DLP Strategies for Securing Healthcare Data
Barnabas Health has nearly 18,500 employees, 4,700 of whom are physicians. "We continuously sit down with the business units and try to talk to them and say, 'Look, we're watching all this happening. Do you really have a need for a Social Security number to be moved around in this manner? Do you really need date of birth or address or insurance information of a patient if you're doing all this analysis,'" Syed says.
"In many cases they just decide when they get the data from the system, they redact it in a form that it's not identifiable data. If they really need it for financial reasons, like a lot of collections and billing, then we just tell them you can't put it on your local computer. It has to be on a locked-down file share, where it's protected," he says.
That sort of policy can also reduce data breach exposure in one of the most common breach categories today: the theft or loss of a laptop.
"You can't just install a product and let it do all the tricks," Syed says. "Somebody has to be assigned to it on a part-time or full-time basis, to continually look at the data and see what decisions need to be made in terms of data at rest or data in motion."
Syed estimates that DLP tools perform 40% of what needs to be done to enforce HIPAA regulations. "The other 60% is really policy, education, and perseverance in making sure it keeps working."
At Barnabas, software known as the Symantec Endpoint Agent sits on each staffer's PC. If it's an independent physician who is affiliated with Barnabas and is using his or her own PC, that physician would access PHI through a virtual Citrix software session, which would handle the DLP duties, Syed says.
Part of DLP's configurability can also cut down on alert fatigue, already a concern with electronic medical records. Different thresholds can be set and adjusted so the DLP only triggers an alert when a predetermined amount of sensitive information is moving, Syed says.
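The threshold behavior described above can be sketched as follows. This is an added example, not code from the article and not how the Symantec product is implemented; the threshold values, action names and sample text are assumptions chosen for illustration.

```python
import re

# SSN-shaped token: 3-2-4 digits, separators either both present or both absent
# (the backreference \2 keeps ZIP+4 and phone numbers from matching).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Assumed policy: minimum distinct SSNs per transfer -> action, highest first.
THRESHOLDS = [(50, "block"), (10, "alert"), (1, "log")]

def plausible_ssn(area, group, serial):
    """Drop number ranges that are never issued, to reduce false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_distinct_ssns(text):
    """Count unique plausible SSNs, so a repeated value is counted once."""
    found = set()
    for area, _sep, group, serial in SSN_RE.findall(text):
        if plausible_ssn(area, group, serial):
            found.add(area + group + serial)
    return len(found)

def evaluate(text, thresholds=THRESHOLDS):
    """Return (action, count) for one outbound file or message."""
    n = count_distinct_ssns(text)
    for minimum, action in thresholds:
        if n >= minimum:
            return action, n
    return "allow", n

# Constructed sample transfers (no real patient data).
SINGLE_NOTE = "Claim follow-up: SSN 123-45-6789, ZIP 07039-1234, tel 973-555-0100"
BULK_EXPORT = "\n".join(
    f"patient{i},{200 + i:03d}-{10 + i:02d}-{1000 + i:04d}" for i in range(12)
)

if __name__ == "__main__":
    for name, body in [("single note", SINGLE_NOTE), ("bulk export", BULK_EXPORT)]:
        print(name, evaluate(body))
```

Raising the "alert" minimum trades fewer analyst interruptions for less visibility into small transfers, which is why the lower "log" tier is kept for later review.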