My first post in this series offered 7 steps for preparing to move patient data to the cloud. In my second, I covered 6 steps for moving patient data to the cloud securely using a cloud DLP solution. Of course, a security team’s work isn’t done once data has been migrated to the cloud. Once this process has been completed, security teams are tasked with keeping that information secure against loss or unintended exposure and securing any additional data that is created in or moved to the cloud. Here are steps to help guide this ongoing process using your DLP solution:
1. Conduct Internal Audits
At any time, conduct a mock HIPAA compliance audit of the information in cloud storage. Not only will the organization be ready for any external audit demands, but this will force questions to be asked regarding where to focus next on risk mitigation strategies.
2. Filter and Audit New Information as it is Moved to the Cloud
As you continue using cloud storage and services, there will undoubtedly be new data that you need to move to the cloud. Apply DLP capabilities to inspect all data before it leaves the enterprise network and heads to the cloud. DLP tools will identify regulated information automatically and allow it to be removed, encrypted on the fly, or stopped for remediation according to policy for the particular information. This allows information to be inspected at the final stage prior to migration, rather than at some earlier point that leaves a window in which protections could be removed. These automatic processes reduce opportunities for error, and audit trails provide visibility into the information being transmitted.
3. Scan File Systems Planned for Cloud Storage
For efficiency, it may sometimes be appropriate to scan entire file systems when there are uncertainties regarding content. Or the file systems may be so large that it is desirable to scan them before the upload transmissions, which look at one record at a time. Employ your DLP solution to inspect all data poised for sending to the cloud. Sensitive data discovered will be controlled according to policies established by the enterprise:
- Before release to the cloud, sensitive information may be denied passage or automatically encrypted
- Or, other prescribed remediation may be applied
4. Apply Remediation Selectively at Each Step
Depending on your own situation, it may not be most effective to encrypt everything sent to the cloud. Use your DLP solution to apply the appropriate remediation automatically according to your established policies for that particular information and where it is being stored or transmitted:
- Policies dictate action for specific data elements
- More efficient, speedier processing
- Alternatives may add the burden of needless, repetitive encryption and decryption
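To make steps 2 and 4 concrete, here is an added example (not from the original post and not any DLP product's code) of policy-driven remediation: content is inspected just before upload, and the action depends on both the data element found and the destination. The detector patterns, destination names, policy table and the fail-closed default are all assumptions made for illustration.

```python
import re

# Constructed detectors for illustration; real DLP classifiers are far more robust.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),   # hypothetical MRN format
    "dob": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.I),
}

SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}  # least to most restrictive

# Hypothetical policy table: (data element, destination) -> remediation.
POLICY = {
    ("ssn", "cloud-archive"): "block",
    ("ssn", "cloud-ehr"): "encrypt",
    ("mrn", "cloud-archive"): "encrypt",
    ("mrn", "cloud-ehr"): "allow",
    ("dob", "cloud-archive"): "encrypt",
    ("dob", "cloud-ehr"): "allow",
}
DEFAULT_ACTION = "block"  # assumption: fail closed when no rule covers the pair


def classify(text):
    """Return {element: match count} for every detector that fires."""
    counts = {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}
    return {name: n for name, n in counts.items() if n}


def decide(text, destination):
    """Pick the most restrictive action required by any detected element."""
    found = classify(text)
    action = "allow"
    for element in found:
        rule = POLICY.get((element, destination), DEFAULT_ACTION)
        if SEVERITY[rule] > SEVERITY[action]:
            action = rule
    # Audit record holds element names and counts only, never matched values.
    return {"destination": destination, "elements": found, "action": action}


# Constructed sample records (not real patient data).
RECORD = "Patient MRN: 00123456, DOB: 01/02/1980, SSN 123-45-6789"
LAB = "MRN: 00123456 lab result within normal range"

if __name__ == "__main__":
    for text in (RECORD, LAB):
        for dest in ("cloud-ehr", "cloud-archive", "cloud-test"):
            print(decide(text, dest))
```

The same lab record is allowed to one destination, encrypted for another and blocked for an unlisted one, which is the selective behavior step 4 describes, and the returned record can be written straight to the audit trail.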