Protected Health Information were detected on the system

Protected Health Information were detected on the system

Risk: high

Description

Under the Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information includes any part of the patient\'s medical record of payment history.

PHI that is linked based on the following list of 18 identifiers must be treated with special care:

• Names
• All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
• Dates (other than year) directly related to an individual
• Phone Numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Recommendation

Apply the following recommendations to ensure the safe handling PII and PHI data:

• Securely delete PHI when there is no longer a business need for its retention on the device
• Do not cache sensitive data
• Minimize the frequency of asking for user credentials.
• Minimize the use of APIs that access sensitive or personal user data
• Consider a logical way to hash and de*anonymize the user data
• Some jurisdictions may require you to provide a privacy policy for accessing personal information.

Links

• HIPAA Security Rules
• Practices for Protecting Electronic Restricted Data: A Quick Reference
• CWE-200: Information Exposure
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• OWASP_MASVS_L1:
  • MSTG_ARCH_12
• OWASP_MASVS_L2:
  • MSTG_ARCH_12
• GDPR:
  • ART_5
  • ART_25
  • ART_32
  • ART_35
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_2
  • REQ_3_3
  • REQ_3_6
  • REQ_3_7
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3