Less than a generation ago, data protection was seldom front page news. Over the last few years, around the world, a series of embarrassing and potentially harmful security breaches in areas from defence and tax to welfare and statistics has put the spotlight firmly on the confidentiality of electronic records. This is especially true of healthcare organizations, which hold the richest repository of personal information of any industry in the form of care records and other confidential patient data, known in the US as electronic Protected Health Information (ePHI). As the availability of patient records in electronic format continues to grow with healthcare modernization efforts, it is fundamental that this data is protected from both accidental and malicious disclosure.
Data protection legislation is evolving at different speeds across the world. For example, in the UK, NHS Trusts are anxiously awaiting the first significant fine from the Office of the Information Commissioner (ICO) regarding the loss of patient data, which means that Trust Information Governance communities are actively investing in Data Loss Prevention (DLP) processes and technology.
eWeek Europe recently reported that, according to the ICO, the NHS has been responsible for almost a third of all recorded data breaches in the UK for the last three years. It was involved in 305 of the 1,007 reported incidents, with 116 caused by stolen data and hardware and a further 87 by lost data and hardware. The NHS was also not helped by the fact that 43 breaches were due to data being disclosed in error. The ICO also said that 17 NHS breaches came from information that was lost in transit, 17 from technical/procedural failure, 13 from non-secure disposal, and 12 from other causes. "We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us," said David Smith, deputy commissioner of the ICO. "Extra vigilance is required so that people's personal information does not end up in the wrong hands."
UK companies have already been warned by the ICO to tighten up their security systems, according to eWeek Europe. The ICO now has the power to issue large fines for any serious data breach, and companies that fall foul of the data breach laws now risk a maximum fine of £500,000. And if that was not enough, the ICO has recently said that it is pushing for prison sentences to be introduced for professional data thieves.
Meeting Obligations
Care records are now available for access by providers from general purpose computing systems, such as desktops and laptops. Even with data being secured through access control, authorized users can copy and download data from client/server applications, patient healthcare portals and databases. Once this data is in the possession of the authorized user, that user may transport this data via email, web applications and USB storage devices. In other words, while patient data loss risks existed in the world of paper records, electronic records have dramatically increased these risks.
Consequently, many aspects of existing operations must be changed to address the requirements of the Data Protection Act or its equivalents elsewhere, such as the HITECH Act and the Health Insurance Portability and Accountability Act (HIPAA) in the US. New process planning, implementation and communication are central to compliance. The result is a significant and sometimes costly programme requiring new technology, re-engineered processes and employee education.
Compliance is typically interpreted as protecting data from malicious activity, with remediation and control measures focusing on intrusion detection, disgruntled employees and phishing scams. The greater risk, though, is from accident and error. Data leaks can compromise compliance controls more easily than data theft, and leaks are more likely to occur. Quite simply, employees make mistakes, but an honest mistake could still expose a healthcare trust to regulatory enforcement, patient lawsuits, and negative press. After a leak, insurance companies respond with stricter criteria and a higher premium.
In the United States, ePHI is now available for access by providers from general purpose computing systems, such as desktops and laptops. Even with data being secured through access control, authorized users can copy and download data from client/server applications, patient healthcare portals and databases. Once this data is in the possession of the authorized user, that user may transport this data via email, web applications and USB storage devices. In other words, while ePHI data loss risks existed in the world of paper records, electronic records have dramatically increased these risks.
Data leaks can compromise HIPAA controls more easily than data theft, and leaks are more likely to occur. Yet, businesses implement elaborate safeguards against external threats and virtually ignore the salient risk that the company has the ability to mitigate. Auditors may look to the external threat first, and it is possible to attain HIPAA compliance on paper with only minimal leak prevention controls. However, the risk and cost of just one leak in the United States can cause reputation damage, customer notification costs, legal fees, and control remediation expenses that exceed millions of dollars. After a leak, the auditors will return with stricter criteria and a higher price tag.
Questions that Should be Asked
To address these strides in legislation and regulation, trusts need to adopt a practical and realistic DLP strategy that includes policy, education and technology and fits into existing business processes. Based on real-world deployments, it is estimated that an organization that employs technology and training can reduce the volume of data loss by 50% or more, just by issuing notifications. If a manager learns that their employee is leaking data, incidents fall by about 10%. If the employee is informed directly that he or she is responsible for leaking data, a 50% reduction is likely.
The initial questions for any organization must include:
- Where is my confidential data stored, and what is being done to secure its use and transmission?
- What are my users doing with this data when they are on the enterprise network, mobile or working remotely?
- How would we know that a data breach has occurred?
- How could a breach be prevented?
- If there is an audit, will there be a way to demonstrate an audit trail of all data disclosure instances?
All these questions point to the need for understanding ePHI/care record usage scenarios, which in most enterprises includes common business activities. Workforce members upload confidential data to social networking sites and also email unencrypted, confidential data to partners. The problem of data loss is exacerbated by the increase in mobile computing, the widespread use of peripheral storage devices, and easy access to client software with file download and file-sharing capabilities.
A Comprehensive DLP Strategy
When planning a comprehensive DLP strategy, the following practices can reduce the risks of malicious threats, save costs associated with data management and security and help meet regulatory compliance.
- Identify, Monitor and Protect: It is important to identify what data is confidential, monitor where the information is going and then implement protection controls to ensure it is only going to the proper individuals. For example, we recently worked with one large US hospital to help audit and monitor HIPAA-regulated data. The IT department at the hospital was shocked to discover that nurses would type patient notes into Google Docs using laptops as they were doing their rounds. Later, they would return to the nursing station and copy and paste the notes into the hospital's secure system. The nurses were simply trying to be more efficient at their jobs, but the practice violated HIPAA regulations.
- Web and Email Content Control: Implement a technology solution that can inspect and control content over the web and email, the two primary communication channels. Data loss via the web is four times more likely than via email. When you email, you are mostly emailing your peers at work, but on the web every transaction or communication is outside your organization. For a security or IT team to be efficient and successful at protecting against these types of data loss, it is also important to look for ways to consolidate your monitoring protocols and have a single inspection gateway.
- Understand the Regulations Where you Conduct Business: It is essential to understand the data laws and regulations not just where a healthcare business resides, but where it operates. This is critical since operating in a specific country or region may subject an organization to its laws, even if there is no office present. Therefore, it is important to be cognizant about the content in use and the context, and consider the capacity of the solution to create this awareness and enforce data policies which are sensitive to their environment.
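As an added illustration of the identify, monitor and protect practice and the channel-aware controls above (example code written for this article, not part of any Websense product), the policy engine below assumes NHS numbers as the confidential identifier (10 digits with a mod 11 check digit, so that arbitrary 10-digit invoice numbers do not trigger false positives), a placeholder internal mail domain, and a small list of clinical terms; it blocks web uploads, encrypts external email and notifies the user, and only logs internal email.

```python
import re

# Assumptions (not from the article): NHS numbers are the confidential
# identifier and the trust's own mail domain is a placeholder value.
INTERNAL_DOMAIN = "example-trust.nhs.uk"
EPHI_TERMS = ("patient", "diagnosis", "prescription", "care record")
# 10 digits, optionally grouped 3-3-4 with spaces or hyphens.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def valid_nhs_number(digits):
    """Mod 11 check digit: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])

def find_identifiers(text):
    """NHS numbers in text whose check digit verifies (cuts false positives)."""
    found = (re.sub(r"[ -]", "", m.group()) for m in NHS_RE.finditer(text))
    return [n for n in found if valid_nhs_number(n)]

def decide(channel, recipient_domain, text):
    """Policy action for one outbound message; channel is 'email' or 'web'."""
    ids = find_identifiers(text)
    terms = [t for t in EPHI_TERMS if t in text.lower()]
    if not ids and not terms:
        return "allow"                   # nothing confidential detected
    if channel == "web":
        return "block+notify_user"       # every web transaction leaves the org
    if recipient_domain == INTERNAL_DOMAIN:
        return "allow+log"               # internal email: audit trail only
    if ids:
        return "encrypt+notify_user"     # external email carrying an identifier
    return "notify_user"                 # external email with clinical terms only

# Constructed sample traffic, not real messages.
SAMPLES = [
    ("email", "partner-clinic.example", "Patient 943 476 5919 diagnosis attached"),
    ("web", "docs.example", "Ward round notes: patient reports chest pain"),
    ("email", INTERNAL_DOMAIN, "Referral for 943 476 5919 to cardiology"),
    ("email", "caterer.example", "Invoice 1234567890 for the canteen"),
]

def audit_samples():
    """Run the policy over the samples; returns one action per message."""
    return [decide(channel, domain, text) for channel, domain, text in SAMPLES]
```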
Reality Check
Kuakini Health System (KHS), one of Hawaii's largest private acute care hospitals, caught two potential leaks before they could become a problem within a week of deploying a solution by WebSense. "The comprehensive approach to information leak prevention gives us the confidence we need that the organization and our patient records are protected from exposure over internal and external email and web," says KHS manager of information management, Ron Uno.
TLC Vision, a provider of eye-care tools and technologies in North America, is another such solution user, one that has to protect the confidential information of more than 1 million patients and physicians. When a TLC user sends confidential information, the email is automatically encrypted and the user is notified of the company's security policy for future communications. For director of technology services Roger McIlmoyle and his staff, this functionality saved hours of enforcement decisions and manual notifications. "Within the first few weeks we saw a good number of emails encrypted because they contained confidential information. It didn't take long before the number of encrypted communications decreased significantly, as users became more and more aware of our policies and began to ask themselves, 'Do I really need to send this?'"
Arbel Lior
The author is an expert in Data Loss Prevention (DLP) related to healthcare at WebSense
maildqindia@cybermedia.co.in