our best practice guide

Transcription

our best practice guide
Realization of Regulatory Compliance
within Commercial Healthcare
Clearswift Best Practice Guidance
for Critical Information Protection
November 2015
‘When one size can fit most’
CRITICAL INFORMATION PROTECTION. Competitive advantage for
Commercial Healthcare
Table of Contents
Executive Summary3
Data Loss Evolution4
Directives, Regulations and Standards4
Regulation Interpretation5
Data Field Applicability to Multiple Regulations5
Examples of PII, PCI and PHI Policies6
Adaptive Data Loss Prevention Adoption – Best Practices7
Strategic Alignment8
Report Notes:8
Crisis Management8
Planning8
Response9
Key Message Preparation9
Summary9
02
Appendix A: Hitech Act Compliance
10
Appendix B: Proposed Safe Harbor Reform
10
Appendix C: Data Fields Aligned to Obligated Regulations
12
Appendix D: Real-time ‘Stream Processing’ architecture schematics
14
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Executive Summary
The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the
opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others
is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations
of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.
Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script
kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical
information from an organization. Today a further shift and re-focus has now been accepted by organizations and market
analysts, that ‘insider’ attacks are more prevalent than previously believed, making up over 65% of critical information loss.
Objective
This report provides an overview of the regulations that
commercial healthcare organizations particularly within
the US and UK, are / will be obliged to enforce compliance
either immediately or within the 2015-2017 timeframe.
In addition, best proactive implementation strategies are
recommended to ensure maximum data protection and
minimum business impact, whilst positively impacting
non-US operations
Situation Analysis
The primary regulations that commercial healthcare
organizations have to comply with by law include Safe
Harbor , European Data Protection Directive, HIPAA,
HITECH Act, PCI-DSS and EPCA (if using ISP service
providers). These regulations require the ability to
process, store and secure the communication of Personal
Identifiable Information (PII), Protected Health Information
(PHI) and Payment Card Industry (PCI) sensitive data to be
handled in accordance with the appropriate regulation(s)
Straightforward Strategy
The aim is to be able to comply with all six regulations
without the need to build extensive and resource intensive
separate policy groups. PCI-DSS, HIPAA and EU Data
Protection regulations would have individual policies, whilst
the data fields for Safe Harbor, HITECH Act and EPCA, can
be met with the policies from the other 3 regulations
03
Methodology
A progressive enforcement strategy ensures that
organizations can make calculated decisions for the
enforcement or monitoring for all incoming, outgoing and
internal sensitive data. This strategy allows each of the
different business units to experience the effects of policy
enforcement whilst in monitor mode. The implementation
of work-flow actions, allows line-management to experience
approval requests when the requisite adaptive and
proactive solution, implemented to protect critical
information, identifies a possible policy violation that
if ‘authorized’, requires 2nd level authorization by the
sender’s management.
Implement malware detection techniques immediately, as
a first line of defence. PII, PHI and PCI compliance polices
need to be developed and integrated into all areas where
the information is found and used, including email, web,
social and cloud collaboration applications. Minimize
resource overheads and the complexity of operational
management around compliance policies, but keep them
distinct. Execution of the policies must be managed as
part of the progressive enforcement strategy.
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Data Loss Evolution
Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script
kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical
information from an organization. Today a further shift and re-focus has now been accepted by organizations and market
analysts, that ‘insider’ attacks are more prevalent than previously believed, making up over 65%3 of critical information loss.
With the insider attack there are both malicious and inadvertent attacks that occur, although both have the same result of
critical information falling into unauthorised hands. Around 73%4 of incidents are through inadvertent information sharing.
Dealing with this ‘everyday’ problem has the added benefit of dealing with the malicious insider who is trying to steal
information from the organization, as well as the inadvertent loss.
Known threats are complex and precise allowing the attacker to either execute in isolation or as part of an advanced attack:.
Threat
Information Type/Action
Critical Data Leakage to the Internet
Everything from PCI, PHI, PII, IP, M&A and more
Accidental Disclosures
Email content, cloud/web app data, doc revisions,
Phishing, big data, cross dept. disclosures
Advanced Threats
Active malicious code for immediate / delayed execution
Social Networks
Social engineering, defamatory content, active links
The assault on information comes from a new set of attack vectors, most common is the use of documents, attachments,
embedded executables, etc. to inadvertently or maliciously steal critical information or deliver malware
Directives, Regulations and Standards
This drive requires commercial healthcare organizations to honor their commitment to maintain a secure infrastructure for the
various genres of information/data that the global organization accumulates for primary and secondary processing purposes.
