Meeting Data-at-Rest Discovery and Classification Requirements for HIPAA HITECH Act Compliance
HIPAA legislation requires Health Care providers, Health Plans, Health Care Clearinghouses, and those who carry out tasks on their behalf to handle personal healthcare data responsibly and securely.
Two key pieces of US Federal legislation define security compliance requirements for healthcare providers to protect data at rest:
HIPAA – The US Health Insurance Portability and Accountability Act (HIPAA) of 1996. The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, auditing and monitoring of ePHI information. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of a HIPAA encryption strategy. It also mandates that breaches of unsecured protected health information are reported.
HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act – enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act then expands the compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. Finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.
Spirion provides a solution to help organizations discover, classify, monitor and respond in order to meet HIPAA Security Rule and HITECH compliance requirements transparently – without changes to operational processes and the daily work of healthcare professionals. Spirion provides technical safeguards to automatically identify and classify electronic protected health information with an easy-to-deploy, centrally managed solution that integrates with your existing security infrastructure. Spirion’s open APIs allow integrations with your existing DLP tools, encryption software, data-archiving and storage solutions offered by leading technology providers such as Symantec, Intel Security and others to help increase the benefits from existing spend on these data security solutions.
Spirion Key features
Search everywhere and identify with zero false positives
- Reliable discovery results with industry leading accuracy and precision
- Searches local/shared/removable drives, cloud storage, e-mail servers, databases, web servers, SharePoint sites, Windows/Mac/Linux workstations, web sites and file servers.
- Searches within all file types, structured and unstructured – Office files, text, images, scanned images, e-mail messages and attachments, archives, deleted files, Outlook archives, and compressed files.
Classify results persistently
- Classifies sensitive data by category and priority to amplify the need for administrators and/or data owners to manage and protect results. Embed classifications directly into files.
Secure unprotected information
- Secures results using a file shredder (based on DoD standard), redaction, encryption, or quarantine to a safe location.
Monitor and manage data operations centrally
- Identifies unprotected results as compared to what employees have already secured for trending analysis.
- Notifies data owners automatically.
- Empowers employees to sanitize their data environment and monitors their progress with automated alerts and notifications without the extra staff burden.
Make employees part of the process
- Give employees access to classification add-ons in popular collaboration suites such as MS Office and Adobe Acrobat.
Highly scalable, flexible and secure architecture
- Highly scalable, open architecture that accommodates the growth of staff, processes and information across the enterprise.
- Enables organizations to scale and grow by providing the ability to orchestrate administrative and compliance processes consistently and globally.
- Integrates with Active Directory to simplify policy designation and group reporting.
- Within an hour start seeing sensitive data results.
- Within a day create an inventory of sensitive data on all systems.
- Within a week implement a data loss prevention strategy for continuous data protection.