
Realization of Regulatory Compliance within Commercial Healthcare Clearswift Best Practice Guidance for Critical Information Protection

‘When one size can fit most’

November 2015

CRITICAL INFORMATION PROTECTION. Competitive advantage for Commercial Healthcare


Table of Contents

Executive Summary 3

Data Loss Evolution 4

Directives, Regulations and Standards 4

Regulation Interpretation 5

Data Field Applicability to Multiple Regulations 5

Examples of PII, PCI and PHI Policies 6

Adaptive Data Loss Prevention Adoption – Best Practices 7

Strategic Alignment 8

Report Notes: 8

Crisis Management 8

Planning 8

Response 9

Key Message Preparation 9

Summary 9

Appendix A: Hitech Act Compliance 10

Appendix B: Proposed Safe Harbor Reform 10

Appendix C: Data Fields Aligned to Obligated Regulations 12

Appendix D: Real-time ‘Stream Processing’ architecture schematics 14

Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com02


Executive Summary

The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0 and mobile applications, amongst others, is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.

Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has been accepted by organizations and market analysts: ‘insider’ attacks are more prevalent than previously believed, making up over 65% of critical information loss.

Objective

This report provides an overview of the regulations that commercial healthcare organizations, particularly within the US and UK, are or will be obliged to comply with, either immediately or within the 2015-2017 timeframe. In addition, best proactive implementation strategies are recommended to ensure maximum data protection and minimum business impact, whilst positively impacting non-US operations.

Situation Analysis

The primary regulations that commercial healthcare organizations have to comply with by law include Safe Harbor, the European Data Protection Directive, HIPAA, the HITECH Act, PCI-DSS and ECPA (if using ISP service providers). These regulations require the ability to process, store and secure the communication of Personally Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Industry (PCI) sensitive data in accordance with the appropriate regulation(s).

Straightforward Strategy

The aim is to be able to comply with all six regulations without the need to build extensive and resource-intensive separate policy groups. PCI-DSS, HIPAA and the EU Data Protection regulations would have individual policies, whilst the data fields for Safe Harbor, the HITECH Act and ECPA can be met with the policies for the other three regulations.

Methodology

A progressive enforcement strategy ensures that organizations can make calculated decisions on the enforcement or monitoring of all incoming, outgoing and internal sensitive data. This strategy allows each of the different business units to experience the effects of policy enforcement whilst in monitor mode. The implementation of workflow actions allows line management to experience approval requests when the adaptive and proactive solution implemented to protect critical information identifies a possible policy violation that, if ‘authorized’, requires second-level authorization by the sender’s management.

Implement malware detection techniques immediately, as a first line of defence. PII, PHI and PCI compliance policies need to be developed and integrated into all areas where the information is found and used, including email, web, social and cloud collaboration applications. Minimize resource overheads and the complexity of operational management around compliance policies, but keep them distinct. Execution of the policies must be managed as part of the progressive enforcement strategy.


Data Loss Evolution

Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has been accepted by organizations and market analysts: ‘insider’ attacks are more prevalent than previously believed, making up over 65% [3] of critical information loss.

With the insider attack there are both malicious and inadvertent attacks that occur, although both have the same result of critical information falling into unauthorised hands. Around 73% [4] of incidents are through inadvertent information sharing. Dealing with this ‘everyday’ problem has the added benefit of dealing with the malicious insider who is trying to steal information from the organization, as well as the inadvertent loss.

Known threats are complex and precise, allowing the attacker to either execute in isolation or as part of an advanced attack. The assault on information comes from a new set of attack vectors; the most common is the use of documents, attachments, embedded executables, etc. to inadvertently or maliciously leak critical information or deliver malware.

Directives, Regulations and Standards

This drive requires commercial healthcare organizations to honor their commitment to maintain a secure infrastructure for the various genres of information/data that the global organization accumulates for primary and secondary processing purposes. The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0 and mobile applications, amongst others, is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.

The primary regulations [5] that need to be complied with by law are outlined in Table 1. The current European Data Protection Directive is due to be superseded in 2015/2016 [2], becoming law within 2 years (~2017). This document aims to enable commercial healthcare organizations to establish a position of compliance with the new EU General Data Protection Regulation (EU GDPR) during the compliance timeframe, without the need to revisit the old ‘directive’, which may create an opportunity to be non-compliant and visible to the FTC, ICO and other regulatory organizations [6].

Threat | Information Type/Action
Critical Data Leakage to the Internet | Everything from PCI, PHI, PII, IP, M&A and more
Accidental Disclosures | Email content, cloud/web app data, doc revisions, phishing, big data, cross-dept. disclosures
Advanced Threats | Active malicious code for immediate / delayed execution
Social Networks | Social engineering, defamatory content, active links

[2] http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
[3] Source: Forrester Business Technographics Global Security Survey, 2014
[4] Source: Enemy Within Report, Clearswift, January 2015
[5] For the purpose of this paper ‘Regulation(s)’ will refer to all directives, regulations and standards
[6] FTC, ICO and other regulatory organizations: Federal Trade Commission (US), Information Commissioner’s Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc.


Table 1 - Primary Regulations

Regulation [5] | Data Included | Regulation Revision Planned | Primary Region Focus
Safe Harbor (See Appendix B) | PII, PHI | Yes (2015 - 2017) | US - Europe, US - Switzerland
EU Data Protection Directive 1998 | PII | Yes (2015 - 2016) | 28 EU Member States
HIPAA | PHI | No | US
HITECH Act [7] | PHI | No | US
PCI-DSS | PCI | 3.2 due 2016 | Worldwide
Electronic Communications Privacy Act | PII, PHI, PCI | No | US

Regulation Interpretation

Addressing the rash of regulations that global commercial healthcare organizations need to comply with could appear overwhelming and unmanageable. Approaching the regulations from a ‘One Size Can Fit Most’ perspective reveals that many of the regulations outlined in Table 1 overlap each other, so aligning the approach to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.

A combination of senior management support, realistic planning, employee awareness, staged rollout and an automated technology solution can dispel the myths and beliefs that compliance is unachievable and resource intensive.

Data Field Applicability to Multiple Regulations

Table 3 represents an analysis of the data fields required to achieve compliance with the regulations described in Table 2 (Regulation Legend). An extensive table of the data fields analysed can be found in Appendix C.

The interpretation of Table 3 conveys:

• Organizations would be able to comply with Safe Harbor (1), the HITECH Act (4) and ECPA (6) without the need to build individual policies, as all data fields for these regulations can be met with the policies for the other three regulations.

• A set of policies aligned to the European General Data Protection Regulation (PII) would cover 46 data fields and also enable compliance for a small number of other data fields for other regulations.

• A set of policies aligned to HIPAA (PHI) would cover 12 data fields and also enable compliance for a small number of other data fields for other regulations.

• A standard set of policies aligned to PCI-DSS (PCI) would cover all of the data fields for PCI compliance.
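The ‘one size can fit most’ reasoning above is a set-cover check: build policy groups for the regulations that oblige the most data fields, then see which remaining regulations are left with no uncovered field. The following Python is an added example, not part of this paper and not Clearswift code; the data-field mapping is a small constructed sample in the spirit of Appendix C (the paper's 65-field table is not reproduced here), so the counts it produces are illustrative, not the paper's figures.

```python
"""Set-cover check behind the 'one size can fit most' approach.

Added example, not from the paper. The data fields below are a constructed
sample (not the 65 fields of Appendix C); regulation identifiers follow Table 2.
"""
from collections import defaultdict

# Regulation legend (Table 2): identifier -> name.
REGULATIONS = {
    1: "Safe Harbor",
    2: "EU Data Protection Directive 1998",
    3: "HIPAA",
    4: "HITECH Act",
    5: "PCI-DSS",
    6: "Electronic Communications Privacy Act",
}

# Constructed sample: data field -> (label, identifiers of regulations that require it).
SAMPLE_FIELDS = {
    "national_insurance_number": ("PII", {1, 2, 6}),
    "passport_number":           ("PII", {1, 2}),
    "email_address":             ("PII", {2, 6}),
    "date_of_birth":             ("PII, PHI", {1, 2, 3, 4, 6}),
    "medical_record_number":     ("PHI", {3, 4, 6}),
    "diagnosis_code":            ("PHI", {1, 3, 4}),
    "primary_account_number":    ("PCI", {5, 6}),
    "card_expiry_date":          ("PCI", {5}),
    "card_verification_value":   ("PCI", {5}),
}


def fields_required_by(fields, regulation):
    """All data fields a single regulation obliges the organization to protect."""
    return {name for name, (_, regs) in fields.items() if regulation in regs}


def coverage_gaps(fields, policy_regulations):
    """Map every regulation to the sorted list of its fields that NO policy group
    in `policy_regulations` would detect. An empty list means the regulation is
    met 'for free' by the chosen policy groups."""
    covered = set()
    for reg in policy_regulations:
        covered |= fields_required_by(fields, reg)
    return {reg: sorted(fields_required_by(fields, reg) - covered)
            for reg in REGULATIONS}


def regulations_met_for_free(fields, policy_regulations):
    """Identifiers of regulations outside `policy_regulations` whose fields are
    all covered anyway (the paper's Safe Harbor / HITECH / ECPA observation)."""
    gaps = coverage_gaps(fields, policy_regulations)
    return sorted(reg for reg, missing in gaps.items()
                  if reg not in policy_regulations and not missing)


def pivot_by_label(fields, policy_regulations):
    """Table 3 style pivot: label -> {policy regulation: field count}. Each field
    is counted once, under the first policy regulation (in the given order) that
    requires it, so the column totals add up to the number of distinct fields."""
    pivot = defaultdict(lambda: defaultdict(int))
    for name, (label, regs) in fields.items():
        for reg in policy_regulations:
            if reg in regs:
                pivot[label][reg] += 1
                break
    return {label: dict(counts) for label, counts in pivot.items()}


if __name__ == "__main__":
    chosen = [2, 3, 5]  # PII, PHI and PCI policy groups, as the paper recommends
    for reg, missing in coverage_gaps(SAMPLE_FIELDS, chosen).items():
        print(f"{REGULATIONS[reg]:40s} uncovered: {missing or 'none'}")
    print("met without their own policies:", regulations_met_for_free(SAMPLE_FIELDS, chosen))
    print("pivot:", pivot_by_label(SAMPLE_FIELDS, chosen))
```

Running `coverage_gaps` with a smaller choice such as `[2, 5]` shows the practical value: HIPAA, HITECH and ECPA each report `medical_record_number` (and HIPAA/HITECH also `diagnosis_code`) as uncovered, which is exactly the gap a PHI policy group closes.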

[7] See Appendix A for requirements for compliance with the HITECH Act for primary care providers and pharmacies


Table 3 – Analysis of primary regulations to be enforced (columns are the Table 2 identifiers of the regulations for which policies are built; cells are counts of data fields)

Label | Identifier 2 | Identifier 3 | Identifier 5 | Grand Total
PCI | | | 7 | 7
PHI | 2 | 5 | | 7
PII | 33 | 1 | | 34
PII, PHI | 11 | 6 | | 17
Grand Total of Data Fields | 46 | 12 | 7 | 65

Examples of PII, PCI and PHI Policies

The schematics found within Appendix D provide an overview of the simplicity of building and operating the ‘Mail Policy Route’ that outlines the stages that are executed, akin to a real-time ‘Stream Processing’ architecture. In addition, examples of the tokens and policies for PII (2), PHI (3) and PCI-DSS (5) are also provided. Although it would be architecturally easy to combine all lexical expressions required for PII, PHI and PCI into a single policy, Clearswift would advise against this due to the on-going maintenance and exception checking required as part of normal day-to-day activities. The policies will be built so that the Clearswift Adaptive Data Loss Prevention technologies can analyse and identify specific content that meets the regulatory requirements. The policies will also apply differing levels of contextualization to ensure that a correct match is identified. The mixture of content and contextualization ensures that false positives are minimized.

Clearswift’s unique Adaptive Redaction features (text redaction, meta-data redaction and active content redaction) ensure that organizations are able to operationally differentiate between ‘out of context’ and/or unintentional content sharing exceptions, where only the offending expression is redacted and the remaining content proceeds to the receiver, minimizing false positives and business interruptions; and intentional unauthorized collaboration into or out of a network involving sensitive and active content (Advanced Persistent Threats - APT).

Table 2 – Regulation Legend

Identifier | Regulation | Data Included
1 | Safe Harbor | PII, PHI
2 | EU Data Protection Directive 1998 | PII
3 | HIPAA | PHI
4 | HITECH Act | PHI
5 | PCI-DSS | PCI
6 | Electronic Communications Privacy Act | PII, PHI, PCI


Adaptive DLP Adoption – Best Practices

Clearswift’s approach to the implementation of data loss prevention technologies has been developed over the past 20 years to ensure that commercial healthcare organizations are in a position of awareness, control and remediation during all stages of planning, implementation and operational management of the architecture.

Planning & Operations

The historical and on-going practice of engaging external consultancies to analyse and implement DLP solutions does not equip personnel with the advanced skills necessary to maintain the architecture through on-going maintenance, upgrades and integration. These perceived mandatory data loss prevention engagements require management to maintain excessive on-going DLP budgets for operational maintenance, rather than for enhancements to mitigate future data loss threats. Clearswift has proven that an effective adaptive data loss prevention operation can be undertaken with the knowledge and skills of existing personnel and implementation support engagement from Clearswift and any preferred reseller partner.

Initial Evaluation

DLP does not require excessive periods of upfront analysis to provide visibility of probable data loss exceptions. The 19 days totalled in the Adaptive DLP task table would be a maximum period, as all tasks are assumed to run sequentially, whereas in reality the first 4 tasks could be reduced to 2 days and the POC period (task 5) reduced to a shorter period based on initial results.

On-going Operational Usage

Operational implementations of DLP are not a ‘One Size For All’ approach, nor do they require extensive policies to cover every eventuality. Existing DLP implementations operate on a negative ROI, with any presupposed value coming from ‘Cost Mitigation’ in the event of a breach. Clearswift have found from existing A-DLP clients that a positive ROI and business contribution can be achieved if clients utilize a flow of policy implementations dependent on the approach that the business requires and the immediacy of regulatory compliance. Each organization should review the different DLP enforcement flows.

Progressive Enforcement

Progressive enforcement ensures that businesses can achieve a rapid risk reduction whilst making calculated decisions on the enforcement or monitoring of all incoming, outgoing and internal sensitive data. This strategy allows each business unit to experience the effects of policy enforcement whilst in monitoring mode. A progressive strategy will ensure that new policies can be run in monitoring mode alongside similar policies that are actively enforcing data movement. The implementation of workflow actions allows line management to experience approval requests when the Clearswift A-DLP solution identifies a possible policy violation that requires second-level authorization by the sender’s management before proceeding to the intended recipient.
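To make the policy-design points of the ‘Examples of PII, PCI and PHI Policies’ section and of progressive enforcement concrete (distinct PII, PHI and PCI policy groups; contextualization so that a lexical match alone does not fire; redaction of only the matched expression while the rest of the message proceeds; monitor mode running alongside enforcing policies; and a hold-for-approval workflow action), the following Python is an added example, not Clearswift code and not from this paper. The policy names, the three token patterns, the Luhn checksum used as the contextual validator for card numbers, the keyword-window check for UK National Insurance numbers and the sample messages are all constructed for illustration.

```python
"""Policy evaluator sketch for adaptive DLP: distinct PII/PHI/PCI policy groups,
contextual validation, monitor-vs-enforce modes and redact / hold actions.

Added example, not Clearswift code. Policy names, patterns and sample
messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a cheap contextual check that separates real card
    numbers from arbitrary 13-16 digit strings such as order references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Policy:
    name: str                      # one policy group per regulation, kept distinct
    pattern: "re.Pattern"          # lexical expression / token
    mode: str                      # "monitor" or "enforce" (progressive enforcement)
    action: str                    # "redact" or "hold" (hold = second-level approval)
    validate: Optional[Callable[[str], bool]] = None   # check on the digits of a match
    context: Optional["re.Pattern"] = None             # keyword that must appear nearby

    def matches(self, text: str):
        hits = []
        for m in self.pattern.finditer(text):
            if self.validate and not self.validate(re.sub(r"\D", "", m.group(0))):
                continue   # fails checksum: an ordinary number, not a card
            if self.context:
                window = text[max(0, m.start() - 40): m.end() + 40]
                if not self.context.search(window):
                    continue   # no supporting context: likely a false positive
            hits.append(m)
        return hits


@dataclass
class Verdict:
    disposition: str               # "deliver", "deliver-redacted" or "hold-for-approval"
    content: str
    events: List[Tuple[str, str, int]] = field(default_factory=list)


# Three separate policy groups rather than one combined lexical list.
POLICIES = [
    Policy("PCI-DSS PAN", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
           mode="enforce", action="redact", validate=luhn_valid),
    Policy("HIPAA MRN", re.compile(r"\bMRN[:\s]*\d{6,10}\b"),
           mode="enforce", action="hold"),
    Policy("EU PII NI number", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
           mode="monitor", action="hold",
           context=re.compile(r"(?i)national insurance|\bNI\b|NINO")),
]


def evaluate(message: str, policies=POLICIES) -> Verdict:
    """Run every policy over the message. Monitor-mode policies only record an
    event, so a business unit sees what enforcement would have done; enforcing
    policies either redact just the matched expression or hold the whole
    message for line-management approval."""
    verdict = Verdict("deliver", message)
    for pol in policies:
        hits = pol.matches(verdict.content)
        if not hits:
            continue
        verdict.events.append((pol.name, pol.mode, len(hits)))
        if pol.mode == "monitor":
            continue
        if pol.action == "hold":
            verdict.disposition = "hold-for-approval"
            continue
        # Redact from the last hit backwards so earlier offsets stay valid.
        for m in reversed(hits):
            verdict.content = (verdict.content[:m.start()]
                               + f"[REDACTED {pol.name}]"
                               + verdict.content[m.end():])
        if verdict.disposition != "hold-for-approval":
            verdict.disposition = "deliver-redacted"
    return verdict


if __name__ == "__main__":
    for msg in [
        "Refund to card 4111 1111 1111 1111 please",            # real PAN: redacted
        "Order ref 1234 5678 9012 3456 shipped",                # fails Luhn: delivered
        "Patient MRN: 00123456 results attached",               # PHI: held for approval
        "Your National Insurance number AB123456C is on file",  # monitor mode: logged only
    ]:
        v = evaluate(msg)
        print(v.disposition, "|", v.content, "|", v.events)
```

Switching the NI-number policy from `"monitor"` to `"enforce"` is the whole of the progressive step: the events it already records in monitor mode tell line management how many approval requests the change would generate before anyone's mail is actually held.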

Adaptive DLP Task | Elapsed Days
Identify a dedicated business unit or team to focus on the initial Proof of Concept | 1
Identify a list of lexical expressions or pre-built tokens for policy enforcement | 2
Implement an Email A-DLP product into the SMTP flow (In-Stream or Side-Car) | 1
Initiate the A-DLP product in ‘Monitor’ mode against the target individual(s)/team(s) | 1
Adjust and add policies into the A-DLP product during POC | 14
Total Days to Review A-DLP Effectiveness | 19 (3 weeks)


Clearswift believe, based on previous implementations, that should organizations approach their regulatory compliance utilizing Clearswift Adaptive Data Loss Prevention solutions with the progressive enforcement strategy, they would achieve:

• 100% immediate visibility of policy enforcement effects, prior to execution

• <80% reduction in known or projected false positives in the first 12 months

• <100% alignment to enforced regulations and compliance in the first 12 months

• 100% immediate visibility of data breach mitigation by department and/or individual

• <50% immediate decrease in the amount of time it takes to resolve quarantine/breach issues

• 100% return on investment calculated against tangible savings and mitigated data breaches using industry enforced penalties, reputational damages and increased employee security awareness.

Strategic Alignment

Executing the Clearswift best practice adoption for regulatory compliance in conjunction with Clearswift Adaptive Data Loss Prevention solutions will ensure that a commercial healthcare organization’s obligation to conform to global regulatory compliance is met with the maximum simplicity of implementation, superseding the complexity of the regulations and allowing the business to focus on continuous operational growth with the knowledge that the organization is compliant with the most stringent regulations. This alignment protects all stakeholders from malicious and unintentional data loss and increases employee security awareness, therefore mitigating the financial and reputational penalties incurred by organizations that have not taken a pro-active position.

Crisis Management

This document is focused on the progressive implementation of protection for critical and sensitive data and does not specifically cover any guidance on Crisis Management. It is essential that, moving forwards, organizations always plan for the ‘unforeseen’ event and review their crisis management processes, so they are able to react positively and minimize the effect on their business. A few areas of reflection have been included below:

Planning

Crisis prevention, at its best, is the organizational equivalent of a medical full body scan.

• Crisis Document Audit — A simple review of existing client documents related to crisis preparedness and response, such as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written evaluation with recommendations for improvement.

• Executive Session Vulnerability Audit — The executive team should undertake a series of educational and thought-provoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises.

• Comprehensive Vulnerability Audit — A series of interviews with employees at all levels of an organization, each conducted in complete confidence, so that the interviewee feels comfortable disclosing information he/she might not otherwise discuss. This is often complemented by interviews with representative members of key external audiences.

• Crisis Communications Plans — Based on some level of vulnerability audit, creation of a response structure and written plan that will guide and optimize reaction to future crises. This includes ensuring there is close coordination between the teams involved in the operational and communications aspects of crisis response.

• Disaster/Incident Response Planning and Training — Also based on a vulnerability audit, ensuring an organization is prepared for the operational response to a crisis, complementing its crisis communications planning.

• Senior- and Mid-Level Staff Training About Crisis Management Fundamentals and Best Practices — Prevention and/or response, from a one-hour luncheon presentation to multi-day sessions.

• Media Training — Comprehensive instruction and practice on camera, enhancing spokespersons’ abilities to optimize results from both “good news” and crisis-related interviews.


Response

Using effective strategy and tactics to avoid, or at least minimize, the negative impact of pending or breaking crises; in essence, fire-fighting. Crisis response addresses the needs not only of external stakeholders but also of employees, because every employee is a PR representative and crisis manager for your organization, whether you want them to be or not. Activities that are a subset of crisis response include:

Key message preparation

• Preparation of draft and/or final versions of internal and external communications with all of a client’s important audiences, including media (usually “behind the scenes” but on rare occasion serving as spokesperson for a client).

• Creation and/or coordination of Internet-based crisis-response activities, to include social media crisis management (more on that later).

• On- or off-site oversight of client crisis response activities to the extent clients do not have specific capabilities in this area.

• Situation-specific media and presentation training.

• Close coordination with legal counsel when litigation or possible litigation is involved, to ensure all tactics and messages are compatible with legal strategy.

Summary

Addressing the raft of regulations that global healthcare organizations need to comply with could appear overwhelming and unmanageable. Approaching the regulations from a ‘where one size can fit most’ perspective reveals that many of the regulations overlap each other, so aligning to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.

Understanding the regulations and the types of information affected is critical to creating an effective protection strategy. Further steps in the process include understanding where the information is located, especially when it is extracted from databases in the form of reports or in email, so this may be on laptops or mobile devices, or with partners who are part of the value chain from supplier to citizen, enabled by the flow of information.

When this initial discovery work has been completed, a technology solution strategy can be created to ensure that the information remains safe at all times. New Adaptive Data Loss Prevention technologies can be used to ensure that critical information is always protected, while enabling improved continuous collaboration.

For more details contact: [email protected] or visit www.criticalinformationprotection.com


Appendix A: HITECH Act Compliance

The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and a menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.

The full list of the Core Requirements and the full list of the Menu Requirements follow.

Core Requirements:

1. Use computerized order entry for medication orders.

2. Implement drug-drug, drug-allergy checks.

3. Generate and transmit permissible prescriptions electronically.

4. Record demographics.

5. Maintain an up-to-date problem list of current and active diagnoses.

6. Maintain active medication list.

7. Maintain active medication allergy list.

8. Record and chart changes in vital signs.

9. Record smoking status for patients 13 years old or older.

10. Implement one clinical decision support rule.

11. Report ambulatory quality measures to CMS or the States.

12. Provide patients with an electronic copy of their health information upon request.

13. Provide clinical summaries to patients for each office visit.

14. Capability to exchange key clinical information electronically among providers and patient authorized entities.

15. Protect electronic health information (privacy & security)

Menu Requirements:

1. Implement drug-formulary checks.

2. Incorporate clinical lab-test results into certified EHR as structured data.

3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.

4. Send reminders to patients per patient preference for preventive/ follow-up care

5. Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies).

6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.

7. Perform medication reconciliation as relevant

8. Provide summary care record for transitions in care or referrals.

9. Capability to submit electronic data to immunization registries and actual submission.

10. Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.

Appendix B: Proposed Safe Harbor Reform

The following reform was proposed prior to the ruling by the Court of Justice of the European Union on 6 October 2015:

‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’


On Oct. 15, 2015, the Article 29 Working Party (the Working Party) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The Working Party confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016, the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on:

• Oversight of access by public authorities;

• Transparency;

• Proportionality;

• Redress mechanisms; and

• Data protection rights.

These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens whose data transfers to US online service providers were made possible by these providers’ self-certified Safe Harbor compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of the following 13 requirements:

• Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language.

• The privacy policies of self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor website that lists all current Safe Harbor-compliant companies.

• Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts they enter into with subcontractors.

• The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data that has been received under Safe Harbor.

• Safe Harbor-compliant companies’ websites should include a link in their privacy policies to either or both of the companies’ chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary immediately in case of data privacy or security problems.

• ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor.

• The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of information they provide about their procedures and the follow-up they give to complaints (including the publication of findings of non-compliance as a mandatory sanction for non-compliance).

• Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.

• Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company should be subject to a follow-up investigation after one year.

• The Department of Commerce should inform the competent EU data protection authority of any doubts or pending complaints about a company’s compliance.

• False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.

• Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.

• A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary or proportionate to the protection of national security.


Appendix C: Data Fields Aligned to Obligated Regulations

| Data Field | Data Type | Regulation(s) | Minimum Regulation Required |
|---|---|---|---|
| Address | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Birth Date | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Residential Phone Number | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Mobile Phone Number | PHI | 1, 2, 3, 4, 6 | 2 |
| Fax Numbers | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Electronic Mail Addresses | PII | 1, 2, 3, 4, 6 | 2 |
| Social Security Numbers | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Bank Account Numbers | PII | 1, 2, 3, 5, 6 | 2 |
| Certificate/License Numbers | PII | 1, 2, 6 | 2 |
| Vehicle Identifiers and Serial Numbers, Including License Plate Numbers | PII | 1, 2, 6 | 2 |
| Device Identifiers and Serial Numbers | PII | 1, 2, 6 | 2 |
| Web Universal Resource Locators (URLs) | PII | 1, 2, 6 | 2 |
| Internet Protocol (IP) Address Numbers | PII | 1, 2, 6 | 2 |
| Biometric Identifiers, Including Finger and Voice Prints | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Full Face Photographic Image and/or Comparable Images | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Tattoos | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Gang Affiliation | PII | 1, 2, 6 | 2 |
| National Insurance Number | PII | 1, 2, 3, 4, 6 | 2 |
| Email Address (Private) | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Email Address (Work) | PII, PHI | 1, 2, 3, 4, 6 | 2 |
| Police Report | PII | 1, 2, 3, 4, 6 | 2 |
| Crime Report Number | PII | 1, 2, 3, 4, 6 | 2 |
| Medical Record | PHI | 1, 2, 3, 4, 6 | 2 |
| Mental (state) | PII, PHI | 1, 2, 3, 4, 6 | 3 |
| Photographs | PII | 1, 2, 6 | 2 |
| Social Media Identifier | PII | 1, 2, 6 | 2 |
| Political Alignment | PII | 1, 2, 6 | 2 |
| Social Media Posts | PII | 1, 2, 6 | 2 |
| Nationality | PII | 1, 2, 6 | 2 |
| Nationalism | PII | 1, 2, 6 | 2 |

Regulation identifiers used in the table:

| Identifier | Regulation | Data Included |
|---|---|---|
| 1 | Safe Harbor | PII, PHI |
| 2 | EU Data Protection Directive 1998 | PII |
| 3 | HIPAA | PHI |
| 4 | HITECH Act | PHI |
| 5 | PCI-DSS | PCI |
| 6 | Electronic Communications Privacy Act | PII, PHI, PCI |


Appendix C: Data Fields Aligned to Obligated Regulations cont.

| Data Field | Data Type | Regulation(s) | Minimum Regulation Required |
|---|---|---|---|
| Ethnicity | PII | 1, 2, 6 | 2 |
| Race | PII | 1, 2, 6 | 2 |
| Religion | PII | 1, 2, 6 | 2 |
| Aesthetics | PII | 1, 2, 6 | 2 |
| Social Class | PII | 1, 2, 6 | 2 |
| Language (spoken) | PII | 1, 2, 6 | 2 |
| Generation | PII | 1, 2, 6 | 2 |
| Locality | PII | 1, 2, 6 | 2 |
| GIS | PII | 1, 2, 6 | 2 |
| Tag (human attached) | PII | 1, 2, 6 | 2 |
| Job Role | PII | 1, 2, 6 | 2 |
| Employee Number | PII | 1, 2, 6 | 2 |
| Pension Account Number | PII | 1, 2, 6 | 2 |
| Life Insurance Number | PII | 1, 2, 6 | 2 |
| School Name | PII | 1, 2, 6 | 2 |
| 401K Number | PII | 1, 2, 6 | 2 |
| Name | PII, PHI | 1, 2, 3, 4, 5, 6 | 2 |
| Date of Death | PII, PHI | 1, 2, 3, 4, 6 | 3 |
| Admission Date | PHI | 3, 4, 6 | 3 |
| Discharge Date | PHI | 3, 4, 6 | 3 |
| Medical Record Numbers | PHI | 3, 4, 6 | 3 |
| Health Plan Beneficiary Numbers | PHI | 3, 4, 6 | 3 |
| Height | PII, PHI | 3, 4, 6 | 3 |
| Weight | PII, PHI | 1, 2, 3, 4, 6 | 3 |
| Gender | PII, PHI | 1, 2, 3, 4, 6 | 3 |
| Sexual Orientation | PII | 1, 2, 3, 4, 6 | 3 |
| Age | PII, PHI | 1, 2, 3, 4, 6 | 3 |
| Images (medical) | PHI | 1, 2, 3, 4, 6 | 3 |
| Primary Account Number (PAN) | PCI | 1, 2, 3, 4, 5, 6 | 5 |
| Cardholder Name | PCI | 1, 2, 3, 4, 5, 6 | 5 |
| Expiration Date | PCI | 1, 2, 3, 4, 5, 6 | 5 |
| Service Code | PCI | 5, 6 | 5 |
| Full Track Data | PCI | 5, 6 | 5 |
| CAV2/CVC2/CVV2/CID | PCI | 5, 6 | 5 |
| PINs/PIN Blocks | PCI | 5, 6 | 5 |
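As an added example, not code from the whitepaper or from Clearswift's product, the following shows how a DLP policy step can turn the Appendix C mapping into an obligation decision: lexical expressions find data fields in a message, a Luhn check keeps a random 16-digit number from counting as a PAN, and the table rows then give the data types, the regulations in scope and the minimum regulation required. The regex patterns, function names and sample message are assumptions constructed for this example.

```python
import re
# Subset of the Appendix C mapping as printed on the page: field -> (data types,
# regulation ids in scope, minimum regulation id); ids follow the Appendix C legend.
REGULATIONS = {1: "Safe Harbor", 2: "EU Data Protection Directive 1998", 3: "HIPAA",
               4: "HITECH Act", 5: "PCI-DSS", 6: "Electronic Communications Privacy Act"}
FIELDS = {
    "Social Security Numbers": ({"PII", "PHI"}, {1, 2, 3, 4, 6}, 2),
    "Electronic Mail Addresses": ({"PII"}, {1, 2, 3, 4, 6}, 2),
    "Primary Account Number (PAN)": ({"PCI"}, {1, 2, 3, 4, 5, 6}, 5),
    "CAV2/ CVC2/ CVV2/ CID": ({"PCI"}, {5, 6}, 5),
}
# Constructed lexical expressions (assumed patterns, not Clearswift's own policy syntax).
LEXICAL = {
    "Social Security Numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Electronic Mail Addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Primary Account Number (PAN)": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "CAV2/ CVC2/ CVV2/ CID": re.compile(r"\b(?:CVV2?|CVC2?|CAV2|CID)\s*:?\s*\d{3,4}\b", re.I),
}

def luhn_ok(digits):
    """Luhn checksum: keeps a random 16-digit order number from being reported as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect_fields(text):
    """Return the Appendix C field names whose lexical expression matches the text."""
    found = set()
    for field, rx in LEXICAL.items():
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if field.startswith("Primary Account") and not luhn_ok(digits):
                continue  # shaped like a PAN but fails Luhn: not a card number
            found.add(field)
    return found

def obligations(text):
    """Map detected fields to (data types, all regulations in scope, minimum regulations)."""
    types, regs, minimum = set(), set(), set()
    for field in detect_fields(text):
        t, r, m = FIELDS[field]
        types |= t
        regs |= r
        minimum.add(REGULATIONS[m])
    return types, regs, minimum

# Constructed sample message (not real data); the trailing 16-digit order number fails Luhn.
SAMPLE = "Patient SSN 123-45-6789 paid with card 4111 1111 1111 1111 CVV 123; order ref 1234567890123456."
```

For the sample message the PAN and CVV rows raise the minimum obligation to PCI-DSS while the SSN row keeps the EU Data Protection Directive in scope, which is the mixed PII/PHI/PCI case the table is built to resolve.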


Appendix D: Real-time ‘Stream Processing’ architecture schematics

[Figure: Mail Policy Route]

[Figure: PCI Lexical Expression Policy]


[Figure: PII Lexical Expression Policy]

[Figure: PHI (HIPAA) Lexical Expression Policy]


www.criticalinformationprotection.com | © Clearswift 2015

United Kingdom: Clearswift Ltd, 1310 Waterside, Arlington Business Park, Theale, Reading, RG7 4SA, UK

Germany: Clearswift GmbH, Im Mediapark 8, Cologne D-50670, Germany

United States: Clearswift Corporation, 309 Fellowship Road, Suite 200, Mount Laurel, NJ 08054, UNITED STATES

Japan: Clearswift K.K, Shinjuku Park Tower N30th Floor, 3-7-1 Nishi-Shinjuku, Tokyo 163-1030, JAPAN

Australia: Clearswift (Asia/Pacific) Pty Ltd, Level 17, 40 Mount Street, North Sydney, New South Wales, 2060, AUSTRALIA

Clearswift is trusted by organizations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organizations to have 100% visibility of their critical information 100% of the time.

As a global organization, Clearswift has headquarters in the United States, Europe, Australia and Japan, with an extensive partner network of more than 900 resellers across the globe.