The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the
opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is
realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores,
distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.
The primary regulations5 that need to be complied with by law are outlined in Table 1. The evolution of the current European
Data Protection Directive in the European Union is due to be superseded in 2015/20162, becoming law within 2 years (~2017).
This document aims to enable commercial healthcare organizations to establish a position of compliance of the new EU General
Data Protection Regulation (EUGDPR) during the timeframe of compliance, without the need to revisit the old ‘directive’ that may
create an opportunity to be non-compliant and visible to the FTC, ICO and other regulatory organizations6.
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
Source: Forrester Business Technographics Global Security Survey, 2014
4
Source: Enemy Within Report, Clearswift, January 2015
5
For the purpose of this paper ‘Regulation(s) will refer to all directives, regulations and standards
6
F TC, ICO and other regulatory organizations. Federal Trade Commission (US), Information Commissioners Office (UK), Federal and regional
regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc.
2
3
04
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Table 1 - Primary Regulations
Regulation5
Data Included
Regulation Revision
Planned
Primary Region Focus
Safe Harbor
(See Appendix B)
PII, PHI
Yes (2015 - 2017)
US - Europe
US - Switzerland
EU Data Protection
Directive 1998
PII
Yes (2015 - 2016)
28 EU Member States
HIPAA
PHI
No
US
HITECH Act7
PHI
No
US
PCI-DSS
PCI
3.2 due 2016
Worldwide
Electronic Communications
Privacy Act
PII, PHI, PCI
No
US
Regulation Interpretation
Addressing the rash of regulations that global commercial healthcare organizations need to be compliant could appear to be
overwhelming and unmanageable. Approaching the regulations from a ‘One Size Can Fit Most’ approach reveals that many
of the regulations outlined in Table 1 overlap each other, so aligning the approach to the regulation with the highest level of
commonality minimizes repetition whilst assuring protection across all obligatory data genres
A combination of senior management support, realistic planning, employee awareness, staged rollout and an automated
technology solution can dispel the myths and beliefs that compliance is unachievable and resource intensive
Data Field Applicability to Multiple Regulations
Table 3 represents an analysis of the data fields required to achieve compliance of the regulations described in Table 2
(Regulation Legend). An extensive table of the data fields analysed can be found in Appendix C.
The interpretation of Table 3 conveys:
•Organizations would be able to comply with Safe Harbor (1), HITECH Act (4) and EPCA (6), without the need to build
individual policies as all data fields for these regulations can be met with the policies for the other 3 regulations
•A set of policies aligned to the European General Data Protection Regulation (PII) would cover 46 data fields
and also enable compliance for a small number of other data fields for other regulations
•A set of policies aligned to HIPAA (PHI) would cover 12 data fields and also enable compliance for a small
number of other data fields for other regulations
• A standard set of policies aligned to PCI-DSS (PCI) would cover all of the data fields for PCI compliance
7
05
See Appendix A for requirements for compliance with Hitech Act for primary care providers and pharmacies
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Table 2 – Regulation Legend
Identifier
Regulation
Data Included
1
Safe Harbor
PII, PHI
2
EU Data Protection Directive 1998
PII
3
HIPAA
PHI
4
HITECH Act
PHI
5
PCI-DSS
PCI
6
Electronic Communications Privacy Act
PII, PHI, PCI
Table 3 – Analysis of primary regulations to be enforced
Identifier Label
Regulation
2
3
PCI
5
Grand Total
7
7
PHI
2
5
7
PII
33
1
34
PII, PHI
11
6
17
Grand Total of Data Fields
46
12
7
65
Examples of PII, PCI and PHI Policies
The schematics found within Appendix D provide an overview of the simplicity of building and operating the ‘Mail Policy Route’
that outlines the stages that are executed akin to a real-time ‘Stream Processing’ architecture. In addition examples of the
tokens and policies for PII (2), PHI (3) and PCI-DSS(5) are also provided. Although it would be architecturally easy to combine
all lexical expressions required for PII, PHI and PCI into a single policy, Clearswift would advise against this due to the on-going
maintenance and exception checking as part of normal day to day activities. The policies will be built so that the Clearswift
Adaptive-Data Loss Prevention technologies can analyse and identify specific content that meets the regulatory requirements.
