Data loss prevention (DLP) in health care -- which mostly entails preventing patients' protected health information (PHI) from falling into the wrong hands -- requires well-conceived, well-enforced policies and
It would seem that DLP could be covered by either policy or technology; in fact, many hospitals leaned on policy at the expense of technology in the first decade and a half of the Health Insurance Portability and Accountability Act (HIPAA). But now that federal legislators recently enacted tough data breach disclosure rules and gave state attorneys general the power to prosecute HIPAA violations, they're looking into data encryption and transmission monitoring technology to aid in stopping data loss.
HIPAA compliance isn't the only driver behind rethinking data loss prevention strategies. Hospitals are expanding wireless networks too, to accommodate new equipment enabling doctors, nurses and technicians to deliver better patient care and to access much more data at the bedside. Furthermore, patients and visiting families demand Internet connectivity. So, while regulators seek better network security, more wireless is opening more points for potential PHI breaches.
Add to that the other patient expectation, assumed security. When patients' -- or their neighbors' -- identities get stolen from a health care institution, they can change health care providers in frustration. That affects a hospital's bottom line.
"Data security is extremely critical these days, both in terms of business downtime and business penalty," said Shubho Chatterjee, CIO of Miami Jewish Health Systems. "If a box breaks, I can fix it tomorrow. But if my network is breached -- or down -- that is the top worry I have."
Encryption, DLP software a good start
Encryption is the first line of defense for information that needs protection. Software vendors offer different flavors of DLP utilities, from network-based gateway systems to host systems that can monitor data traffic inside a network, as well as external communications.
Through analysis engines that look for keywords and other identifying markers, DLP software detects sensitive data -- in motion, at rest or in use -- and the encryption software shields it from unauthorized access. It can also stop disgruntled -- or opportunistic -- employees from transmitting PHI past the firewall, and notify IT staff about such attempts.
Kinder, gentler variations on that theme involve DLP software that queries employees about transmissions that run contrary to company rules. For example, a pop-up window might ask, "Hey, you're about to copy a patient record to a thumb drive; are you sure you want to do this?" and in some cases might require the employee to type in an explanation before the data transmission is allowed. While it might not stop data loss outright, such software can keep honest employees from committing innocent mistakes and refer them to the data protection policy explaining the problems with it.
Don't think of encryption just for data connected to the network. Consider it for backup tapes too. According to Michael Passe, a storage architect at Beth Israel Deaconess Medical Center in Boston, device-level encryption for tape backups is a lot easier to manage than the file-level alternative, which is complicated by key management.
Secure wireless infrastructure, clear the air
Wireless networks add to the vulnerability of data loss prevention systems, making access points potential gateways for unencrypted data to leak into hackers' hands -- or worse yet, providing access to the hospital intranet or individual workstations. Vendors offer a variety of wireless infrastructure management tools that shore up network security and monitor for rogue connections -- shutting down access points and paging IT staff when they are discovered. Rogues can get into wireless networks via misconfigured access points, as well as poorly configured wireless-enabled laptops.
Rogues are one problem. On top of that, there is the "friendly fire": patients and their families bringing in laptops and other wireless-enabled devices, such as the iPod Touch, that may be infected with malware. In Chatterjee's recent wireless deployment, the health care system set up a completely separate network to keep these users off the hospital's wireless infrastructure, he said.
Another way Miami Jewish utilizes technology to keep PHI under wraps is to use a Web portal instead of email to transmit medical records. This setup limits access to data that needs to be shared more effectively than email -- and keeps the data encrypted. When an outside specialist needs to see, for example, a digital X-ray image, the hospital refers the specialist to a URL inside the firewall, and decrypts the image after authenticating the user.
"Once the person is able to authenticate they are indeed who they say they are, then -- and only then -- does that information become visible to them," said Chatterjee, who oversees the network for the system's hospital, long-term care facility and ambulatory facilities, including a center for the treatment of Alzheimer's disease. All together it covers a 22-acre campus and six satellite locations.
