Why PII/PHI information is so important to be kept safe and secure from attackers

by Eli Greenberg

     Personally Identifiable Information (PII) is a term to describe and explain any delicate information or data that is particular to each individual and can be used to contact them. Examples of PII can include social security numbers, phone numbers, and email addresses. PII can also include other private information such as login IDs, digital images, IP addresses, and posts on various social media platforms. Now on to Protected Health Information (PHI) is a word that includes medical information that identifies an individual used or disclosed in providing healthcare services, whether it was a diagnosis or treatment. PHI information may include past, present, or future physical health conditions of a particular individual.

     As companies keep putting employees and customers on PII, that company will also inherit and expose themselves to potential threats if leaked. Some examples could be Yahoo! and Target; they've had some data breaches that can occur anywhere and in any company, big or small. The problem is that all this can be costly and ruin a company's reputation.

     Regardless of how the data is lost, companies will face many consequences if data is released through an employee's carelessness or a malicious attack. Some of these include fines, litigation expenses, the costs of implementing better systems, and the damage of negative publicity. And with all this negative publicity, this goes without saying that customers may want to rethink their partnership with that company. This could ruin the company for good. If this were to happen to a company, I recommend going to Digital Edge and asking for their help. They have many experts on PII/PHI and can handle that with experience and ease.  

     Some ways that professionals draw up policies and practices so that PHI/PII can be handled safely and correctly are the following: taking stock, scale down, lock it, and plan ahead. These four steps to ensuring the safety of PII should be beneficial. Taking stock means that your company should list out all computers, laptops, mobile devices, flash drives, home computers, digital copiers, and other equipment to find out exactly where PII is stored. It is crucial to track PII throughout your business/network by turning to the sales department, IT staff, human resources office, accounting personnel, and outside service providers. All these departments can help you locate the PII within your company and keep it protected.

     Next, scale down. Your company should only have the PII you need for your business and only for as long as you need it. Social Security and credit card numbers should only be used for required and lawful reasons. If you must keep PII, you should have a retaining policy for written records to determine what PII should be kept, how to secure it, how long to keep it, and how to dispose of it securely if need be. On to locking it. One of the most effective PII security plans addresses physical breaches, electronic safety, employee training, and contractor and service providers. For physical security, an organization should store files with PII in locked file cabinets, require employees to put secure files they are working on in a secure place, input strict and harsh building access control, and store PII at a secure off-site location. Lastly, it is in your best interest to use good practices in securing PII. These may include using network security, having strong authentication for access to PII, and making laptops that handle PII are secure. It may be necessary to use solid firewalls and secure wireless and remote access for employees so that PII is not always accessible. However, when it is, it's remote and wireless.

     Finally, plan upfront. Your company should create a plan for attacks. If a hacker has gotten into a computer, disconnect it from your network. Immediately look into incidents and close existing openings. Develop a list of breaches to contact should you suffer a PII breach. This list could include law enforcement, media, credit bureaus, regulatory agencies, affected businesses, and the individual victims within the company. Privacy and personally identifiable information awareness training can help employees keep PII a top priority.  

     In addition to all this, The Federal Trade Commission finalized a settlement that will require Flo Health Incorporated to obtain the consent of users of the company's fertility-tracking app before sharing their personal health information with others. This settlement was probably related to a complaint first announced in January. The FTC claims that despite promising to keep users' health data private, Flo shared sensitive health data from millions of users of its Flo Period and Ovulation Tracker app with marketing and analytics firms, including Facebook and Google. As part of the settlement, Flo Health must notify users about disclosing their health information and inform other networks or organizations that received users' health information to destroy that data.

     This shows the importance of PII and PHI and some of the consequences and risks that could ensue if certain information is disclosed. Now, Flo cannot misrepresent any of the following things under information security due to data being wrongfully disclosed:

     ●    How many consumers can control data uses 
     ●    The agreement with any privacy, security, or compliance program
     ●     How it collects, maintains, uses, discloses, deletes, or protects users' information.

     All this came about because of what Flo did to lie and hand out private information. And that is why having a professional, having someone trustworthy, and having everyone on board with clear and straightforward ways to avoid PII or PHI being released to attackers or any other individual other than the owner is of the utmost importance. 

     An example of a big company with a case study about PII is a tech company called Heureka Software, an insurance company. Their problem lay in the identification of PII information in unstructured data across the organization. They lacked visibility about what PII information existed on employee computers. In addition, they had no large-scale software, only focused on PII. And what they needed was automatic PII detection for certain information such as social security numbers, credit cards, and bank routing information. Now this company has developed tremendously and can manage PII risk, view risk trends of it, and conduct searches or take action. Lastly, they also fixed their problem and now can identify certain PII information such as security numbers, credit card numbers, and bank routing information. 

     Next, here is an example of a small company with a case study about HIPAA and social media disclosure of PHI. In today's world, social media is everywhere. It has made communicating with each other a lot easier and more convenient over the internet. However, this ease of use also makes violating HIPAA easier as well.

     For example, posting or sharing PHI online without the approval of the patient is a HIPAA violation. And that's what this case study is about. A patient at Northwestern Medicine Regional Medical Group (NMRMG), issuing for a breach of privacy in relation to her medical records while in the hospital. She accused a hospital employee of accessing her medical records and then posting them on Twitter about health care and procedures she received at MMRMG. The records consisted of very delicate information about emergency room visits, medications, medical history, and imaging results. This employee went a step further and told her patient's ex, now her boyfriend told him about her patient's PHI. The results were that this nurse or doctor was fired. Then NMRMG sent a letter to the patient acknowledging that inappropriate access to PHI had been released to the public. Next, the patient filed a lawsuit against NMRMG. The patient felt violated on many accounts and was very upset about her private information being disclosed with her permission.

     This whole thing may trigger a high-profile case due to The Department of Health and Human Services (HHS) being notified of the breach. This is a big problem. With PHI already being sensitive enough, HIPAA and social media don't help to be in the mix too.