The policies will also apply differing levels of contextualization to ensure that a correct match is identified. The mixture of
content and contextualization ensures that false positives are minimized.
Clearswift’s unique Adaptive Redaction features; text redaction; meta-data redaction and active content redaction, ensures that
organizations are able to operationally differentiate between ‘out of context’ and/or unintentional content sharing exceptions
where only the expression is redacted, allowing the remaining content to proceed to the receiver, minimizing false positives and
business interruptions; and also intentional unauthorized collaboration into or out of a network for sensitive and active content
(Advanced Persistent Threats - APT)
06
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Adaptive DLP Adoption – Best Practices
Clearswifts approach to the implementation of data loss prevention technologies has been developed over the past 20 years
to ensure that commercial healthcare organizations are in a position of awareness, control and remediation during all stages
of planning, implementation and operational management of the architecture.
Planning & Operations
The historical and on-going practice of engaging external consultancies to analyse and implement DLP solutions would not
enrich personnel with the advanced upskills necessary to enable them to maintain the architecture for on-going maintenance,
upgrades and integration. These perceived mandatory data loss prevention engagements require management to maintain
excessive on-going DLP budgets for operational maintenance, rather than enhancements to mitigate future data loss threats.
Clearswift has proven that an effective adaptive data loss prevention operation can be undertaken with the knowledge and
skills of existing personnel and implementation support engagement from Clearswift and any preferred reseller partner.
Initial Evaluation
DLP does not require excessive periods of upfront analysis to provide visibility of probable data loss exceptions.
Adaptive DLP Task
Elapsed Days
Identify a dedicated business unit or team to focus on the initial Proof of Concept
1
Identify a list of lexical expressions or pre-built tokens for policy enforcement
2
Implement an Email A-DLP product into the SMTP flow (In-Stream or Side-Car)
1
Initiate the A-DLP product in ‘Monitor’ mode against the target individual(s)/team(s)
1
Adjust and add policies into the A-DLP product during POC
14
Total Days to Review A-DLP Effectiveness
19 (3 weeks)
The 19 days totalled above would be a maximum period as all days are deemed as processing sequentially, whereas in reality
the first 4 tasks could be reduced to 2 days and the POC period (task 5) reduced to a shorter period based on initial results.
On-going Operational Usage
Operational implementations of DLP are not a ‘One Size For All’ or require extensive policies to cover every eventuality
approach. Existing DLP implementations operate on a negative ROI, with any presupposed value coming from ‘Cost Mitigation’
in the event of a breach. Clearswift have found from existing A-DLP clients that a positive ROI and business contribution can
be achieved if clients ensure that they utilize a flow of policy implementations dependent on the approach that the business
requires and immediacy of regulatory compliance. Each organization should review the different DLP enforcement flows.
Progressive Enforcement
Progressive enforcement ensures that businesses can achieve a rapid risk reduction whilst making calculated decisions
for the enforcement or monitoring for all incoming, outgoing and internal sensitive data. This strategy allows each different
business unit to experience the effects of policy enforcement whilst in monitoring mode. A progressive strategy will ensure
that new policies can be run in monitoring mode, alongside similar policies that are actively enforcing data movement.
The implementation of workflow actions, allows line-management to experience approval requests when the Clearswift
A-DLP solution identifies a possible policy violation that requires 2nd level authorization by the sender’s management, before
proceeding to the intended recipient.
07
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Clearswift believe that from previous implementations, should organizations approach their regulatory compliance utilizing
Clearswift Adaptive-Data Loss Prevention solutions, with the progressive enforcement strategy, they would achieve:
• 100% immediate visibility of policy enforcement effects, prior to execution
• <80% reduction in known or projected false positives in the first 12 months
• <100% alignment to enforced regulations and compliance in the first 12 months
• 100% immediate visibility of data breach mitigation by department and/or individual
• <50%> immediate decrease in the amount of time it takes to resolve quarantine/breach issues
•100% return on investment calculated against tangible savings and mitigated data breaches using
industry enforced penalties, reputational damages and increased employee security awareness.
Strategic Alignment
Executing the Clearswift best practice adoption for regulatory compliance in conjunction with Clearswift Adaptive Data
Loss Prevention solutions, will ensure that a commercial healthcare organization’s obligation to conform to global regulatory
compliance, maintains the maximum simplicity of implementation superseding the complexity of the regulations, allowing
the business to focus on continuous operational growth with the knowledge that the organization is compliant with the most
stringent regulations. This alignment protects all stakeholders from malicious and unintentional data loss, increases employee
security awareness, therefore mitigating the financial and reputational penalties incurred by organizations that have not taken
a pro-active position.
