Showing results for 
Search instead for 
Did you mean: 

PHI: The Real Crown Jewels

Level 1

One of the most common axioms we refer to at Veritas is that data is your most important asset, but in most instances it’s actually pretty difficult to quantify the value of your data.  While the burgeoning practice of Infonomics (shout out to Doug Laney) is just starting to take off, we know most organizations have little to no idea what the majority of their data is worth

One industry where that’s not exactly the case is the healthcare space…where each individual piece of Protected Health Information (PHI) is actively being pursued, stolen, and sold by cybercriminals for its inherent worth on the black market.  Industry experts have pegged medical records to be worth 10x more than credit card numbers because of the wide array of illicit activities that can be undertaken with someone’s healthcare data.  There’s also the flipside to this valuation, which is how much a stolen record costs an organization that has been breached. 

The 2017 Ponemon Cost of a Data Breach report reveals that Healthcare organizations have the most expensive per capita breach cost, at $380 per medical record stolen.  The global, cross-industry benchmark is $141.  Therefore, any way you cut it, medical records are incredibly valuable and need robust protections, because they are constantly under attack.

Earlier in January, Onco360 and CareMed Specialty Pharmacy revealed that three employee accounts were compromised and upon a detailed review of these accounts, “it was determined that a limited number of those e-mails may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers of some of the patients receiving services from Onco360 and CareMed Specialty Pharmacy.”  Further analysis revealed that personal data from 53,173 patients was exposed as a result of the attack.  If you take Ponemon’s benchmark and multiply by the number of records stolen in the Onco360/CareMed attack, it will cost the organization somewhere in the range of $20.2 million, certainly cutting into their operating budget for the year and potentially damaging their relationship with existing customers, which could harm their prospects for future growth.   

One of the aspects about this breach that piqued my interest is the content that was so destructive was comprised of the messages and attachments that were in the employees’ email accounts.  Email is a common target of phishing attacks, but organizations have a relatively poor track record at understanding the content sitting within their employees’ email and managing it appropriately. 

At Veritas, we recommend that customers at all organizations, and especially in healthcare organizations, use data classification to help them understand where their sensitive data is so they can appropriately apply governance and security policies that will protect that critical information. 

Veritas’ Integrated Classification Engine classifies nearly all types of unstructured content, including emails, with a consistent set of policies that are pre-defined to meet the needs of the world’s strictest data privacy requirements.  Specific to healthcare, the Classification Engine comes preloaded with a HIPAA policy that brings together critical healthcare specific keywords and tags to ensure effective PHI controls are in place. 


To experience Veritas’ Integrated Classification Engine in action, we encourage you to experiment with our Risk Analyzer and classify our sample data set or your own personal data.  Additionally, we’re headed to HIMSS 2018 from March 5-9, and look forward to connecting with you in person. If you’re attending, join us to learn more about our 360 approach for visualizing, protecting, storing, and governing your data.