Barnabas Health has nearly 18,500 employees, 4,700 of whom are physicians. "We continuously sit down with the business units and try to talk to them and say, 'Look, we're watching all this happening. Do you really have a need for a Social Security number to be moved around in this manner? Do you really need date of birth or address or insurance information of a patient if you're doing all this analysis,'" Syed says.
"In many cases they just decide when they get the data from the system, they redact it in a form that it's not identifiable data. If they really need it for financial reasons, like a lot of collections and billing, then we just tell them you can't put it on your local computer. It has to be on a locked-down file share, where it's protected," he says.
That sort of policy can also reduce data breach exposure in one of the most common breach categories today: the theft or loss of a laptop.
"You can't just install a product and let it do all the tricks," Syed says. "Somebody has to be assigned to it on a part-time or full-time basis, to continually look at the data and see what decisions need to be made in terms of data at rest or data in motion."
Syed estimates that DLP tools perform 40% of what needs to be done to enforce HIPAA regulations. "The other 60% is really policy, education, and perseverance in making sure it keeps working."
At Barnabas, software known as the Symantec Endpoint Agent sits on each staffer's PC. If it's an independent physician who is affiliated with Barnabas and is using his or her own PC, that physician would access PHI through a virtual Citrix software session, which would handle the DLP duties, Syed says.
DLP's configurability can also cut down on alert fatigue, already a concern with electronic medical records: thresholds can be set and adjusted so the DLP only triggers an alert when a predetermined amount of sensitive information is moving, Syed says.
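The threshold-based alerting Syed describes, together with the redact-or-lock-down policy from earlier in the article, can be sketched in a few lines. The following is an added illustration written for this page; it is not Barnabas Health's configuration or any Symantec product's logic, and the identifier patterns, per-channel thresholds, and sample records are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed identifier patterns: US SSN (NNN-NN-NNNN) and a MM/DD/YYYY date of birth.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

# Assumed per-channel thresholds (number of SSNs in one transfer before an alert).
# A sanctioned, locked-down file share tolerates bulk movement; copying to a local
# disk or removable media, or sending by e-mail, trips an alert at a low count.
THRESHOLDS = {
    "approved_file_share": 50,
    "local_disk": 5,
    "removable_media": 1,
    "email": 1,
}


@dataclass
class ScanResult:
    channel: str
    ssn_count: int
    dob_count: int
    alert: bool


def count_identifiers(text: str) -> tuple[int, int]:
    """Return (ssn_count, dob_count) found in the text."""
    return len(SSN_RE.findall(text)), len(DOB_RE.findall(text))


def evaluate(text: str, channel: str) -> ScanResult:
    """Alert only when the SSN count reaches the threshold for the destination channel.

    Unknown channels fall back to the strictest threshold.
    """
    ssn, dob = count_identifiers(text)
    limit = THRESHOLDS.get(channel, 1)
    return ScanResult(channel, ssn, dob, ssn >= limit)


def redact(text: str) -> str:
    """Produce the de-identified form a business unit can keep on a local machine."""
    text = SSN_RE.sub("XXX-XX-XXXX", text)
    text = DOB_RE.sub("XX/XX/XXXX", text)
    return text


def make_records(n: int) -> str:
    """Constructed, fake patient rows used only to exercise the scanner."""
    return "\n".join(
        f"patient{i}, SSN 123-45-{6000 + i:04d}, DOB 01/15/1970" for i in range(n)
    )


if __name__ == "__main__":
    extract = make_records(12)
    for ch in ("approved_file_share", "local_disk", "removable_media"):
        print(evaluate(extract, ch))
    print(evaluate(redact(extract), "local_disk"))
```

The same twelve-row extract is quiet when it lands on the approved share but raises an alert when copied to a local disk, and the redacted copy never alerts anywhere, which is the outcome the policy described above is aiming for.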