The healthcare market has been generating much attention lately. Everyone from individuals to corporate executives is focused on the changes and provisions as they relate to health insurance.
Well, almost everyone. The information security professionals in the healthcare industry are still focused on data security and how to best protect sensitive patient records from exposure through data breaches. Since 2009, there have been more than 700 breaches of unsecured protected health information affecting 500 or more individuals. Unintended data exposure is likely to continue as more healthcare service providers transform their paper-based records into digital form in order to qualify for Medicare/Medicaid payment incentives.
The exposure of Protected Health Information (PHI) and especially detailed electronic health records (EHRs) is a serious concern. According to Larry Ponemon, president of the Ponemon Institute, “All of the evidence suggests that a healthcare record is in fact much, much more valuable than a financial record. It can be used for financial ID theft crimes, or a medical ID theft or both. It provides a dossier of personal information so bad guys can do more and better stuff like create passports, and visas, and because they have physical characteristics as well as information, it’s a big deal. And I see in a number of our studies that it is substantially more valuable than other types of records.”
Protect only what’s important
When it comes to protecting sensitive files from loss or theft, many healthcare providers are taking a sledgehammer approach: full disk encryption of the hard drives where files are stored. While this is a vast improvement over storing PHI in the clear, it’s a pretty generalized and expensive approach to a specific kind of problem.
In the healthcare arena and other industries as well, only specific files must be protected; not everything on the hard disk is considered sensitive. What’s more, full disk encryption may not protect sensitive files when they leave the originating organization or circulate among colleagues. For example, when hospitals have to send confidential patient files to local doctors, they have no idea who actually has access to the files in the doctors’ offices. This is a big problem in the face of patient privacy laws.
Covertix is attacking this problem from a different angle. Rather than taking the tack of “encrypt everything,” Covertix simply assigns permanent security to a company’s most sensitive files. An analogy the company makes is that full disk encryption is like guarding the gate, whereas the Covertix solution is like assigning a bodyguard to any type of file where the bodyguard never leaves its post. This approach allows organizations to confidently send sensitive private information knowing that only the intended recipients can have access to it.
Covertix is one of many Information Rights Management (IRM) companies. Microsoft’s suite of IRM tools will provide similar protections for Office Documents. EMC’s Documentum IRM is another such set of tools.
Covertix has developed technology it calls SmartCipher. The technology attaches a set of user-defined policies to any type of file, including digital diagnostic images and even videos. The policies stay with the file for life, no matter how it is transmitted, where it goes, or where it is stored—inside or outside of the originating organization. The policies allow the file to be shared among colleagues or third-parties with confidence and control by setting who can do things like open, view, edit, print, and copy from or paste to the file.
SmartCipher permits 22 types of activities that can be monitored and controlled after the file leaves the originating organization. What’s more, use of the file can be tied to a specific domain, location, device and/or context, and there are unique watermarks for each person who views the file.
Protection is embedded into the file
The Covertix technology embeds a small 16k set of policies in any type of file. Even though the original file is now “genetically modified,” it can still travel under the radar of antivirus programs so that it’s not considered to be a Trojan horse or malicious file. When the file is sent to an authorized third-party recipient and the person tries to use it, the allowable uses and privileges about the file itself are defined within this set of policies.
For instance, a medical lab could simply attach a secure file containing test results to an email message and only the authorized recipient – perhaps the patient or his doctor – could view the file based on the policy.
Hospitals occasionally have an issue with famous or wealthy patients that come into the hospital and expect their sensitive files to be protected against prying eyes. There have been instances where hospital staff snooped through the files of famous patients and then turned around and sold the information to the tabloids. Covertix’s solutions prevent those occurrences from happening and keep the hospital out of the limelight and out of the courtroom.
Implementation options
To protect files using Covertix’s solutions, administrators can select the best way to implement IT policy—whether it would be by creating rules for specific users, groups of users, keywords found in the data or domain names. The file protection process is transparent to the file creator; the attributes are simply assigned without any intervention on the user’s part.
Covertix offers a hospital or a network of hospitals the ability to control and protect any type of file. Only authorized users can access the files according to specified policy embedded within the file, whereas unauthorized users cannot access the files at all. Covertix’s solutions prevent viewing/copying/pasting/printing any kind of file and the restrictions can be location specific. So for example if an authorized hospital employee wants to print a file pertaining to a patient who was admitted to that location, they can. But if they want to print the patient’s file from the hospital’s remote location, they cannot. Even if the file is stored in the cloud, the cloud provider cannot access the file.
Reduce exposure of sensitive data
Using Covertix in a healthcare setting can reduce the likelihood of exposure of sensitive data in the event of a breach. Suppose a medical facility’s laptop is lost or stolen, or a hacker breaks into a facility’s server. In these instances, the most sensitive files are locked down with the strength of encryption as well as the policies defined per file. Moreover, the policies are enforced on the files no matter where they go or who has authorization to accesses them.
Healthcare providers using this level of file security meet the requirements of both the Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, and the Health Insurance Portability and Accountability Act (HIPAA). With stiff penalties for violations of these laws, healthcare providers need to ensure strong protection for their most sensitive files.