What Are the Best Ways to Safeguard PII and PHI?

| Posted on |

What Are the Best Ways to Safeguard PII and PHI?

Most Orlando businesses have to comply with at least one data privacy regulation, and many with more than one.

If you take credit or debit cards, then you have to protect that data according to the Payment Card Industry Data Security Standard (PCI DSS). If you handle any type of patient information, then compliance with the Health Insurance Portability and Accessibility Act (HIPAA) is required.

Penalties for exposure of personally identifiable information (PII) or protected health information (PHI) can be stiff and go beyond the fines you might get from a regulatory authority.

A HIPAA violation can result in a fine of between $100 to $50,000 per violation.

Costs from a data breach and exposure of PII or PHI don’t only come in the form or violation penalties. Companies experience loss of trust with customers or patients whose data was exposed. A breach can cost companies both current and future business.

Protecting the sensitive personal information your company collects or processes is important and it can be done with a multi-layered strategy, which includes some of the following safeguards.

Perform a Data Privacy Risk Assessment

You can’t properly protect PII and PHI if you don’t have a roadmap that tells you were vulnerabilities might be.

A data privacy risk assessment looks at things like:

  • Why is data being collected?
  • Where is data being stored?
  • Who has access to data?
  • What security systems are in place to protect data?
  • What vulnerabilities are there for a breach?

The goal is to identify and address all areas of risk for exposure of sensitive data that is handled by your company so you can address vulnerabilities and ensure proper security.

Use the Rule of Least Privilege

Not all employees need access to all the PII/PHI that may be collected by your company. You can keep that data more secure by restricting access to as few people as possible.

Approximately 90% of data breaches are caused by human error, so restricting access reduces your risk of data leakage or exposure due to an employee mistake.

The Rule of Least Privilege is simple, it states that you should give employees the lowest possible access level in your IT and data systems that still allow them to do their daily tasks.

Use Systems that Encrypt Data

Data encryption helps keep data secure while it’s in transit from one system to another and can help keep a laptop thief from being able to access any personal data on a device.

Encryption can be done using technologies like virtual private networks (VPNs) and device-level encryption applications. Wherever PII or PHI is stored, the storage should also be encrypted to prevent exposure.

Ensure All Devices Follow Cybersecurity Best Practices

Breaches of protected information often happen at the device level. If a hacker is able to gain access to a network endpoint, they can often then breach a network server that device has access to, and which could hold PII/PHI.

Make sure you protect all devices (including tablets and smartphones) using standard IT security best practices. These include:

  • Managed antivirus/anti-malware
  • Timely OS, firmware, and software updates
  • DNS filtering
  • Device firewall
  • Email phishing/spam filtering
  • Passcode-protected screen lock

Implement Standard Security Policies

Employees can often cause a breach of PII or PHI accidentally because there is not standard security policy in place that they’ve been trained on.

For example, a new employee might write down a customer’s credit card number on a sticky note as they’re receiving it over the phone, then toss the note in the trash after they’ve placed the sale in your system. That note could then be found later by someone else who now has access to the customer’s credit card number.

Clear data security policies help prevent mistakes like that from happening by giving clear guidelines on all handling of sensitive information and PII/PHI. For example, in the case above the protocol might be to shred any paper with sensitive information before throwing it away.

Automate Data Security Where Possible

The more you can automate your security protections, the less you leave to chance or human error. There are many ways to automatically encrypt, watermark, or otherwise protect data using technology.

Such as sensitivity labels in Microsoft 365. Once set up, these labels can be required on all documents and emails and attach certain levels of security to each that stick with and follow that document through the system.

They can include automatic do-not-copy, encryption, access restriction, and more.

Next-Gen Firewall With Advanced Threat Protection (ATP)

Your first line of defense from intrusions is your network firewall. Next-gen firewalls with ATP are able to detect advanced threats and take automated actions immediately to neutralize them and protect your network from being breached.

They will also include proactive threat hunting capabilities to help detect malicious code before it has a chance to materialize into a data breach.

Schedule a Data Privacy Risk Assessment Today

C Solutions can help your Orlando area business with a data privacy risk assessment to identify where you may be vulnerable to a breach.

Schedule a free consultation today! Call 407-536-8381 or reach us online.