Does DLP Help Solve HIPAA Concerns?
One of the most promising technologies for automatically enforcing compliance with sensitive data handling practices is Data Loss Prevention (DLP) technology and it is quickly gaining popularity and adoption across many industries. Does this mean that DLP is the answer to all sensitive information handling concerns? In short, I am sorry to say that while DLP offers excellent solutions within a limited range of data, such as payment cards, social security numbers, and other easily identifiable data, it does not offer great solutions for HIPAA compliance. Most recently a case of an employee being fired from Oakwood Hospital in Michigan has once again highlighted the utter impossibility of automatically enforcing HIPAA compliance. In this case, Cheryl James made some comments on Facebook which were interpreted as a violation of HIPAA requirements. This was not the case of medical records being leaked out, but rather a comment made by a medical professional. More information about the incident can be obtained here. (https://www.fiercehealthcare.com/story/hospital-worker-fired-over-facebook-comments-about-patient/2010-08-01) More and more people are using websites such as Facebook as a part of their everyday conversations with their friends and family. However, a comment made to a spouse in the privacy of one’s home is clearly not the same as posting that comment on Facebook. Since this is not the first time a comment made on a social networking website has landed a hospital employee in trouble, it’s clear that it will take some time before everyone fully realizes the risks of communication of sensitive data on social networking websites. Naturally the question that begs to mind is if there is anything that hospitals can do to prevent such incidents in the future. The advantage of DLP technology is that if you are able to define the pattern or a structure for the data that can be automatically identified as sensitive, the DLP technology will be able to prevent most inappropriate transfers of such data, including posting on social websites. However, with regard to healthcare, data that falls in the range of being considered PHI is very diverse and does not allow for automated identification. Therefore, techniques for reducing risks of inappropriate disclosure must fall back on the low-tech controls such as training and blocking high-risk websites like Facebook for all employees.
Explore more blog posts
Navigating Cybersecurity Regulations Across Financial Services
Learn about five areas businesses should consider to help navigate cybersecurity regulations, such as the Digital Operations Resiliency Act (DORA).
A New Era of Proactive Security Begins: The Evolution of NetSPI
Introducing The NetSPI Platform, the proactive security solution used to discover, prioritize, and remediate the most important security vulnerabilities. Plus, get a first look at NetSPI’s updated brand!
Penetration Testing: What is it?
Learn about 15 types of penetration testing, how pentesting is done, and how to choose a penetration testing company.