
CASE STUDY

Healthcare Services Company Protects Mobile Workforce PHI with Spirion

About the Company

Providing revenue activity management services to healthcare providers presents unique challenges for this company, which operates a multi-domain network spread over five locations around the world. That’s a lot of customer PHI in their care, and as one of their competitors found out, a breach of sensitive data could be very costly. Adding further complications, the company has more than 200 telecommuting users with mobile devices and an ongoing initiative to digitize paper records. They turned to Spirion to protect this vital information no matter where it lives.

Challenge 

A medical services company helps healthcare providers manage their revenue activities, including patient registration, insurance and benefit verification, medical treatment documentation and coding, and bill preparation and collections. Their customers include hospitals, community healthcare systems, medical centers, clinics, and affiliated physician practice groups.  

Because of HIPAA compliance, the company already had multiple secure systems and protocols to secure Protected Health Information (PHI) for their customers. When a competing billing services company experienced a data breach due to a stolen laptop, resulting in a $5M settlement, the focus on protecting PHI became even greater. The medical services company’s executive team mandated an internal audit for PHI and created a policy and procedures plan to further protect sensitive data within their network.

With a multi-domain network spanning five operating locations worldwide, more than 200 telecommuting users with mobile devices, and an ongoing initiative to digitize paper records through office MFPs, the company faced numerous challenges in establishing guidelines for PHI loss prevention, including:  

  • Determining where unsecured PHI lies inside the network of servers, desktops, email and storage.  
  • Knowing which groups worked with PHI and how to engage them to design and develop procedures.  
  • Enforcing internal procedures for maintaining secured PHI.  
  • Performing regular internal audits to minimize the risk of a PHI leak.

Solution 

The medical services company required a Data Security Posture Management (DSPM) solution that could deploy into the enterprise quickly, support laptops, and deliver reports from all endpoints in the enterprise. They engaged in a proof of concept with Spirion to evaluate the solution’s ability to:  

  • Discover PHI in office, text, and scanned documents; zip files; and archives. 
  • Encrypt, redact, and delete files based on location and file type.  
  • Prompt a laptop owner to review and fix any PHI issues, such as an SSN on a spreadsheet that needs to be redacted.
  • Collect data centrally for reporting that could be used to define a PHI loss prevention process.  

Spirion is the best in the world at accurate, automated, and continuous discovery, classification, and remediation of at-risk sensitive data. The company was impressed with Spirion’s Privacy-Grade™ capabilities that offered the ability to continuously find any sensitive data type anywhere it resides and automate protections around it.

Results 

After only a few hours of scanning one server and laptop, the company identified the quantity of PHI, where it was stored, the owners, and how to secure it.  

Their POC stage laid the groundwork for enterprise deployment, as Spirion’s packaged install fit seamlessly into their software deployment process. Within just a few days, the Spirion DSPM solution was live and provided an inventory of enterprise PHI on all servers, laptops, emails, and storage, including converted paper records. The reports were crucial for the company’s team to engage different groups and determine the right processes for protecting PHI internally. The medical services company, which its customers trusted to protect extremely sensitive data, was able to deliver a complete solution to meet an internal PHI loss prevention mandate due to Spirion’s abilities to:

  • Productively scan all networked drives, servers, laptops, and removable media to discover and classify PHI. 
  • Identify PHI from scanned documents.  
  • Minimize locations where PHI is stored. 
  • Automatically scan the company’s internal network to protect PHI and report on improper behavior. 

Thanks to Spirion’s DSPM solution, this medical services company was able to find every single byte of unknown data, then classify and remediate it for seamless compliance and client protection. Spirion also provided the best return for their security dollar. After implementing the Privacy-Grade™ capabilities, the rest of their existing data protection investments all worked better.