
DLP Strategies for Securing Healthcare Data

By Scott Mace (smace@healthleadersmedia.com), December 12, 2012

This article appears in the November 2012 issue of HealthLeaders magazine.

Securing the healthcare enterprise is a many-layered endeavor. Electronic locks on doors keep out intruders and help track who is coming and going. Network access control technology acts as the locks on the computer networks behind the doors. Firewalls and anti-malware technology keep at bay the vandalism of the wild public Internet. But like some 1960s spy movie, one of the biggest threats comes from the ordinary comings and goings of authorized personnel, and the information they carry.

To address this risk, healthcare leaders turn to a layer known as data-loss prevention, or DLP.

"For what it's doing for our organization, the cost of DLP is really minimal, as compared to the benefits," says Shane Molacek, CIO of Valley County Health System, which operates a 16-bed critical access hospital located in the north central town of Ord, Neb., some 180 miles from Lincoln.

Molacek uses technology that scans each email being sent from Valley County for protected health information, which under HIPAA must be protected from unauthorized disclosure.

"IT's job is to make sure that the doors stay open and that we don't have either breaches in content or information that shouldn't be getting out of here," Molacek says.

When Molacek arrived at Valley County about three years ago, it was building a $27 million facility to replace a critical access hospital built in the 1970s. DLP was on a list of to-dos that started with implementing a disaster recovery strategy. "The fact that we hadn't suffered any kind of PHI loss or any HIPAA breach to any level really was caused more by dumb luck than by anything we had put in place," he says.

Drawing upon previous experience performing risk assessments, Molacek acquired backup appliances and an offsite disaster recovery service provider. Flash drives became read-only thanks to software acquired from GFI EndPoint Security, Molacek says.

For DLP, he chose a combination encryption and monitoring solution from ZixCorp, which Molacek and others characterize as providing an increasingly common platform among healthcare providers.

That commonality matters. Since its origins on the Internet more than 30 years ago, basic email has never carried an agreed-upon security layer that is present on every computer and device that creates and reads it.

Instead, software such as Zix works by encrypting sensitive email, then sending a recipient a pointer to a secure Web portal where he or she can open that email securely.

It's a necessary inconvenience to these recipients, and as electronic medical records proliferate, more and more patients are familiar with the ritual of visiting secure email portals. But if the emails are flowing from provider to provider, or provider to payer, and so on, the inconvenience becomes a nightmare. ZixCorp and others who would provide secure email are able to offer their customers an alternative, provided that sender and recipient share the same DLP security layer. Each system can recognize that the other is using similar security technology and arrange it so the emails in question flow straight into the recipient's mailbox, rather than being sent to a separate portal.

ZixCorp has added so many partners, "it makes that process easier; the likelihood is that we're going to have a partner that just delivers end to end, mailbox to mailbox," Molacek says. Currently Zix boasts more than 32 million members in its ZixDirectory, which the company bills as "the world's only shared email encryption community."

So far, electronic medical record software being rapidly adopted by providers does not offer this provider-to-provider capability, Molacek says.

Data-loss prevention offers some set-and-forget features. But even at Valley County, Molacek has a HIPAA compliance officer who scrutinizes information and sets policy for any data exchange that would break PHI, HIPAA, or Payment Card Industry guidelines.

Email and computers' data ports used to be the primary concern of DLP managers, but the advent of cloud computing put emphasis on the potential for new services to be a source of data breach. One strategy employed at many institutions is to simply block newer cloud-based data exchange services such as Dropbox. "We do not feel comfortable at this time to allow access to any online storage," says Hussein Syed, director of IT security at Barnabas Health in Livingston, N.J. "We have no relationship with those entities."

Employing DLP technology from Symantec, Syed is able to set custom policies as needed. The software can scan for medical record numbers that fit a particular profile: so many digits, with leading characters such as "MR." But that can be just the start of a process as his staff works to educate others at the health system about proper handling of PHI or PII (personally identifiable information) not just during transmission, but also as the data is made available for any number of analytical tasks.

Barnabas Health has nearly 18,500 employees, 4,700 of whom are physicians. "We continuously sit down with the business units and try to talk to them and say, 'Look, we're watching all this happening. Do you really have a need for a Social Security number to be moved around in this manner? Do you really need date of birth or address or insurance information of a patient if you're doing all this analysis,'" Syed says.

"In many cases they just decide when they get the data from the system, they redact it in a form that it's not identifiable data. If they really need it for financial reasons, like a lot of collections and billing, then we just tell them you can't put it on your local computer. It has to be on a locked-down file share, where it's protected," he says.

That sort of policy can also reduce data breach exposure in one of the most common breach categories today: the theft or loss of a laptop.

"You can't just install a product and let it do all the tricks," Syed says. "Somebody has to be assigned to it on a part-time or full-time basis, to continually look at the data and see what decisions need to be made in terms of data at rest or data in motion."

Syed estimates that DLP tools perform 40% of what needs to be done to enforce HIPAA regulations. "The other 60% is really policy, education, and perseverance in making sure it keeps working."

At Barnabas, software known as the Symantec Endpoint Agent sits on each staffer's PC. If it's an independent physician who is affiliated with Barnabas and is using his or her own PC, that physician would access PHI through a virtual Citrix software session, which would handle the DLP duties, Syed says.

Part of DLP's configurability can also cut down on alert fatigue, already a concern with electronic medical records. Different thresholds can be set and adjusted so the DLP only triggers an alert when a predetermined amount of sensitive information is moving, Syed says.

A broad theme among DLP users is to get staff to think before they share. For instance, at Texas Health Resources, providers are advised to include the word "secure" in the email subject line, and that email will be encrypted and sent securely, says Chief Security Officer Ron Mehring.

If they don't put that word in the subject line, and the DLP technology detects PHI in the message, the provider is notified that he or she has violated the policy, Mehring says. "They now have to interact with the privacy and security offices to resolve that issue, and now that becomes somewhat of a distraction for them," he says.
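The three controls described above (pattern-based detection of identifiers such as an "MR"-prefixed record number, an alert threshold to limit alert fatigue, and a "secure" subject keyword that routes a message to encryption rather than a policy violation) can be combined into one outbound-mail decision. The following is an added illustration written for this article, not code from Symantec, Zix, or any of the health systems quoted. The MRN format (two letters followed by seven digits), the keyword, and the sample messages are constructed assumptions; a real deployment would tune the patterns to its own numbering schemes.

```python
import re
from dataclasses import dataclass, field

# Detectors for the kinds of identifiers the article describes. The MRN
# profile is an assumed example format ("MR" + 7 digits); the SSN and
# date-of-birth patterns are generic and deliberately reject obviously
# invalid values (e.g. SSN area 000/666/9xx) to cut false positives.
DETECTORS = {
    "mrn": re.compile(r"\bMR\d{7}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


@dataclass
class Policy:
    # Minimum number of identifiers before the gateway acts (alert-fatigue control).
    alert_threshold: int = 1
    # Subject keyword that asks the gateway to encrypt (assumed value, per the article).
    encrypt_keyword: str = "secure"


@dataclass
class Decision:
    action: str                    # "deliver", "encrypt", or "block_and_notify"
    findings: dict = field(default_factory=dict)   # identifier type -> count


def scan_text(text):
    """Count each identifier type found in the text."""
    return {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}


def evaluate_outbound(subject, body, policy=None):
    """Decide what the mail gateway should do with one outbound message.

    Order matters: a message the sender explicitly tagged for encryption is
    encrypted whether or not PHI is detected; an untagged message carrying
    at least `alert_threshold` identifiers is held and the sender notified.
    """
    policy = policy or Policy()
    findings = scan_text(subject + "\n" + body)
    total = sum(findings.values())
    if policy.encrypt_keyword in subject.lower():
        return Decision("encrypt", findings)
    if total >= policy.alert_threshold:
        return Decision("block_and_notify", findings)
    return Decision("deliver", findings)


if __name__ == "__main__":
    # Constructed sample messages; no real patient data.
    samples = [
        ("Secure: referral", "Patient MR1234567 needs follow-up"),
        ("referral", "Patient MR1234567, DOB 03/14/1961, SSN 123-45-6789"),
        ("lunch", "see you at noon"),
    ]
    for subject, body in samples:
        d = evaluate_outbound(subject, body)
        print(f"{subject!r}: {d.action} {d.findings}")
```

Raising `alert_threshold` above 1 trades coverage for quiet: a single stray identifier then leaves unencrypted, which is exactly the kind of decision the article says has to be made by a person assigned to the tool rather than by the tool alone.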

Texas Health Resources serves a geographic area of north Texas larger than the state of Maryland. The system includes 25 hospitals (17 of which are acute care), more than 21,100 employees, 5,500 physicians with staff privileges, and 3,800 licensed hospital beds. "We have pretty good service management processes in place where they interact with our overall set of IT processes to resolve those issues, and we try to resolve them pretty quickly so escalation works, but you've got to have a structure around it. DLP can't exist in a vacuum. It's got to integrate real cleanly into your overall IT service management practices."

Don't let technology dictate your goals, Mehring says. "I can't imagine a single shortcut when it comes to DLP," he says. "It's a tough solution. You've got to have the dedicated staff for it. You've got to have the talent, and you've got to have the support."

Smaller organizations can take fewer steps, he says. "Encrypt everything," he says. "Make sure users know not to keep data on devices."

Mehring also challenges the coalescence of DLP standards around vendor-specific solutions. "My challenge to vendors is, 'Why are you making me do that?'" he says. "When vendors do that to us they put us in a box, and it's not appropriate."

A vendor-independent alternative is now emerging in the form of transport-layer security standards. "How do I get a transaction from Point A to Point B in a secure manner, and how do I ensure it's going to the right person?" Mehring asks.

Auto-negotiation of transport-layer security, irrespective of vendor or service provider, is something Texas Health is able to achieve today, with some exceptions. "The underlying protocol does that, so my email servers are set up to auto-negotiate transport-layer security," he says. "As long as the other system has that ability to do the same and configure the same, it'll negotiate that secure transport.

"Every once in a while we get a health system that pops up where they're using a different system in a different configuration, and we have to take a kind of a one-off approach in how we're going to get data to them securely," Mehring says.
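The auto-negotiation Mehring describes is the SMTP STARTTLS exchange: the sending server reads the receiving server's EHLO reply, and upgrades to TLS only if the peer advertises `STARTTLS`. The "one-off" case is a peer that does not advertise it. The decision logic below is an added example written for this article, not Texas Health's configuration or any vendor's code; the EHLO replies, domain names, and per-domain policy table are constructed. It distinguishes opportunistic TLS (use it if offered, else send in the clear) from mandatory TLS for named partners (defer delivery rather than fall back).

```python
# Constructed EHLO replies as a sending mail server would receive them.
PEER_WITH_TLS = (
    "250-mx.partner-health.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
PEER_WITHOUT_TLS = (
    "250-mx.legacy-clinic.example\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

# Assumed per-destination policy: "may" = opportunistic, "encrypt" = mandatory.
# "*" is the default for domains not listed.
POLICY = {
    "*": "may",
    "partner-health.example": "encrypt",
    "legacy-clinic.example": "encrypt",
}


def parse_ehlo(response):
    """Return the set of SMTP extension keywords advertised in an EHLO reply.

    The first 250 line is the server greeting (its hostname), not an
    extension, so it is skipped; each later line's first token is a keyword.
    """
    caps = set()
    first = True
    for line in response.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        if first:
            first = False
            continue
        body = line[4:].strip()        # drop "250-" or "250 "
        if body:
            caps.add(body.split()[0].upper())
    return caps


def choose_transport(peer_domain, ehlo_response, policy):
    """Pick how to deliver to this peer: 'starttls', 'plaintext', or 'defer'."""
    level = policy.get(peer_domain, policy.get("*", "may"))
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "starttls"
    if level == "encrypt":
        # Mandatory TLS but the peer cannot negotiate it: queue the message
        # and escalate, rather than silently downgrading to cleartext.
        return "defer"
    return "plaintext"


if __name__ == "__main__":
    print(choose_transport("partner-health.example", PEER_WITH_TLS, POLICY))   # starttls
    print(choose_transport("legacy-clinic.example", PEER_WITHOUT_TLS, POLICY))  # defer
    print(choose_transport("other.example", PEER_WITHOUT_TLS, POLICY))          # plaintext
```

The same split exists in production MTAs; Postfix, for instance, expresses it per destination with `smtp_tls_security_level` set to `may` or `encrypt`. The defensive point is the `defer` branch: opportunistic TLS protects only against passive observation, because a peer (or anything in the path) that simply omits `STARTTLS` causes a cleartext fallback, so PHI-carrying partner routes are the ones that should be pinned to mandatory TLS.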

Data-loss prevention's next hurdle is fast approaching, however, as providers widely embrace health information exchanges.

"Our data-loss prevention systems are really kind of a very internal function," Mehring says, adding that "health information exchanges imply the sharing of information. Just moving DLP into that environment will be extremely difficult.

"We're going to be relying on a lot of nontechnical ways to control information in those environments. If we're using vendors to provide the health information exchange capabilities, they're building in robust technologies to control information as it sits in the exchanges. I think we're going to be relying on a lot of that," Mehring says. "Of course you are passing out information to folks that really kind of goes beyond the trust boundary and trust negotiated through participation agreements and things like that, which are all very nontechnical approaches."

Those nontechnical approaches include strong information security and privacy policies, standards, procedures, and training, built using a risk-management approach, Mehring says.

And the DLP technology solution, as good as it is, also has to evolve to keep pace with the cloud-based services that providers on the network use. Providers can bring their own devices to Texas Health, and may have data network access through a carrier's 4G network rather than the internal healthcare network, bypassing network policy blocking Dropbox and its ilk.

"If they really wanted to, staff could go ahead and screen-capture that data and things like that, where we might not have full control of that device to control that interaction," Mehring says. "That happens quite often. I think most health systems are struggling with that today, on how much authoritative control they can take over these personal devices, which we do in many cases. When they're accessing data definitely they have the ability to potentially move that data onto their device. We'll take active control of that through our security solutions.

"But of course there's always the devices that kind of come and go. They come in, they access data, and then they go away, but they never really became a formal part of the actual infrastructure. We try to get in the middle of that interaction in all cases through our internal DLP solution and interrogate that transaction before it leaves, but like I said, there's always things like shadow IT or the shadow transaction, right? Everyone struggles with that, I think."



Reprint HLR1112-7



Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.


