
The Lockdown

Thycotic’s Cyber Security Blog

The Top Three Ways Personally Identifiable Information is Leaked in Healthcare

Written by Becca Stucky

March 3rd, 2015

Personally identifiable information (PII) related to healthcare data is 50x more valuable on the black market than credit card data, according to Alert Logic. Forty-three percent of all identity thefts in the United States in 2013 were attributed to medical-related identity theft (Logic, 2014).

The healthcare industry knows it needs to protect PII. It’s bad for business for PII to be exposed to the wide world, both because it hurts customer relationships and because it carries heavy fines for violating HIPAA. But how is PII being distributed? What are the key points of risk for a breach?

There are three main ways PII is distributed, and they are all equally important to consider when ensuring you have a strong data protection strategy.

1.) A cyber-attack

Attacks are a cyber security issue for any healthcare organization, and they can come from anyone. As we like to say at Thycotic, an attacker only has to be successful once, but an organization has to be successful at blocking attacks 100% of the time. An unfair distribution? Probably, but still true. Perimeter defense systems are important to protect against this kind of attack, as are network logging tools to detect anomalies. If that one attacker does get in, it’s also important to make sure they cannot get past the threshold, so to speak: make sure they cannot elevate their network privileges or move laterally within the network. To do this, changing privileged account passwords regularly is critical.

2.) An insider threat

Sometimes employees become upset with their organization. No one wants this to happen, but it can. Or, because healthcare data is so valuable, some employees look to PII when they cannot think of another way to turn. There are a couple of things you can do to limit this chance, like ensuring employees and contractors only have access to the level of information they truly need, and being able to immediately terminate access and change passwords when an employee leaves.
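The two controls named above (rotating privileged account passwords regularly, and cutting off access the moment someone leaves) are easy to state and easy to let slip. The following script is an added example, not Thycotic’s code, showing the kind of audit a security team can run against its own account inventory to catch both lapses. The account records, the HR termination list and the 90-day rotation threshold are all constructed for illustration; a real run would pull these from the directory and HR system.

```python
from datetime import date

# Constructed sample inventory (illustration only, not real accounts).
# One record per account: who it belongs to, whether it is privileged,
# whether it is currently enabled, and when its password last changed.
ACCOUNTS = [
    {"user": "dr.lee",      "privileged": False, "enabled": True,  "last_password_change": date(2015, 2, 20)},
    {"user": "svc-backup",  "privileged": True,  "enabled": True,  "last_password_change": date(2014, 6, 1)},
    {"user": "dba-admin",   "privileged": True,  "enabled": True,  "last_password_change": date(2015, 1, 15)},
    {"user": "j.doe",       "privileged": False, "enabled": True,  "last_password_change": date(2015, 2, 1)},
    {"user": "contractor7", "privileged": True,  "enabled": False, "last_password_change": date(2014, 12, 1)},
]

# Constructed feed of people HR says have left the organization.
TERMINATED = {"j.doe", "contractor7"}


def audit_accounts(accounts, terminated, today, max_privileged_age_days=90):
    """Return a list of (user, finding, password_age_days) tuples.

    Two checks, matching the two controls in the post:
      * stale_privileged_password: an enabled privileged account whose
        password is older than the rotation threshold (assumed 90 days).
      * terminated_user_still_enabled: an account that is still enabled
        although its owner appears on the termination list.
    Disabled accounts are skipped for the rotation check; an account that
    cannot log in is not a lateral-movement path.
    """
    findings = []
    for acct in accounts:
        age_days = (today - acct["last_password_change"]).days
        if acct["enabled"] and acct["privileged"] and age_days > max_privileged_age_days:
            findings.append((acct["user"], "stale_privileged_password", age_days))
        if acct["enabled"] and acct["user"] in terminated:
            findings.append((acct["user"], "terminated_user_still_enabled", age_days))
    return findings


if __name__ == "__main__":
    # Using the post's publication date as "today" for the constructed data.
    for user, finding, age in audit_accounts(ACCOUNTS, TERMINATED, date(2015, 3, 3)):
        print(f"{user:12} {finding:32} password age {age} days")
```

On the constructed data the script flags the backup service account, whose password has not changed in over nine months, and the still-enabled account of a user HR lists as departed; the disabled contractor account correctly produces nothing. Running a check like this on a schedule turns the two controls from good intentions into something that is actually measured.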

3.) A careless insider

They didn’t mean it. Maybe they left their company-issued phone in the taxi, or perhaps it wasn’t their fault at all and someone stole a device from them. Either way, especially when it comes to healthcare data, doctors and other staff have significant amounts of remote access to PII, and this is a big risk for fines, as we all know from Advocate Health Care, which leaked 4 million patient records. Lost or stolen devices are a leading cause of unintentional breaches. Make sure staff use strong passwords on all of their devices, and educate them not to text or e-mail sensitive information on unprotected devices.

