Part one of a two-part series on data security measures
Whether or not it was ever intended, healthcare providers these days are responsible for watching over a vast amount of data on people, much of it sensitive and desirable to unlawful minds. Like the keepers of bank vaults, providers must ensure that this information is secured and inaccessible to protect the best interests of not only their customers, but of their own operational existences. At the same time, because of emerging technologies and networking mediums, communication to patients and potential customers has become open, prevalent, and unsecure. “The normal protections don't necessarily work anymore,” says Mac McMillan, CEO of CynergisTek Inc., an IT security consulting company. Long-Term Living Editor Kevin Kolus recently caught up with McMillan, who is also chair of the Healthcare Information and Management Systems Society's Privacy and Steering Committee, to discuss an increasingly popular form of data security that long-term care providers may not be aware of: Data Loss Prevention (DLP) technology.
What are the dangers long-term care providers have to be wary of when it comes to sharing data online?
McMillan: Most Web mail clients, whether it is Yahoo!, Gmail, Hotmail, or another generic Web mail product, have no filter associated with them to determine if certain information should be going out or not. They are not making judgment calls about whether Dr. Smith should be e-mailing protected health information (PHI). And if you allow Web mail in a long-term care setting, even if you have normal protections on your corporate mail, such as corporate encrypted Microsoft e-mail, that same encryption technology does not even see the Web mail because it's opening on a client that is outside of the organization. When healthcare providers allow internal users to access Web mail clients, basically what they are doing is allowing them to communicate in an anonymous fashion, and all of their protections are basically not of value; they are obviated.
The same is true of social media sites, like Facebook or MySpace. Again, when someone connects to that client, they are bypassing all of the normal protections that are afforded the network. Somebody could download a file, attach it to a message, and send it out via one of those mechanisms. If that message contained PHI, it just went out unencrypted. And actually it's even worse than that with social media because when you post something on Facebook, for instance, it doesn't go away. It gets proliferated.
Now, providers do want to enable these mediums because they may serve very useful purposes. For instance, Web mail can be practical to physicians who come to work at a long-term care setting because a lot of times that is their mail client back at the office. But that doesn't mean it's a good way to communicate sensitive data from your facility.
So how do providers take advantage of Web mail or social media while keeping sensitive data secure?
McMillan: This is where data loss prevention comes in. DLP technologies sit inside the network. First, they go out and fingerprint all of the data in the environment. They crawl across the structured and unstructured data, identifying all the information that is out there, and build an index. Then somebody says there are rules around that data. So for instance one of the rules that we advise healthcare organizations to put in place is that PHI cannot be posted to a social media Web site. The DLP appliance then does another of its functions, called review. It actually reviews data on the fly so whenever somebody hits the send button, whether it's through e-mail, social media, etc., the DLP will scan that communication or that message and determine if there is any PHI contained within. And if there is, it does its third function, which is enforcement. It looks up the rule you have configured, and it sees what this person is trying to do. If they are sending an e-mail through the corporate mail structure, which is encrypted, and the e-mail has PHI in it, the DLP appliance says this is OK, let it go. But if that same person is trying to send a document with PHI attached through Web mail, which will bypass your encryption and protections, the DLP appliance says that's not allowed, and it stops the transmission. Depending on how you have it configured, it will either send a message back to the sender saying this is not authorized, or it will redirect the e-mail to the corporate mail, encrypt it, and then send it out to the intended recipient.
I can see how the technology scans attachments, but how does it know in a unique message that a user is making on Facebook or in Web mail that there is protected health information being communicated?
McMillan: When it does this fingerprinting function, it basically scans every document in the system and it looks for protected content, building this huge index of sensitive data that has rules to protect it. When somebody constructs an e-mail, it can have as few as 100 characters related to a patient's record. When that mail gets sent, the DLP technology has the ability to read it line by line and identify content related to any document that's been fingerprinted.
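Editorial example, added here and not part of the interview or any vendor's product: a minimal Python sketch of the fingerprint, review and enforcement steps described in the two answers above, using hashed 100-character sliding windows. The channel names, rule table, file name and sample record are assumptions constructed for illustration.

```python
import hashlib
import re

K = 100  # window size in characters, after the "as few as 100 characters" figure above

def shingles(text, k=K):
    """Yield a short hash for every k-character window of the normalized text."""
    norm = re.sub(r"\s+", " ", text.lower()).strip()  # survive re-casing and reflowing
    for i in range(len(norm) - k + 1):
        yield hashlib.sha256(norm[i:i + k].encode()).digest()[:8]

def build_index(documents, k=K):
    """Fingerprint: map every window hash to the document it came from.
    Simplification: every window is stored, with no sampling."""
    index = {}
    for name, body in documents.items():
        for h in shingles(body, k):
            index.setdefault(h, name)
    return index

def review(message, index, k=K):
    """Review: names of fingerprinted documents that the outgoing message quotes."""
    return {index[h] for h in shingles(message, k) if h in index}

# Assumed rule table: channel -> action when fingerprinted content is found.
POLICY = {
    "corporate_mail": "allow",                # encrypted corporate path
    "webmail": "redirect_to_corporate_mail",  # the alternative is to notify the sender
    "social_media": "block",
}

def enforce(message, channel, index):
    """Enforcement: apply the channel's rule only if the message matched the index."""
    matched = review(message, index)
    if not matched:
        return "allow", matched
    return POLICY.get(channel, "block"), matched  # unknown channels fail closed

# Constructed sample record and outgoing message (not real patient data).
RECORD = ("Patient Jane Example, DOB 01/02/1940, room 12B. Diagnosis: type 2 diabetes with "
          "peripheral neuropathy. Medication: metformin 500 mg twice daily; insulin glargine "
          "10 units at bedtime. Allergies: penicillin.")
INDEX = build_index({"record_0412.txt": RECORD})
LEAK = "Hi, quick question about this one:\n" + RECORD[20:150].upper().replace(" ", "  ")

if __name__ == "__main__":
    for channel in POLICY:
        print(channel, enforce(LEAK, channel, INDEX))
```

A message that quotes fewer than 100 characters of the record produces no windows and passes, which is the trade-off the window size controls.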
If a provider has organized its electronic documents poorly, will the technology have a harder time of creating that fingerprint?