Crisis Management
This document is focused on the progressive implementation for protection of critical and sensitive data and does not
specifically cover any guidance on Crisis Management. It is essential that moving forwards, organizations should always plan
for the ‘unforseen’ event and review their crisis management processes, so they are able to react positively and minimize the
effect to their business. A few areas of reflection have been included below:
Planning
Crisis prevention, at its best, is the organizational equivalent of a medical full body scan.
• Crisis Document Audit — A simple review of existing client documents related to crisis preparedness and response, such
as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written
evaluation with recommendations for improvement.
•Executive Session Vulnerability Audit — The executive team should undertake a series of educational and thoughtprovoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises.
•Comprehensive Vulnerability Audit — A series of interviews with employees at all levels of an organization, each conducted
in complete confidence, so that the interviewee feels comfortable disclosing information he/she might not otherwise discuss.
This is often complemented by interviews with representative members of key external audiences.
• Crisis Communications Plans — Based on some level of vulnerability audit, creation of a response structure and written
plan that will guide and optimize reaction to future crises. This includes ensuring there is close coordination between the
teams involved in the operational and communications aspects of crisis response.
•Disaster/Incident Response Planning and Training — Also based on a vulnerability audit, ensuring an organization
is prepared for the operational response to a crisis, complementing its crisis communications planning.
•Senior- and Mid-Level Staff Training About Crisis Management Fundamentals and Best Practices —
Prevention and/or response, from one-hour luncheon presentation to multi-day sessions.
•Media Training — Comprehensive instruction and practice on camera, enhancing spokespersons’ abilities to optimize results
from both “good news” and crisis-related interviews.
08
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Response
Using effective strategy and tactics to avoid, or at least minimize, the negative impact of pending or breaking crises. In essence,
fire-fighting. Crisis response addresses the needs not only of external stakeholders, but also of employees — because every
employee is a PR representative and crisis manager for your organization, whether you want them to be or not. Activities that
are a subset of crisis response include:
Key message preparation
•Preparation of draft and/or final versions of internal and external communications with all of a client’s important audiences,
including media (usually “behind the scenes” but on rare occasion serving as spokesperson for a client).
•Creation and/or coordination of Internet-based crisis-response activities, to include social media crisis management
(more on that later).
• On- or off-site oversight of client crisis response activities to the extent clients do not have specific capabilities in this area.
• Situation-specific media and presentation training.
•Close coordination with legal counsel when litigation or possible litigation is involved, to ensure all tactics
and messages are compatible with legal strategy.
Summary
Addressing the raft of regulations that global healthcare organizations need to be compliant with could appear to be
overwhelming and unmanageable. Approaching the regulations from a ‘where one size can fit most’ perspective reveals that
many of the regulations overlap each other, so aligning to the regulation with the highest level of commonality minimizes
repetition whilst assuring protection across all obligatory data genres.
Understanding the regulations and the types of information effected is critical to creating an effective protection strategy.
Further steps in the process include understanding of where the information is located, especially when it is extracted from
databases in the form of reports or in email, so this may be on laptops or mobile devices, or with partners who are part of the
value chain from supplier to citizen; enabled by the flow of information.
When this initial discovery work has been completed, then a technology solution strategy can be created to ensure that the
information remains safe at all times. New Adaptive Data Loss Prevention technologies can be used to ensure that critical
information is always protected, while enabling improved continuous collaboration.
For more details contact: info@clearswift.com or vist www.criticalinformationprotection.com
09
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Appendix A: Hitech Act Compliance
The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to
demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers
(EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and menu
set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs
must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.
Full list of the Core Requirements and a full list of the Menu Requirements.
Core Requirements:
1. Use computerized order entry for medication orders.
2. Implement drug-drug, drug-allergy checks.
3. Generate and transmit permissible prescriptions electronically.
4. Record demographics.
5. Maintain an up-to-date problem list of current and active diagnoses.
6. Maintain active medication list.
7. Maintain active medication allergy list.
8. Record and chart changes in vital signs.
9. Record smoking status for patients 13 years old or older.
10.Implement one clinical decision support rule.
11.Report ambulatory quality measures to CMS or the States.
