Safeguarding and Monitoring Data Transmission

March 1, 2007

For most healthcare institutions, navigating the path to HIPAA compliance regarding data security can be like navigating your living room without the lights on. You generally know where your furniture is located, but it still doesn’t stop you from feeling your way around so you don’t stub your toe or fall down completely. As the tools for safeguarding and monitoring private data leaving an enterprise come into existence while others are being redefined, compliance starts with illuminating the movement of the data in order to truly safeguard against breaches.

For Kuakini Health System (KHS), protecting confidential information is a very important organizational commitment requiring tools to aid in the actualization of their data protection policies. KHS in Honolulu is made up of Kuakini Medical Center, Kuakini Support Services Inc. and Kuakini Foundation. Combined, Kuakini’s healthcare facilities have over 350 beds and more than 1,100 employees with nearly 700 of them potentially dealing with confidential patient and employee information on a daily basis.

KHS Information Management (IM) manager Ron Uno has been with Kuakini for 25 years, starting as a programmer and becoming IM manager five years ago. In order to comply with HIPAA regulations, Uno and KHS President and CEO Gary Kajiwara began researching possible data protection hardware and software in the fall of 2005. “As far as our internal network is concerned, we are well protected with our internal firewalls, but with data leaving the network we had no real system in place,” says Uno. “We’ve all been watching some of the security breaches happening at other facilities around the country and we didn’t want to become a statistic.”

According to Uno, HIPAA compliance was a primary driver, but there were other security issues KHS wanted to address at the same time. He explained that the areas where large amounts of data are being moved around include Payroll and Human Resources. “Most of our sensitive data is patient oriented such as names, financial numbers, birth dates and identification numbers, but we also wanted to address the protection of the same type of employee data,” says Uno. “At the time, we had no way of monitoring outgoing e-mail, let alone blocking outgoing data automatically.”

Searching for the Right Solution
PortAuthority Technologies of Palo Alto, Calif., approached KHS and made a formal presentation on its Information Leak Product (ILP), taking them through the software step by step. The PortAuthority ILP solution scans multiple forms of communication including company and Web e-mail (both outbound and internal) as well as printing end points, alerting administrators if those communications are determined to contain confidential information. “We were a little concerned with what at first appeared to be a significant learning curve with the technology, but the detailed demonstration showed that the software already had templates for the necessary policy management areas that we needed covered,” says Uno.

According to Uno, it is the system’s ability to invisibly tag all of the sensitive data within the enterprise databases via PortAuthority’s PreciseID technology that makes it a comprehensive solution. PreciseID targets confidential information and builds an information fingerprint: a mathematical representation of characters, words, sentences or data fields of the document, message or database that does not require tagging of the original data.

The information fingerprint is used in conjunction with other identification methods such as keywords, patterns, lexicons and regular expressions, so the monitoring portion of the system can watch for the transmission of sensitive data even if the information has been manipulated. “Every day we download information from our Hospital Information System (HIS) that includes patient demographic and financial data, and based on the policies that we write, the system compares the information leaving the organization with the HIS data, looking for any type of matches,” explains Uno.
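To make the fingerprint-plus-patterns approach described above concrete, here is a small Python sketch added to this article; it is not PortAuthority's code and uses no Kuakini data. Field values from a constructed HIS export are reduced to hashed word shingles (so the index holds digests, not the original values), each outgoing message is shingled the same way, and a record is flagged only when several of its fields co-occur in one message; regex and lexicon detectors run alongside. The record layout, the invented patients, the SSN-style pattern, the lexicon terms and the two-field threshold are all assumptions made for the example.

```python
"""Toy content-fingerprint matcher illustrating fingerprints plus patterns.

Everything here (record layout, sample records, messages, patterns,
thresholds) is constructed for illustration; it is not vendor code.
"""
import hashlib
import re

# Constructed stand-in for the daily HIS export of demographic and financial
# data mentioned in the article. These patients and numbers are invented.
HIS_RECORDS = [
    {"mrn": "MRN-0000123", "name": "Kenji Watanabe", "acct": "ACCT-88112233"},
    {"mrn": "MRN-0000456", "name": "Leilani Kahale", "acct": "ACCT-88119900"},
]

# Pattern and lexicon detectors, the second identification method the
# article lists beside fingerprints. Both are constructed examples.
PATTERNS = {"ssn_format": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
LEXICON = {"diagnosis", "hiv", "psychiatric"}

# Alert only when this many distinct fields of one record co-occur, so a
# bare first name or a lone number is not treated as a leak (assumed policy).
MIN_FIELDS = 2

WORD_RE = re.compile(r"[a-z0-9]+")


def normalize(text):
    """Lowercase alphanumeric tokens: case, punctuation and spacing changes
    made while copying a value do not alter the tokens."""
    return WORD_RE.findall(text.lower())


def shingles(tokens, k=2):
    """Word k-grams with tokens sorted inside each shingle, so 'Watanabe,
    Kenji' fingerprints the same as 'Kenji Watanabe'. A value of at most k
    tokens yields a single shingle."""
    if len(tokens) <= k:
        return {tuple(sorted(tokens))} if tokens else set()
    return {tuple(sorted(tokens[i:i + k])) for i in range(len(tokens) - k + 1)}


def digest(shingle):
    """Hash the shingle so the index stores digests, not the sensitive text."""
    return hashlib.sha256(" ".join(shingle).encode()).hexdigest()


def fingerprint_value(value):
    return {digest(s) for s in shingles(normalize(value))}


def build_index(records):
    """Map every field of every record to its set of shingle digests."""
    return [{f: fingerprint_value(v) for f, v in rec.items()} for rec in records]


def scan(message, index):
    """Return the findings for one outgoing message as (kind, key, detail)."""
    findings = []
    tokens = normalize(message)
    # Include 1-grams as well as 2-grams so single-token fields can match too.
    msg_digests = {digest(s) for k in (1, 2) for s in shingles(tokens, k)}

    # Fingerprint match: a field counts as present only when every one of its
    # shingles appears in the message; a record is reported when enough of
    # its fields are present together.
    for rec_no, fields in enumerate(index):
        hit = [f for f, digs in fields.items() if digs and digs <= msg_digests]
        if len(hit) >= MIN_FIELDS:
            findings.append(("fingerprint", rec_no, sorted(hit)))

    for name, rx in PATTERNS.items():
        for m in rx.finditer(message):
            findings.append(("pattern", name, m.group(0)))

    lex_hits = LEXICON & set(tokens)
    if lex_hits:
        findings.append(("lexicon", None, sorted(lex_hits)))
    return findings


def decide(findings, mode="alert"):
    """'alert' mirrors a notification-only rollout; 'block' would stop the
    message instead of just notifying the administrators."""
    if not findings:
        return "allow"
    return "alert" if mode == "alert" else "block"


if __name__ == "__main__":
    index = build_index(HIS_RECORDS)
    # Constructed outgoing messages; the second reorders the name, drops the
    # hyphen from the MRN and changes case, yet still matches record 0.
    for msg in [
        "Reminder: the cafeteria menu changes on Friday.",
        "Please update billing for WATANABE, Kenji (mrn 0000123); address attached.",
        "Employee SSN for payroll: 123-45-6789",
    ]:
        found = scan(msg, index)
        print(decide(found), found)
```

The co-occurrence threshold is the part worth dwelling on: matching on any single hashed value would make a common surname or a short number an alert, while requiring two fields of the same record ties the alert to a specific person's data. The regex detector catches formats that never appeared in the HIS export (an employee SSN in a payroll message, for instance), which is why pattern and lexicon rules run beside the fingerprint index rather than instead of it.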

Installation and Testing
In early 2006, Uno and Kajiwara made the decision to go with PortAuthority based on the comprehensiveness of the solution for their needs today as well as tomorrow. The installation process took several days, which mostly dealt with the wait for necessary hardware, as KHS had purchased their own IBM X Series server for enterprise applications before scheduling the PortAuthority 4.0 installation. “PortAuthority also scans outgoing e-mail attachments looking for sensitive data, which it will catch no matter what form it takes or how it has been manipulated. This means no one can hide sensitive data in attachments, or cut and paste information into a document without us being alerted,” explains Uno.

Uno and his department spent several more days running tests with mock data, then performed some minor tweaks with the policy identifications. Then, they went live to see what would show up. “We set up the platform for notification rather than blocking, and within the first week the system caught two incidents of outgoing sensitive data with one being a case of the sender not knowing that the data had been included,” says Uno.

Currently, and for the foreseeable future, only Uno and his technical support specialist Terri Hara are authorized to implement and receive alerts. “Terri was instrumental in setting up the policies with the product’s installer, while I primarily handled oversight in order to maintain control during the rollout phase,” says Uno.

With the ILP online at KHS for just under a year, there have been several more alerts that have safeguarded them from potential data breaches. These have primarily dealt with financial information rather than clinical information. Regardless of the type or frequency of alerts, Uno and his department remain proactive and test the system periodically by inputting mock data. In each instance, the ILP was able to catch the data transfer. “We are still in the early stages of using PortAuthority, and so far we haven’t had to put in additional policies, but we expect to add more as the enterprise changes and grows,” says Uno.

Following the Trail
Receiving the alerts regarding private information potentially leaving the enterprise is actually the first step in eliminating potential security leaks. Yet follow-up is equally important to determine the nature and reason for the data exchange by alerting and questioning the sender. If Uno deems the answer unsatisfactory according to data security policies, he brings the issue to the CEO for discussion and determination of the next course of action.

Uno conducts management level staff meetings where the IM department gives a report, and potential security breaches are discussed. This is intended to further drive home the point about how to deal with sensitive data according to KHS internal policies. “A significant part of prevention is actually making sure that people are aware that we are watching, so that they will be more careful and things don’t get to the level of an alert regarding potentially sensitive data security breaches,” says Uno.

Electronic data exchange is a primary avenue for potential security breaches, but printers and other endpoint devices present another area of concern. Uno plans to add an additional piece of available software from PortAuthority that can track, alert on and, if necessary, block any sensitive data being printed on any printer on the network. Uno sees the patient care floors as a particular area where this type of printing could happen, but stresses that it’s not about hampering the logical flow of information, but blocking the flow of unnecessary, or more importantly unauthorized, duplication of sensitive data. “Some employees might see that as ‘big brother,’ but our goal is to achieve 100 percent compliance with HIPAA and that isn’t possible unless we have a way to track the movement of all sensitive data in both electronic and printed forms. So, we’re really just trying to cover all of the bases,” says Uno.

Since the KHS purchase and installation of PortAuthority version 4.0, data protection in general and the company specifically have moved forward with even more comprehensive and “smart” technology upgrades. In order to maintain and even exceed HIPAA compliance in the future, KHS plans to upgrade to the PortAuthority 5.0 version some time this year.

As more light is shed on the potential solutions, practices and policies of data security, Uno expressed his thoughts on how end users and rule makers can keep up with changes without running into any problems in a dense regulatory world. “It is still a very difficult task for organizations and support groups who monitor and disseminate information on data protection relating to HIPAA because the regulations go far beyond e-mail transmissions, and therefore everyone must take a proactive approach in learning about and dealing with all areas of data protection within their enterprise and avoid dealing with leaks after the fact.”

For more information on Websense products,
www.rsleads.com/703ht-203