Where’s Your Patient Data Hiding?

By: Robbie Morris on Feb 6, 2018 8:27:26 AM

They were surprised, and you likely will be, too.

Of the hundreds of healthcare organizations I’ve helped document HIPAA compliance and meet its requirements, most are unaware that their Protected Health Information (PHI) is exposed in some way. If an attacker took advantage of that exposure, it could harm your patients, bring large HIPAA fines, and cost you your reputation.

How can you protect YOUR PHI if you don’t know where it lives?

Patient data can be stored in unlikely or unnoticed places. Here are a few hiding places I’ve helped organizations identify:

  • Shortcuts – The management at your office has been diligent about HIPAA compliance efforts. Your entire team knows the process for keeping patient data safe. But the managers don’t know about the folder on the desktop of their intake manager’s laptop. She’s been using it as a shortcut for getting patients into the system more quickly. A HIPAA audit today would find more than 300 patients’ PHI on this one laptop. Imagine the shortcuts taken by other employees in the organization: the amount of exposed data could be staggering.
  • Email – I know what you’re thinking. You know the email you send and receive is secure because that was a priority when your team was looking for the best email option. And I salute you for being so diligent! However, there is a piece that is often overlooked. Encryption protects the message while it travels, not the copies that stay behind. At any given time, the Sent folder on your email users’ phones and PCs can be riddled with patient data that is not protected.
  • Scans – Some photocopiers and multifunction printers automatically save images of scanned documents on their internal hard drives. If a copier is returned to the leasing company without that data being properly wiped, the PHI leaves with it, and that is a HIPAA violation. Treat the copier’s drive like any other disk that held patient data: sanitize or destroy it before the device leaves your control.
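The first two hiding places above are just files sitting on a laptop, so the practical first step is to sweep the machine for anything that looks like PHI. The script below is an added example and not code from the original post or from C Spire. It builds a constructed stand-in for a laptop (a desktop “shortcut” folder, a mail client’s Sent folder, and some harmless files), then walks the tree and reports every text file that contains a PHI indicator and which indicator tripped it. The indicator patterns (an SSN-shaped number, a “DOB” label, an “MRN” label, a diagnosis label), the file names and the sample contents are all assumptions made for the demo; a hit means “open this file and look”, not “this is certainly PHI”.

```python
"""Sweep a directory tree for files that look like they hold PHI.

Added example: not code from the original post or from C Spire.
Everything under build_sample_tree() is constructed sample data.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicator patterns, kept deliberately simple. Each hit is reported by
# name so the report says *why* a file was flagged.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\s*[:=]", re.IGNORECASE),
    "mrn": re.compile(r"\b(?:MRN|medical record (?:number|#))\b\s*[:=#]?\s*\d+",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|dx)\b\s*[:=]", re.IGNORECASE),
}

# Only plain-text formats are inspected here; office documents, PDFs and
# mailbox databases need a format-aware reader and a separate pass.
TEXT_SUFFIXES = {".txt", ".csv", ".eml", ".log", ".md", ".json", ".xml", ".html"}
MAX_BYTES = 5 * 1024 * 1024


def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators found in one file (empty if none)."""
    try:
        if path.stat().st_size > MAX_BYTES:
            return []
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []  # unreadable files are skipped, not treated as clean
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def find_phi_candidates(root: Path) -> dict[str, list[str]]:
    """Walk `root`; map each flagged file (path relative to root) to its indicators."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        found = scan_file(path)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree() -> Path:
    """Constructed stand-in for a laptop: a desktop 'shortcut' folder, a mail
    client's Sent folder, and two files that must NOT be flagged."""
    root = Path(tempfile.mkdtemp(prefix="phi-sweep-"))
    (root / "Desktop" / "intake").mkdir(parents=True)
    (root / "Mail" / "Sent").mkdir(parents=True)
    (root / "Documents").mkdir()
    # The intake manager's shortcut: a spreadsheet of new patients.
    (root / "Desktop" / "intake" / "new_patients.csv").write_text(
        "name,dob,ssn\nJane Roe,DOB: 1970-01-02,123-45-6789\n"
    )
    # A referral that was sent encrypted, but whose copy stayed in Sent.
    (root / "Mail" / "Sent" / "referral.eml").write_text(
        "Subject: referral\n\nMRN 0001234, Dx: hypertension, see attached.\n"
    )
    # Harmless files: a phone number is 3-3-4 digits, not SSN-shaped.
    (root / "Documents" / "lunch_menu.txt").write_text("Tuesday: tacos\n")
    (root / "Documents" / "phone_list.txt").write_text("Front desk: 601-555-0100\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, indicators in find_phi_candidates(sample_root).items():
        print(f"{rel}: {', '.join(indicators)}")
```

Run it against a real user profile by passing that path to `find_phi_candidates` instead of the constructed tree. The point of naming each indicator in the report is triage: a file flagged only for a lone SSN-shaped number is a different conversation from a CSV that trips SSN, DOB and MRN at once.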


The OCR Knows

These hiding places are no surprise to the Department of Health & Human Services’ Office for Civil Rights (OCR). That’s why the HIPAA Security Rule requires a true security risk analysis: a thorough assessment of where patient data lives and how it could be compromised, a review of policies and procedures, employee interviews in preparation for a HIPAA-HITECH audit, an analysis of operational threats, and more. And remember, any business associate who comes in contact with your patient data is also accountable for protecting it. You have a responsibility to make sure those associates are protecting your PHI just as diligently as you are.

Robbie Morris is C Spire's VP of Healthcare and Security Solution Services. Contact him at


Topics: Healthcare, Cybersecurity Awareness Training
