TokenEx can tokenize, and thus de-identify, individually identifiable health information–a subset of protected health information—that includes demographic information collected from individuals, such as social security number, patient number, and medical images, as well as non-health data such as IP addresses and postal codes. In some cases, tokenization can be used to tokenize and de-identify the entire data set. Unlike payment card and financial information, ePHI is very complex and includes many deviations across disparate systems. TokenEx helps solve this dilemma by being able to tokenize any data set using consistent schemas to protect data integrity.
In today’s diverse healthcare environments, it is common to encounter systems that cannot be adequately protected with preventative security controls. It may be legacy medical equipment that requires Windows XP to function or a vendor-managed system that for technical reasons is required to be configured in an insecure manner. Lacking the ability to apply basic security hardening configurations to these systems, healthcare organizations are relying more on system isolation controls to limit the damage of a breach of these highly vulnerable systems. Tokenization of data stored on these highly vulnerable systems can be a Covered Entity’s saving grace, protecting the organization of risk that these systems pose if breached. A compromise of these systems will only expose the tokenized data to an attacker and not the underlying ePHI.
Tokenization can also be used to limit the risk posed by rogue system administrators. System administrators are the most highly privileged users in IT organizations, yet they usually do not have the need to view protected health information. A rogue system administrator—whether their intent is malicious in nature or simply driven by curiosity—can abuse their privilege and view sensitive PHI about a targeted individual. Tokenization of the data will prevent unauthorized access of ePHI by rogue system administrators. A database administrator, for example, will only see tokenized data instead of the identity patient’s personal health record.
TokenEx has successfully de-identified ePHI data for organizations using tokenization. These organizations securely send identifiable data to the TokenEx Data Security Platform where the identifiable elements of the sensitive data are tokenized and returned to the organization for research, analysis, storage, and other uses.