What is ePHI?
Electronic protected health information (ePHI) is any identifiable information generated, processed, stored, or transmitted electronically by healthcare facilities, including hospitals, hospices, and health insurance agencies. Examples of ePHI include patient demographics like names, addresses, and email addresses, and healthcare data like prescriptions, blood test reports, and biometric identifiers.
ePHI and HIPAA
In the US, the Health Insurance Portability and Accountability Act (HIPAA) mandates stringent security standards for storing, sharing, and managing protected health information. Neglecting to comply with these security standards or failure to protect patients' privacy can result in heavy financial penalties and damage to reputation. Organizations that adhere to HIPAA are required to closely monitor accesses and modifications to files that contain ePHI, and prevent its leak and theft. A HIPAA compliance tool can be used to help with maintaining stringent data security standards.
Some of the major cybersecurity requirements based on technical controls mandated by HIPAA for securing ePHI include:
Tracking all unauthorized file changes to ensure data integrity is preserved. (Sections 10.5.5 and 11.5)
Detecting crucial file and folder activity with the help of timely notifications, which is necessary to track potential data leaks or theft. (Section 164.312)
Analyzing security permissions for the files containing ePHI to ensure that only the right personnel have been granted access to the data. (Section 164.312)
Responding to mass file access events promptly to prevent malware infections or data breaches. (Section 164.312)
How to secure ePHI
ePHI, like all other sensitive information, has to be secured with the most stringent measures. Personal data stored in file servers, cloud storage, or other repositories can be discovered and located using a data discovery tool. It should then be processed by a data classification tool so the correct priorities can be applied for the right level of security control.
Once located and classified, sensitive data needs to be secured in all instances—file server, cloud storage, and endpoints—to prevent manipulation or theft. Deploy a data leak prevention solution to monitor and control endpoint activity, including copy actions on files classified as sensitive. Use cloud protection software to monitor user access to web applications and incoming traffic from the internet.