One of the most recent cases of a data breach comes from what, on the surface, may appear to be an unlikely source – powerpoint charts derived from ePHI-rich source data, embedded in a professional presentation, posted on the websites of two medical associations, by one of the world’s leading cancer centers, Memorial-Sloan Kettering. See the full story here.
While that may seem like a complicated “it cannot happen to us” scenario, think again. How many of your esteemed clinicians conduct research, present, and publish? Not so many? Let’s try another scenario then. How many of your employees create, access, use, manipulate, analyze, or transmit ePHI to perform their duties? Have you implemented technical controls that prohibit your employees from moving ePHI from what may be fortified assets to less fortified assets, like a USB drive or workstation hard drive? In our ten years, we have not met a client yet that is not struggling to understand just how distributed ePHI has become in their environment and gain control over it.
The HIPAA Security Rule is clear – Covered Entities need to have control of their ePHI and safeguard it appropriately. To gain control, one has to know where it is first. For many, the challenge lies within unstructured data on employee workstations, file shares, portable media – documents, spreadsheets, databases that employees have created. Such is the story with Memorial-Sloan Kettering. But it could very likely be your organization’s story too.
Manual efforts to locate ePHI across the enterprise are fraught with inefficiency and inaccuracy. As introduced in this follow up article, Data Loss Prevention (DLP) solutions cannot only help organizations effectively discover ePHI across the enterprise but enforce rules and policies to prevent data loss and data leakage.
For nearly three years, CynergisTek has offered clients a structured and affordable way to discovery ePHI across the enterprise and measure data loss/data breach risk by monitoring data-in-motion for a defined period of time. Contact us for more information or to request a quote for this service.