The Four Ps of Healthcare Data Security

PHI – Protected Health Information

PII – Personally Identifiable Information

PCI – Payment Card Industry data

Proprietary Information – other information that is considered to be sensitive and confidential to patients and/or the specific healthcare organization

With a recent rise in hacking incidents affecting healthcare organizations, it is clear these organizations need to improve their defenses to prevent hackers from accessing patient information. But what do we mean when we say patient information? We are all exposed to warnings that stress the importance of protecting electronic healthcare data, which most healthcare organizations interpret to mean Protected Health Information, or PHI. But who thinks about the other categories of sensitive data that require high security and strong protection? Let’s review the most obvious four categories: the Four Ps.

1. Protected Health Information

Presumably, every healthcare organization understands the fundamental need to guard Protected Health Information, or PHI. The HIPAA and HITECH Acts outline the general requirements for protecting PHI and the subsequent breach reporting responsibilities if (or when) a data breach should occur. But what about other data that is considered protected under Federal law or is considered proprietary and confidential? Many healthcare organizations are surprised to learn that they have legal, ethical and professional responsibilities for personal data that falls outside of HIPAA protections.

2. Personally Identifiable Information

Securing Personally Identifiable Information, or PII, is an increasingly serious issue for all business sectors, including healthcare. Broadly covered under Section 5 of the Federal Trade Commission (FTC) Act, the requirements for protecting PII and other sensitive data are not as well-defined or prescriptive as the HIPAA guidelines; however, it is important for all businesses to take PII protection seriously. The FTC and many state Attorneys General have brought hundreds of enforcement actions and final settlement decrees against businesses that do not implement adequate protections or secure disposal of personal information. For healthcare organizations doing business outside the U.S., it is even more important. Several countries, including those in the EU and the UK, require strong security and mandated compliance for protecting PII. For businesses that host their data in the cloud, there are even more compliance standards to be aware of, such as the relatively new standard outlined in ISO 27018.

3. Payment Card Industry Data

Virtually every retail or online business that accepts credit cards for payment knows about PCI-DSS compliance. It’s surprising that healthcare organizations seem unaware of their responsibilities or the requirements for protecting credit card data. In many respects, smaller healthcare organizations do a better job at this than some larger entities, mainly because small offices typically process charge cards through their online EMR or billing applications and are not collecting or managing PCI data themselves. Many larger entities still process their own PCI data, storing and managing it for various reasons. These entities may have deemed the risk acceptable if the necessary and appropriate protections are in place, but how many healthcare organizations can afford the data protection mechanisms used by, let’s say, large retail firms such as Target, Walmart and Home Depot? As recent reports of PCI data theft remind us, assuming more risk is usually not the best answer.

4. Proprietary Information

Almost every healthcare organization collects and maintains other data that is sensitive, proprietary or requires a high degree of protection. This can include marketing information, business plans and other trade secrets. It may also include data such as organizational financial information, owner/executive compensation plans, Human Resources information and other data involving employees that is not strictly PII. There is also raw and analytical clinical and business data – the new gold. Most healthcare organizations are either collecting such data or thinking that they should be doing so. Most organizations only consider risk when it comes to data specifically governed by laws and regulations; however, most data that is collected is collected for a purpose and is therefore valuable to the organization and/or to outsiders. And if a piece of information has value, then it raises your risk profile as a target of intrusion by hackers.

This is merely a short review of the most common types of sensitive data that all healthcare organizations need to consider when creating or reviewing risk assessments and security plans. There are additional federal privacy laws that will need to be evaluated on a case-by-case basis, including CAN-SPAM (email marketing), COPPA (for websites targeting kids or knowingly accepting information from kids), Do-Not-Call, the Disposal Rule (for consumer reporting data), and the Red Flags Rule (measures to prevent identity theft). We all understand that where the world of modern healthcare intersects with cyberspace can be a dangerous and confusing space. The fundamental key to designing and implementing a strong, effective and affordable security plan is understanding what data you are collecting, managing and utilizing, and where that data puts you at risk. Only then can you develop a comprehensive set of policies and procedures to help protect your healthcare organization.