches will be reported compared to breaches in other sectors.

These breaches can be caused by many different types of incidents: malware that exposes credentials, insiders who either purposefully or accidentally disclose patient data, or lost laptops or other devices.

So what can you do to manage the risk of a breach?

Tips for Healthcare Systems

  1. Encrypt and back up your data. Store the back-up offsite, and test to verify the back-ups are happening and you can access them.

Encryption is the best way to protect your patients’ data from being accessed once someone has found their way onto your systems. It is important that encryption is implemented both at rest and in transit and that third parties and vendors that have access to your healthcare network or databases are also properly handling patient data. Training on proper usage and handling of PHI is recommended to reduce data breaches caused by employee error, such as a lost device or accidental disclosure.

  2. Plan for a future breach. Do not bury your head and think it will not happen to you. Develop your strategy and be ready to execute it.
  3. Include a communication plan. Being transparent is critical.

Whether you need assistance in training employees, developing a breach plan or protecting your employees and residents with Identity Protection, KII Consulting can help you put the right program in place for your healthcare facility. Contact us today for a complimentary consultation.