To address breach-via-email threats, healthcare organizations should complement their existing data-protection solutions with outbound email-screening technologies and best practices.
Healthcare organizations cannot afford the problems associated with a breach that exposes patients’ protected health information (PHI) or other personally identifiable information (PII). Beyond penalties and fines, which have been substantial in several recent cases, other consequences include bad publicity and lost confidence from patients, investors and board members.
While there are many ways for PHI and PII to be exposed, over the last few years there have been a growing number of incidents where email was the conduit.
Unfortunately, potential email data exposure problems are only going to get worse as new healthcare exchanges are established and doctors incorporate new ways to communicate with their peers and patients. For instance, a 2012 industry survey found that about 62 percent of doctors were already using tablet computers to conduct work. Most used their mobile devices to read medical news, research symptoms and access drug reference databases from companies such as Epocrates and WebMD. They also prescribe medication electronically. And a smaller number of doctors were found to be using apps to access electronic health records (EHRs) and lab results. Any of this information could easily be emailed from a mobile device using the organization’s email system, or the non-secure system of a cloud email provider.
To address such evolving breach-via-email threats, healthcare organizations should complement their existing data-protection solutions with outbound email-screening technologies and best practices. Specifically, they need solutions that use next-generation screening techniques, such as exact matching, which prevent PHI and other personal data from leaving the organization in an unencrypted state.
Next-generation technologies are needed because traditional screening solutions can generate many false-positive alerts, flagging data that legitimately could otherwise be transmitted with no complications. In some cases, an improperly flagged email might be prevented from reaching its intended recipient. In other cases, the message might be unnecessarily encrypted, forcing the recipient to take additional steps to read its content. With either situation, a large number of content-filtering false positives interrupts business operations and upsets doctors, nurses, employees and patients. This compels some IT departments to turn off the filtering to appease their staff.
This is obviously not the way to operate.
The problem with earlier-generation solutions is that they utilize basic pattern-matching techniques that evaluate the content of outbound email messages and attachments. Unfortunately, pattern matching alone is often not granular enough to differentiate real confidential data from similar-looking information. For example, any message with a nine-digit number might be flagged or blocked, even though only a small fraction of those messages contained a person’s social security number.
Exact matching avoids the false-positive problem. With exact matching, the specific information that needs to be safeguarded is used to scan outgoing email. That information is placed in a flat file list, and the file is used to make comparisons. So rather than searching for nine-digit numbers, the solution looks for patients’ SSN or ID numbers.
For exact matching to be effective and not time consuming to use, there are a number of best practices to follow and solution capabilities to look for. To start, creation and incorporation of the list used for matching must be automatic. Most back-end systems, such as patient information-management systems, allow the export of fields to a file. So building a comparison database for exact matching would be a matter of outputting a specific field containing a patient identifier. An appropriate filtering solution must be able to ingest this dynamically generated information on a pre-set schedule or whenever there is a change.
Application of these technologies and techniques prevents disruptions in communications and results in more accurate identification of emails containing sensitive data – thus helping healthcare organizations better ensure HIPAA compliance and reduce the chance of a data breach via email.
Secure data delivery in the healthcare industry is needed now – and the demand is quickly increasing with the emergence of meaningful-use Stage 2 and “The Direct Project.” The key is to implement processes and solutions that secure PII and other sensitive data without impeding operations that will cause doctors, nurses and other medical staff to find insecure workarounds. As the volume of data deemed sensitive and in need of filtering continues to skyrocket, leveraging exact matching functionality to tame the false-positive problem is a great start to achieving security, compliance and productivity.
About the author
Bob Janacek is CTO and founder of DataMotion. For more on DataMotion, go to www.datamotion.com.