This month's Q&A is a security-related question that we often hear while working closely with healthcare organizations.
Certain types of information, such as ePHI and other sensitive organizational data, need to be protected more strictly than standard data types. What technical controls should I implement to enhance the protection of this data, and how can I find out where this data is in my environment?
Ultimately, an organization must know the storage locations and data flows of ePHI and other sensitive data before it can implement the technical controls necessary to protect that data. Most organizations consider ePHI and other sensitive data to be everywhere in the environment. These data types should be protected using additional security controls such as full disk encryption, secure communication methods, and strict access controls. Audit logging on systems that contain these data types must be configured to capture all access attempts and actions that occur on these elements. For example, implementing access control lists or firewalls between network segments to create security zones allows an organization to restrict access to only authorized workforce members.
Finally, an organization can use automated tools such as a data loss prevention solution that includes data discovery functionality to understand where ePHI and other sensitive data lives and how it traverses the network infrastructure. This type of solution can help reduce the hours required to perform these actions manually.
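As an added illustration of the data-discovery step (example code written for this post, not part of any DLP product), the script below walks a directory tree and reports files containing identifiers shaped like an SSN or a medical record number; the sample files, the `MRN:` label format, and the two detector patterns are constructed assumptions, and a real discovery tool would use far richer detectors and context checks to limit false positives.

```python
"""Minimal ePHI data-discovery scan over a file tree (added example)."""
import os
import re
import shutil
import tempfile

# Constructed detector patterns. The SSN pattern rejects the invalid area
# (000, 666, 9xx), group (00) and serial (0000) ranges to cut false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),  # assumed label format
}

def scan_text(text):
    """Return {label: match_count} for every detector that fires on one document."""
    hits = {}
    for label, rx in PATTERNS.items():
        count = len(rx.findall(text))
        if count:
            hits[label] = count
    return hits

def scan_tree(root, max_bytes=1_000_000):
    """Walk root and return {relative_path: {label: count}} for files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(max_bytes)  # bound memory on large files
            except OSError:
                continue  # unreadable file: skip, a real tool would log this
            hits = scan_text(text)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Build a constructed sample tree, scan it, clean up, and return the findings."""
    samples = {  # constructed sample content, not real patient data
        "billing/claims.csv": "patient,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n",
        "notes/visit.txt": "MRN: 00451234 seen today; follow up in 2 weeks.\n",
        "readme.txt": "No identifiers here. Test value 000-12-3456 is not a valid SSN.\n",
    }
    root = tempfile.mkdtemp()
    try:
        for rel, content in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

The output is a list of locations to feed into the inventory that the access-control, encryption, and audit-logging decisions above depend on.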