4 Ways DLP Can Help You Meet More Stringent HIPAA Compliance

Learn why data loss prevention is a powerful tool for healthcare systems.

With HHS’ Office of Civil Rights dramatically stepping up HIPAA enforcement it’s more important than ever to make sure you have the right people, processes and technology in place. Done right, Data Loss Prevention (DLP) is a proven technology for effective HIPAA compliance. Here are 4 ways DLP addresses specific statute requirements.

 

HIPAA Statute

HOW DLP HELPS

1

Statute 164-306, Security standards: Requires a Covered Entity to ensure the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity creates, receives, maintains, or transmits.

An appropriate Data Loss Prevention solution will help with the confidentiality portion of this safeguard in ways such as: 

  • Detect and Prevent Email containing PHI from being transmitted to the internet 
  • Detect and Prevent Network transmissions containing PHI from leaving the Covered Entity’s network (including email or access to webmail providers such as Gmail) 
  • Detect and secure any unencrypted PHI found on workstations, laptops or network file shares with inadequate controls 
  • Detect and Prevent PHI from being copied to USB devices (or burned to DVD/CD)

2

Statute 164-308, Administrative safeguards, section A, Risk Analysis: Requires a Covered Entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the Covered Entity

An appropriate Data Loss Prevention solution will provide a mechanism to continuously assess potential confidentiality risks to PHI held by a Covered Entity by providing the following capabilities: 

  • Continuously scan all network traffic (including email, webmail and other traffic) destined for the internet to identify and block potential external transmission of unencrypted PHI 
  • Periodically asses unencrypted PHI on workstations, laptops, and file systems to determine if any data is being stored in locations without proper controls 
  • Monitor all data copied to USB and prevent any PHI from being copied without adequate encryption controls

3

Statute 164.312, Technical Safeguards: 

Requires a Covered Entity, in accordance with §164.306, implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

A Data Loss Prevention solution addresses this safeguard by providing mechanisms to: 

  • To Discover unencrypted PHI on systems with inadequate controls. The discovery process will scan File Shares, Workstations, SharePoint Servers and Databases for confidential information 
  • To detect PHI about to be written to USB, CD or DVD.

4

Statute 164-312 (e)(1), Technical safeguards: Transmission Security 

Requires a Covered Entity to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

An appropriate DLP addresses this safeguard with a comprehensive mechanism, called Network DLP, to detect unencrypted PHI leaving an organizations network destined for the internet. This capability has specific mechanisms: 

  • For the detection and prevention of PHI sent via email 
  • For the detection and prevention of PHI over HTTP/HTTPS 
  • To audit that patient data is not being sent via any other protocol

Why Data Loss Prevention for Healthcare Systems

DLP Can Provide A Simple Compliance Framework To Prevent The Loss Of PHI 

Why Data Loss Prevention for Healthcare Systems Data Loss Prevention is a powerful tool to ensure compliance with regulations such as the HIPAA Security Rule, Joint Commission, and state privacy regulations. It can help you analyze the risks to PHI, educate employees on security polices in real-time and assess areas for improvement. According to a recent 451 Research survey of IT professionals, DLP is one of their top priorities in 2015-2016.

dlp-for-healthcare-systems-graphic

Analyze Potential Risks To Electronic PHI

Protection starts with understanding your risks. The best DLP tools provide a number of mechanisms to analyze risks to PHI per the HIPAA Security Rule and limit PHI access to the “Minimum Necessary”.

Discover PHI stored on laptops, workstations, and servers that are unencrypted

Measure PHI being emailed out of your organization

Detect PHI being transferred out of your organization in unencrypted FTP

Audit PHI being copied to USB devices or burned to CDs or DVDs

Track and control PHI in, or being uploaded to, the cloud

Educate Care Providers On Security Policies — In Real Time

Employees are your biggest risk. Data Loss Prevention tools prevent user actions that put your organization at risk and educate users in real time on the appropriate handling of PHI.

Prompt a user for justification when PHI is copied to removable media

Notify a user when a file containing PHI is attached to an email leaving your organization

Notify an administrator when a file containing PHI is copied to an unprotected share

Move a potentially sensitive file trying to be uploaded to the cloud to a protected folder

Periodically Assess Security Policies

You can’t improve what you don’t measure. Data Loss Prevention tools provide a mechanism to continuously assess security policies and procedures

Inspect every email and web transaction for the presence of PH

Measure effectiveness of other controls by monitoring where PHI is moved once it leaves your central EHR system

Get daily, weekly, and monthly reports measuring incidents of interest and potential loss trends

Related Solutions
Compliance HIPAA
Related Content