The effects of a data breach can be devastating to any company and can have far reaching effects. Target estimated the credit card data breach costs, after insurance reimbursement at $105 Million. In addition, 40 million payment cards and 70 million other records, including customers email addresses and phone numbers were stolen. This breach was severe enough for the CEO to resign.
The Ponemon Institute released a report in September 2014 indicating that 43% of companies had experienced a data breach in the past year and that was an increase in 10% over the prior year. It’s not a matter of if your company will be attacked, it’s when it will happen. According to the report, the magnitude of the breaches is increasing and more than 80% of the breaches were caused by employee negligence.
I do believe that we will see a flood of lawsuits pertaining to PHI data breaches and with the stringent HIPAA laws in place, medical practices and the associated industry can expect to pay exorbitant penalties.
Companies need to protect PII, PHI and PCI from both internal and external threats and should retain only information that is crucial to the operation of the business and what is legally required if their data is breached.
Personally Identifiable Information (PII) is information that can be used to identify on its own or in conjunction with other information a single person. The National Institute of Standards and Technology (NIST) Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address as used in a communication exchange is classified as PII regardless of whether it may or may not on its own be able to uniquely identify a person.
Protected Health Information (as defined by HIPAA.COM) means any information, whether oral or recorded in any form or medium, that –
· is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
· relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment foe the provision of health care to an individual; and
(I) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual
Payment Card Industry (PCI) Compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. According to TechTarget, PCI compliance is required by all card brands and per the PCI Security Standards Council there are six main requirements for maintaining compliance.
1. Build and maintain a secure network
· Install and maintain a firewall configuration to protect cardholder data
· Not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
· Protect stored cardholder data
· Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability management program
· Use and regularly update anti-virus software
· Develop and maintain secure systems and applications
4. Implement strong access control measures
· Restrict access to cardholder data by business need-to-know
· Assign a unique ID to each person with computer access
· Restrict physical access to cardholder data
5. Regularly monitor and test networks
· Track and monitor all access to network resources and cardholder data
· Regularly test security systems and processes
6. Maintain an information security policy
· Maintain a policy that addresses information security
The costs associated with a data breach and subsequent loss of PII, PHI and or PCI can be devastating to any organization, no matter their size. These costs come in the form of financial penalties and loss of reputation and in some cases result in criminal prosecution.
Reputation is one of an organization’s most important and valuable assets and is intrinsically linked with brand image. According to research done by the Ponemon Institute, respondents said that their brand would diminish by 21% in the event of 100, 000 confidential consumer records being lost due to a data breach and that it would take on average about a year to restore the organization’s reputation. Data breaches involving employee confidential information and also records containing confidential business information can also be extremely harmful to an organization.
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving PII. Some states have passed legislation requiring businesses to proactively implement security measures to protect PII before a data breach occurs.
Protecting PII, PHI and PCI within an Enterprise Content Management System
It goes without saying that all data in databases, files and applications and data being transmitted needs to be secure and encrypted. Just as important is to purge files and data no longer required to be kept in accordance with any laws and regulations and to redact all PII, PHI and PCI.
PII collected by businesses and government is stored in various formats either digitally or hard copy paper. At least 32 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make PII unreadable or undecipherable.
There has been an increasing awareness to protect data at the source and not just at the perimeter
Redacting documents, especially unstructured documents, can be a very challenging exercise and should be entrusted to an enterprise content management software and development company that is competent and experienced in developing and integrating redaction software and workflow to automate the redaction processes.
The passage of the HITECH Act increased penalties for information security negligence pertaining to PHI. The basis for the act requires organizations that handle PHI meet a baseline criteria for protection of data in transit, in use, at rest and when disposed. The HITECH Act is noteworthy because it provides definition around the protection of PHI and puts an emphasis on the encryption of PHI.
The penalties for HIPAA violations and data breaches of PII, PCI and PHI can be devastating to any organization and companies should not spare any expenses with regards to HIPAA compliance training and the securing of networks and data.