Guest Column | April 6, 2016

Looking For A Cure: IT Security And Compliance In Healthcare

Paul LaPorte, Director of Products, Metalogix


A Global Crisis

Every day we hear about new struggles in healthcare. One ongoing concern is the Zika virus, a growing problem that the World Health Organization recently deemed a global public health emergency and has caused the CDC to issue travel alerts. But there is another problem plaguing healthcare that affects every single one of us, every day — the security of the information infrastructure that enables modern healthcare to exist.

So, what does this mean for you, the trusted advisor and solutions provider?

Security Risks Require New Treatments

For IT organizations, managing data security and adhering to the myriad of compliance needs presents a challenge as daunting as developing a new vaccine. It is crucial to do, hard to manage, and requires specialized tools that didn’t exist in our medical bag a few years ago. And like a virus, the problem is growing and evolving at a rapid rate, as seen in this collection of the world’s largest data breaches and the FBI investigation of a dramatic outage at a Maryland hospital chain thought to have been started by an intentional fast-spreading virus.

New Government Mandates

On top of the internal challenges facing most organizations in navigating the maze of security and compliance, governments are stepping in and raising the stakes with new laws and requirements. The European Union is in the process of introducing the General Data Protection Regulation (GDPR), and other countries will likely follow with additional laws of their own. There is no time to spare. Being ill-prepared for what is to come holds serious ramifications, the worst of which is a complete business shutdown.

Keeping Protected Health Information (PHI) Secure

Across all areas of healthcare, organizations store patient health records and health information containing sensitive content for thousands of people. From doctors to health insurance providers and large hospital corporations, from employees to customers, Protected Health Information (PHI) is everywhere. When a data breach involving patient information does occur, such as the 80 million record Anthem breach in February 2015, there is mass controversy and outcry. PHI is so important that laws continue to be introduced to protect the public, ensure the integrity of health systems, and make sure critical data is as secure as possible.

Navigating Regulations

In the U.S., many states have strict laws on the security of PHI content, mandating proper archiving, record keeping, and security. The U.S. has implemented several key laws that impact healthcare organizations and the IT teams that support them, namely the HIPAA and HITECH Acts. In the European Union, a big part of GDPR concerns PHI and health card data, not solely Personally Identifiable Information (PII) or credit card numbers. All impose severe, but arguably necessary, fines on companies found not to be in compliance with the proper safeguarding or retention of healthcare data, i.e., patient records. Those fines have the power to completely shut down the institution or provider. If the fines aren’t deterrent enough, the damage from negative publicity could result in an equally damaging loss of public trust.

IT First Responders

Clearly there is a vital need for constant attention and vigilance… an inoculation… a cure. So, what does this mean to you — the trusted advisor and solutions provider?

Most of your clients are likely well aware of the need to comply. For many, however, the critical question is: “How?” In seeking solutions for this healthcare security crisis, one of your first orders of business should be to help your clients discover where their organization has sensitive and at-risk content stored, so that they can regulate its use and access. There are a couple of key techniques in use for spotting sensitive content, and it is important that you understand and are able to communicate their differences and limitations.

The traditional approach to identifying sensitive content is an expression-based, or regular expression, search. Expression-based search matches known patterns against actual data. This is a black-and-white approach with a lot of holes: results are only ever as good as the known patterns, and if the patterns are wrong or incomplete, whatever they miss is never corrected.

By comparison, newer approaches that utilize advanced technologies such as machine learning are not limited in this way. Machine learning is a newer and more flexible approach, as it constantly learns and adjusts to the data stream it analyzes. Over time, results from a machine learning approach become more accurate and adjust to the uniqueness of a specific organization’s data. For example, when analyzing information, a date in and of itself is not sensitive, but a date of birth is protected information. Machine learning can discern the difference by analyzing the context of the information, thus leading to highly accurate detection and action.
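To make the date versus date-of-birth point concrete, here is an added example (not code from the article or from Metalogix) that scans a constructed snippet of intake text two ways: a pattern-only regex scan that flags every date, and a context-aware scorer that only flags a date when date-of-birth cues appear near it. The keyword scorer is a stand-in for the trained classifier the article describes, and the cue list and window size are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample text (not from the article): one date is a date of birth,
# the other two are ordinary scheduling/billing dates.
SAMPLE = (
    "Patient intake form. DOB: 03/14/1972. "
    "Appointment scheduled 04/06/2016 at 10:00. "
    "Invoice generated 04/01/2016 for billing."
)

# Pattern-only ("Ctrl + F") approach: every MM/DD/YYYY date looks identical.
DATE_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")

# Assumed context cues that make a date a date of birth (not a product's list).
DOB_CUES = ("dob", "date of birth", "born", "birthdate", "birthday")


def pattern_only(text: str) -> List[str]:
    """Flag every date the regex matches, with no regard to context.

    This is the black-and-white scan: three hits, two of them false positives.
    """
    return DATE_RE.findall(text)


def context_aware(text: str, window: int = 25) -> List[Tuple[str, float]]:
    """Score each date by the DOB cues found within `window` characters before it.

    Only dates with a positive score (i.e. date-of-birth context) are returned,
    so the scheduling and invoice dates are not reported as PHI.
    """
    hits = []
    for match in DATE_RE.finditer(text):
        preceding = text[max(0, match.start() - window):match.start()].lower()
        score = sum(1.0 for cue in DOB_CUES if cue in preceding)
        if score > 0:
            hits.append((match.group(), score))
    return hits


def false_positive_count(text: str) -> int:
    """How many of the pattern-only hits the context-aware pass discards."""
    return len(pattern_only(text)) - len(context_aware(text))


if __name__ == "__main__":
    print("pattern-only :", pattern_only(SAMPLE))
    print("context-aware:", context_aware(SAMPLE))
    print("false positives removed:", false_positive_count(SAMPLE))
```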

Critical Elements Of A First Responder Tool Kit

Equip your clients’ organizations to protect against an unknown future. As you investigate identifying and securing your clients’ healthcare data, and complying with all the regulatory hurdles, it is important to seek flexible, accurate solutions that adapt to whatever challenges tomorrow may hold.

Raising the bar for data loss prevention (DLP). Organizations operating in challenging environments, with regulatory oversight and highly public data breaches, face requirements for properly identifying and securing terabytes of content. The complexity of governing, tracking, and securing this content has been magnified by the growth of content management systems, like Microsoft SharePoint, which enable content collaboration on an enterprise-wide scale. Preparing your client with a solid DLP solution foundation provides wide-ranging content detection, classification and actions to support comprehensive enterprise-wide security, governance and compliance strategies.

Machine learning driven. DLP needs have grown, necessitating new strategies to manage sensitive PII, PHI, and PCI data both on-premises and in the cloud. Advanced machine learning surpasses existing data protection strategies and provides a far higher degree of accuracy for context-aware identification, filtering and classification of content. Traditional DLP solutions employ rules and techniques that amount to little more than “Ctrl + F” to find sensitive information, whereas DLP based on machine learning provides a forensic analysis of the true nature of your clients’ content.

Confidently detect sensitive information. DLP solutions are starting to evolve, with the most advanced providing a highly accurate and flexible out-of-the-box solution for detecting sensitive information such as PII, PHI and PCI inside enterprise content management systems, one that can also be customized to meet specific client needs. The combined solution will allow clients to identify, track, and secure documents using advanced neural network powered machine learning, which enables a more robust level of contextual content awareness inside increasingly complex enterprise environments. In other words, the large numbers of “false positive” results that cause other DLP solutions to grind to a halt can now be a thing of the past.

Take action. Upon detection of sensitive information that exceeds permissible thresholds, an ideal DLP solution can alert, isolate, or remove policy violating files. Custom workflows can be architected with ease to enforce corporate governance strategies while reducing the workloads on IT administrators, content owners and compliance officers.

Comprehensive policy enforcement. A key capability of a successful DLP solution is to enforce policies using the full range of permissions management, auditing and user activity reporting to content containing PII. With on-demand scanning, administrators can flag specific content for content discovery or enable a real-time content shield to perform analysis of files as they are created, modified, moved, or destroyed.

Superior approach, superior results. The combination of the complexity of content collaboration and the risks associated with security breaches results in a need for far more sophisticated security and compliance solutions. Next generation machine learning provides a deeper level of insight and analysis into the location and nature of sensitive content.

Real-time content shield. Machine-driven DLP automatically provides near instantaneous detection of sensitive information within new content. Upon detection of content containing PII, PHI or PCI, the upload can be blocked or quarantined until approved by designated content reviewers. For documents containing information such as Social Security numbers, this kind of solution infuses a higher level of real-time trust and content awareness to prevent the mishandling of this sensitive data.

Ready to go out of the box. A robust solution based on new machine learning technologies provides a ready-to-go option from day one. That’s great for the client — and great for you! Lengthy consultative configuration exercises such as rule configuration can now be a thing of the past. With your expert guidance, your client enjoys instant protection, an immediate start, and a fast return on investment (ROI).

Am I the only one hearing the Superman Movie theme song playing in the background?

Paul LaPorte is an expert in security, business continuity, and disaster recovery (DR). He is Director of Products at Metalogix and co-author of SharePoint RBS for Dummies, 2013 edition. Prior to Metalogix, he served as global manager for SaaS solutions at Proofpoint, a publicly traded email and data security company, principal strategist for Continuity Research, and a senior executive at Evergreen Assurance, a pioneer in real-time DR for mission critical applications. He holds a BS in Aerospace Engineering from MIT and an MBA from Georgetown University.