Another consideration: Mobile devices might enable better health care, but they also are data-loss vulnerability points. Some hospitals find that locking down -- or limiting attachments to -- physician smartphone email makes sense for their loss-prevention efforts.
Data protection policy gives technology its backbone
Data loss prevention does not stop with hardware and software. Technology can alert IT leaders to problems, but only a sound data policy can seal leaks that the software detects. The health care world offers unique challenges that might not necessarily be found in retail, financial services or other traditional environments.
IT leaders responsible for security and HIPAA compliance need to spell out what can and cannot be done. An effective written data protection policy includes the following components:
• A baseline risk analysis and continued periodic reviews of where unencrypted or otherwise unauthorized transmission of PHI and other sensitive data occurs or might occur. Don't be afraid to hire a consultant or outside auditor to do a baseline analysis or even a review if there have been big changes in the network, such as bringing a wireless network online, installing new systems or opening a data facility.
• A list of potential vulnerabilities uncovered in risk analyses, and documentation covering how they are solved.
• Employee guidelines. The risk analysis should uncover vulnerabilities and identify the culprits putting PHI in jeopardy. Guidelines cover what can and cannot be done, based on what the risk analysis finds. For example, if it's not safe for a physician to email a patient record to his Yahoo email account so he can work from home on a weekend, spell that out. Train employees on the requirements, test for comprehension, provide regular refreshers and email updates to the guidelines.
• Data backup and transmission-monitoring policies that protect PHI yet make data accessible in case the primary source is compromised.
• Policies covering scanning, limiting or even outright banning such portable media as thumb drives.
• Beefed-up physical data center security. Beth Israel Deaconess has 24/7 guards, video cameras and monitors -- plus it requires people to sign in and out, and limits who can come and go.
• A system to ensure that hard drives and paper documents labeled for shredding really do get destroyed, and that the actions are documented. Chatterjee's facility goes as far as to mandate Department of Defense-certified vendors.
The process of hard-drive shredding, said Beth Israel Deaconess's Passe, is under review at his facility. The facility entrusts a contractor to do it, but is considering bringing it back in-house or at minimum, increasing the documentation required of the contractor.
"There's been some discussion [surrounding], 'Should we shred our own dead devices?'" Passe said. "Everyone knows that even if a device is marked 'dead,' there's still data on it, and the platter can be read if you go through some extraordinary measures."
It's important to enforce policies. The No. 1 data loss vulnerability in health care, according to Symantec Corp.'s market research, is broken business processes, where an employee oblivious to the consequences takes liberties with data (such as emailing an image to someone outside the firewall).
Data loss prevention advice for solo docs
All this might seem overwhelming to a solo physician or doctor in a small ambulatory care clinic, neither of whom might have the IT or financial resources to implement some of the above-mentioned technology, but are nonetheless required to comply with HIPAA regulations.
Data security is extremely critical these days, both in terms of business downtime and business penalty.
Shubho Chatterjee, CIO, Miami Jewish Health Systems
On the policy side, tackle one piece of risk reduction at a time instead of doing everything all at once. First, shore up the biggest data loss culprits, which tend to be email, Universal Serial Bus drives and Web transmissions. Don't start by attempting to classify every piece of data and assigning it a confidentiality level -- defer the data loss prevention effort until you've finished reducing other kinds of risk. That kind of data analysis is important, but the problem is that it rarely gets completed. Start by shoring up the main avenues for loss. Then take on the data analysis, fine-tuning data loss prevention as you uncover leaks.
On the technology front, some laptops on the market come with "poison pill" software, Passe pointed out. When the computer is lost or stolen, the owner can activate the software from a website; the next time the laptop connects to the Internet, it shuts down, locks or otherwise becomes inoperable by the thief. His advice to physicians who don't have an army of IT staff members backing them up: Buy computers with this type of security baked in, because it can come in handy when they go missing.
Let us know what you think about the story; email Don Fluckinger, Features Writer.
This was first published in November 2010