How to Manage Risks Related to Electronic Protected Health Information?

Anita Bhuptani, Director of Sales at IPRO

The storage of electronic protected health information (ePHI) opens your healthcare/insurance organization up to substantial liability. Data breaches of healthcare data are on the rise, 25% year-over-year between 2014 and 2020. Unauthorized access and disclosure incidents in 2020 accounted for 22.27% of the total number of breaches (HIPAA Journal).

Most healthcare organizations continuously amass this personal information. Over time, the vast amount of data can become unwieldy and unmanageable. The result is sensitive patient data remaining vulnerable to breaches and/or being stored away unknowingly in some remote data store.

What healthcare businesses need is continuous risk assessment/auditing to know what ePHI they have and where it resides. In fact, HIPAA mandates that organizations perform enterprise-wide risk analyses to “determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist”. Organizations that fail to conduct these analyses run the risk of steep financial penalties.

Recent settlements include:

  • Premera Blue Cross – $6,850,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations
  • Excellus Health Plan – $5,100,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations
  • Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis
  • Cardionet – $2.5 million settlement for incomplete risk analysis and lack of risk management processes

Last year alone (2018), there were also 365 data breaches in the U.S. among healthcare organizations. Anthem Inc., for example, paid a settlement of $16M due to a data breach, and UnityPoint Health was the victim of a hacking incident that exposed the PHI of 1,421,107 individuals.

The Solution

What can you do to quickly, easily, and assuredly uncover risks within your data sources (cloud and on-premises)? IPRO illuminates the unknown inside unstructured data (within documents, emails, chat messages, mobile devices, electronic calendars, etc.) to uncover compliance and personal data vulnerabilities. It enables internal auditors to view all unstructured data and have a direct look into its content wherever it is located, whether in file systems, email archives, SharePoint, SharePoint O365, Citrix ShareFile, and so on. This enterprise software also enables admins to take control of any malicious data contained within employee emails to thwart dangerous phishing and malware attacks that could expose stored PHI.

Administrators can set up automated audits according to their organization’s policies. The solution will then proactively audit newly created and stored documents even between audits with the automatic detection of all non-compliant data. In other words, if two employees are discussing a patient, for example, and accidentally include PHI in their electronic communications, the solution will detect this vulnerability and quarantine the stored communication so it can be reviewed and ultimately deleted.

To help automate this process and keep managers notified of potential issues, alerts and email reports can be sent every morning or as soon as non-compliant information is saved. Compliance, privacy, or security teams can act by tagging, deleting, or quarantining data directly from email reports. This way, potential vulnerabilities can be detected in time and remediated to ensure no unnecessary PHI is stored where it shouldn't be, or for longer than necessary.
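The audit-detect-quarantine-report loop described above, as an added illustration that is not IPRO's code and does not reflect its detection rules: it scans only items created since the last audit, flags ePHI-shaped identifiers with a few hypothetical regex rules (SSN-shaped numbers, labelled medical record numbers, labelled dates of birth), quarantines any item with a hit, and builds a morning report in which the matched identifier is masked so the report itself does not become a new copy of the PHI. The item records, locations and sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Illustrative detection rules (hypothetical, not IPRO's): each is a
# (label, compiled regex) pair for a common ePHI identifier shape.
PHI_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[ :#]*\d{6,10}\b", re.IGNORECASE)),
    ("dob", re.compile(r"\b(?:DOB|date of birth)[ :]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                       re.IGNORECASE)),
]


@dataclass
class Finding:
    item_id: str
    location: str
    rule: str
    excerpt: str  # surrounding text with the identifier masked


@dataclass
class AuditResult:
    scanned: int = 0
    findings: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)


def mask(value):
    """Keep only the last two characters so reports never repeat the PHI."""
    return "*" * (len(value) - 2) + value[-2:]


def scan_item(item):
    """Return a Finding for each rule match in one stored item."""
    findings = []
    for rule, pattern in PHI_RULES:
        for m in pattern.finditer(item["text"]):
            start = max(0, m.start() - 20)
            excerpt = item["text"][start:m.start()] + mask(m.group(0))
            findings.append(Finding(item["id"], item["location"], rule, excerpt))
    return findings


def audit(items, already_audited):
    """Scan items not covered by an earlier audit; quarantine anything with PHI."""
    result = AuditResult()
    for item in items:
        if item["id"] in already_audited:
            continue  # reviewed last time; only new material is re-examined
        result.scanned += 1
        found = scan_item(item)
        result.findings.extend(found)
        if found:
            result.quarantined.add(item["id"])
    return result


def build_report(result):
    """Plain-text summary suitable for the morning e-mail to reviewers."""
    lines = [f"scanned={result.scanned} quarantined={len(result.quarantined)}"]
    for f in result.findings:
        lines.append(f"{f.item_id} [{f.location}] {f.rule}: ...{f.excerpt}")
    return "\n".join(lines)


# Constructed sample data: three items new since the last audit plus one
# that was already reviewed and must not be reported again.
SAMPLE_ITEMS = [
    {"id": "chat-1001", "location": "teams:oncology",
     "text": "Can you pull the chart for MRN 00482913 before rounds?"},
    {"id": "mail-2002", "location": "exchange:billing",
     "text": "Patient DOB: 04/12/1961, claim attached."},
    {"id": "doc-3003", "location": "sharepoint:policies",
     "text": "Quarterly retention policy review, no patient data."},
    {"id": "mail-2001", "location": "exchange:billing",
     "text": "SSN 123-45-6789 on file; already reviewed last week."},
]
ALREADY_AUDITED = {"mail-2001"}

if __name__ == "__main__":
    print(build_report(audit(SAMPLE_ITEMS, ALREADY_AUDITED)))
```

Running the module scans the three new items, quarantines the chat message and the billing email, and leaves the policy document untouched; the report shows each hit with its source location and a masked excerpt, which is what a reviewer needs to decide between tagging, deleting, or keeping the item. Real deployments would use far broader rules (names, addresses, diagnosis codes) and a tuning process for false positives, but the control flow is the same.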

ePHI Risk Mitigation

By taking centralized control of your PHI storage, you will minimize your organization’s overall risk exposure, thereby saving potentially millions in avoidable fines and lawsuits. You will also protect your business reputation in the eyes of your patients. Big, costly data breaches are made public in the news. You don’t need that negative publicity. It could force future patients to seek treatment or insurance coverage elsewhere.

With the ever-increasing public and regulatory scrutiny surrounding personal information (HIPAA, GDPR, CCPA – California Consumer Privacy Act), now is the time to look into information auditing before it is too late.