Keeping Privacy Afloat During a Pandemic

Chalice Beam, Senior Manager, Health & Life Sciences, Coalfire

It’s our responsibility to protect the privacy of patients’ health information.

The world is navigating uncharted digital waters and facing evolving challenges to maintain patient privacy. Protected Health Information (PHI) is a ship sailing in a sea of digital risks and vulnerabilities. Humans wreak havoc at every turn – not always intentionally – and actions during times of uncertainty will have long-term effects.

Today, we are all facing a pandemic with limited healthcare resources and limited connection opportunities, while at the same time quickly evaluating new ways to diagnose. Through this transformation, PHI becomes too easily and inadvertently shared or leaked if we do not stay on course. This means that before we share PHI, we must ask: “can we?” We can easily remember this using the acronym “C.A.N.” in the following steps:

  • Confirm – that the information we are sharing is relevant – am I only sharing what is relevant?
  • Allow – make sure that the information is allowed to be shared with the individual/organization – is what I’m sharing allowed to be shared with or without authorization?
  • Necessary – verify it is necessary – is it required that I share the information?

When we maintain this “minimum necessary” mentality, we strengthen the integrity of our vessel. We humans are our first line of defense, which means being vigilant, not clicking emails and links, going to the source of truth (e.g., directly to the CDC/government websites), and only giving out information where appropriate (remember: Confirm, Allow, Necessary). When we leak PHI or give out information to those who do not have a need-to-know business reason, we’re taking water on our ship.

This also applies to employers who can implement some small privacy best practices, such as providing security and privacy reminders to employees on topics like:

  • Social engineering:
    • Phishing emails (Don’t click on links or attachments!)
    • Phone calls (Don’t give out information over the phone!)
  • Management:
    • Ask C.A.N. before sharing information about an individual who may be infected at your organization.

Not protecting PHI results in sinking our ship, and failing our patients, employees, and organizations that trust us with their information. This is a ripe time for the “bad guys” to steal identities, so our privacy practices must be stealthy and steady. As the professionals, we have a responsibility to keep the ship afloat and be more vigilant than ever.

Additional resources:

Chalice Beam


Chalice Beam — Senior Manager, Health & Life Sciences, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS