Uploaded by Nayera Mohammed

Protected Health Information
Protected health information (PHI) includes all individually identifiable health information relating to the past,
present or future health status, provision of health care, or payment for health care of/for an individual that is
created or received by a Covered Entity or Business Associate.
Health information is individually identifiable if it contains any of the following identifiers:
• Names
• Geographic subdivisions smaller than a state
• Dates (except year only) directly related to an individual, including birth date, date of death, admission date, discharge date; and all ages over 89 (except that ages may be aggregated into a single category of age 90 or older)
• Telephone and fax numbers
• Email addresses
• Social security numbers (SSN)
• Medical record numbers (MRN)
• Health plan beneficiary numbers
• Account numbers
• Certificate/driver's license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URL)
• Internet Protocol (IP) addresses
• Biometric identifiers (including finger and voice prints)
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
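The identifier list above is the HIPAA Safe Harbor list, and the two exceptions it states (keep only the year of a date; collapse ages over 89 to "90 or older") are the rules a de-identification step has to implement. The following scanner is an added example, not code from the original page: it reports which pattern-shaped identifier classes appear in a free-text record and produces a de-identified copy. The regular expressions and the sample record are constructed for illustration; names and geographic subdivisions cannot be caught by regex and would need a named-entity pass, so they are deliberately left out.

```python
"""Safe Harbor identifier scanner.

Added example, not code from the original page. It flags which of the
identifier classes listed above appear in a free-text record and produces a
de-identified copy that follows the Safe Harbor rules the list states: full
dates are reduced to the year, ages over 89 collapse to "90+", and the other
pattern-shaped identifiers are replaced by a class token. The regexes and the
sample record are constructed assumptions; names and geography need a proper
NER pass and are deliberately out of scope here.
"""
import re
from typing import Dict, List, Tuple

# Order matters for redaction: URLs go before e-mail/IP so a host inside a
# URL is replaced together with the URL rather than matched on its own.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "url": re.compile(r"https?://\S+?(?=[.,;:)]*(?:\s|$))"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}\b"),
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),
    "age": re.compile(r"\b(\d{1,3})[ -]?(?:years?[ -]old|y/?o)\b", re.I),
}


def scan(text: str) -> Dict[str, List[str]]:
    """Return identifier class -> matched strings. Ages of 89 or under are
    not Safe Harbor identifiers and are not reported."""
    found: Dict[str, List[str]] = {}
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "age" and int(m.group(1)) <= 89:
                continue
            found.setdefault(name, []).append(m.group(0))
    return found


def deidentify(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (de-identified text, findings from scan())."""
    findings = scan(text)

    def age_sub(m: "re.Match[str]") -> str:
        # keep "57 years old"; turn "92-year-old" into "90+-year-old"
        if int(m.group(1)) <= 89:
            return m.group(0)
        return "90+" + m.group(0)[len(m.group(1)):]

    out = PATTERNS["age"].sub(age_sub, text)
    out = PATTERNS["date"].sub(lambda m: m.group(3), out)  # year only survives
    for name, pat in PATTERNS.items():
        if name not in ("age", "date"):
            out = pat.sub(f"[{name.upper()}]", out)
    return out, findings


# Constructed sample record; not real patient data.
SAMPLE = (
    "Pt Jane Q. Roe, MRN 0048213, DOB 03/14/1931, 92-year-old, admitted 05/02/2023. "
    "SSN 123-45-6789, phone (831) 459-0100, email jroe@example.org. "
    "Portal login from 10.12.4.77 via https://portal.example.org/visit/77. "
    "Brother, 57 years old, is emergency contact."
)

if __name__ == "__main__":
    clean, hits = deidentify(SAMPLE)
    for cls, vals in hits.items():
        print(f"{cls:6s} {vals}")
    print(clean)
```

Running it on the constructed record leaves "Jane Q. Roe" untouched, which is the point of the caveat: regex de-identification is a first pass, not a Safe Harbor determination on its own.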
Your medical information is worth ten times more than your credit card number.
Healthcare data is so valuable, and so appealing to cyber criminals, because:
• A healthcare record contains far more than the financial data held by other industries: detailed identity data as well as financial data such as credit card information.
• The information is of a critical nature, making it much more attractive for ransom.
• Healthcare data carries a much higher value on the dark market.
• The data has multiple uses, including medical fraud and basic identity theft.
How to Protect Your Organization?
There are several areas that need to be appropriately managed in order to mitigate the risk of a cyber security event. Compliance with the HIPAA Security Rule is a great start; however, compliance does not equal security. Some of the areas that need consistent attention are:
• An inventory of the devices accessing your network.
• A patch management solution to ensure known vulnerabilities are patched.
• An up-to-date antivirus and anti-malware solution on every device.
• Regular, third-party security risk assessments.
• Encryption of patient data on servers and especially on mobile devices.
• Encryption of patient data in transmission.
There are also some low-tech measures that can be put into place to help mitigate your security risks:
• Limiting access to electronic systems through the principle of least privilege;
• Ensuring only IT administrators have access to alter IT policies and system configuration;
• Keeping patient data out of sight to prevent smartphone cameras from snapping quick pictures;
• Implementing UCSC's Password Strength and Security Standards.
Cyber Security’s Impact on Telemedicine
Telemedicine and telehealth services rely completely on the transfer of data from one location to another,
whether it’s through interactive video consultations, store and forward technology or remote patient
monitoring. Unfortunately, this data can be stolen or even manipulated during transmissions by cyber
criminals looking to harm patient outcomes.
That's why all players in the health IT sector, including healthcare organizations, internet service providers, EHR vendors and data centers, need to join together and commit to protecting our health data.
With some preparation, planning and investment in time and resources, all healthcare providers using 21st
century technologies such as telemedicine can be on the path to 21st century security and protection, giving
control back to the healthcare provider and peace of mind back to patients.
Types of Telemedicine and Telehealth Communications:
• Video conferencing
• Audio-only phone calls
• Remote auscultation using electronic stethoscopes
• Tele-eICU
• Diagnostic review of medical/health data
• Secure messaging
• Remote patient monitoring (RPM)
• AI and robotic assisted examination and diagnosis
Aims of securing telemedicine technologies and communications:
• Protect patients and business partners
• It is good business practice to maintain the confidentiality of patient information
• Laws such as the Health Insurance Portability and Accountability Act (HIPAA) require the implementation of security measures to protect protected health information (PHI)
• Information security (InfoSec) is not just about confidentiality
Measures specified for telemedicine security:
• The techniques used to secure telemedicine services are not, in general, unique to telemedicine
• HIPAA, for example, does not specify particular information security technologies
• Technology is always advancing
• Hackers are always looking for vulnerabilities
• Organizations must implement reasonable and appropriate administrative, technical and physical controls to safeguard PHI
Cybersecurity is all about controlling access: preventing unauthorized access to computers, networks and data while allowing authorized access for those who need it.
Technology Considerations for the Rest of 2020: Cybersecurity (Risks and Vulnerabilities Update)
At the onset of the COVID-19 pandemic, there was a dramatic increase in phishing email campaigns directed toward the health care sector. These emails are cloaked under the guise of important information related to COVID-19. They make false promises of retailers selling N95 masks and raise false hope for lifesaving ventilators, but instead are often laden with malware and malicious links.
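The campaign pattern just described (a lure built on masks and ventilators, sent from outside, dressed up to look internal, carrying a malicious link) is something a mail gateway can triage mechanically. The following is an added example, not code from the original page, using only the Python standard library: it parses an inbound message, labels external senders, spots a look-alike sender domain by edit distance, flags a display name that borrows the organisation's name, detects anchor text whose visible URL disagrees with its href, and counts the lure vocabulary. The organisation domain, the lure word list and both sample messages are constructed assumptions.

```python
"""Phishing triage for the COVID-era lures described above.

Added example, not code from the original page; standard library only.
Each inbound message is checked for the things that mark those campaigns:
an external sender wearing an internal display name, a look-alike sender
domain, link text that points somewhere other than its href, and the
mask/ventilator/urgency vocabulary. External mail gets a subject label.
The organisation domain, lure words and both sample messages are
constructed assumptions.
"""
import re
from email import message_from_string, utils
from email.message import Message
from typing import Dict, List

ORG_DOMAIN = "clinic.example"          # assumed internal mail domain
ORG_NAME = "clinic"                    # word a spoofed display name would reuse
LURE_WORDS = ("covid", "n95", "ventilator", "urgent", "immediately")

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from our domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(
        p.get_payload(decode=True).decode("utf-8", errors="replace")
        for p in parts if p.get_content_type() in ("text/plain", "text/html")
    )


def triage(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    name, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    flags: List[str] = []

    external = domain != ORG_DOMAIN
    if external:
        flags.append("external-sender")
        if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        if ORG_NAME in name.lower():
            flags.append("display-name-spoof")
    for href, text in ANCHOR_RE.findall(body):
        h, t = HOST_RE.search(href), HOST_RE.search(text)
        if h and t and h.group(1).lower() != t.group(1).lower():
            flags.append("link-text-mismatch")
            break
    haystack = (subject + " " + body).lower()
    if sum(w in haystack for w in LURE_WORDS) >= 2:
        flags.append("covid-lure")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {
        "from_domain": domain,
        "flags": flags,
        "subject": subject,
        "verdict": "quarantine" if len(flags) >= 3 else "deliver",
    }


# Constructed samples, not real mail.
PHISH = """\
From: "Clinic IT Helpdesk" <helpdesk@c1inic.example>
To: dr.roe@clinic.example
Subject: URGENT: N95 masks and ventilators allocated - confirm COVID shipment
Content-Type: text/html

<p>Ventilators are reserved for your unit. Confirm immediately:</p>
<a href="http://c1inic-supply.example/login">https://clinic.example/supply</a>
"""

LEGIT = """\
From: "Dr. Roe" <dr.roe@clinic.example>
To: nurse@clinic.example
Subject: Rounds schedule
Content-Type: text/plain

Rounds start at 7am tomorrow.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(triage(sample))
```

The quarantine threshold of three flags is a deliberate design choice: a lone external sender or a single lure word is normal traffic for a clinic, so the decision rests on the combination of spoofing signals, not on any one of them.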
Cyber-attacks that disrupt patient care services and pose a risk to patient safety, such as ransomware attacks, are of the greatest concern. Successful ransomware attacks can cripple a health care provider by preventing access to medical records and disabling mission-critical systems, resulting in a delay of care for the patient. There are ramifications for the providers as well. Ransomware attacks cause an interruption and loss of revenue. Remedying and recovering from an attack can also be very expensive. Further, attacks create legal and regulatory exposure and reputational harm. Unfortunately, during the pandemic we have seen a significant increase in successful ransomware attacks targeting small and large providers. With the onset of EHR and health information technology interconnectivity to support clinically integrated care, we have seen attacks on individual providers cause a disrupting ripple effect among many providers, including physician offices, hospitals, ambulatory surgery centers, labs, pharmacies, and imaging centers.
To stay ahead of such vulnerabilities, medical practices and hospitals should request routine updates from their health information technology vendors or security professionals. Network security requires both technology and the policies that keep that technology up to date. Below, you'll find a list of questions to ask your vendors to help ensure you're staying on top of your network security needs.
Privacy
Physicians are responsible for the privacy and security of PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Among other things, HIPAA requires physicians and hospitals to comply with the following requirements:
• Enter into BAAs with third parties using, storing, transmitting, or otherwise managing PHI on behalf of the physician or hospital, to ensure PHI is appropriately handled by the third party
• Conduct a Security Risk Analysis to identify and evaluate what may expose PHI to inappropriate use or disclosure, and take steps to address vulnerabilities
• Develop and implement policies and procedures to help ensure the proper confidentiality and security of PHI
Telehealth
The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.
Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including videoconferencing software. For purposes of reimbursement, certain payors, including Medicare and Medicaid, may impose restrictions on the types of technologies that can be used. Those restrictions do not limit the scope of the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.
Health Industry Cybersecurity: Securing Telehealth and Telemedicine
Associated Cybersecurity Risk
The expanding use of remote technology in healthcare, including for telehealth and telemedicine, has been accompanied by a substantial increase in connectivity and exposure. According to a recent study by SecurityScorecard and DarkOwl LLC, the rapid adoption and onboarding of telehealth vendors has led to a significantly larger digital footprint and attack surface, leaving both provider and patient data at risk. Consequently, hackers and criminal groups are able to exploit these vulnerabilities and infiltrate a network for financial gain or operational disruption. For example, according to the study, in 2020 telehealth providers experienced a nearly exponential increase in targeted attacks as their popularity skyrocketed:
• 117% increase in website/IP malware security alerts
• 65% increase in security patching of known vulnerabilities
• 56% increase in endpoint vulnerabilities that enable data theft
• 16% increase in patient-accessed web application vulnerabilities
• 42% increase in file transfer protocol vulnerabilities that expose information travelling between a client and a server on a network
• 27% increase in remote desktop protocol security issues, given the widespread adoption of remote work
The Major Types of Attacks Against Telehealth Systems
Compromise of Confidentiality
• Theft of PII or PHI
• Credential harvesting
• Data exfiltration
Compromise of Integrity
• Exploitation of financial transaction systems
• Manipulation of clinical data
Compromise of Availability
• Ransomware
• Denial of Service
Non-exhaustive list of some of the best practices to keep health information secure:
• Continually educate all users of a system about cybersecurity threats and about how to use the healthcare information system securely.
• Always follow the rule of least privilege necessary when allowing access to healthcare information.
• Always patch security vulnerabilities on an urgent basis.
• Keep your system as simple as possible; more complexity makes it harder to secure and maintain.
• Document your policies, procedures, risk assessments, security incidents, etc.
• Maintain a regularly updated copy of your healthcare information system data on air-gapped media/systems.
• Disable employee access to healthcare information systems immediately when they leave the organization.
• Encrypt healthcare information in transit and at rest.
• Make effective use of the security features of the technology that your organization uses.
• Use multi-factor authentication for access to healthcare information systems.
• Use malware prevention and mitigation technologies, and label emails from external sources.
• Know where your organization stores its patients' PHI/PII and know the details of how it is communicated.
• At a minimum, require involvement of your organization's Chief Information Security Officer and HIPAA Privacy Officer in all projects involving healthcare information security.
• Utilize firewalls, intrusion preven
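The multi-factor authentication item in the list above is usually implemented with a time-based one-time password as the second factor, and the server-side check has two details that are easy to get wrong: tolerating a little clock drift without widening the window too far, and refusing to accept a code that has already been used. The block below is an added example, not code from the original page or from any particular product; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only. The seed and timestamps in the demo are the RFC 6238 test vector, and the replay cache is an in-memory stand-in for whatever shared store a real deployment would use.

```python
"""TOTP second factor (RFC 6238 over RFC 4226 HOTP), standard library only.

Added example, not code from the original page. It shows the server side of
the MFA item above: derive the expected code from a shared seed and the
current 30-second step, accept one step of clock drift either way, compare in
constant time, and refuse to accept the same code twice (replay). The seed
and timestamps used in the demo are the RFC 6238 test vector; the replay
cache is an in-memory stand-in for a real shared store.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set, Tuple

STEP = 30       # seconds per time step
DIGITS = 6
WINDOW = 1      # steps of drift tolerated on either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP))


# (secret, counter) pairs already accepted; one code must not log in twice.
_used: Set[Tuple[bytes, int]] = set()


def verify(secret: bytes, code: str, at: Optional[float] = None) -> bool:
    """Accept the code for the current step or one step either side, once."""
    now = time.time() if at is None else at
    counter = int(now // STEP)
    for delta in range(-WINDOW, WINDOW + 1):
        c = counter + delta
        if hmac.compare_digest(hotp(secret, c), code):
            if (secret, c) in _used:
                return False            # replay of an already-consumed code
            _used.add((secret, c))
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"     # RFC 6238 test seed, not a real secret
    print(totp(seed, at=59))            # 287082 per the RFC test vector
    print(verify(seed, "287082", at=59), verify(seed, "287082", at=59))
```

Two things a practitioner should note: the comparison uses hmac.compare_digest rather than == so that timing does not leak how many leading digits matched, and the replay cache is keyed by the counter the code matched, not by the time of the request, so a code accepted under the drift window cannot be presented a second time in the next step.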
Cybersecurity framework (the NIST Cybersecurity Framework):
The five Functions included in the Framework Core are:
• Identify
• Protect
• Detect
• Respond
• Recover
Make Security of Your Organization's PHI, including its Telemedicine and Telehealth Communications, "SIMPLER":
• Scalable
• Integral
• Managed
• Pro-active
• Layered
• Effective
• Responsive