12.Provide patients with an electronic copy of their health information upon request.
13.Provide clinical summaries to patients for each office visit.
14.Capability to exchange key clinical information electronically among providers and patient authorized entities.
15.Protect electronic health information (privacy & security)
Menu Requirements:
1. Implement drug-formulary checks.
2. Incorporate clinical lab-test results into certified EHR as structured data.
3.Generate lists of patients by specific conditions to use for quality improvement, reduction
of disparities, research, and outreach.
4. Send reminders to patients per patient preference for preventive/ follow-up care
5.Provide patients with timely electronic access to their health information
(including lab results, problem list, medication lists, allergies)
6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.
7. Perform medication reconciliation as relevant
8. Provide summary care record for transitions in care or referrals.
9. Capability to submit electronic data to immunization registries and actual submission.
10.Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.
Appendix B: Proposed Safe Harbor Reform
The following reform has been proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015
‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question
whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The
Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict
the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.
10
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
On Oct. 15, 2015, the Article 29 Working Party (the Working Party) – the umbrella organization that encompasses the Data
Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The Working Party
confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016,
the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s
statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.
The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working
Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on:
• Oversight of access by public authorities;
• Transparency;
• Proportionality;
• Redress mechanisms; and
• Data protection rights.
These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the
criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may
start taking all actions that they may deem necessary, including coordinated enforcement actions.
EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US
government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU
citizens whose data transfers to US online service providers was made possible by these providers’ self-certified Safe Harbor
compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe
Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council
Safe Harbor reforms consisting of the following 13 requirements:
• Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language.
•The privacy policies of self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor
website that lists all current Safe Harbor-compliant companies.
•Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts
they enter into with subcontractors.
•The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe
Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data
that has been received under Safe Harbor.
•Safe Harbor-compliant companies’ websites should include a link in their privacy policies to either or both of the companies’
chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary
immediately in case of data privacy or security problems.
• ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor.
•The Department of Commerce should monitor ADR providers more systematically regarding the transparency and
accessibility of information they provide about their procedures and the follow-up they give to complaints (including the
publication of findings of non-compliance as a mandatory sanction for non-compliance).
•Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject
to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.
•Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company
should be subject to a follow-up investigation after one year.
•The Department of Commerce should inform the competent EU data protection authority of any doubts or pending
complaints about a company’s compliance.
• False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.
•Privacy policies of self-certified companies should include information on the extent to which US law allows public
authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies
exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.
•A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary
or proportionate to the protection of national security.
11
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Appendix C: Data Fields Aligned to Obligated Regulations
Identifier
Regulation
Data Included
1
Safe Harbor
PII, PHI
2
EU Data Protection Directive 1998
PII
3
HIPAA
PHI
4
HITECH Act
PHI
5
PCI-DSS
PCI
6
Electronic Communications Privacy Act
PII, PHI, PCI
Data Field
12
Data Type
Regulation (s)
Minimum Regulation
Required
Address
PII, PHI
1, 2, 3, 4, 6
2
Birth Date
PII, PHI
1, 2, 3, 4, 6
2
Residential Phone Number
PII, PHI
1, 2, 3, 4, 6
2
Mobile Phone Number
PHI
1, 2, 3, 4, 6
2
Fax Numbers
PII, PHI
1, 2, 3, 4, 6
2
Electronic Mail Addresses
PII
1, 2, 3, 4, 6
2
Social Security Numbers
PII, PHI
1, 2, 3, 4, 6
2
Bank Accounts Numbers
PII
1, 2, 3, 5, 6
2
Certificate/ License Numbers
PII
1, 2, 6
2
Vehicle Identifiers and Serial Numbers,
Including License Plate Numbers
PII
1, 2, 6
2
Device Identifiers and Serial Numbers
PII
1, 2, 6
2
Web Universal Resource Locators (URLs)
PII
1, 2, 6
2
Internet Protocol (IP) Address Numbers
PII
1, 2, 6
2
Biometric Identifiers, Including Finger and Voice Prints
PII, PHI
1, 2, 3, 4, 6
2
Full Face Photographic Image and/or Comparable Images
PII, PHI
1, 2, 3, 4, 6
2
Tattoos
PII, PHI
1, 2, 3, 4, 6
2
Gang Affiliation
PII
1, 2, 6
2
National Insurance Number
PII
1, 2, 3, 4, 6
2
Email Address (Private)
PII, PHI
1, 2, 3, 4, 6
2
Email Address (Work)
PII, PHI
1, 2, 3, 4, 6
2
Police Report
PII
1, 2, 3, 4, 6
2
Crime Report Number
PII
1, 2, 3, 4, 6
2
Medical Record
PHI
1, 2, 3, 4, 6
2
Mental (state)
PII, PHI
1, 2, 3, 4, 6
3
Photographs
PII
1, 2, 6
2
Social Media Identifier
PII
1, 2, 6
2
Political Alignment
PII
1, 2, 6
2
Social Media Posts
PII
1, 2, 6
2
Nationality
PII
1, 2, 6
2
Nationalism
PII
1, 2, 6
2
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Appendix C: Data Fields Aligned to Obligated Regulations cont.
