What Is PII and PHI and How Do You Secure Them?

Even with the regular news stories about data breaches, I’m still not sure our society views cybersecurity and cyberspace seriously enough. Many still entertain the notion that cyberspace is somehow removed from the physical world we live in, but there is nothing “virtual” about this reality or the threats that exist here. Think about how cyberspace impacts our life. Where does the majority of our communication happen? Where is the information concerning our life and possessions stored? The records for our houses, our cars, etc.—all the primary sources for these exist in cyberspace. That includes our money. Check out a bank statement. Do we really think there is physical “money” in a vault someplace? No, it’s just binary code on a hard drive somewhere. Let’s face it; if we were erased in cyberspace, our life in physical space would be miserable. We would have a hard time proving we have property, history, wealth, or even citizenship. That is why it is so important to secure the data we depend on. To that end, two acronyms we should know are PII and PHI.

What does PII stand for?

The definition of PII is personally identifiable information. This is information that, on its own or combined, can be used to identify, locate, or contact an individual. Some examples of PII are obviously sensitive: Social Security number, credit card number, driver’s license number, and account numbers. Others are less obvious but just as important: full name, date of birth, home address, phone number, employment history, purchase history, email address, or even a photo of an individual’s face. PII is legally protected by many state laws and good business practices.
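An added example (not from the original article): a minimal scanner for three of the PII types named above (Social Security numbers, credit card numbers, and email addresses) that reports only masked hits, so the report does not itself expose the data. The function names, patterns, and sample records are assumptions constructed for illustration.

```python
import re

# Patterns for three PII types named in the article. SSN rules: area is never
# 000, 666 or 9xx; group is never 00; serial is never 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the report does not leak PII."""
    return "*" * (len(value) - 4) + value[-4:]

def find_pii(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, pii_type, masked_value) for each hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, "credit_card", mask(digits)))
        for m in EMAIL_RE.finditer(line):
            hits.append((lineno, "email", mask(m.group())))
    return hits

# Constructed sample records (not real data): a test card number that passes
# Luhn, an order id that does not, and an SSN-shaped value with invalid area 000.
SAMPLE = """\
name=Jane Roe ssn=123-45-6789 email=jane.roe@example.com
card=4111 1111 1111 1111 order_id=1234567890123456
ssn=000-12-3456 note=placeholder value
"""

if __name__ == "__main__":
    for hit in find_pii(SAMPLE):
        print(hit)
```

Pattern matching of this kind only catches the "obviously sensitive" identifiers; names, addresses, and photos need other discovery methods.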

What does PHI stand for?

The definition of PHI is protected health information. It is a subset of PII that is protected by the HIPAA Privacy Act of 1996. PHI is information that can be used to identify an individual AND that relates to that individual’s past, present, or future physical or mental health care or health care payments. Some examples of PHI are: any and all PII gathered in the course of providing health services, medical, dental, or prescription drug records, insurance coverage, health plan number, status in a government health program, and dates of hospitalization.

While healthcare workers in the United States are bound by HIPAA, outside the US, there are similar frameworks for PII and PHI, such as the UK Cyber Essentials, Canada’s Management of Information Technology Security (MITS), and the Australian Signals Directorate (ASD). Fines can be steep for violations. For HIPAA violations, the civil penalties for the unintentional yet inappropriate release of PHI range from $100 to $50,000 per violation, with up to a maximum of $1.5 million in a year. Individuals who intentionally obtain, disclose, or sell PHI for personal gain or malicious harm may incur criminal penalties including fines AND prison time up to 10 years.

So how do we secure this PII and PHI knowing that a data breach can affect lives and even bring legal repercussions? First, our level of security must match the level of data sensitivity. In the case of PII, it depends on the business contract under which we are handling the PII and any applicable state laws. For any PII you handle, make sure you know your obligations! In the case of PHI, we know it is considered highly sensitive and so we need to use PHI security best practices.

Cybersecurity best practices

Start out with the fundamentals (this is not an exhaustive list):

  • Use a firewall.
  • Use good password policies. According to Verizon®, “63% of confirmed data breaches involved leveraging weak, default, or stolen passwords.”
  • Use antimalware software that is automatically updated.
  • Have policies addressing allowable software and internet usage.
  • Have policies addressing the business use of personal devices.
  • Keep servers and workstations continuously patched.
  • Perform regular system backups.
  • Monitor system logs and security alerts.

In addition to these, when dealing with PHI, it is especially important to use encryption in all its forms:

  • A remote-access VPN for mobile users to establish secure connections with your network.
  • Encrypted email messages to protect content from being read by someone other than the intended recipients.
  • Encryption at rest to secure data persistently stored on any mobile device including laptops, tablets, and phones.
  • Endpoint encryption to secure data that is copied to USB flash drives or memory cards.

The issues with mobile devices can be handled by Mobile Device Management Software (MDM). As the name implies, MDM is for the administration of smart phones, tablets, and laptops. It runs an agent installed on the mobile device that connects to a server. It can be used to enforce connectivity through the company VPN, encrypt the entire hard drive, deliver antivirus updates, and also facilitate a remote wipe of a mobile device that is lost or stolen! On BYOD (bring your own device) smart phones, it can also separate the user’s personal apps from the secure company browser, secure company email, and the associated encrypted business data.

Physical security best practices

Because cybercriminals use eyes, ears, and phones almost as much as they use computers, do the following (this is not an exhaustive list):

  • Locking screen savers should be activated on computers accessing PHI.
  • Computer screens should be positioned so that only the user can see the screen (beware of windows behind you).
  • Minimize paper usage. “Instead of writing on a post it, use a whiteboard and erase it.”
  • Printers and FAX machines used for PHI must be placed in private areas.
  • Documents should be picked up immediately and disposed of in shred bins when finished.
  • Implement a clean desk policy. No PHI should be unlocked when a person is away from their work area.
  • PHI must never be removed from the office unless there is a clear business need.
  • Never leave any mobile device containing PHI unattended or out of reach.
  • Don’t discuss PHI in public areas.

Information is one of our most precious resources and is the asset that powers and enables our business. Let’s treat it that way.

 

Dan Toth is an information systems specialist with a proven background in the development and management of systems, projects, and personnel. Dan’s particular areas of strength include Network Management, Healthcare-Related Computer Systems, Technical Training, and Information and Physical Security.

 
