
The Ultimate Guide to Healthcare Data Security

Introduction

What opportunities remain for the future of a healthcare industry that has faced decades of change in two short years? Countless –– as long as organizations remain dynamic and leverage digital opportunities. From optimizing telehealth offerings to catalyzing medical innovation, robust and reliable data is the backbone for healthcare’s advancement in 2022. In the same vein, data security is integral to ensuring the protection of confidential patient information and compliance with federal and state-level regulations. Interested in learning more about the intersection between data security and healthcare? Here’s our Ultimate Guide!

 

What is considered “healthcare data?”

Healthcare data, sometimes known as medical or clinical data, is any data related to health conditions, reproductive outcomes, causes of death, and quality of life for an individual or a population. Sources for this data include surveys, claims data, administrative and medical records, disease registries, and more.

 

What are the two federal laws that have been enacted to protect personal health information?

Numerous laws protect the privacy of health data. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act create standards that qualify and protect the privacy of identifiable health information.

HIPAA was enacted in 1996. Before its passage, hospitals, medical practices, and insurance companies complied with a variety of laws at state and federal levels. Oftentimes, patient information could be easily distributed without the patient’s authorization and for purposes unrelated to medical care. For example, lenders and employers could access an individual’s health record –– and subsequently deny a mortgage or job application based on medical history. 

To prevent these outcomes and protect patient privacy, legislators drafted HIPAA’s privacy rule and security rule. The privacy rule allows patients to decide who has access to their medical records, such as a primary care provider or a team of specialists. It also places specific limits on how a provider can access, use, or store patient data. The security rule ensures that electronically transmitted patient data is protected through appropriate administrative, physical, and technical safeguards.

In 2009, HITECH was also passed to ensure the confidentiality, integrity, and security of electronic health information. HITECH promoted and expanded the adoption of electronic health records (EHRs), clarified language in HIPAA to close potential loopholes, and created tougher penalties for HIPAA violations to incentivize compliance with privacy and security rules. Prior to HITECH, only 10% of hospitals had adopted EHRs –– leaving healthcare out of the digital age. HITECH encouraged digital transformation through financial incentives, ultimately improving healthcare efficiency and coordination.

 

What is Protected Health Information (PHI)?

Any health information that includes individual identifiers is considered PHI, including demographic information. Under HIPAA, the 18 identifiers of PHI are:

  1. Names 
  2. Dates, except for the year
  3. Telephone numbers
  4. FAX numbers
  5. Geographic information
  6. Social Security numbers
  7. Email addresses
  8. Medical record numbers
  9. Account numbers
  10. Health plan beneficiary numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet protocol addresses
  16. Full face photos and comparable images
  17. Biometric identifiers (e.g., retinal scans and fingerprints)
  18. Any unique identifying number or code

 

What distinguishes Protected Health Information (PHI) from healthcare data?

All PHI is healthcare data, but not all healthcare data is PHI. PHI refers to any past, present, or future identifiable health information that is used, maintained, or stored by a HIPAA-covered entity. Physical records, electronic records, and spoken information regarding a patient’s medical conditions, provisions of care, or payment of care are all considered PHI. Examples of PHI include:

  • Phone records between an individual and a healthcare provider
  • Billing information from a doctor
  • Diagnosis of a medical condition
  • Results from a blood test

 

What isn’t considered PHI? 

Two conditions determine what qualifies as PHI: who records the information, and whether the information has been stripped of all identifiers that could tie it to an individual. HIPAA applies to HIPAA-covered entities and their business associates. It does not cover education or employment records, which may retain certain information about an individual’s health, such as allergies or blood type. Information is only considered PHI if it was recorded by a healthcare provider or used by a health plan. Additionally, if the 18 identifiers of PHI are stripped from the health information, HIPAA does not apply. The data is then considered de-identified PHI. Note, however, that certain characteristics that could uniquely identify an individual cannot reasonably be stripped from data: context clues and additional publicly available information can lead to re-identification of an individual. In practice, this means HIPAA typically does apply when patient information is used, and healthcare institutions should take appropriate and proactive measures to ensure compliance.
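The following sketch illustrates both halves of that paragraph: stripping identifiers from a record, then checking which rows remain unique on the attributes that are left. It is an added example, not code from the original guide; the field names, regex patterns, and sample records are assumptions constructed for illustration and cover only some of the 18 identifiers.

```python
import re
from collections import Counter

# Field names are assumptions for this example; they cover only some of the 18 identifiers.
IDENTIFIER_FIELDS = {"name", "phone", "email", "ssn", "mrn", "zip", "ip"}
DATE_FIELDS = {"birth_date", "admit_date"}  # ISO dates; only the year may remain
RESIDUAL_PATTERNS = {  # identifiers that hide inside free-text fields
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def deidentify(record):
    """Drop identifier fields, reduce dates to the year, redact free text."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value[:4]
            continue
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                value = pattern.sub(f"[{label}]", value)
        out[key] = value
    return out

def unique_rows(records, quasi_identifiers):
    """Rows whose combination of remaining attributes occurs exactly once."""
    def combo(row):
        return tuple(row[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in records)
    return [r for r in records if counts[combo(r)] == 1]

# Constructed sample data, not real patient records.
SAMPLE = [
    {"name": "Pat A", "ssn": "000-00-0001", "zip": "00001", "birth_date": "1950-02-11",
     "sex": "F", "diagnosis": "asthma", "note": "Call 555-010-0001 after discharge"},
    {"name": "Pat B", "ssn": "000-00-0002", "zip": "00001", "birth_date": "1950-07-30",
     "sex": "F", "diagnosis": "asthma", "note": "Results sent to pat.b@example.org"},
    {"name": "Pat C", "ssn": "000-00-0003", "zip": "00002", "birth_date": "1931-12-05",
     "sex": "M", "diagnosis": "asthma", "note": "No follow-up needed"},
]

if __name__ == "__main__":
    cleaned = [deidentify(r) for r in SAMPLE]
    for row in cleaned:
        print(row)
    print("still unique:", unique_rows(cleaned, ["birth_year", "sex"]))
```

The third record stays unique on birth year and sex even after every listed identifier field is gone, which is the re-identification risk the paragraph describes.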

 

When are disclosures permitted for PHI?

There are, of course, instances where disclosure of PHI is required by law. Typically, these types of disclosures handle circumstances that involve public policy, safety, or other legal concerns that compete with a patient’s need for medical confidentiality. HIPAA permits disclosures under the following provisions:

  • Public health activities, such as those involving disease control, product recalls, or work-related illnesses;
  • Suspected abuse, neglect, or domestic violence;
  • Health oversight activities of the healthcare system, government benefit programs, or civil rights law;
  • Judicial or administrative proceedings in response to a court order or subpoena;
  • Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
  • Deceased patients (to coroners, medical examiners, or funeral directors);
  • Organ donation;
  • Research, provided specific requirements are met; and
  • Government functions such as national security or intelligence activities.

With such a specific and limited list of permitted reasons for disclosure, sharing data for medical research or other industry-related developments requires a careful, privacy-by-design approach. So how do organizations collaborate with data? First, let’s start by exploring why data collaboration is important in the first place.

 

What are the benefits of data collaboration in healthcare?

Data collaboration is critical for healthcare institutions. Interoperability –– the ability of two or more systems to exchange and use health information –– allows for increased clinic/hospital efficiency, reduced visits and admissions, improved diagnostic accuracy, and more. This host of potential benefits for patients’ health and well-being depends on private, secure, and streamlined sharing between healthcare providers. 

One key example of the benefits of data collaboration in healthcare is this study, conducted by researchers at Stanford University and the Houston Methodist Research Institute in 2016. By examining more than 16 million electronic health records of 2.9 million people to probe the link between common gastroesophageal reflux disease treatments and heart attacks, they found that individuals taking proton pump inhibitors (Nexium, Prilosec, and Prevacid) were 16 percent more likely to have a heart attack than those who did not take these drugs. While the study does not establish that these drugs cause heart attacks, the findings catalyze a closer examination of a potential cause-and-effect relationship between proton pump inhibitors and future heart attacks.

This example highlights how collaboration and secure information sharing can also vastly improve wider-level medical research, in addition to population health management and epidemiology/disease tracking. Access to transparent and informative data can improve the accuracy of research, provide a backbone for risk/benefit analysis of treatment options, and strengthen clinical research collaborations between healthcare providers. 

 

What is the biggest threat to the security of healthcare data?

Healthcare organizations are continually at risk for cyberthreats due to their possession of information that is of high monetary and intelligence value to hackers, cyber-thieves, and other bad actors. Protected health information, financial information such as credit card and bank account numbers, Social Security numbers, and intellectual property are all forms of targeted data. Ransomware, credential harvesting, and device theft are top mechanisms for stealing patient health information.

Immediate patient outcomes are often impacted by cyber crimes. In May of 2017, the “WannaCry” ransomware attack targeted computer systems in 150 countries, hitting over 230,000 computers globally. American hospitals and healthcare systems faced diverted ambulances, canceled surgeries, and disrupted operations –– consequences that could have been avoided through updated software and education on data security. In 2021, a Critical Insights report found that cybersecurity breaches hit an all-time high, with over 45 million individuals impacted by healthcare attacks. This number has tripled in the past three years, partially resulting from the unprecedented stress hospital and health systems faced during COVID-19. As healthcare systems continue to shore up defenses, the U.S. Department of Health & Human Services Office of Civil Rights (OCR) recommends vigilance around these top cybersecurity threats:

 

What types of data security does the healthcare industry currently implement?

Protecting data in the healthcare industry is a serious challenge, and as regulatory requirements for data protection increase, healthcare organizations must take a proactive approach to implementing best practices for data security. Currently, these are the steps healthcare organizations take to remain compliant and lower the risk of data breaches:

  • Educating healthcare staff
    Human error can lead to catastrophic and costly consequences. Through robust security awareness training, healthcare employees can independently make critical and careful decisions when handling sensitive patient data.
  • Implementing access and usage controls
    Data controls allow healthcare organizations to restrict access to patient information and applications to users who require access to perform their roles, or block specific actions (such as web uploads, copying to external drives, or unauthorized email sends) altogether. Data discovery and classification can also ensure that sensitive data is identified and tagged according to the level of protection necessary for the information.
  • Logging and monitoring the use of data
    An audit trail allows healthcare providers to identify which users are accessing patient information, pinpoint areas of concern in security, and strengthen protective measures. 
  • Encrypting data at-rest and in-transit
    Encryption makes deciphering patient information more difficult for attackers. By encoding data so that only authorized parties can receive and understand information, healthcare providers can prevent unauthorized persons or applications from gaining access to PHI.
  • Securing mobile devices and applications
    Smartphones and other devices are commonplace in 21st-century healthcare, with patients, physicians, and insurance providers inputting and receiving information to increase operational efficiency. Mobile device security requires a range of measures, such as encryption of application data, installation of mobile security software, and enablement of remote-wipe or lock applications for lost or stolen devices. 
  • Conducting frequent and thorough risk assessments
    Regular risk assessments encourage proactive measures against potential data breaches and cyber attacks. Locating vulnerabilities in security, growth points in employee education, and other areas of concern can reduce the risk of costly penalties from regulatory agencies and the reputational damage associated with a breach.
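To make the access-control and audit-trail items above concrete, the sketch below reviews a small access log against a role policy and care-team assignments and reports accesses that fall outside them. It is an added example, not code from the original guide; the log format, user names, roles, rule names, and policy tables are all hypothetical.

```python
from collections import defaultdict

# Constructed audit-trail lines: timestamp, user, role, action, patient ID.
AUDIT_LOG = """\
2022-03-01T09:02:11 dr_lee physician read P001
2022-03-01T09:05:40 nurse_kim nurse read P001
2022-03-01T09:07:02 billing_ray billing read P002
2022-03-01T23:41:19 nurse_kim nurse read P003
2022-03-01T23:41:55 nurse_kim nurse export P003
2022-03-01T23:42:30 nurse_kim nurse read P004
"""

# Hypothetical policy data: actions each role may perform, and each patient's care team.
ROLE_ACTIONS = {"physician": {"read", "write"}, "nurse": {"read"}, "billing": {"read"}}
CARE_TEAM = {
    "P001": {"dr_lee", "nurse_kim"},
    "P002": {"dr_lee", "billing_ray"},
    "P003": {"dr_lee"},
    "P004": {"dr_lee"},
}

def review(log_text, max_off_team_patients=1):
    """Return (rule, user, detail) findings for an access log."""
    findings = []
    off_team = defaultdict(set)  # user -> patients accessed outside their care team
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        # Usage control: the role must be allowed to perform this action.
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(("action_not_permitted", user, f"{action} {patient} at {ts}"))
        # Access control: the user must be on the patient's care team.
        if user not in CARE_TEAM.get(patient, set()):
            findings.append(("not_on_care_team", user, f"{action} {patient} at {ts}"))
            off_team[user].add(patient)
    # Area of concern: one user touching several patients they are not assigned to.
    for user, patients in off_team.items():
        if len(patients) > max_off_team_patients:
            findings.append(("many_off_team_patients", user, ",".join(sorted(patients))))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

In a deployed system the same policy tables would also be enforced at request time, so the log review only has to catch what enforcement missed.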

 

How can we improve data security in healthcare?

Scaling digital transformations, increasing cyberattacks, and rapidly changing technologies in healthcare all reinforce the need for innovative and reliable data security solutions. Ideally, these solutions should also promote interoperability between hospitals, research institutions, and other healthcare providers to maximize value derived from healthcare data –– without compromising patient privacy or incurring severe penalties after a breach.

According to the American Hospital Association, “the key to leveraging health data’s full potential for improving patient care is the establishment of a framework for compatible technical and linguistic (semantic) standards adopted by all parties that leads us to a generic, vendor-neutral data exchange program. We currently lack universally agreed upon ways of sharing and using information.”

TripleBlind is a software-only solution that can unlock the intellectual property of health data without compromising PHI or violating HIPAA. By keeping data private and in place while allowing authorized operations on the data, healthcare providers can collaborate around sensitive information and ensure compliance with regional and national privacy regulations.

Take, for example, this use case in hospital and pharmacy analytics. A critical pain point for hospital and life science researchers is the need for detailed information about patient drug purchases and usage. While these researchers often know what drugs have been prescribed to patients, they have little information about actual purchase or use rates –– information that pharmacies possess, but struggle to or cannot share due to interoperability challenges or legal barriers. 

Using TripleBlind, the hospital can run a “fuzzy” (or exact) match to identify the intersection of its customers and the pharmacy’s customers. The pharmacy can also set permissions on what data the hospital is able to see about their shared customers, allowing the pharmacy to retain full access and usage controls. Through this data collaboration, the hospital can then gain insights into what medications patients are actually purchasing and taking after receiving a prescription, then incorporate their findings into future research and models.

With our privacy enhancing computation solution, no exchange of raw data ever takes place. Permissions on how data is used can be set to per-use authorization, ongoing permissions, or anything in-between –– giving data owners full autonomy over data and algorithms, while allowing data collaboration and innovation to take place. The TripleBlind Solution offers the following additional advantages:

  • Streamlined interoperability between healthcare organizations –– Using or combining PHI and PII is often a compliance migraine for healthcare professionals. The TripleBlind Solution reduces time and resource cost, allowing organizations to extract insight from data without compromising or relinquishing control over proprietary information.
  • Exceptional AI/ML modeling and analysis toolset –– TripleBlind enables all data operations to occur on any type of data, without adding speed penalties or requiring additional storage. Train AI models and find healthcare solutions faster and with greater accuracy than ever before.
  • Aggregation of granular-level patient data while ensuring HIPAA/HITECH compliance –– Since PHI is protected by design and never moved, shared, or seen by any parties, critical information can be included in every research process –– including early indication clinical trial reporting, pharmaceuticals, and more.

Are you ready to learn more about how TripleBlind can support your organization in joining the future of healthcare data security? Check out our use cases or contact us for a demo of our next-generation product.