Why is PHI Valuable to Hackers?

Most people know that healthcare data is a very popular target for hacking and phishing attempts, but why is Protected Health Information so valuable to hackers?

HIPAA has always been referred to as a complicated and overwhelming law that healthcare organizations have struggled to make sure that they are fully compliant with. That is why it is important to be reminded why protected health information is so valuable to criminals and hackers and why keeping it protected from them is so vital.

What is PHI? 

Protected health information, or PHI, which was defined by the HIPAA privacy rule, is any information within a person’s medical record that can identify them and is held by a covered entity. Under HIPAA and the Privacy Rule, there are 18 specific identifiers that must be handled with certain strict safeguards. 

Here are the 18 types of information that are considered protected health information (PHI) under HIPAA: 

  1. Name
  2. Address (Including any information more localized than state) 
  3. Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc. 
  4. Telephone Number
  5. Fax Number
  6. Email address
  7. Social Security number 
  8. Medical record number 
  9. Health plan beneficiary number
  10. Account number 
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, license plate numbers
  13. Device identifiers/serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics or codes 

The Value of PHI 

Healthcare records are known to be one of the most valuable types of information that hackers look for. Most of the PHI that is compromised throughout the industry happens through hacking or IT incidents. That is because of the high value of PHI compared to other information that hackers may be able to find. 

Higher Selling Price

As mentioned earlier, PHI is known to be one of the highest valued types of information that can be stolen. A 2018 Trustwave Global Security Report investigated the price values of different types of stolen data that are sold on the dark web. A social security number would sell for $0.53, the details of a payment card would be $5.40 but the health care record for one person would receive an average of $250.15 when sold. This shows the dramatic difference in value of healthcare data when compared to other forms of private information that is commonly stolen and sold. 

Long Shelf Life 

One attractive quality of PHI for hackers is that it has a long shelf life compared to other forms of information that can be stolen. When a person’s credit card information is stolen, they typically realize it quickly and then are able to cancel the card, saving themselves from any other risk. However with PHI, especially a medical record that may contain a few different forms of personal information, can be used in more ways than one and it typically takes longer for an information breach to be detected. Once a breach has occurred, it will still take a bit of time for an organization to determine what information was taken and what people it will affect. 

Multiple Uses for Data 

Another reason that medical records are extremely valuable to hackers is that there are many ways to use that data on the dark web. This information can be used to purchase prescriptions, receive treatment or make fake medical claims. These actions can cause long-term and widespread chaos for those whose information has been stolen. A breach of PHI can pose a real threat to patients and healthcare systems alike, so it's worth protecting. 

Increasing Number of Attacks 

Each year Verizon releases data breach reports that tell the story of that year's worth of breaches that have occurred. Between the 2016 and 2019 reports, the number of data incidents and breaches increased by three times. The recent 2020 report shows that these numbers have continued to grow, now revealing a 71% increase in the number of breaches this year. With many of the challenges with COVID-19 and a work-from-home environment, organizations need to be more aware than ever that the PHI they are responsible for is completely secure and protected. 

COVID-19 and PHI

Especially in the middle of a nationwide healthcare crisis, PHI is at an even higher risk than it typically is. While healthcare providers are working overtime to take care of COVID-19 patients, some of their attention may be taken away from PHI security. Since the beginning of the pandemic, the FBI has reported about 2,000-3,000 more cybersecurity complaints each day from the typical 1,000 a day. Many of the increased cybersecurity attacks can be explained by the hackers desire to gain information about COVID-19 related information and use these vulnerabilities to do so. It is fairly typical that any monumental event within a country would spur on a spike in cyberattacks as it has happened in the past with other events, and is happening again with COVID-19. This crisis in particular has moved most of the workforce to remote work which has presented a whole new set of challenges to staying HIPAA compliant in a work-from-home environment

How to protect PHI from hackers 

HIPAA is made up of a few different rules that are designed to protect the privacy and security of PHI that is in the possession of covered entities and their business associates. These rules require that these organizations follow certain physical, technical and administrative safeguards that ensure that PHI will be kept safe. These safeguards, which you can read more about here, mandate that organizations take certain steps like implementing workforce training and management, limiting access to facilities or devices that contain PHI and requiring all data to be carefully encrypted. 

Due to the high value of PHI data, healthcare organizations should regularly assess the steps that they are taking to ensure the security of PHI. Although a breach of information is not entirely avoidable, it is important that a healthcare provider takes all the steps possible to lessen the risk and comply with all aspects of HIPAA. If you are wanting to see what risks may exist to PHI within your organization, complete Accountable’s free HIPAA risk analysis. It will help you know what steps need to be taken! 

PHI is important to individuals and valuable to hackers which makes it vital for organizations to protect. HIPAA lays out all the requirements and safeguards that should be put in place so that each person’s identifiable health information is kept secure from cyber criminals. For more information on how to understand the risks associated with storing, sharing and maintaining PHI and what steps need to be taken to be HIPAA compliant, ask Accountable today. Accountable is a software platform that was created to make HIPAA compliance simple therefore keeping PHI safe from any risks. 


Need HIPAA help?

Accountable can help you achieve HIPAA compliance for your company.

More Articles