Data Protection (Part V): Data Loss Prevention

Patient Data Loss as a Result of Ransomware Attack

FABEN Obstetrics and Gynecology was the victim of a ransomware attack that infected servers containing patient files from January 2007 through April 2017. A ransomware attack occurs when hackers gain access to a network, often encrypting files, and demand a sum of money for the return of files.
Although FABEN was able to restore much of their data, they failed to back up all of their data, resulting in the loss of some patient files. Files for patients who were seen between September 2014 and April 2017 were permanently deleted, affecting 6,092 patients. FABEN is currently conducting an investigation into the incident and affected individuals have been notified.

What is Data Loss Prevention (DLP)?

The Health Insurance Portability and Accountability Act (HIPAA) set forth industry standards for how protected health information (PHI) must be handled, mandating physical, technical, and administrative safeguards to protect PHI. As such, HHS guidance recommends that organizations back up their data, enabling organizations to have access to patient data, even when a breach occurs.

Data loss prevention (DLP) software plays an important role in the safeguarding of PHI. This software, once implemented, ensures that only authorized users have access to sensitive data, and that data is not lost or misused.

DLP software categorizes an organization’s data to identify which information is confidential or critical to business operations. Categorization priorities are determined either through a predefined policy pack, such as HIPAA, or by an organization’s policies. Once data has been categorized, the data loss prevention software is then able to detect violations and provide remediation alerts. The DLP software also encrypts sensitive data to prevent malicious or accidental sharing.
Data loss prevention software is also capable of filtering harmful data, monitoring and controlling endpoint activities (an endpoint is a device that connects to your internal network such as a laptop, smartphone, tablet, or a server in a data center), and monitoring data in the cloud.
DLP software identifies weaknesses in an organization’s data security practices, thus enabling incident response plans to be developed.  Lastly, in the event of a HIPAA audit, DLP software provides documentation demonstrating your “good faith effort” towards compliance.
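
The categorize, detect, and alert flow described above, sketched as an added example (not code from this article or from any DLP product). The policy pack patterns, the `clinic.example` domain, and all function and field names are assumptions made for illustration, and the sample data is constructed.

```python
import re
from collections import namedtuple

# Hypothetical policy pack (detector name -> pattern); not a vendor rule set.
HIPAA_PACK = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}
INTERNAL_DOMAINS = {"clinic.example"}  # assumed internal mail domain

# channel is "email", "usb" or "cloud_upload" in this sketch
Event = namedtuple("Event", "user channel destination encrypted content")

def classify(text):
    """Categorize text: return (label, {detector: match count})."""
    hits = {n: c for n, p in HIPAA_PACK.items() if (c := len(p.findall(text)))}
    return ("PHI" if hits else "unclassified"), hits

def is_external(event):
    if event.channel == "email":
        domain = event.destination.rsplit("@", 1)[-1].lower()
        return domain not in INTERNAL_DOMAINS
    return True  # removable media and cloud uploads leave the network

def evaluate(event):
    """Decide allow / alert / block; the result never echoes the PHI itself."""
    label, hits = classify(event.content)
    if label != "PHI" or not is_external(event):
        action = "allow"
    elif event.encrypted:
        action = "alert"   # PHI leaving, but protected: notify for review
    else:
        action = "block"   # PHI leaving in the clear: policy violation
    return {"user": event.user, "channel": event.channel, "label": label,
            "detectors": hits, "action": action}

# Constructed sample data, not real patient information.
NOTE = "Patient MRN: 00482913, DOB: 03/14/1982, SSN 123-45-6789. Follow up."
EVENTS = [
    Event("alice", "email", "billing@clinic.example", False, NOTE),
    Event("bob", "email", "friend@mail.example", False, NOTE),
    Event("carol", "cloud_upload", "backup-bucket", True, NOTE),
    Event("dave", "usb", "E:", False, "Staff lunch menu, ref 000-12-3456"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(evaluate(e))
```

The decision record carries only detector names and counts, so the alert stream does not become a second copy of the PHI it is meant to protect.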

Why Does My Practice Need Data Loss Prevention?

HIPAA requires organizations to safeguard PHI by controlling who has access to it, and by ensuring that those who need access can access the PHI with ease. Data loss prevention allows for both control and ease of access. DLP software safeguards PHI, and provides for data visibility and IP protection.

  • Safeguards PHI: DLP software identifies, classifies, and tags sensitive information, to protect and monitor PHI.
  • Data Visibility: allows organizations to track data on endpoints, networks, and the cloud. Data loss prevention software gives you the ability to see how individual users interact with your organization’s data.
  • IP Protection: DLP software is capable of identifying trade secrets and intellectual property to protect against exfiltration of the data.

In 2018, there were 503 data breach incidents in the healthcare industry, affecting a total of 15.1 million patients. Healthcare organizations remain the largest target for these types of breaches. Failure to implement a system that safeguards PHI, such as data loss prevention, can be detrimental to your practice and can leave you vulnerable to data breaches and cyberattacks.

This is Part V of the XI-part blog series.

Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the fifth of which is data loss prevention. (Each one of these XI HIPAA-outlined practices will be examined in its own article, labeled Part I-XI for your convenience. This current article is Part V of that XI-part series.)