Individually identifiable health data, due to its sensitive nature, has always been considered a special category of personal data, and it invariably falls under the jurisdiction of strict data protection regulations. In the US, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) are two regulations that together protect the personal health information of patients.
Organizations subject to HIPAA and HITECH face civil penalties of up to $1.5 million per calendar year for each category of violation (a cap that is now adjusted for inflation), so non-compliance carries severe consequences. As attackers continue to target the healthcare industry with ransomware and phishing, electronically stored PHI is a frequent target, and data leaks, data breaches, and data theft incidents in healthcare regularly make media headlines.
To help with compliance programs, the cybersecurity tech sector has many different types of data security solutions. Among these, Data Loss Prevention (DLP) software has emerged as an essential component of compliance strategies to ensure data privacy and information security. Here are the ways in which DLP tools help with HIPAA compliance.
A Brief HIPAA Overview
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. The rules issued under it define the permitted uses and disclosures of protected health information (PHI) and set standards for its confidentiality, integrity, and availability.
PHI is individually identifiable health information held or transmitted by a covered entity or business associate: information about a person's health condition, the care provided, or payment for that care that either identifies the person directly or is combined with identifiers such as names, addresses, Social Security numbers, or medical record numbers. HIPAA's scope is defined by the regulated organization rather than by the patient: unlike GDPR, it has no extraterritorial reach over foreign organizations, and it applies to covered entities and business associates subject to US jurisdiction.
PHI created, stored, or transmitted in electronic form is called electronic protected health information (ePHI) and is the subject of the HIPAA Security Rule. That rule was issued under HIPAA to address the shift from paper records to electronic health information systems.
Organizations required to be HIPAA-compliant are of two kinds:
- Covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks.
- Business associates: organizations or individuals that create, receive, maintain, or transmit PHI while providing contracted services to a covered entity. For example, an accountant who provides services to a covered entity and needs access to PHI to perform them is a business associate.
HIPAA gained further momentum with the introduction of HITECH, which added tiered fines based on the level of culpability and significantly increased the penalties the OCR could impose. At the same time, HITECH made business associates directly liable under HIPAA for protecting both physical and electronic PHI; until then they were bound only by their contracts with covered entities.
DLP for HIPAA Compliance
DLP works by monitoring for, detecting, and blocking sensitive data leaving an organization through its endpoints, cloud services (including SaaS apps), and other exit points. The available functionality differs between solutions. To help with HIPAA compliance, look for the following features at a minimum:
- The ability to scan for and identify PHI on systems for full visibility into sensitive data assets, including the extraction of metadata from numerous file types to assist with data classification.
- Enforcement of security policies through remediation actions, like encrypting or deleting data at rest.
- Content awareness that contextually scans data leaving endpoints through cloud applications, USB sticks, or e-mail and ensures that data in motion doesn’t breach HIPAA rules.
End users, whether through human error or as insider threats, are a significant source of the data leakage and exfiltration incidents that lead to large fines for HIPAA violations. DLP tools that secure sensitive information on the endpoint systems these users interact with every day are therefore especially useful.
1. PHI monitoring and reporting
DLP solutions allow companies to monitor ePHI in real-time. Software such as Endpoint Protector offers predefined HIPAA profiles, which include databases for FDA-recognized drugs, pharmaceutical firms, ICD-10 and ICD-9 codes, and diagnosis lexicons along with personally identifiable information (PII) such as Health Insurance Numbers, Social Security Numbers, addresses, etc.
Using these policies, sensitive health data can be continually monitored, whether it is simply at rest on employees’ endpoints or in transit. Based on the findings, controls can be set in place to restrict transfers.
2. Blocking internet transfers of PHI
HIPAA requires that PHI be safeguarded and disclosed only on a need-to-know basis. In practice it should not leave an organization's control unless it is encrypted or sent over approved, secured channels; under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is not treated as breached if the medium carrying it is lost or stolen. With the rising use of unauthorized third-party services for data transfers, whether through popular instant messaging applications, personal email, cloud storage, or one-time web transfer services, the risk of non-compliance is high.
This is where DLP solutions come into play. Not only do they monitor PHI through predefined policies, but they can also effectively control data movement. By scanning documents before they are transferred, DLP tools identify sensitive data as defined by policies and can block those transfers. DLP even detects HIPAA-protected content in the body of emails (Outlook, IBM Lotus Notes).
3. Restricting access to PHI
Through its eDiscovery capabilities, DLP software can scan all the endpoints on a company network and identify where PHI is being stored. When found on unauthorized personnel’s computers, remediation actions such as deletion or encryption can be taken.
In this way, companies can limit the number of people who have access to PHI, which helps to enforce HIPAA’s need-to-know rule. The need-to-know rule is formally known as the minimum necessary standard. This rule is similar to the principle of least privilege in that it says PHI access should be restricted to those who need access to the information to carry out their job duties.
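The content inspection described in sections 1 to 3 (a predefined HIPAA profile of identifier patterns and a diagnosis lexicon, a block/report decision on data in motion, and an eDiscovery sweep of data at rest) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Endpoint Protector's or any vendor's code. It assumes that the Medicare Beneficiary Identifier (MBI) stands in for the profile's "Health Insurance Number" pattern, that `ehr_sftp` is an approved transfer channel, and that the sample messages (constructed, with synthetic identifiers) live in a temporary directory when the at-rest sweep runs.

```python
"""Toy HIPAA-style content inspection: detect, score, decide, and sweep.

Added example, not vendor code. Patterns approximate a 'predefined HIPAA
profile'; thresholds and the trusted channel name are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# SSN with the structural checks the SSA publishes: area not 000/666/9xx,
# group not 00, serial not 0000.  Cuts false positives on phone-like numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ICD-10-CM: one letter (U is reserved), two digits, optional '.' and up to
# four alphanumerics.  'B12' (the vitamin) also matches, so it is weighted low
# and only counted when medical context words are present.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.[A-Z0-9]{1,4})?\b")
# Medicare Beneficiary Identifier, layout C A AN N A AN N A A N N per CMS;
# letters exclude S, L, O, I, B, Z; hyphens as printed on cards are optional.
_L = "AC-HJKMNP-RT-Y"
MBI_RE = re.compile(
    rf"\b[1-9][{_L}][{_L}0-9]\d-?[{_L}][{_L}0-9]\d-?[{_L}]{{2}}\d{{2}}\b")
# Small diagnosis/context lexicon; a real profile ships thousands of terms.
LEXICON_RE = re.compile(
    r"\b(diagnos(?:is|ed)|patient|prescri(?:bed|ption)|mrn|medical record)\b", re.I)

# (regex, finding kind, weight): direct identifiers weigh enough to block alone.
DETECTORS = [(SSN_RE, "ssn", 5), (MBI_RE, "mbi", 5),
             (ICD10_RE, "icd10", 1), (LEXICON_RE, "lexicon", 1)]
BLOCK_AT = 5                     # assumed: score at which a transfer is blocked
REPORT_AT = 2                    # assumed: score at which it is allowed but logged
TRUSTED_CHANNELS = {"ehr_sftp"}  # assumed: an approved, encrypted channel


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str      # identifiers are masked: the DLP log must not leak PHI
    weight: int


def mask(value: str) -> str:
    """Keep the last four characters for correlation, hide the rest."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def inspect(text: str) -> list[Finding]:
    found = []
    for regex, kind, weight in DETECTORS:
        for m in regex.finditer(text):
            shown = mask(m.group()) if kind in ("ssn", "mbi") else m.group()
            found.append(Finding(kind, shown, weight))
    return found


def score(findings: list[Finding]) -> int:
    kinds = {f.kind for f in findings}
    total = 0
    for f in findings:
        if f.kind == "icd10" and "lexicon" not in kinds:
            continue    # 'B12' in a cafeteria memo is not a diagnosis code
        total += f.weight
    return total


def decide(text: str, channel: str) -> tuple[str, int]:
    """Data-in-motion policy: return ('allow'|'report'|'block', score)."""
    s = score(inspect(text))
    if s == 0:
        return "allow", s
    if channel in TRUSTED_CHANNELS:
        return "report", s       # PHI may leave via an approved channel, but is logged
    if s >= BLOCK_AT:
        return "block", s
    if s >= REPORT_AT:
        return "report", s
    return "allow", s


def scan_tree(root: str) -> dict[str, int]:
    """eDiscovery-style sweep of data at rest: path -> score for files worth review."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    s = score(inspect(fh.read()))
            except OSError:
                continue
            if s >= REPORT_AT:
                hits[path] = s
    return hits


# Constructed sample messages; every identifier below is synthetic.
SAMPLES = {
    "discharge_note": ("Patient Jane Roe, MRN 44821, SSN 219-09-9999, diagnosed "
                       "with E11.9 type 2 diabetes. Medicare 1EG4-TE5-MK72."),
    "nutrition_memo": "Cafeteria switching to vitamin B12 fortified cereal from March.",
    "billing_query": "Can you confirm the ICD-10 code J45.20 for this patient's claim?",
}


def demo_scan() -> dict[str, int]:
    """Write the samples to a temp directory, sweep it, key results by file name."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name + ".txt"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.basename(p): s for p, s in scan_tree(root).items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, decide(body, "webmail"))
    print(demo_scan())
```

Two design points carry over to real deployments: identifier matches are masked before they are logged, because a DLP console full of raw SSNs is itself a PHI store, and a weak indicator such as an ICD-10-shaped token only counts when medical context is also present, which is what keeps the nutrition memo from being blocked while the billing query is flagged for review.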
4. Controlling the transfer of PHI on portable devices
Another common path for exfiltrating sensitive data is portable storage. DLP solutions let companies limit or completely block its use based on criteria such as device type, vendor and product ID, or serial number. Devices can also be assigned different levels of trust and access: some may be allowed read-only access, while others can have full access.
5. Ensuring encryption of PHI
Even with trusted devices used by authorized staff, there is still a danger of PHI loss or theft, because the very portability of USB drives makes them easy to misplace. To ensure that a forgotten or stolen drive does not jeopardize HIPAA compliance, some DLP solutions automatically encrypt data as it is copied onto USB storage.
While DLP solutions form an important part of a comprehensive HIPAA and HITECH compliance strategy, you should complement DLP with both traditional security controls, such as antivirus software and firewalls, and complementary controls such as full-disk encryption and Mobile Device Management.
Whether your organization must comply with HIPAA to protect PHI or with PCI DSS to secure payment card numbers, DLP is becoming a must-have component of any compliance workflow. Beyond avoiding costly fines, one of the main benefits of DLP tools is the trust they build with customers that their confidential data is adequately protected at all times.
Frequently Asked Questions
HIPAA is a federal United States law that sets national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge. It works through three key rules:
1) A Privacy Rule that sets boundaries on the use and release of health records and establishes appropriate safeguards that healthcare providers and others must achieve to protect the privacy of health information.
2) A Security Rule that sets specific protection measures for individually identifiable health information held or transferred in electronic form.
3) An Enforcement Rule that increases compliance with the above rules by giving HHS’ OCR the power to impose penalties for violations. The penalties levied depend on the nature and scope of the violations.