WHITE PAPER

PROTECTING PATIENT DATA IN THE CLOUD

BEST PRACTICES FOR MIGRATING AND PROTECTING PATIENT DATA IN THE CLOUD OVERVIEW

Healthcare and associated medical record WHAT ARE THE REQUIREMENTS TO handling organizations have been utilizing Data PROTECT PATIENT INFORMATION? Loss Prevention (DLP) as a cornerstone in The importance of managing patient medical meeting legal requirements to protect regulated information is dictated in the United States by patient health information within their network. Federal HIPAA/HITECH regulations familiar to Now, as organizations have increasingly begun to all healthcare organizations. These regulations utilize to store and share patient require, as just one example, that, whether information, questions have arisen as to how best data is encrypted or not, the organization must to extend proven DLP solutions to include cloud know where patient data is stored or sent. In storage as well. In this paper, best practices in other words, , alone, is not enough to applying DLP to the cloud are organized into the meet the necessary standards or to provide the major stages in the process: visibility required to govern this type of sensitive data. • Planning • Migrating to Cloud Storage This paper outlines the selection and use of • Ongoing Operation proper DLP to help address these requirements and significantly reduce the risks. The topics are directed toward organizations that may be considering DLP technology with WHAT IS AT STAKE FOR HANDLERS OF cloud storage for the first time. However, any PERSONAL HEALTH INFORMATION? healthcare executive involved with regulated The improper release of regulated patient healthcare information compliance will find value medical records can result in a drop in confidence here. by their patients and the general public as well as fines and penalties from the Health and Human WHY IS THE CLOUD VALUABLE TO Services regulatory agencies. Maintaining HEALTHCARE ORGANIZATIONS? compliance with these regulatory acts is a The cost and scalability benefits of the cloud vital concern for every organization handling are particularly substantial for many healthcare electronic health records. In September of 2013 organizations which may have limited IT the HIPAA Omnibus ruling took effect, which, resource. With appropriate security the cloud among other guidance, provided significant clarity may further enable more efficient and productive in spelling out what is required of the Business sharing of patient data between multiple care Associates of a healthcare organization. In a providers, their associates and the patients nutshell, they are required to provide the same themselves. However, concerns over the loss protection to personal health information as a of visibility of data in the cloud has prevented covered entity. many organizations from seeking these benefits. Healthcare IT professionals may ask “how can we protect sensitive data if we lose visibility of where it is?”

www.digitalguardian.com WHITE PAPER / 1 7 STEPS FOR PLANNING TO MOVE PATIENT DATA TO THE CLOUD

The following steps will help any healthcare should accomplish, and note any information organization make appropriate decisions prior requiring special protection and control. For to deciding if they are ready to move regulated example, a first step may be to identify and information to the Cloud. encrypt all records identifying patient names with their Social Security or hospital ID 1. Assess Current Information Policies - Insure numbers. that any existing information governance rules may be extended to cloud data. In 5. Involve the Stakeholders - Ensure the some cases it may be desired to apply more participation of those responsible for entering stringent controls on data in or intended for or accessing patient information and those cloud storage. responsible for adhering to HIPAA compliance requirements. All parties should understand 2. Assess Current Usage of Cloud Storage - the benefits being sought from cloud storage Determine the protection requirements and and the requirements for protecting sensitive status of any data already stored in the cloud. data expected to be placed there. Managers Investigate current personal cloud use by should understand the benefits and issues medical professionals or other employees. of the cloud storage as well as the policy It may be found that some patient data is enforcement capabilities provided by DLP. already being inappropriately stored in the These persons could include: cloud and creating data loss risks previously not known. An appropriate managed cloud −− Compliance and Privacy personnel capability will remove the perceived need for −− Professional medical staff any such practices by individuals. −− HR −− IT Security 3. Establish Credible Expectations - Cloud −− Executive management storage changes the available means of data −− Third party consultants specializing in visibility and control. In the absence of a well Data Loss Prevention communicated policy, medical professionals may use unsecured cloud services to store 6. Assess the Costs Involved - If DLP is being patient data in order to make it more easily acquired for the first time, resist buying accessible when traveling with their mobile features you will never use. Do a 5 year Total devices. A DLP solution appropriate for Cost of Ownership (TCO) analysis to compare cloud storage protection will facilitate the alternative possibilities, including the costs application of uniform policy across the for: the hardware, the software, maintenance, enterprise, including the cloud. In particular, training, and any professional services that an appropriate DLP solution will provide will be required. Understand any software means for educating every and licensing payment terms. preventing unauthorized actions when required by policy. 7. Test Any Proposed Solution On-Site - Insist on a short demonstration or Proof of Concept 4. Set Objectives Appropriate for the to evaluate ease of installation and usage. Organization - After gathering and reviewing This should be done in your environment existing policies and procedures concerning with the organization’s own data both inside the handling of sensitive information develop and outside of cloud storage. A system that agreement on what information is to be requires separate services only for cloud placed in the cloud, what that placement storage will be both inefficient and confusing www.digitalguardian.com WHITE PAPER / 2 in operation. Seek a DLP solution capable of management across the enterprise including comprehensive and consistent compliance the cloud.

