Email DLP (Data Loss Prevention) for HIPAA Compliance
by Hoala Greevy, Founder and CEO of Paubox
Email DLP (Data Loss Prevention) is a strategy for making sure that end users do not send sensitive or critical information outside of a corporate network. The term can also be used to describe software that helps IT professionals control what data end users can transfer. It is included in Paubox Suite Premium.
Having the additional technical safeguard of a DLP solution can go hand-in-hand with administrative processes to ensure data protection from accidental or malicious release of protected health information (PHI).
Types of Data Loss Prevention software
Sometimes referred to as Data Leak Prevention, DLP products all work from the same core principle – using established business rules to identify sensitive information and prevent it from being shared without authorization.
How DLP products achieve this differs, and they can be grouped by the state the data is in:
- In-use: Actions at the endpoints
- In-motion: Moving over the network
- At-rest: When stored on a server (like cloud services) or drive
Of all the ways data can be accessed and transferred without authorization, email is by far one of the biggest risks. This is especially true for healthcare, with the push towards electronic health records (EHR) and interoperability.
Many healthcare organizations and third-party administrators (TPA) are sending hundreds of emails a day with sensitive content (such as personally identifiable information or financial information) as they collaborate to deliver health services.
While some email senders may use HIPAA compliant email encryption for data protection, there is still the risk that some information that should not be shared can be accidentally or maliciously sent. Having a good email DLP solution in place can help mitigate that risk and prevent data breaches.
Data Loss Prevention for Email
With a good email DLP solution possessing strong DLP features, business rules are created to classify and protect confidential and critical information. This prevents unauthorized end users from accidentally or maliciously emailing data whose disclosure could put the organization at risk.
For example, if a social security number (SSN) does not need to be disclosed to a third-party vendor that bills the health plan, a business rule could be created to identify an SSN in the body of an outgoing email and in its attachments.
If an employee then includes an SSN in an email, the email DLP software will identify the SSN when the message is sent, stop the confidential information from leaving, and quarantine the email for review by an administrator.
This type of safeguard is one a standard Gmail email address does not offer.
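As an added example (not Paubox's code or product logic), the following Python script applies the SSN rule just described to an outgoing message: it scans the body and any text attachments, treats an SSN hit as grounds to quarantine, and rejects number ranges the Social Security Administration never issues so that phone numbers and claim IDs are not flagged. The sender, recipient, SSN value and message content are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Candidate SSN: three digits, optional separator, two digits, optional separator, four digits.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list:
    """Return every plausible SSN found in a block of text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]

def scan_outbound(raw: bytes) -> dict:
    """Apply the 'no SSN leaves the organization' rule to a raw RFC 5322 message.
    Returns the action to take and where each hit was found ('body' or the attachment name)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Only text parts are inspected here; binary attachments such as PDF or DOCX
        # would need a text-extraction step first (assumed out of scope for this example).
        if part.get_content_maintype() != "text":
            continue
        location = part.get_filename() or "body"
        for ssn in find_ssns(part.get_content()):
            hits.append((location, ssn))
    return {"action": "quarantine" if hits else "deliver", "hits": hits}

def build_sample() -> bytes:
    """Constructed outgoing message: clean body, SSN hidden in a text attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example-clinic.test"   # constructed address
    msg["To"] = "claims@example-tpa.test"         # constructed address
    msg["Subject"] = "Claim 44812 attached"
    msg.set_content("Hi, see the attached claim. Call me at 808-555-0142.")
    msg.add_attachment("Patient: J. Doe\nSSN: 219-09-9999\n", filename="claim.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_outbound(build_sample()))
```

The phone number in the body is not reported because the regex requires a 3-2-4 digit grouping at word boundaries, and a hit in the attachment is enough to quarantine the whole message.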
Data Loss Prevention for HIPAA Compliance
DLP is not required for HIPAA compliance, but it can help prevent breaches and email data loss while being a core part of any compliance plan.
To maintain HIPAA compliance, organizations need to be sure they have the proper safeguards (Technical, Physical, Administrative) in place so PHI is secure and protected.
That means only authorized parties have access to patient data in order to carry out health-care-related services, from patient care and standard forms to collecting payments.
This includes policies that define what is appropriate to share and who has authorization to share PHI. DLP can help enforce those policies and limit accidental breaches in which an employee sends something they were not supposed to send.
While not necessarily a must-have, DLP is definitely worth considering for any organization that deals with PHI and other sensitive data on a regular basis.