Healthcare - Identify Stray Protected Health Information

Criminals know the value of protected health information (PHI), so they focus on attacking healthcare organizations around the world. This is not a new phenomenon, and it is getting worse. According to a recent Verizon report, healthcare is the industry with the third-largest number of data breaches reported in 2020. Underscoring the magnitude of the problem, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published an advisory in October 2020 highlighting the increased emphasis cybercriminals are placing on healthcare.

What are the effects of PHI breaches?

These breaches have myriad impacts on patients, physicians, clinical staff, IT, administration, and everyone else involved in healthcare. It is hard to quantify exactly the consequences of these incidents, which range from impacts on patient care to identity theft, extortion, loss of trust, and regulatory action. One estimate, using HHS data, put the impact of PHI breaches to healthcare organizations in the US at $13.2 billion annually in 2020. Unsettlingly, human error is at the top of the list of causes. This may not be surprising, especially given the intense pressure people working in healthcare have been under during the COVID-19 pandemic.

Application sprawl and complexity

Adding fuel to the fire, the proliferation of application silos adds complexity to an already unwieldy system. In healthcare, it is common to see hundreds and even thousands of applications running in a single provider organization. This, coupled with the external factors of relentless stress and a global health emergency, makes it vital to automate the tracking and identification of PHI. There are too many sources of PHI, and too many systems to process and store it, each with its own configuration idiosyncrasies and best practices, to trust that all PHI is properly protected and accounted for. Much like anti-virus software has become ubiquitous for its ability to provide continuous monitoring and remediation, keeping PHI safe requires tools that automate that process.

Data privacy requirements

Looking at data privacy regulations, there are four core requirements:

  • Classification of what types of information are being stored
  • Mapping of where personal and sensitive data is stored
  • Servicing of data subject access requests, so when someone asks for their data that request can be honored in a timely fashion
  • Compliance and reporting of compliance status to auditors and other stakeholders

In healthcare, mapping is particularly important when it comes to identifying "stray PHI," which is PHI that is stored outside of the locations designated for it. This is a growing problem fed by the complexity in the healthcare application ecosystem described above. Having an incomplete picture of where PHI is stored, and who can access it, is a preventable risk that fortunately has an easy solution.

How can NetApp Cloud Data Sense help you?

Cloud Data Sense helps healthcare organizations comply with data privacy regulations by identifying PHI in both structured and unstructured environments as well as automating compliance processes. With Cloud Data Sense you can discover potential data risks, automate data governance tasks to identify cost savings opportunities, assist with data migration projects, empower data privacy and compliance teams, and give them the ability to generate data protection impact analysis reports. You can protect your organization from compliance risk by ensuring sensitive data is stored where you want it, as you integrate data governance with compliance protection.

Cloud Data Sense gives enterprise-wide, real-time insight into how much data you have, where it lives, what the activity levels are on that data, which of the datasets contain sensitive information, and what permissions are allowed on the data. With that insight, Cloud Data Sense users can make better decisions on where they want their data stored, tiered, or archived; they can do a better job of defining and implementing retention and governance policies; and they can move quickly and easily to protect the organization from risk of loss and compliance breach. Cloud Data Sense sets a new standard for executing your organization's data governance and privacy programs, powered by built-in AI-driven privacy controls.

Does Cloud Data Sense work only in the cloud?

As part of NetApp's overarching cloud strategy, Cloud Data Sense works in the cloud and on-premises. No matter where your data is stored, you can keep track of and secure your PHI.

Cloud Data Sense can be deployed on premises or in the cloud and connects directly to:

  • Cloud Volumes ONTAP
    • For AWS, Azure, and Google Cloud
  • Azure NetApp Files
  • Amazon S3 buckets
  • On-premises storage
    • Any NFS or SMB file share
  • SnapMirror® data protection volumes
  • StorageGRID
  • OneDrive
  • Structured data sources
    • MongoDB, PostgreSQL, MySQL, Oracle, SAP HANA, and MSSQL databases

What makes Cloud Data Sense unique?

  • Higher accuracy
    • Advanced NLP and AI enable complex PHI and context detection
  • Lower costs
    • Automatic classification has lower TCO compared to manual classification rules
  • A single pane of glass
    • Both structured and unstructured, cloud and on-premises
    • All from one vendor
  • Zero configuration
    • Quick, agentless, no-hassle solution
    • Set it and forget it

Does Cloud Data Sense look like something that could help you improve your security and compliance posture? Schedule a demo to learn more.