In January of this year, the HIPAA Omnibus Final Rule was published, implementing more specific requirements for protecting PHI data and steeper penalties for failing to comply. With a final deadline of September 25, 2013, many organizations that create or handle PHI are scrambling to find a solution.
It should not be surprising that there has been an increased focus on PHI regulations, as the percentage of healthcare organizations reporting a data breach is skyrocketing. 94% of healthcare organizations have had at least one data breach in the past two years, and the annual cost to the healthcare industry could soon reach an estimated $7 billion, according to research from the Ponemon Institute.
Healthcare is one of the worst-performing US industries in security effectiveness and breach prevention. Because the PCI industry has instituted sweeping protection requirements for payment card data, unprotected PHI data, including insurance information, prescription details and medical files, has become a prime target for commoditized insurance fraud. The 2013 Data Breach Investigations Report from Verizon disclosed that over 90% of breaches go unnoticed by internal resources. The Omnibus legislation can impose penalties of up to $1.5 million per breach.
The most effective form of PCI data security, tokenization, is steadily gaining ground over encryption. The high levels of security, flexibility and transparency provided by tokenization have proven results: PCI audit scope and duration can be dramatically reduced, applications require few changes to process tokenized data, and over the last year tokenization users had 50% fewer security-related incidents than non-users, according to a recent Aberdeen study.
Due to its inherent advantages, tokenization has also recently seen a surge in organizations using it for information other than cardholder data. Nearly 47% of respondents to a recent Aberdeen study are using tokenization for something other than cardholder data. As tokenization can be applied to any structured data, it follows naturally that organizations looking to protect PHI data could benefit greatly by implementing a tokenization solution. In conjunction with best practices such as file encryption, policy-based access controls, and central monitoring and auditing, the healthcare industry could see the same effective results that the payment card industry is realizing today.
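To make concrete what "applying tokenization to structured PHI data" means, here is an added example of a vault-based tokenizer; it is illustrative code written for this page, not any vendor's product or the author's own implementation. It assumes a patient record as a plain dictionary with constructed field names (`ssn`, `member_id`, `name`), replaces PHI values with random format-preserving tokens so downstream applications need few changes, keeps the only token-to-value mapping inside the vault, and gates detokenization behind the policy-based access control and audit logging the paragraph above lists as companion practices.

```python
"""Vault-based tokenization of PHI fields (added example; field names and roles are constructed)."""
import hashlib
import hmac
import secrets
import string

# Record fields that hold PHI and must leave the protected zone only as tokens (constructed names).
PHI_FIELDS = ("ssn", "member_id", "name")
# Roles allowed to recover the original value (constructed policy for this example).
ALLOWED_DETOKENIZE_ROLES = frozenset({"clinician", "billing"})


class TokenVault:
    """Maps PHI values to random, format-preserving tokens.

    A token carries no information about its value; the only way back is the
    vault's lookup table. That is what shrinks audit scope: only the vault, not
    every application holding tokens, must be hardened and audited.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the deterministic lookup index
        self._by_index = {}           # HMAC(field:value) -> token, so repeats reuse one token
        self._by_token = {}           # token -> (field, value)
        self.audit_log = []           # stand-in for central monitoring of detokenize calls

    def _index(self, field: str, value: str) -> str:
        # Keyed hash: a copied index table does not reveal values without the key.
        msg = f"{field}:{value}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    @staticmethod
    def _format_preserving_token(value: str) -> str:
        # Separators, length and letter case are kept so existing field validation
        # still passes; every letter and digit becomes a cryptographically random one.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, field: str, value: str) -> str:
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no letters or digits to randomize")
        idx = self._index(field, value)
        token = self._by_index.get(idx)
        if token is None:
            token = self._format_preserving_token(value)
            # Reject collisions with existing tokens and tokens identical to the value.
            while token in self._by_token or token == value:
                token = self._format_preserving_token(value)
            self._by_index[idx] = token
            self._by_token[token] = (field, value)
        return token

    def detokenize(self, token: str, caller: str, role: str) -> str:
        # Policy check plus an audit entry for every attempt, allowed or not.
        allowed = role in ALLOWED_DETOKENIZE_ROLES
        self.audit_log.append({"caller": caller, "role": role, "token": token, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize PHI")
        return self._by_token[token][1]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with PHI fields replaced by tokens; other fields pass through."""
    return {k: (vault.tokenize(k, v) if k in PHI_FIELDS else v) for k, v in record.items()}


def same_format(original: str, token: str) -> bool:
    """True if the token has the same length, separators and character classes as the original."""
    if len(original) != len(token):
        return False
    for a, b in zip(original, token):
        if a.isdigit() != b.isdigit() or a.isalpha() != b.isalpha():
            return False
        if not a.isalnum() and a != b:
            return False
    return True


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed sample record, not real patient data.
    record = {"ssn": "123-45-6789", "member_id": "ABC123456", "name": "Jane Doe", "visit_date": "2013-09-25"}
    safe = tokenize_record(vault, record)
    print(safe)                                                         # tokens in place of PHI
    print(vault.detokenize(safe["ssn"], caller="dr.smith", role="clinician"))
    print(vault.audit_log)
```

The design point to notice is that tokens are random rather than derived from the value, so an attacker who obtains the tokenized records alone learns nothing, and the keyed index exists only so that the same value maps to one token consistently across the organization; the vault's own storage would still be covered by the file encryption and monitoring controls mentioned above.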
With more stringent data security requirements and regular audits on the horizon, in addition to increasing attacks on PHI data, organizations should act now to protect their data, before it’s too late.