Realization of Regulatory Compliance within Commercial Healthcare

Table of Contents

Executive Summary
Data Loss Evolution
Directives, Regulations and Standards
Regulation Interpretation
Data Field Applicability to Multiple Regulations
Examples of PII, PCI and PHI Policies
Adaptive Data Loss Prevention Adoption – Best Practices
Strategic Alignment
Crisis Management
Planning
Response
Key Message Preparation
Summary
Appendix A: Hitech Act Compliance
Appendix B: Proposed Safe Harbor Reform
Appendix C: Data Fields Aligned to Obligated Regulations
Appendix D: Real-time ‘Stream Processing’ architecture schematics

Executive Summary

The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc. Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has now been accepted by organizations and market analysts, that ‘insider’ attacks are more prevalent than previously believed, making up over 65% of critical information loss.

Objective

This report provides an overview of the regulations with which commercial healthcare organizations, particularly within the US and UK, are or will be obliged to comply, either immediately or within the 2015-2017 timeframe. In addition, best-practice proactive implementation strategies are recommended to ensure maximum data protection and minimum business impact, whilst positively impacting non-US operations.

Situation Analysis

The primary regulations that commercial healthcare organizations have to comply with by law include Safe Harbor, European Data Protection Directive, HIPAA, HITECH Act, PCI-DSS and EPCA (if using ISP service providers). These regulations require the ability to process, store and secure the communication of Personal Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Industry (PCI) sensitive data to be handled in accordance with the appropriate regulation(s).

Straightforward Strategy

The aim is to be able to comply with all six regulations without the need to build extensive and resource intensive separate policy groups. PCI-DSS, HIPAA and EU Data Protection regulations would have individual policies, whilst the data fields for Safe Harbor, HITECH Act and EPCA, can be met with the policies from the other 3 regulations.

Methodology

A progressive enforcement strategy ensures that organizations can make calculated decisions on the enforcement or monitoring of all incoming, outgoing and internal sensitive data. This strategy allows each of the different business units to experience the effects of policy enforcement whilst in monitor mode. The implementation of work-flow actions allows line-management to experience approval requests: when the adaptive and proactive solution implemented to protect critical information identifies a possible policy violation, releasing (‘authorizing’) that content requires 2nd level authorization by the sender’s management.

Implement malware detection techniques immediately, as a first line of defence. PII, PHI and PCI compliance policies need to be developed and integrated into all areas where the information is found and used, including email, web, social and cloud collaboration applications. Minimize resource overheads and the complexity of operational management around compliance policies, but keep them distinct. Execution of the policies must be managed as part of the progressive enforcement strategy.

Data Loss Evolution

Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has been accepted by organizations and market analysts: ‘insider’ attacks are more prevalent than previously believed, making up over 65% of critical information loss. Insider attacks are both malicious and inadvertent, although both have the same result of critical information falling into unauthorised hands. Around 73% of incidents are through inadvertent information sharing. Dealing with this ‘everyday’ problem has the added benefit of dealing with the malicious insider who is trying to steal information from the organization, as well as the inadvertent loss.

Known threats are complex and precise allowing the attacker to either execute in isolation or as part of an advanced attack:

Threat | Information Type/Action
Critical Data Leakage to the Internet | Everything from PCI, PHI, PII, IP, M&A and more
Accidental Disclosures | Email content, cloud/web app data, doc revisions, phishing, big data, cross-dept. disclosures
Advanced Threats | Active malicious code for immediate / delayed execution
Social Networks | Social engineering, defamatory content, active links

The assault on information comes from a new set of attack vectors, most common is the use of documents, attachments, embedded executables, etc. to inadvertently or maliciously steal critical information or deliver malware.

Directives, Regulations and Standards

This drive requires commercial healthcare organizations to honor their commitment to maintain a secure infrastructure for the various genres of information/data that the global organization accumulates for primary and secondary processing purposes.

The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.

The primary regulations that need to be complied with by law are outlined in Table 1. The current European Data Protection Directive in the European Union is due to be superseded in 2015/2016, becoming law within 2 years (~2017). This document aims to enable commercial healthcare organizations to establish a position of compliance with the new EU General Data Protection Regulation (EUGDPR) during the compliance timeframe, without the need to revisit the old ‘directive’, which may create an opportunity to be non-compliant and visible to the FTC, ICO and other regulatory organizations.

Image 1

Regulation Interpretation

Addressing the rash of regulations with which global commercial healthcare organizations need to be compliant could appear overwhelming and unmanageable. Approaching the regulations from a ‘One Size Can Fit Most’ perspective reveals that many of the regulations outlined in Table 1 overlap each other, so aligning the approach to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.

A combination of senior management support, realistic planning, employee awareness, staged rollout and an automated technology solution can dispel the myths and beliefs that compliance is unachievable and resource intensive.

Data Field Applicability to Multiple Regulations

Table 3 represents an analysis of the data fields required to achieve compliance of the regulations described in Table 2 (Regulation Legend). An extensive table of the data fields analysed can be found in Appendix C.

The interpretation of Table 3 conveys:
• Organizations would be able to comply with Safe Harbor (1), HITECH Act (4) and EPCA (6), without the need to build individual policies as all data fields for these regulations can be met with the policies for the other 3 regulations
• A set of policies aligned to the European General Data Protection Regulation (PII) would cover 46 data fields and also enable compliance for a small number of other data fields for other regulations
• A set of policies aligned to HIPAA (PHI) would cover 12 data fields and also enable compliance for a small number of other data fields for other regulations
• A standard set of policies aligned to PCI-DSS (PCI) would cover all of the data fields for PCI compliance

Image 2

Examples of PII, PCI and PHI Policies

The schematics found within Appendix D provide an overview of the simplicity of building and operating the ‘Mail Policy Route’, which outlines the stages that are executed akin to a real-time ‘Stream Processing’ architecture. In addition, examples of the tokens and policies for PII (2), PHI (3) and PCI-DSS (5) are also provided. Although it would be architecturally easy to combine all lexical expressions required for PII, PHI and PCI into a single policy, Clearswift would advise against this due to the on-going maintenance and exception checking required as part of normal day-to-day activities. The policies will be built so that the Clearswift Adaptive-Data Loss Prevention technologies can analyse and identify specific content that meets the regulatory requirements. The policies will also apply differing levels of contextualization to ensure that a correct match is identified. The mixture of content and contextualization ensures that false positives are minimized.

Clearswift’s unique Adaptive Redaction features (text redaction, meta-data redaction and active content redaction) allow organizations to differentiate operationally between two cases: ‘out of context’ and/or unintentional content-sharing exceptions, where only the offending expression is redacted and the remaining content proceeds to the receiver, minimizing false positives and business interruptions; and intentional unauthorized collaboration into or out of a network involving sensitive and active content (Advanced Persistent Threats, APT).

Adaptive DLP Adoption – Best Practices

Clearswift's approach to the implementation of data loss prevention technologies has been developed over the past 20 years to ensure that commercial healthcare organizations are in a position of awareness, control and remediation during all stages of planning, implementation and operational management of the architecture.

Planning & Operations

The historical and on-going practice of engaging external consultancies to analyse and implement DLP solutions does not equip personnel with the advanced skills necessary to maintain the architecture through on-going maintenance, upgrades and integration. These perceived mandatory data loss prevention engagements require management to maintain excessive on-going DLP budgets for operational maintenance, rather than for enhancements to mitigate future data loss threats. Clearswift has proven that an effective adaptive data loss prevention operation can be undertaken with the knowledge and skills of existing personnel, supported by implementation engagement from Clearswift and any preferred reseller partner.

Initial Evaluation

Image 3

DLP does not require excessive periods of upfront analysis to provide visibility of probable data loss exceptions.

The 19 days totalled above would be a maximum period as all days are deemed as processing sequentially, whereas in reality the first 4 tasks could be reduced to 2 days and the POC period (task 5) reduced to a shorter period based on initial results.

On-going Operational Usage

Operational implementations of DLP are neither a ‘One Size For All’ exercise nor one that requires extensive policies to cover every eventuality. Existing DLP implementations operate on a negative ROI, with any presupposed value coming from ‘Cost Mitigation’ in the event of a breach. Clearswift have found from existing A-DLP clients that a positive ROI and business contribution can be achieved if clients utilize a flow of policy implementations dependent on the approach the business requires and the immediacy of regulatory compliance. Each organization should review the different DLP enforcement flows.

Progressive Enforcement

Progressive enforcement ensures that businesses can achieve a rapid risk reduction whilst making calculated decisions for the enforcement or monitoring for all incoming, outgoing and internal sensitive data. This strategy allows each different business unit to experience the effects of policy enforcement whilst in monitoring mode. A progressive strategy will ensure that new policies can be run in monitoring mode, alongside similar policies that are actively enforcing data movement. The implementation of workflow actions, allows line-management to experience approval requests when the Clearswift A-DLP solution identifies a possible policy violation that requires 2nd level authorization by the sender’s management, before proceeding to the intended recipient.
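The policy separation, contextual matching and expression-level redaction described in the PII, PCI and PHI policies section, together with the monitor-versus-enforce flow and second-level approval hold described above, as an added illustration in Python. This is not Clearswift code and does not reflect its product's policy language; the regulation names, context terms, regular expressions, checksum validators and the hold/deliver dispositions are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check for payment card numbers; spaces and dashes are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def nhs_number_ok(candidate: str) -> bool:
    """UK NHS number mod-11 check digit (weights 10..2 over the first nine digits)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    check = (11 - sum(d * w for d, w in zip(digits[:9], range(10, 1, -1))) % 11) % 11
    return check != 10 and check == digits[9]

@dataclass(frozen=True)
class Policy:
    name: str                                # one distinct policy per regulation
    pattern: re.Pattern
    context_terms: Tuple[str, ...]           # a match counts only if one of these is nearby
    mode: str                                # "monitor" (log only) or "enforce" (redact + hold)
    validator: Optional[Callable[[str], bool]] = None
    window: int = 40                         # characters of context examined either side

# Hypothetical policy set for illustration; a real deployment carries many more expressions.
POLICIES = (
    Policy("PCI-DSS", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
           ("card", "visa", "mastercard", "cvv", "expir"), "enforce", luhn_ok),
    Policy("HIPAA-PHI", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
           ("nhs", "patient", "diagnos", "medical record"), "enforce", nhs_number_ok),
    Policy("GDPR-PII", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), (), "monitor"),
)

@dataclass
class Verdict:
    text: str                                # content as it will leave the gateway
    events: List[Tuple[str, str, str, str]] = field(default_factory=list)
    disposition: str = "deliver"             # or "hold_for_manager_approval"

def has_context(text: str, start: int, end: int, policy: Policy) -> bool:
    if not policy.context_terms:
        return True
    window = text[max(0, start - policy.window):end + policy.window].lower()
    return any(term in window for term in policy.context_terms)

def evaluate(text: str, policies=POLICIES) -> Verdict:
    hits = []
    for policy in policies:
        for m in policy.pattern.finditer(text):
            if policy.validator and not policy.validator(m.group()):
                continue                     # shaped like the token but fails its checksum
            if not has_context(text, m.start(), m.end(), policy):
                continue                     # out-of-context digits: treat as a false positive
            hits.append((m.start(), m.end(), policy, m.group()))
    verdict = Verdict(text)
    # Walk right-to-left so earlier offsets stay valid after each replacement.
    for start, end, policy, matched in sorted(hits, key=lambda h: h[0], reverse=True):
        if policy.mode == "enforce":
            # Only the expression is replaced; the rest of the message proceeds.
            verdict.text = verdict.text[:start] + f"[REDACTED {policy.name}]" + verdict.text[end:]
            verdict.disposition = "hold_for_manager_approval"   # 2nd-level sign-off
            verdict.events.append((policy.name, policy.mode, matched, "redacted"))
        else:
            verdict.events.append((policy.name, policy.mode, matched, "logged"))
    verdict.events.reverse()                 # report in document order
    return verdict

# Constructed sample message (industry test card number and NHS test number, not real data).
SAMPLE = (
    "Hi Sam, please charge the patient's card 4111 1111 1111 1111 (expiry 12/26) "
    "and file NHS number 943 476 5919 against the diagnosis. "
    "Order ref 1234567890123 is fine to share; reply to billing@example.org."
)
```

Running `evaluate(SAMPLE)` redacts the card and NHS numbers, holds the message for management approval, leaves the Luhn-failing order reference untouched and only logs the email address because that policy is still in monitor mode.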

Clearswift believe that from previous implementations, should organizations approach their regulatory compliance utilizing Clearswift Adaptive-Data Loss Prevention solutions, with the progressive enforcement strategy, they would achieve:

• 100% immediate visibility of policy enforcement effects, prior to execution

• <80% reduction in known or projected false positives in the first 12 months

• <100% alignment to enforced regulations and compliance in the first 12 months

• 100% immediate visibility of data breach mitigation by department and/or individual

• <50% immediate decrease in the amount of time it takes to resolve quarantine/breach issues

• 100% return on investment calculated against tangible savings and mitigated data breaches using industry enforced penalties, reputational damages and increased employee security awareness.

Strategic Alignment

Executing the Clearswift best practice adoption for regulatory compliance in conjunction with Clearswift Adaptive Data Loss Prevention solutions ensures that a commercial healthcare organization can meet its obligation to conform to global regulatory compliance with an implementation whose simplicity outweighs the complexity of the regulations, allowing the business to focus on continuous operational growth in the knowledge that the organization is compliant with the most stringent regulations. This alignment protects all stakeholders from malicious and unintentional data loss and increases employee security awareness, thereby mitigating the financial and reputational penalties incurred by organizations that have not taken a pro-active position.

Crisis Management

This document is focused on the progressive implementation of protection for critical and sensitive data and does not specifically cover any guidance on Crisis Management. It is essential that, moving forwards, organizations always plan for the ‘unforeseen’ event and review their crisis management processes, so they are able to react positively and minimize the effect on their business. A few areas of reflection have been included below:

Planning

Crisis prevention, at its best, is the organizational equivalent of a medical full body scan.

Crisis Document Audit — A simple review of existing client documents related to crisis preparedness and response, such as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written evaluation with recommendations for improvement.

Executive Session Vulnerability Audit — The executive team should undertake a series of educational and thought-provoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises.

Comprehensive Vulnerability Audit — A series of interviews with employees at all levels of an organization, each conducted in complete confidence, so that the interviewee feels comfortable disclosing information he/she might not otherwise discuss. This is often complemented by interviews with representative members of key external audiences.

Crisis Communications Plans — Based on some level of vulnerability audit, creation of a response structure and written plan that will guide and optimize reaction to future crises. This includes ensuring there is close coordination between the teams involved in the operational and communications aspects of crisis response.

Disaster/Incident Response Planning and Training — Also based on a vulnerability audit, ensuring an organization is prepared for the operational response to a crisis, complementing its crisis communications planning.

Senior- and Mid-Level Staff Training About Crisis Management Fundamentals and Best Practices — Prevention and/or response, from one-hour luncheon presentation to multi-day sessions.

Media Training — Comprehensive instruction and practice on camera, enhancing spokespersons’ abilities to optimize results from both “good news” and crisis-related interviews.

Response

Using effective strategy and tactics to avoid, or at least minimize, the negative impact of pending or breaking crises. In essence, fire-fighting. Crisis response addresses the needs not only of external stakeholders, but also of employees — because every employee is a PR representative and crisis manager for your organization, whether you want them to be or not. Activities that are a subset of crisis response include:

Key message preparation

• Preparation of draft and/or final versions of internal and external communications with all of a client’s important audiences, including media (usually “behind the scenes” but on rare occasion serving as spokesperson for a client).

• Creation and/or coordination of Internet-based crisis-response activities, to include social media crisis management (more on that later).

• On- or off-site oversight of client crisis response activities to the extent clients do not have specific capabilities in this area.

• Situation-specific media and presentation training.

• Close coordination with legal counsel when litigation or possible litigation is involved, to ensure all tactics and messages are compatible with legal strategy.

Summary

Addressing the raft of regulations that global healthcare organizations need to be compliant with could appear to be overwhelming and unmanageable. Approaching the regulations from a ‘where one size can fit most’ perspective reveals that many of the regulations overlap each other, so aligning to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.

Understanding the regulations and the types of information affected is critical to creating an effective protection strategy. Further steps in the process include understanding where the information is located, especially when it is extracted from databases in the form of reports or in email: it may then reside on laptops or mobile devices, or with partners who form part of the value chain from supplier to citizen, enabled by the flow of information.

When this initial discovery work has been completed, then a technology solution strategy can be created to ensure that the information remains safe at all times. New Adaptive Data Loss Prevention technologies can be used to ensure that critical information is always protected, while enabling improved continuous collaboration.

Appendix A: Hitech Act Compliance

The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.

The full list of the Core Requirements and the full list of the Menu Requirements follow.

Core Requirements:

1. Use computerized order entry for medication orders.

2. Implement drug-drug, drug-allergy checks.

3. Generate and transmit permissible prescriptions electronically.

4. Record demographics.

5. Maintain an up-to-date problem list of current and active diagnoses.

6. Maintain active medication list.

7. Maintain active medication allergy list.

8. Record and chart changes in vital signs.

9. Record smoking status for patients 13 years old or older.

10. Implement one clinical decision support rule.

11. Report ambulatory quality measures to CMS or the States.

12. Provide patients with an electronic copy of their health information upon request.

13. Provide clinical summaries to patients for each office visit.

14. Capability to exchange key clinical information electronically among providers and patient authorized entities.

15. Protect electronic health information (privacy & security).

Menu Requirements:

1. Implement drug-formulary checks.

2. Incorporate clinical lab-test results into certified EHR as structured data.

3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.

4. Send reminders to patients per patient preference for preventive/follow-up care.

5. Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies).

6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.

7. Perform medication reconciliation as relevant.

8. Provide summary care record for transitions in care or referrals.

9. Capability to submit electronic data to immunization registries and actual submission.

10. Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.

Appendix B: Proposed Safe Harbor Reform

The following reform has been proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015.

‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’

On Oct. 15, 2015, the Article 29 Working Party (the Working Party) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The Working Party confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016, the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on:

• Oversight of access by public authorities;

• Transparency;

• Proportionality;

• Redress mechanisms; and

• Data protection rights.

These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens whose data transfers to US online service providers was made possible by these providers’ self-certified Safe Harbor compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of the following 13 requirements:

• Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language.

• The privacy policies of self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor website that lists all current Safe Harbor-compliant companies.

• Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts they enter into with subcontractors.

• The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data that has been received under Safe Harbor.

• Safe Harbor-compliant companies’ websites should include a link in their privacy policies to either or both of the companies’ chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary immediately in case of data privacy or security problems.

• ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor.

• The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of information they provide about their procedures and the follow-up they give to complaints (including the publication of findings of non-compliance as a mandatory sanction for non-compliance).

• Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.

• Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company should be subject to a follow-up investigation after one year.

• The Department of Commerce should inform the competent EU data protection authority of any doubts or pending complaints about a company’s compliance.

• False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.

• Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.

• A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary or proportionate to the protection of national security.

Appendix C: Data Fields Aligned to Obligated Regulations

Image 4

Image 5

Appendix D: Real-time ‘Stream Processing’ architecture schematics

Image 6

Image 7
