Skip to content Skip to navigation

Hail your new digital gatekeeper

February 1, 2011
by root
| Reprints
How to protect residents' data with an ultra-intelligent guardian technology

Part one of a two-part series on data security measures

Whether or not it was ever intended, healthcare providers these days are responsible for watching over a vast amount of data on people-much of it sensitive and desirable to unlawful minds. Like the keepers of bank vaults, providers must ensure that this information is secured and inaccessible to protect the best interests of not only their customers, but of their own operational existences. At the same time, because of emerging technologies and networking mediums, communication to patients and potential customers has become open, prevalent, and unsecure. “The normal protections don't necessarily work anymore,” says Mac McMillan, CEO of CynergisTek Inc., an IT security consulting company. Long-Term Living Editor Kevin Kolus recently caught up with McMillan, who is also chair of the Healthcare Information and Management Systems Society's Privacy and Steering Committee, to discuss an increasingly popular form of data security that long-term care providers may not be aware of: Data Loss Prevention (DLP) technology.

What are the dangers long-term care providers have to be wary of when it comes to sharing data online?

McMillan: Most Web mail clients, whether it is Yahoo!, Gmail, Hotmail, or another generic Web mail product, have no filter associated with them to determine if certain information should be going out or not. They are not making judgment calls about whether Dr. Smith should be e-mailing protected health information (PHI). And if you allow Web mail in a long-term care setting, even if you have normal protections on your corporate mail, such as corporate encrypted Microsoft e-mail, that same encryption technology does not even see the Web mail because it's opening on a client that is outside of the organization. When healthcare providers allow internal users to access Web mail clients, basically what they are doing is allowing them to communicate in an anonymous fashion, and all of their protections are basically not of value-they are obviated.

The same is true of social media sites, like Facebook or MySpace. Again, when someone connects to that client, they are bypassing all of the normal protections that are afforded the network. Somebody could download a file, attach it to a message, and send it out via one of those mechanisms. If that message contained PHI, it just went out unencrypted. And actually it's even worse than that with social media because when you post something on Facebook, for instance, it doesn't go away. It gets proliferated.

Now, providers do want to enable these mediums because they may serve very useful purposes. For instance, Web mail can be practical to physicians who come to work at a long-term care setting because a lot of times that is their mail client back at the office. But that doesn't mean it's a good way to communicate sensitive data from your facility.

So how do providers take advantage of Web mail or social media while keeping sensitive data secure?

Mac mcmillan
Mac McMillan

McMillan: This is where data loss prevention comes in. DLP technologies sit inside the network. First, they go out and fingerprint all of the data in the environment. They crawl across the structured and unstructured data, identifying all the information that is out there, and build an index. Then somebody says there are rules around that data. So for instance one of the rules that we advise healthcare organizations to put in place is that PHI cannot be posted to a social media Web site. The DLP appliance then does another of its functions, called review. It actually reviews data on the fly so whenever somebody hits the send button, whether it's through e-mail, social media, etc., the DLP will scan that communication or that message and determine if there is any PHI contained within. And if there is, it does its third function, which is enforcement. It looks up the rule you have configured, and it sees what this person is trying to do. If they are sending an e-mail through the corporate mail structure, which is encrypted, and the e-mail has PHI in it, the DLP appliance says this is OK, let it go. But if that same person is trying to send a document with PHI attached through Web mail, which will bypass your encryption and protections, the DLP appliance says that's not allowed, and it stops the transmission. Depending on how you have it configured, it will either send a message back to the sender saying this is not authorized, or it will redirect the e-mail to the corporate mail, encrypt it, and then send it out to the intended recipient.

I can see how the technology scans attachments, but how does it know in a unique message that a user is making on Facebook or in Web mail that there is protected health information being communicated?

McMillan: When it does this fingerprinting function, it basically scans every document in the system and it looks for protected content, building this huge index of sensitive data that has rules to protect it. When somebody constructs an e-mail, it can have as few as 100 characters related to a patient's record. When that mail gets sent, the DLP technology has the ability to read it line by line and identify content related to any document that's been fingerprinted.

If a provider has organized its electronic documents poorly, will the technology have a harder time of creating that fingerprint?

Pages

Topics

Comments

Donations of GTB technologies Inc's, Enterprise Data at Rest Scanners are currently underway to Non-Profit Cancer Centers in the United States. The Data at Rest Scanner is a Data Discovery tool that searches an enterprise network for HIPAA violations as well as PHI and PII data. The system runs over the network and does not require an agent. It searches any file format on Windows and UNIX file-Shares and reports the files location, the file owner, the actual violating data and other metadata.

This donation is in memory of Leslie Cohen, a sister of one of the GTB founders. Leslie, may she rest in peace was diagnosed with Stage II cancer in the Spring of 2002 and unfortunately after a brutal fight, succumbed to the disease on March 8, 2006 a few days shy of her 48th birthday. Leslie, as well as the entire GTB Technologies' organization have been supporters of various Cancer Research and Treatment causes, both before and after her diagnosis.

Earlier this month, news came out that the US Department of Health and Human Services (HHS) started penalizing health care organizations for HIPAA privacy violations. So in order to help avoid any penalties and instead spend valuable funds on research and care, GTB Technologies is making this donation offer.

Any Non-Profit Cancer Center may request a free copy of the Data at Rest Scanner by emailing DARS@GTTB.COM. This donation includes future support and maintenance upgrades.

Pages