Healthcare Use Case: Protected Health Information under HIPAA

Enacted in 1996 by the Department of Health and Human Services (HHS), the HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by the healthcare industry.

Healthcare is a lucrative target for attackers, who exploit misconfigured IT infrastructure and applications with weaponized ransomware and phishing emails. In the last 10 years, cyber criminals successfully carried out 2,181 healthcare data breaches. Those breaches resulted in the theft or exposure of 176,709,305 healthcare records, nearly half the population of the United States. Healthcare data breaches are now reported at a rate of more than one per day. In the largest of 2018, UnityPoint Health notified 1.4 million patients that their records may have been breached when its business system was infiltrated. Sadly, this was the second breach for UnityPoint: five months earlier, phishing attacks at its Madison campus had exposed the data of 16,000 patients. In all of these cases the problem arises from the common practice of building concentric layers of security to keep attackers out, rather than directly encrypting, and thus protecting, the data itself.

On the other side of the coin are internal threats. Breaches are often attributable to the use of personal mobile devices in the workplace. BYOD policies have created new exposure: up to 80% of healthcare providers use smartphones, tablets or laptops to support their workflows. According to a survey conducted by the Health Information Trust Alliance, 41 percent of PHI breaches are attributable to the theft of an employee's mobile device or portable media.

Deploying Bonafeyed's technology at healthcare businesses encrypts patients' PHI in real time, and the data remains protected when accessed by accounting staff, physicians or registered nurses at terminals or on mobile devices. In addition, patient data placed on backend ERP systems or in the cloud for collaboration or archival storage remains fully protected.

Bona-Data™ Enterprise Gateway (DSE) is the fastest deployment option for legacy applications and requires no client plugins. Bonafeyed can individually protect PHI data fields within backend ERP databases, and Bonafeyed's Encryption Key Management Cloud Service (KMS) validates and authorizes access to the protected data using an 800-bit stream-cipher-based technology.

When encrypted data is lost, stolen, abandoned or forgotten, it remains protected, and it becomes permanently inaccessible once its keys are deleted or retired. Cyber criminals or non-authorized internal users obtain only unintelligible data, which exceeds what HIPAA's Privacy Rule requires.
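To show concretely what field-level PHI encryption with key retirement means, here is an added example that is not Bonafeyed's code: it uses standard AES-256-GCM instead of the 800-bit stream cipher, and the `KeyStore` type is a placeholder standing in for a key-management service. Each PHI column is sealed under a key held only by the key service, the column name is bound as associated data, and retiring the key makes every field sealed under it permanently unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for a key-management service (a placeholder, not Bonafeyed's KMS).
// It maps key ids to data-encryption key material; Retire deletes that material.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Issue creates a fresh random 256-bit AES key under keyID.
func (ks *KeyStore) Issue(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	ks.keys[keyID] = k
	return nil
}

// Retire deletes the key; every field sealed under it is now permanently unreadable.
func (ks *KeyStore) Retire(keyID string) { delete(ks.keys, keyID) }

func (ks *KeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok { return nil, errors.New("key retired or unknown: " + keyID) }
	block, err := aes.NewCipher(k)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField seals one PHI field with AES-256-GCM, binding the column name as
// associated data so a ciphertext cannot be replayed into a different column.
func (ks *KeyStore) EncryptField(keyID, column string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(keyID)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, []byte(column)), nil // stored as nonce||ct||tag
}

// DecryptField is the authorized-access path; it fails on a retired key, a wrong column or tampering.
func (ks *KeyStore) DecryptField(keyID, column string, blob []byte) ([]byte, error) {
	g, err := ks.aead(keyID)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(blob) < n { return nil, errors.New("stored blob too short") }
	return g.Open(nil, blob[:n], blob[n:], []byte(column))
}
```

A database row would store only the blob returned by `EncryptField` plus the key id, so a stolen backup or device yields nothing once the key service retires that key.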