Protecting Customer Data: Focus on Physical Security
April 18, 2019

Protected Health Information (PHI) is a desirable and lucrative target of hackers and cybercriminals around the world. When sold on the black market, PHI is projected to be up to 40 times more valuable than a credit card record, particularly if it contains social security numbers. According to the 2020 Trustwave Global Security Report, a healthcare data record may be valued at up to $250 per record on the black market, compared to $5 or $6 for a credit card number with complete data.
As stolen data continues to grow in value, criminals become more creative. It is an escalating battle that keeps data security a high priority and an ongoing challenge. Security knowledge, therefore, is vital. As part of a roundtable of technology experts, I discussed how XiFin protects customer data. Key takeaways from that discussion are highlighted below.
Why PHI Attracts Hackers and Thieves
PHI is popular with criminals because the information is easily monetized. Classic criminal strategies for obtaining PHI include1:
Why PHI is Valuable
Another reason criminals are attracted to PHI more than credit card information is that PHI has a longer shelf life. Credit card companies use machine learning and other sophisticated technologies to identify suspicious transactions quickly and often can immediately shut down suspicious transactions and suspend accounts from any further activity. By contrast, PHI can be leveraged for a much longer period of time.
Protecting PHI Data
XiFin understands the many methods of attempting to obtain PHI illegally and goes to extensive lengths to protect this data. Perhaps the most foundational security concern of any entity housing PHI information is whether the data center — where the PHI is stored — meets world-class physical security requirements. For example, XiFin’s data center partner, Switch, is the world’s only Tier 5® Platinum data center.
Physical security does not stop at the data center. The high standard set by Switch is carried over into XiFin’s own corporate physical security. At our physical locations, the XiFin workforce uses ID key card access control, segmenting physical areas so that they are accessible only to the workforce members who have a business requirement for specific subsets of the PHI managed by XiFin. All possible ingress and egress points into the facility have multiple monitoring and alarm sensors. Visitors are required to register at the reception desk and are always escorted. XiFin maintains a clean desk policy, requiring that sensitive documents be secured at the end of each workday. Printing of documents is kept to a minimum, as XiFin encourages a paperless work environment. All workforce members are trained on their role in protecting sensitive information, with targeted training assigned monthly on a wide range of security, privacy, and compliance topics.
In summary, it is important to do extensive due diligence when selecting a physical security partner. You will want an experienced company that not only ensures the safety of data stored offsite but can consult on how to bring that same level of security to your own physical locations.
Additional XiFin Resources:
Interested in learning more about XiFin’s Compliance Program and the services we provide to reduce our customers’ compliance concerns? Head over to our Compliance page for more information.
Sources:
1 https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/
1 PHI: Valuable and Vulnerable, By Juliann Schaeffer, For The Record, Vol. 28 No. 3 P. 18