Safeguarding Health Care Information- The Role of DLP
Health Care organizations collect and manage extremely sensitive information about individual patients and their practitioners. The information ranges from name and address to payment information and diagnoses. Since this is structured data, it is very easy to identify and target for theft. Patient and provider records are kept in an organized fashion with specific fields and defined record types in each field. Part of the difficulty with protecting these records comes from the fact that so many different people need to access it. Clerical staff needs to input records, medical providers need to review recent and historical case information.
Segmentation of Duty principles, in combination with very granular access rights, can provide an extremely secure barrier to preventing exfiltration of such patient and provider information. Let’s start with who needs access to what.
Clerical staff need to input patient information and send it to databases, but they do not need to receive information on diagnosis or payment details. Providers need to input and receive information on patient conditions, but they do not need information on payment or personal information. A good DLP system will be able to control which roles have access to what information. Going even further, a great system will be able to set policies based on sender and receiver clearance to have access to data.
The Information Security Enforcer provides the ability for health care organizations to create and enforce policies based on the specific role of each individual in the organization in combination with the specific information that they are permitted to use. This delivers tremendous accuracy and granularity of policies while ensuring that work will not be affected by inappropriate DLP controls.