Data Field
13
Data Type
Regulation (s)
Minimum Regulation
Required
Ethnicity
PII
1, 2, 6
2
Race
PII
1, 2, 6
2
Religion
PII
1, 2, 6
2
Aesthetics
PII
1, 2, 6
2
Social Class
PII
1, 2, 6
2
Language (spoken)
PII
1, 2, 6
2
Generation
PII
1, 2, 6
2
Locality
PII
1, 2, 6
2
GIS
PII
1, 2, 6
2
Tag (human attached)
PII
1, 2, 6
2
Job Role
PII
1, 2, 6
2
Employee Number
PII
1, 2, 6
2
Pension Account Number
PII
1, 2, 6
2
Life Insurance Number
PII
1, 2, 6
2
School Name
PII
1, 2, 6
2
401K Number
PII
1, 2, 6
2
Name
PII, PHI
1, 2, 3, 4, 5, 6
2
Date of Death
PII, PHI
1, 2, 3, 4, 6
3
Admission Date
PHI
3, 4, 6
3
Discharge Date
PHI
3, 4, 6
3
Medical Record Numbers
PHI
3, 4, 6
3
Health Plan Beneficiary Numbers
PHI
3, 4, 6
3
Height
PII, PHI
3, 4, 6
3
Weight
PII, PHI
1, 2, 3, 4, 6
3
Gender
PII, PHI
1, 2, 3, 4, 6
3
Sexual Orientation
PII
1, 2, 3, 4, 6
3
Age
PII, PHI
1, 2, 3, 4, 6
3
Images (medical)
PHI
1, 2, 3, 4, 6
3
Primary Account Number (PAN)
PCI
1, 2, 3, 4, 5, 6
5
Cardholder Name
PCI
1, 2, 3, 4, 5, 6
5
Expiration Date
PCI
1, 2, 3, 4, 5, 6
5
Service Code
PCI
5, 6
5
Full Track Data
PCI
5, 6
5
CAV2/ CVC2/ CVV2/ CID
PCI
5, 6
5
PINs/ PIN Blocks
PCI
5, 6
5
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Appendix D: Real-time ‘Stream Processing’ architecture schematics
Mail Policy Route
PCI Lexical Expression Policy
14
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
PII Lexical Expression Policy
PHI (HIPAA) Lexical Expression Policy
15
Realization of Regulatory Compliance within Commercial Healthcare | October 2015
www.clearswift.com
Clearswift is trusted by organizations globally to protect their critical
information, giving them the freedom to securely collaborate and drive
business growth. Our unique technology supports a straightforward and
‘adaptive’ data loss prevention solution, avoiding the risk of business
interruption and enabling organizations to have 100% visibility of their
critical information 100% of the time.
As a global organization, Clearswift has headquarters in the United States,
Europe, Australia and Japan, with an extensive partner network of more
than 900 resellers across the globe.
United Kingdom
Clearswift Ltd
1310 Waterside
Arlington Business Park
Theale
Reading, RG7 4SA
UK
Germany
Clearswift GmbH
Im Mediapark 8
Cologne D-50670
Germany
United States
Clearswift Corporation
309 Fellowship Road
Suite 200
Mount Laurel, NJ 08054
UNITED STATES
Japan
Clearswift K.K
Shinjuku Park Tower N30th Floor
3-7-1 Nishi-Shinjuku
Tokyo 163-1030
JAPAN
www.criticalinformationprotection.com | © Clearswift 2015
Australia
Clearswift (Asia/Pacific) Pty Ltd
Level 17
40 Mount Street
North Sydney
New South Wales, 2060
AUSTRALIA