Top 5 Ways DLP can help with HIPAA compliance
Health data, because of its sensitive nature, has always been treated as a special category of data and invariably falls within the scope of data protection regulations. Under the EU’s new General Data Protection Regulation (GDPR), it is explicitly classed as a special category of personal data under Article 9, which subjects it to the strictest application of the regulation’s requirements. In the US, health data is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), two interconnected acts which together guarantee its protection.
HIPAA is regulated by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). It outlines the lawful use and disclosure of protected health information (PHI) and guarantees its privacy, security and integrity.
PHI refers to any personal information, such as names, addresses, social security numbers or medical records, that, if known, can lead to the identification of a patient or client of an organization subject to HIPAA. Electronic data falls under the separate category of electronic protected health information (ePHI), which was introduced by the HIPAA Security Rule, an addendum to HIPAA that addressed advances in medical technology.
Organizations required to be HIPAA-compliant are of two kinds: so-called covered entities, meaning any organization that collects, creates or transmits PHI (healthcare providers, health insurance providers etc.), and business associates, meaning organizations that encounter PHI while doing work they have been contracted for by covered entities.
HIPAA gained real weight with HITECH, which introduced violation-based tiered fines that significantly increased the penalties the OCR could impose, while at the same time legally binding business associates, until then bound to HIPAA only by contract, to protect both physical and electronic PHI.
With organizations subject to HIPAA and HITECH facing fines of up to $1.5 million per year for non-compliance, both covered entities and business associates have turned to the tech sector for ePHI protection solutions. Among these, Data Loss Prevention (DLP) software has emerged as an essential component of compliance strategies. Here are the ways in which it helps:
1. PHI monitoring and reporting
DLP solutions allow companies to monitor ePHI in real time. Software such as Endpoint Protector offers predefined HIPAA profiles which include databases of FDA-recognized drugs, pharmaceutical firms, ICD-10 and ICD-9 codes and diagnosis lexicons, along with personally identifiable information (PII) such as health insurance numbers, social security numbers, addresses, etc.
Using these policies, sensitive health data can be continually monitored, whether it is at rest on employees’ endpoints or in transit. Based on the findings, controls can be put in place to restrict transfers.
2. Blocking internet transfers of PHI
HIPAA requires that all PHI be secured and accessible only on a need-to-know basis. It cannot leave an organization’s premises unless it is encrypted or transmitted through secure, authorized channels. With the rising use of unauthorized third-party services for data transfers, whether popular instant messaging applications, email, cloud storage or one-time web transfer services, the risk of non-compliance is high.
This is where DLP solutions come into play. Not only do they monitor PHI through predefined policies, but they can also effectively control data movement. By scanning documents before they are transferred, they can identify sensitive data as defined by the policies and block its transfer. They can even detect HIPAA-protected content in the body of emails (Outlook, IBM Lotus Notes) and block it.
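The monitoring profiles of section 1 and the scan-before-transfer decision of section 2 come down to the same mechanism: run a set of content detectors over a document or email body and block when enough PHI indicators are present. The example below is added here and is not Endpoint Protector's code; the regexes, the tiny diagnosis lexicon, the weights and the threshold are all constructed assumptions standing in for a product's much larger HIPAA profile.

```python
import re
from dataclasses import dataclass

# Constructed, simplified HIPAA-style content profile. Real DLP products ship
# far larger lexicons (drug names, full ICD-9/ICD-10 tables); these three
# detectors are placeholders with the same structure.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# ICD-10-CM code shape: letter, digit, alphanumeric, optional '.' + 1-4 chars.
ICD10_RE = re.compile(r"\b[A-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")
DIAGNOSIS_TERMS = {"diabetes", "hypertension", "diagnosis", "prescription"}

# Weights and threshold are assumptions for this example: an SSN alone is
# enough to block, while a lone code-shaped token such as room "B12" is not.
WEIGHTS = {"ssn": 4, "icd10": 2, "term": 1}
BLOCK_THRESHOLD = 4


@dataclass
class ScanResult:
    ssn: int
    icd10: int
    term: int

    def score(self) -> int:
        return (WEIGHTS["ssn"] * self.ssn + WEIGHTS["icd10"] * self.icd10
                + WEIGHTS["term"] * self.term)


def scan(text: str) -> ScanResult:
    """Count each indicator class in a document body or email body."""
    words = re.findall(r"[a-z]+", text.lower())
    return ScanResult(
        ssn=len(SSN_RE.findall(text)),
        icd10=len(ICD10_RE.findall(text)),
        term=sum(1 for w in words if w in DIAGNOSIS_TERMS),
    )


def transfer_decision(text: str) -> str:
    """Return 'block' if the content scores as PHI, otherwise 'allow'."""
    return "block" if scan(text).score() >= BLOCK_THRESHOLD else "allow"


if __name__ == "__main__":
    # Constructed sample email bodies, not real patient data.
    phi = "Patient John Doe, SSN 123-45-6789, dx E11.9 (type 2 diabetes). Refill prescription."
    benign = "Meeting moved to room B12 at 3pm, see agenda."
    for body in (phi, benign):
        result = scan(body)
        print(transfer_decision(body), result, result.score())
```

The benign message still trips the ICD-10 detector on "B12", which is why a usable policy combines several indicator classes and a threshold rather than blocking on any single pattern match.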
3. Restricting access to PHI
Through its eDiscovery capabilities, DLP software can scan all the endpoints on a company network and identify where PHI is being stored. When found on unauthorized personnel’s computers, remediation actions such as deletion or encryption can be taken. In this way, companies can limit the number of people who have access to PHI, enforcing HIPAA’s need-to-know rule.
4. Controlling the transfer of PHI on portable devices
Another easy way in which sensitive data can be misappropriated is through portable devices. DLP solutions give companies the ability to limit or completely block their use based on criteria such as device type or serial number. Devices can also be assigned different levels of trust and access: some may be allowed read-only access, while others can have full access.
5. Ensuring encryption of PHI
Even with trusted devices used by authorized staff, there is still the danger of PHI loss or theft, because USB drives are a risk precisely through their portability. To ensure that incidents such as forgotten or stolen portable devices do not jeopardize HIPAA compliance, some DLP solutions offer automatic encryption of data transferred onto USB drives.
DLP solutions form only part of a successful strategy for HIPAA and HITECH compliance, and they need to be complemented both by traditional security tools such as antivirus software and firewalls and by more advanced solutions such as encryption and Mobile Device Management. Nonetheless, they provide an effective tool for tracking and controlling PHI, and they help companies deal with non-compliance issues that might arise internally from employee ignorance or negligence.