For ease of operation within the healthcare industry and associated fields, the creation, maintenance and transfer of patient information and related documentation have become largely digital. To ensure sufficient privacy and protection of electronic Patient Health Information (ePHI), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established.
HIPAA compliance is required for covered entities (CEs), meaning those directly involved in creating or storing health information (e.g. hospitals, clinics, health insurance companies), and for their business associates, meaning those that handle ePHI on behalf of CEs for administrative purposes (cloud service providers, MSPs, data processing companies).
To aid in meeting HIPAA compliance stipulations, Endpoint DLP Plus is a robust data loss prevention solution that can be leveraged to increase privacy surrounding PHI and remediate insider risks in order to avert data disclosure and preserve the integrity and availability of patient information.
The privacy rule under HIPAA necessitates that subjects be given the right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.
Using the data discovery capabilities of Endpoint DLP Plus, all managed computers within the network can be quickly scanned for healthcare-related information, covering both archived and recently added data. Separating ePHI from the numerous other forms of information on endpoints increases data awareness, so that critical data is prioritized and better protected; it also means that when subjects exercise their right of access or request a copy of their PHI documents, the relevant records can be identified and retrieved easily.
To find specific types of PHI efficiently, Endpoint DLP Plus also provides advanced data classification capabilities. For optimal safety, the documents that should be found and classified are those that contain HIPAA identifiers constituting personally identifiable information (PII), and also those that include potentially sensitive markers such as FDA-recognized drugs, names of pharmaceutical companies, and diagnosis codes from the International Classification of Diseases (ICD) index.
Endpoint DLP Plus provides myriad pre-defined templates that enable the swift identification and categorization of the following identifiers:
Other pertinent information covered by HIPAA, such as patient names, addresses, and terms related to diagnosis, treatment, medical prescriptions and device numbers, can also be classified in Endpoint DLP Plus by creating custom templates built on mechanisms such as keyword search, RegEx and document matching. Once the relevant data is identified, it is continuously monitored; any attempted disclosure of sensitive items can be stopped, and admins as well as users can be notified immediately.
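As an added illustration (not Endpoint DLP Plus code, whose templates are not shown on this page), the snippet below sketches a RegEx-plus-keyword classifier of the kind described: it flags ICD-10-style diagnosis codes and a few illustrative drug and clinical keywords, and requires corroborating context before labelling a document as ePHI so that code-shaped tokens such as room numbers are not misclassified. The keyword lists and sample documents are constructed for this example.

```python
import re
from dataclasses import dataclass

# ICD-10-style diagnosis code: one letter, two digits, optional dot plus up to
# four alphanumerics (e.g. E11.9, A00, Z99.89).
ICD10_CODE = re.compile(r"\b[A-Z][0-9]{2}(?:\.[0-9A-Z]{1,4})?\b")

# Short illustrative keyword lists (constructed for this example; a real
# template would carry full drug and diagnosis vocabularies).
DRUG_KEYWORDS = {"metformin", "lisinopril", "atorvastatin", "insulin"}
CLINICAL_KEYWORDS = {"diagnosis", "prescription", "patient", "treatment"}


@dataclass
class Classification:
    label: str            # "ePHI", "review" or "public"
    icd_codes: list
    drug_hits: list
    clinical_hits: list


def classify_document(text: str) -> Classification:
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    icd = sorted(set(ICD10_CODE.findall(text)))
    drugs = sorted(DRUG_KEYWORDS & words)
    clinical = sorted(CLINICAL_KEYWORDS & words)
    # Decision rule: a lone code-shaped token (e.g. a room number) is not
    # enough on its own; require two independent kinds of evidence for ePHI,
    # and route single hits to human review instead of silently dropping them.
    if (icd and clinical) or (drugs and clinical) or (icd and drugs):
        label = "ePHI"
    elif icd or drugs or clinical:
        label = "review"
    else:
        label = "public"
    return Classification(label, icd, drugs, clinical)


# Constructed sample documents: a clinical note, an office memo whose room
# number looks like an ICD code, and a harmless newsletter.
DOCS = {
    "discharge_note": "Patient seen for follow-up. Diagnosis: E11.9, type 2 diabetes. Prescription: metformin 500 mg.",
    "facilities_memo": "Meeting room A12 is booked until 3 pm; see the Q3 budget.",
    "newsletter": "The cafeteria menu for next week is attached.",
}


def classify_all(docs=DOCS) -> dict:
    return {name: classify_document(text).label for name, text in docs.items()}


if __name__ == "__main__":
    for name, text in DOCS.items():
        print(name, classify_document(text))
```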
The security rule of HIPAA requires that organizations ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the ePHI; and protect against reasonably anticipated, impermissible uses or disclosures. Endpoint DLP Plus is a powerful endpoint data loss prevention tool that aids administrators in deploying extensive policies that mitigate the risk of internal threats and prevent disclosure of critical PHI through the following exit routes: cloud, email, peripheral devices, social media and messaging software, and copy/paste clipboard actions.
With Endpoint DLP Plus, users are prohibited from uploading files containing HIPAA-related identifiers or ePHI to third-party cloud services or web domains not authorized by the administrator. If a website, cloud application or browser is insecure, prohibiting users from transferring PHI to it prevents unauthorized actors from accessing, stealing or tampering with sensitive content through hidden exploits.
Administrators can, at their discretion, permit only certain email domains or addresses to receive PHI content, such as Outlook addresses belonging to law firms, health insurance companies or users they know to be authorized to handle healthcare information. By default, users are blocked from sending attachments or content to all other email addresses, preemptively blocking leakage of information via mail.
The data containerization scheme within Endpoint DLP Plus allows admins to label certain applications as trusted and they can also confine ePHI to these applications only. If users try to copy and paste information from trusted apps to unverified ones like SNS software, they will be immediately stopped.
To prevent the leakage of healthcare information via built-in and external peripheral devices such as USB drives or even printers, admins can label specific devices as trusted and allow only those to access PHI on a need-to-know basis. This prevents users from transferring large volumes of sensitive data to devices and also stops them from printing physical copies without permission.
All user actions are logged and continuously monitored. Any attempted policy infraction is immediately stopped, and relevant parties such as IT administrators and technicians are notified. Audit data is compiled and made available for analysis so that gaps within policies can be closed and suspicious users can be found and scrutinized, ensuring optimal data confidentiality and proactive neutralization of insider threats.
Disclaimer:
Fully complying with HIPAA requires a variety of solutions, processes, people, and technologies. As mentioned above, endpoint security and management serves as the foundation for complying with HIPAA. Together with other appropriate solutions, processes, and people, endpoint management not only helps reinforce your IT security but also helps prevent data breaches. This material is provided for informational purposes only and should not be considered legal advice for HIPAA compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.