CASE STUDY

Medical Billing Company Strengthens Security and HIPAA Compliance with Spirion

About Medical Billing Services Providers

Hospitals, physicians, laboratories, and other healthcare providers contract with medical billing service companies to process, submit, and follow up on health insurance claims on their behalf. If a claim is denied, the billing company submits appeals to receive payment for the services that have been rendered. Their services help clients get paid more promptly, ensure compliant collections processes, and let clients focus on what they do best: managing their patients' healthcare.

"After scanning a single server and one laptop, our team [with Spirion] was able to identify how much PHI was stored, where, who owned the documents, and how the owners could secure the PHI."

–CISO, Medical Billing Services Company 

Challenge 

After a competitor suffered a data breach that resulted in a $5 million lawsuit settlement, a leading healthcare billing services provider determined that it had similar gaps in its own data security posture. The breach occurred when an employee laptop was stolen that contained patients' Protected Health Information (PHI), including patient names, addresses, Social Security numbers, and medical billing and financial account information. The billing company realized that it could easily have been breached in the same way.

As an entity that collects, stores, and processes sensitive patient health information, the company is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law lays out three rules for protecting patient health information, covering Privacy, Security, and Breach Notification. 

The company also needed to maintain compliance with HITECH (Health Information Technology for Economic and Clinical Health), an act designed to urge healthcare authorities to implement electronic health records (EHRs) and to incentivize healthcare organizations to maintain patients' protected health information in electronic format instead of paper files.

To ensure compliance with HIPAA and HITECH, and, more importantly, to maintain the trust that their clients and their patients have placed in them, the billing company knew it needed to do more to protect patient data. As a result, executive management mandated an enterprise-wide audit of their sensitive data to include employee desktops and laptops, servers, and emails. 

The company has a large multi-domain network spanning five operating locations worldwide, with more than 200 telecommuting users. They faced numerous challenges in establishing guidelines for PHI loss prevention, including: 

  • Determining where unsecured PHI lies inside the network of servers, desktops, email, and storage 
  • Knowing which groups worked with the PHI and how to engage them to design and develop procedures 
  • Enforcing internal procedures for maintaining secured PHI  
  • Ensuring regular internal audits are performed to minimize PHI leakage

Solution 

The company required a solution that could deploy quickly, support laptop discovery, and deliver reports from all endpoints in the enterprise. They engaged in a Proof of Concept (POC) with Spirion Sensitive Data Platform (SDP) to evaluate the solution's ability to:

  • Discover PHI in office and text documents, zip files, archives, and scanned PDF documents 
  • Encrypt, redact, and delete files based on location and file type  
  • Prompt a laptop owner to review and fix any PHI issues, such as a Social Security number on a spreadsheet that needs to be deleted
  • Collect data centrally for reporting that could be used to define a PHI data loss prevention process  
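As an added illustration (not Spirion's code), the discovery step the POC bullets describe can be reduced to a small scanner: walk a directory tree, flag Social Security number patterns in text and CSV files and inside zip archives, and return hit counts per location for central reporting. All file names and contents below are constructed sample data; the SSN validity rules (area not 000, 666 or 9xx; group not 00; serial not 0000) are the public structural rules, not a Spirion detail.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# SSN structural rules: area 001-899 excluding 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
TEXT_SUFFIXES = {".txt", ".csv", ".log"}


def count_ssns(data: bytes) -> int:
    """Count SSN-format matches in a file body; undecodable bytes are ignored."""
    return len(SSN_RE.findall(data.decode("utf-8", errors="ignore")))


def scan_tree(root: str) -> dict[str, int]:
    """Map each location holding SSN-like data to its hit count.

    Text files are scanned directly; zip archives are opened and their text
    members scanned, keyed as 'archive.zip!member/path'.
    """
    hits: dict[str, int] = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        if path.suffix.lower() in TEXT_SUFFIXES:
            if n := count_ssns(path.read_bytes()):
                hits[rel] = n
        elif zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for member in zf.infolist():
                    if member.is_dir() or Path(member.filename).suffix.lower() not in TEXT_SUFFIXES:
                        continue
                    if n := count_ssns(zf.read(member)):
                        hits[f"{rel}!{member.filename}"] = n
    return hits


def demo() -> dict[str, int]:
    """Build a constructed sample tree (two real-format SSNs plus one invalid
    000-area value in a CSV, a clean note, one SSN inside a zip) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "billing").mkdir()
        (Path(root) / "billing" / "claims.csv").write_text(
            "patient,ssn\nA Example,123-45-6789\nB Example,000-12-3456\nC Example,219-09-9999\n")
        (Path(root) / "billing" / "notes.txt").write_text("Claim denied, appeal filed 2023-01-15.\n")
        with zipfile.ZipFile(Path(root) / "archive.zip", "w") as zf:
            zf.writestr("old/intake.txt", "SSN on file: 321-54-9876\n")
            zf.writestr("old/readme.txt", "no identifiers here\n")
        return scan_tree(root)
```

Running `demo()` reports the CSV with 2 hits (the 000-area value is rejected) and the zip member with 1, while the note and the clean archive member produce no entry.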

After scanning a single server and a single laptop, the team was able to identify how much PHI was stored, where it was, who owned the documents, and how the owners could secure it.    

Based on the successful POC, they decided to implement Spirion Sensitive Data Platform (SDP). The software was quickly deployed and provided an inventory of enterprise PHI data on all servers, laptops, emails, and storage, including converted paper records that were stored as PDFs. The inventory was crucial for the team to engage different groups and determine the right processes for protecting PHI internally. They were able to deliver a complete solution to meet their internal PHI data loss prevention mandate due to Spirion SDP's abilities to:

  • Scan all networked drives, servers, laptops and removable media to discover and classify PHI data  
  • Identify PHI data from scanned documents   
  • Minimize locations where PHI data is stored 
  • Automatically scan their internal network to protect PHI and report on improper behavior 

Results 

With the implementation of Spirion SDP, the team met their objectives to create an ongoing program to discover, classify, and protect sensitive data across the enterprise — even for remote workers. Through the centralized reporting and control Spirion provides, they have empowered end users to remediate issues and enforce usage policies. The company can now be confident that its data is properly protected and compliant, and it has reduced the risk of a breach that would endanger the sensitive data that clients and patients have entrusted to it.