Protected Health Information (PHI) is a favorite target of cybercriminals. Sold on the black market, PHI is estimated to be 10 to 20 times more valuable than a credit card record, which typically sells for $1 or $2.
As stolen data continues to grow in value, criminals become more creative. It's an escalating battle that keeps data security a high-priority and an ongoing challenge. Knowledge, therefore, is vital, and understanding the PHI cycle is integral to physical security.
As part of a recent roundtable of technology experts, XIFIN Cyber Security Director Michael Conlon and I discussed how XIFIN protects customer data. As an introduction to this important topic, I focused on the criminal attraction of PHI and shared best practices on physical security, and Michael continued the discussion focusing on data breach prevention and protocol.
Here are some highlights from my discussion:
Kevin Hagen, Vice President Information Systems, XIFIN
Why PHI Attracts Thieves
PHI is popular with criminals because the information is easily monetized for illegal profit. Classic criminal strategies for obtaining PHI include1:
Extortion (blackmail): Criminals demand money from individuals or healthcare organizations to prevent exposing private medical informationFraud: Criminals use a valid health insurance card to obtain health care services or purchase medical equipment or pharmaceuticals that are resold at a profitIdentity Theft: Criminals use a valid social security number to open lines of credit or create fake IDs
Data laundering: Criminals sell stolen data back to legitimate businesses or repackage insurance claims data
Why PHI is Valuable
One reason criminals are attracted to PHI more than credit card information is that PHI has a longer shelf life. Credit card companies use machine learning and other tactics to identify suspicious transactions quickly. They then release mechanisms to shut down suspicious and illegal transactions swiftly. By contrast, PHI can be leveraged for a much longer period of time.
Protecting PHI Data
XIFIN understands the many machinations of obtaining PHI illegally and goes to extensive lengths to protect its data. Perhaps the most foundational security concern of any entity housing PHI information is whether the data center — where the PHI is stored — meets world-class physical security requirements. XIFIN’s data center partner is Las Vegas-based Switch, the world's only Tier 4+ Gold data center.
Physical security does not stop at the data center. The high standard set by Switch is implemented into XIFIN's own corporate physical security. At its physical locations, the company uses access control and monitoring, which includes segmenting physical areas where PHI is accessible to employees. All employees are HIPAA and security trained and limited to facility access by their involvement with PHI. Also, secure remote access is heavily restricted to highly encrypted virtual private networks.
Finally, XIFIN’s data architecture — the governance of data collected and how it is stored, arranged, integrated, and put to use — leverages best-in-class infrastructure technologies for the many data services XIFIN makes available. These best-in-class technologies enable XIFIN to monitor, alert, respond & remediate threats to our data security in a near real-time fashion. On top of that is an extensive set of security tools, and our internet presence uses a heavily fortified series of firewalls and appliances to control and inspect all data through ingress and egress. Not only does this keep data safe, but it keeps it available when needed.
In summary, it is important to do extensive due diligence when selecting a physical security partner. You’ll want an experienced company that not only ensures the safety of data stored offsite but can consult on how to bring that same level of security to your own physical locations.
For more information on data breach prevention, protocol, and training, read the complementary blog: “Best Practices for Protecting Customer Data: Focus on Data Breach Prevention and Protocol.”
1. PHI: Valuable and Vulnerable, By Juliann Schaeffer, For The Record, Vol. 28 No. 3 P. 18