6 STEPS TO MOVING PATIENT DATA TO THE CLOUD

Once the decision is made to proceed with the asset. An appropriate Data Loss Prevention cloud and DLP solution the following steps should (DLP) Discovery scan should be employed be taken to prepare for and execute the migration to carefully assess and, perhaps, remediate of data to cloud storage. An appropriate DLP specific information assets prior to migrating Discovery tool capable of performing these them to cloud storage. An example might be actions will ensure that regulated information will to encrypt any files containing identifiable be properly identified, categorized and protected, personal health information. or, removed before it may be uploaded and exposed to access in the cloud: 4. Review Any Regulated Data Found - The DLP 1. Scan Data Already in Cloud Storage - Use the Discovery scan will produce a list of potential DLP Discovery tool to inspect all previously regulated or sensitive information on each stored information in the cloud to bring it information asset. This output will help under the same policy levels as will be applied determine the actions required before moving to the newly migrating data. This will assure the data on a particular information asset to uniformity that newly adopted policy rules will the cloud. be applied to any older data already placed in the cloud. Note that this important cloud 5. Remediate Any Regulated Data as Discovery capability is not a feature offered Appropriate - An appropriate DLP Discovery by every DLP provider. solution will include the ability to remediate 2. Identify Assets for Migration to the potentially sensitive data both during and Cloud - Identify information assets that after the discovery scan. These include: are candidates to move the cloud. This will moving files to secure vaults, deleting files, or require identifying and categorizing the applying rights management. If the objective information on all storage under control of is to move an information asset to a cloud the organization, including file servers, file storage provider then all regulated data shares, SAN, SharePoint servers, user home should be moved to a secure area or simply directories, work-stations and in removed altogether from that asset prior to order to determine the best candidates to moving the information. move the cloud. For example it might be an easy decision to consider moving a marketing 6. Move the Information to the Cloud - Once file to the cloud to facilitate sharing with an the information asset has been sanitized external design agency. it is ready for migration to a cloud storage provider. If the data has not already been 3. Scan the Identified Assets for Regulated sanitized then apply DLP to scan and block Data - Once candidates have been selected any regulated data found as it is in flight to the for cloud migration the next step is to cloud. identify any potential regulated or other sensitive information on that information

www.digitalguardian.com WHITE PAPER / 3 4 STEPS TO KEEPING PATIENT DATA IN THE CLOUD PROTECTED

By selecting a DLP solution that provides 3. Scan Files Systems Planned for Cloud coverage uniformly across the enterprise Storage - For efficiency it may sometimes including cloud storage, the organization’s be appropriate to scan entire file systems ongoing management of regulated or other when there are uncertainties regarding sensitive information is greatly simplified. content. Or, the file systems may be so large Policies will be enforced with consistency and that it is desirable to scan them prior to the from single administrative control. Here are uploading transmissions, which will look at steps to help guide the ongoing processes: each record at a time. An appropriate DLP solution may be employed to inspect all data 1. Audits - At any time, conduct a mock HIPAA poised for sending to the cloud. Sensitive data compliance audit involving the information in discovered will be controlled according to cloud storage. Not only will the organization policies established by the enterprise: be ready for any external audit demands, but this will force questions to be asked regarding −− Before release to the cloud sensitive where to focus next on risk mitigation information may be denied passage or strategies. automatically encrypted −− Or, other prescribed remediation may be 2. Filter and Audit Information as it is Moved to applied the Cloud - Apply Network DLP capabilities to inspect all data before it leaves the 4. Apply Remediation Selectively at Each enterprise network and heads to the cloud. Step - It may or may not be most effective DLP tools will identify regulated information to encrypt-everything sent to the cloud. An and allow it to be removed, encrypted on the appropriate DLP will allow, at every stage fly, or stopped for remediation according to in the process, the appropriate remediation policy for the particular information. Note to be automatically applied according to the that this provides for information to be policies established by the enterprise for that inspected at the final stage rather than some particular information and where it is being prior point where remedies could be undone stored or transmitted: at a later point. These automatic processes reduce opportunities for error and audit −− Policies dictate action for specific data trails provide visibility into information being elements transmitted. −− More efficient, speedier processing −− Alternatives may add burden of needless repetitive encryption and decryption

IT’S ALL ABOUT THE DATA

Data Loss Prevention has proven to be an There are many resources to assist organizations invaluable resource in protecting regulated in sorting out the options available for data personal health data as advances in technology protection. But, the most important criteria for has migrated information from secure data a healthcare organization is to evaluate solutions centers to distributed file servers to the desktop that will apply consistent and uniform policy and to mobile computing devices. Now, with enforcement to patient data across the entire appropriate tools, this technology may be applied enterprise, no matter where it is stored, including to data in the cloud as well. cloud storage. A good way to see this in action is to ask for proof of concept on site. www.digitalguardian.com WHITE PAPER / 4 No single tool is capable of addressing every substantially reduce the risks to the healthcare security issue; however, an appropriate DLP organization as a key component of its overall implementation will, by accurately identifying strategy. regulated data wherever it may be stored or sent,

ABOUT DIGITAL GUARDIAN

Digital Guardian is the only data aware security their most valuable assets with an on premise platform designed to stop data theft. The Digital deployment or an outsourced managed security Guardian platform performs across traditional program (MSP). Our unique data awareness and endpoints, mobile devices and cloud applications transformative endpoint visibility, combined with to make it easier to see and stop all threats to behavioral threat detection and response, let you sensitive data. For more than 10 years we’ve protect data without slowing the pace of enabled data-rich organizations to protect your business.

CORPORATE HEADQUARTERS 860 Winter Street, Suite 3 Waltham, MA 02451 USA [email protected] 781-788-8180 www.digitalguardian.com

Copyright © 2016 Digital Guardian, Inc. All rights reserved. Digital Guardian and Security’s Change Agent are trademarks of Digital Guardian, Inc. in the U.S. and other countries. All other trademarks are the property of their respective owners.