My first post in this series offered 7 steps for preparing to move patient data to the cloud. In my second, I covered 6 steps for moving patient data to the cloud securely using a cloud DLP solution. Of course, a security team’s work isn’t done once data has been migrated to the cloud. Once migration is complete, security teams are tasked with keeping that information secure against loss or unintended exposure and with securing any additional data that is created in or moved to the cloud. Here are steps to help guide this ongoing process using your DLP solution:
1. Conduct Internal Audits
At any time, conduct a mock HIPAA compliance audit of the information in cloud storage. Not only will the organization be ready for any external audit demands, but this will force questions to be asked regarding where to focus next on risk mitigation strategies.
2. Filter and Audit New Information as it is Moved to the Cloud
As you continue using cloud storage and services, there will undoubtedly be new data that you need to move to the cloud. Apply DLP capabilities to inspect all data before it leaves the enterprise network and heads to the cloud. DLP tools will identify regulated information automatically and allow it to be removed, encrypted on the fly, or stopped for remediation according to the policy for that particular information. This enables information to be inspected at the final stage before migration rather than at some earlier point, after which there would still be a window in which protections could be removed. These automatic processes reduce opportunities for error, and audit trails provide visibility into the information being transmitted.
3. Scan File Systems Planned for Cloud Storage
For efficiency it may sometimes be appropriate to scan entire file systems when there is uncertainty about their content. Or, the file systems may be so large that it is desirable to scan them before the upload transmissions, which inspect one record at a time. Employ your DLP solution to inspect all data poised for sending to the cloud. Sensitive data discovered will be controlled according to policies established by the enterprise:
- Before release to the cloud, sensitive information may be denied passage or automatically encrypted
- Or, other prescribed remediation may be applied
4. Apply Remediation Selectively at Each Step
Depending on your own situation, it may not be most effective to encrypt everything sent to the cloud. Use your DLP solution to apply the appropriate remediation automatically according to your established policies for that particular information and where it is being stored or transmitted:
- Policies dictate action for specific data elements
- Faster, more efficient processing
- Alternatives may add the burden of needless repeated encryption and decryption
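To make steps 2 through 4 concrete, here is an added example (not from the original post or any vendor's DLP product) of a pre-upload filter that classifies each record, applies the most restrictive policy action among the data classes it contains, and writes an audit trail. The SSN and "MRN-" patterns, the key and the sample records are constructed for illustration; keyed tokenization stands in for the on-the-fly encryption step because the Python standard library has no authenticated cipher.

```python
import hashlib
import hmac
import re

# Detectors for regulated data classes (constructed, illustrative patterns).
# The MRN format is hypothetical; real deployments use the organisation's own identifiers.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
}

# Step 4: remediation is selective. Policy names the action per data class
# instead of encrypting everything that crosses the boundary.
POLICY = {"ssn": "block", "mrn": "tokenize"}
SEVERITY = {"block": 2, "tokenize": 1, "allow": 0}  # most restrictive action wins

TOKEN_KEY = b"constructed-demo-key"  # in practice: from a KMS, never in source


def classify(record):
    """Return the set of regulated data classes detected in one record."""
    return {name for name, rx in DETECTORS.items() if rx.search(record)}


def tokenize(record, classes):
    """Replace each regulated value with a keyed, irreversible token."""
    def repl(m):
        digest = hmac.new(TOKEN_KEY, m.group(0).encode(), hashlib.sha256).hexdigest()
        return "TOK-" + digest[:12]
    for cls in classes:
        record = DETECTORS[cls].sub(repl, record)
    return record


def filter_for_upload(records):
    """Steps 2/3: inspect every (id, text) record at the last point before it
    leaves the network. Returns (records released to the cloud, audit trail)."""
    released, audit = [], []
    for rid, rec in records:
        classes = classify(rec)
        action = max((POLICY[c] for c in classes), key=SEVERITY.get, default="allow")
        audit.append((rid, sorted(classes), action))
        if action == "block":
            continue  # held back for manual remediation, never transmitted
        released.append((rid, tokenize(rec, classes) if action == "tokenize" else rec))
    return released, audit


# Constructed sample records standing in for files queued for migration.
SAMPLE = [
    ("r1", "Patient note, MRN-123456, follow-up in 2 weeks"),
    ("r2", "Billing: SSN 123-45-6789 on file"),
    ("r3", "Clinic hours updated for Monday"),
]
```

Running `filter_for_upload(SAMPLE)` releases r1 with its MRN tokenized and r3 untouched, holds r2 back, and records all three decisions in the audit trail.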