Healthcare organizations are increasingly moving Protected Health Information (PHI) to the cloud. This shift brings significant benefits in terms of efficiency and accessibility, but it also introduces new challenges in ensuring the security of sensitive data. As more healthcare companies, including payers, providers, and health tech firms, transition to cloud-based operations, they face mounting pressures to protect PHI from breaches and vulnerabilities.
To understand how to protect PHI in healthcare, let’s look at an easy way to understand it and the parallels that exist between healthcare security and home security.
Understanding the Importance of PHI Security
The healthcare industry is a prime target for cyberattacks due to the valuable nature of Protected Health Information (PHI). Examples of recent cyberattacks include the Universal Health Services (UHS) Attack in 2020. UHS, a major healthcare provider in the US, experienced a ransomware attack that forced its systems offline, causing significant disruptions in patient care and hospital operations. The Anthem Inc. Data Breach nearly 10 years ago where hackers accessed the personal information of nearly 80 million Anthem customers, including names, birthdays, medical IDs, Social Security numbers, and addresses. This was one of the largest healthcare breaches in history. A more recent example is the Change Healthcare breach that happened back in Feb. of 2024 because of unauthorized access to their systems due to stolen or compromised credentials.
These examples underscore the critical need for robust cybersecurity measures in the healthcare sector to protect sensitive patient information and ensure the continuity of essential medical services. And these kinds of breaches can lead to severe regulatory penalties, reputational damage, and operational disruptions.
For these reasons (and many more) healthcare organizations must adopt a comprehensive approach to security. This involves understanding where PHI resides, implementing robust access controls, continuously monitoring security measures, and adapting to changes in the digital landscape.
The Home Security Analogy
To grasp the complexities of healthcare security, let’s draw an analogy to securing a home. Just as homeowners take steps to protect their valuables, healthcare organizations must implement similar measures to safeguard PHI in the cloud.
- Know Where Your Valuables Are
In a home, you wouldn’t leave your passports, wills, and heirlooms scattered around. Instead, you’d designate a secure place, like a safe, to store these important items. Similarly, healthcare organizations need to know where their PHI is stored in the cloud. Identifying the locations of sensitive data is the first step in protecting it. This involves mapping out where PHI resides across various systems and ensuring that it is stored in secure, designated areas.
- Implement Access Controls
Once you’ve identified where your valuables are, the next step is to control access to them. In a home, this means having strong locks on doors and windows. For healthcare organizations, this translates to implementing robust access controls for PHI. Access control measures determine who can access sensitive data, under what conditions, and what actions they can perform. This includes using strong authentication methods, such as multi-factor authentication, to verify the identities of users accessing PHI.
- Continuous Monitoring: The Security Cameras of the Digital World
In a home, security cameras provide real-time monitoring of activities, alerting homeowners to suspicious behavior. In the digital realm, continuous monitoring plays a similar role. Healthcare organizations need to continuously monitor their systems for signs of unauthorized access or unusual activities. This involves logging access events, analyzing patterns, and detecting anomalies that could indicate a security breach. Continuous monitoring ensures that any suspicious activity is promptly identified and addressed.
- Adapt to Changes: Handling the Unexpected
Homes are dynamic environments where changes occur regularly, such as new family members moving in or renovations taking place. Similarly, healthcare organizations must adapt to changes in their digital environments. This includes managing changes in personnel, applications, and infrastructure. For instance, when new employees join, their access to PHI must be carefully managed, and when they leave, their access should be promptly revoked. Regular reviews of access controls and permissions help ensure that only authorized individuals have access to sensitive data.
- Protecting Against Broken and Unlocked Windows
Just as burglars constantly devise new methods to break into homes, such as searching for broken or unlocked windows, cyber attackers continuously evolve their tactics to breach healthcare systems. Healthcare organizations must stay informed about emerging threats and adapt their security measures accordingly. This involves leveraging threat intelligence to understand the latest attack vectors and vulnerabilities. By staying ahead of cyber attackers, healthcare organizations can proactively strengthen their defenses.
Several high-profile breaches in the healthcare industry highlight the importance of robust security measures. For example, in 2020, a ransomware attack on a major healthcare provider resulted in the compromise of over 300,000 patient records. This incident underscores the need for comprehensive security strategies that encompass prevention, detection, and response.
In addition, according to a recent report by the Ponemon Institute, the average cost of a healthcare data breach is $9.42 million, the highest of any industry. This staggering figure reflects the severe consequences of inadequate security measures. Furthermore, the report found that 44% of healthcare breaches were caused by malicious attacks, emphasizing the need for proactive defense mechanisms.
To enhance security and protect PHI, healthcare organizations can follow these practical steps based on home security – and make sure you are implementing these simple steps that are best practices.
Identify and Classify PHI: Conduct a thorough assessment to identify where PHI resides and classify it based on its sensitivity. This helps prioritize security efforts and allocate resources effectively.
Implement Strong Access Controls: Use multi-factor authentication and role-based access controls to limit access to PHI. Regularly review and update access permissions to ensure they align with current roles and responsibilities.
Continuous Monitoring and Incident Response: Deploy advanced monitoring tools to detect and respond to suspicious activities in real-time. Develop a robust incident response plan to mitigate the impact of potential breaches.
Regular Security Risk Assessments: Conduct regular security assessments by leveraging CSPM technology that gives visibility into the compliance and security posture of your cloud environments and helps to prioritize and remediate risks present in your environment.
Employee Training and Awareness: Educate employees about security best practices and the importance of protecting PHI. Regular training sessions can help build a security-conscious culture within the organization.
Leverage Threat Intelligence: Stay informed about the latest threats and vulnerabilities by leveraging threat intelligence feeds. Use this information to proactively strengthen security measures and stay ahead of cyber attackers.
Protecting PHI in the cloud requires a multifaceted approach that parallels the strategies used to secure a home. By knowing where PHI resides, implementing robust access controls, continuously monitoring security measures, adapting to changes, and staying informed about emerging threats, healthcare organizations can effectively safeguard their sensitive data.
Healthcare organizations must prioritize security to protect patient data and maintain trust. By adopting a proactive and comprehensive security strategy, they can navigate the complexities of cloud-based operations and safeguard their most valuable assets—just as they would protect their homes and the valuables within them.
About the Author
Jim leads ClearDATA’s Engineering, Product Management, and IT teams. He has more than 25 years leading product organizations in the identity, integrated risk, and fraud management markets. Prior to joining ClearDATA, Jim served as Chief Operating Officer of Outseer, an RSA Company, where he served over 10 years in executive leadership roles. Prior to RSA in 2012, he served in executive leadership roles for Aveksa, CA and Netegrity. Ducharme frequently speaks at industry events and regularly contributes articles to trade publications.
Jim also holds several patents and a Bachelor of Science in Computer Science degree from the University of New Hampshire. He and his wife live in Maine in their dream log home, which was featured in Log and Timber Home Living magazine.
Jim can be reached online at https://www.linkedin.com/in/jimducharme/ and at our company website http://www.cleardata.com.