Hail your new digital gatekeeper

Part one of a two-part series on data security measures

Whether or not it was ever intended, healthcare providers these days are responsible for watching over a vast amount of data on people-much of it sensitive and desirable to unlawful minds. Like the keepers of bank vaults, providers must ensure that this information is secured and inaccessible to protect the best interests of not only their customers, but of their own operational existences. At the same time, because of emerging technologies and networking mediums, communication to patients and potential customers has become open, prevalent, and unsecure. “The normal protections don't necessarily work anymore,” says Mac McMillan, CEO of CynergisTek Inc., an IT security consulting company. Long-Term Living Editor Kevin Kolus recently caught up with McMillan, who is also chair of the Healthcare Information and Management Systems Society's Privacy and Steering Committee, to discuss an increasingly popular form of data security that long-term care providers may not be aware of: Data Loss Prevention (DLP) technology.

What are the dangers long-term care providers have to be wary of when it comes to sharing data online?

McMillan: Most Web mail clients, whether it is Yahoo!, Gmail, Hotmail, or another generic Web mail product, have no filter associated with them to determine if certain information should be going out or not. They are not making judgment calls about whether Dr. Smith should be e-mailing protected health information (PHI). And if you allow Web mail in a long-term care setting, even if you have normal protections on your corporate mail, such as corporate encrypted Microsoft e-mail, that same encryption technology does not even see the Web mail because it's opening on a client that is outside of the organization. When healthcare providers allow internal users to access Web mail clients, basically what they are doing is allowing them to communicate in an anonymous fashion, and all of their protections are basically not of value-they are obviated.

The same is true of social media sites, like Facebook or MySpace. Again, when someone connects to that client, they are bypassing all of the normal protections that are afforded the network. Somebody could download a file, attach it to a message, and send it out via one of those mechanisms. If that message contained PHI, it just went out unencrypted. And actually it's even worse than that with social media because when you post something on Facebook, for instance, it doesn't go away. It gets proliferated.

Now, providers do want to enable these mediums because they may serve very useful purposes. For instance, Web mail can be practical to physicians who come to work at a long-term care setting because a lot of times that is their mail client back at the office. But that doesn't mean it's a good way to communicate sensitive data from your facility.

So how do providers take advantage of Web mail or social media while keeping sensitive data secure?

McMillan: This is where data loss prevention comes in. DLP technologies sit inside the network. First, they go out and fingerprint all of the data in the environment. They crawl across the structured and unstructured data, identifying all the information that is out there, and build an index. Then somebody says there are rules around that data. So for instance one of the rules that we advise healthcare organizations to put in place is that PHI cannot be posted to a social media Web site. The DLP appliance then does another of its functions, called review. It actually reviews data on the fly so whenever somebody hits the send button, whether it's through e-mail, social media, etc., the DLP will scan that communication or that message and determine if there is any PHI contained within. And if there is, it does its third function, which is enforcement. It looks up the rule you have configured, and it sees what this person is trying to do. If they are sending an e-mail through the corporate mail structure, which is encrypted, and the e-mail has PHI in it, the DLP appliance says this is OK, let it go. But if that same person is trying to send a document with PHI attached through Web mail, which will bypass your encryption and protections, the DLP appliance says that's not allowed, and it stops the transmission. Depending on how you have it configured, it will either send a message back to the sender saying this is not authorized, or it will redirect the e-mail to the corporate mail, encrypt it, and then send it out to the intended recipient.

I can see how the technology scans attachments, but how does it know in a unique message that a user is making on Facebook or in Web mail that there is protected health information being communicated?

McMillan: When it does this fingerprinting function, it basically scans every document in the system and it looks for protected content, building this huge index of sensitive data that has rules to protect it. When somebody constructs an e-mail, it can have as few as 100 characters related to a patient's record. When that mail gets sent, the DLP technology has the ability to read it line by line and identify content related to any document that's been fingerprinted.

If a provider has organized its electronic documents poorly, will the technology have a harder time of creating that fingerprint?

McMillan: No, that's the beauty of it and that's really where DLP solutions got their start because businesses were terrible at data retention. People had a hard time developing data retention rules, they had a hard time classifying documents, they had a hard time organizing them and creating organized data stores and shares-everything, really. A DLP solution does not rely on any structure from the organization. All it says is, “Point me to where all your data is,” and it does a 100% fingerprint of everything. Then it utilizes detailed lexicons of terms that are considered sensitive. For healthcare, there are established lexicons out there of somewhere upwards of 15,000 medical terms that these tools have embedded in them, as well as financial lexicons for things like social security numbers, bank accounts, credit cards.

Some organizations are looking at Safe Harbor or HITECH as an encryption problem, so their response is to go out and encrypt everything, which is a bad decision quite frankly, for several reasons.

In addition to all of that, if the organization has any unique terms or numbers, they can add those to the lexicons. Then you can activate any of the lexicons within the system. The DLP appliance sits there in real time and watches all the data as it moves across the network as packets, and it inspects those packets to see what is inside and where they are going. Another thing it does is it looks at who is sending and who is receiving. It can be configured to allow a certain person to send this kind of information to this location, but not permit another individual from the same behavior. You can make it as smart as you want it to be by teaching it new rules and workflows that are appropriate for your organization.

What are some popular DLP solutions out there that healthcare providers are either turning to or that you are advising them to turn to?

McMillan: One I would advise most long-term care organizations, except for the very largest, to go with is one called Code Green Networks. It works very well in small- to medium-sized organizations that do not have large IT staffs. Vontu [acquired by Symantec] is another one that is very popular, but only popular in the very largest organizations. It is a very complex and difficult solution to implement.

There are really only two kinds of DLP. There are solutions that do true DLP, and solutions that don't. Code Green, Vontu, Reconnex, and Symantec are what we call true DLP solutions and what that means is that they actually do the fingerprinting, review, and enforcement, and they do it at a granular level, meaning entire documents, not just headers or metadata, are indexed. In true DLP solutions they have 100 points of reference for a single document so that any part of the document that gets cut out or copied and pasted somewhere else still gets recognized as part of that document. Like on the police dramas, when they say they have a partial print and that's enough to identify a person, the reason for that is even a partial print is unique to that particular print, and it's the same thing with how true DLP technology indexes documents.

The Health Information Technology for Economic and Clinical Health (HITECH) Act placed great importance on data security. Where do DLP technologies fit in?

McMillan: In HITECH, under the breach notification rule, there is this thing called Safe Harbor where if you have a data breach, the only way you can avoid having to notify is to have everything encrypted properly or not accessible. Some organizations are looking at Safe Harbor or HITECH as an encryption problem, so their response is to go out and encrypt everything, which is a bad decision quite frankly, for several reasons. First, it's very costly. Second, it's very maintenance and administrative heavy. Third, every time the encryption algorithm changes in the regulation, you're going to have to change your solution. It has potential operational impacts, performance impacts on systems, and it absolutely impacts users' workflow. However, if you combine DLP with your other point solutions like encryption and you are using DLP to limit where PHI can go, you can limit how much you have to encrypt. So DLP actually works as a cost saver when it comes to the issue of managing breaches. LTL

Like on the police dramas, when they say they have a partial print and that's enough to identify a person, the reason for that is even a partial print is unique to that particular print, and it's the same thing with how true DLP technology indexes documents.

Part two of this series on data security will feature Ohio Presbyterian Retirement Services, a large organization that realized its disaster recovery measures for data loss were fundamentally inadequate-a reality that may be familiar to many providers. The organization's CIO explains how this shortfall was corrected.

Long-Term Living 2011 February;60(2):36-38