Realization of Regulatory Compliance within Commercial Healthcare Clearswift Best Practice Guidance for Critical Information Protection
‘When one size can fit most’
November 2015
CRITICAL INFORMATION PROTECTION. Competitive advantage for Commercial Healthcare
Table of Contents
Executive Summary 3
Data Loss Evolution 4
Directives, Regulations and Standards 4
Regulation Interpretation 5
Data Field Applicability to Multiple Regulations 5
Examples of PII, PCI and PHI Policies 6
Adaptive Data Loss Prevention Adoption – Best Practices 7
Strategic Alignment 8
Report Notes: 8
Crisis Management 8
Planning 8
Response 9
Key Message Preparation 9
Summary 9
Appendix A: Hitech Act Compliance 10
Appendix B: Proposed Safe Harbor Reform 10
Appendix C: Data Fields Aligned to Obligated Regulations 12
Appendix D: Real-time ‘Stream Processing’ architecture schematics 14
Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com02
Executive Summary
The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the
opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others
is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations
of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.
Over the past decade cyber-attacks were primarily attributed to external actors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift in focus has been accepted by organizations and market analysts: 'insider' attacks are more prevalent than previously believed, making up over 65% of critical information loss.
Objective
This report provides an overview of the regulations that commercial healthcare organizations, particularly within the US and UK, are or will be obliged to comply with, either immediately or within the 2015-2017 timeframe. In addition, proactive implementation strategies are recommended to ensure maximum data protection and minimum business impact, whilst positively impacting non-US operations.
Situation Analysis
The primary regulations that commercial healthcare organizations have to comply with by law include Safe Harbor, the European Data Protection Directive, HIPAA, the HITECH Act, PCI-DSS and ECPA (if using ISP service providers). These regulations require that the processing, storage and secure communication of Personally Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Industry (PCI) sensitive data be handled in accordance with the appropriate regulation(s).
Straightforward Strategy
The aim is to comply with all six regulations without the need to build extensive and resource-intensive separate policy groups. PCI-DSS, HIPAA and the EU Data Protection regulations would each have individual policies, whilst the data fields for Safe Harbor, the HITECH Act and ECPA can be met with the policies for those three regulations.
Methodology
A progressive enforcement strategy ensures that organizations can make calculated decisions on enforcing or monitoring all incoming, outgoing and internal sensitive data. This strategy allows each business unit to experience the effects of policy enforcement whilst in monitor mode. Workflow actions allow line management to experience approval requests when the adaptive and proactive solution implemented to protect critical information identifies a possible policy violation; if the sender chooses to proceed, second-level authorization by the sender's management is required.
Implement malware detection techniques immediately, as a first line of defence. PII, PHI and PCI compliance policies need to be developed and integrated into all areas where the information is found and used, including email, web, social and cloud collaboration applications. Minimize resource overheads and the complexity of operational management around compliance policies, but keep the policies distinct. Execution of the policies must be managed as part of the progressive enforcement strategy.
Data Loss Evolution
Over the past decade cyber-attacks were primarily attributed to external actors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift in focus has been accepted by organizations and market analysts: 'insider' attacks are more prevalent than previously believed, making up over 65% [3] of critical information loss.
Insider attacks are both malicious and inadvertent, although both have the same result: critical information falling into unauthorised hands. Around 73% [4] of incidents are through inadvertent information sharing. Dealing with this 'everyday' problem has the added benefit of also dealing with the malicious insider who is trying to steal information from the organization.
Known threats are complex and precise, allowing the attacker to execute them in isolation or as part of an advanced attack. The assault on information comes from a new set of attack vectors; the most common is the use of documents, attachments, embedded executables and similar carriers to inadvertently or maliciously leak critical information or deliver malware.
Directives, Regulations and Standards
The regulatory drive requires commercial healthcare organizations to honor their commitment to maintain a secure infrastructure for the various genres of information/data that the global organization accumulates for primary and secondary processing purposes.
The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the
opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is
realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores,
distribution centres and stakeholders including pharmacies, surgeries, hospitals etc.
The primary regulations [5] that must be complied with by law are outlined in Table 1. The current European Data Protection Directive is due to be superseded in 2015/2016 [2], becoming law within 2 years (~2017). This document aims to enable commercial healthcare organizations to establish a position of compliance with the new EU General Data Protection Regulation (EU GDPR) during the compliance timeframe, without the need to revisit the old 'directive', which may otherwise create an opportunity to be non-compliant and visible to the FTC, ICO and other regulatory organizations [6].
Threat                                | Information Type/Action
Critical Data Leakage to the Internet | Everything from PCI, PHI, PII, IP, M&A and more
Accidental Disclosures                | Email content, cloud/web app data, doc revisions, phishing, big data, cross-dept. disclosures
Advanced Threats                      | Active malicious code for immediate / delayed execution
Social Networks                       | Social engineering, defamatory content, active links
[2] http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
[3] Source: Forrester Business Technographics Global Security Survey, 2014
[4] Source: Enemy Within Report, Clearswift, January 2015
[5] For the purpose of this paper 'Regulation(s)' will refer to all directives, regulations and standards
[6] FTC, ICO and other regulatory organizations: Federal Trade Commission (US), Information Commissioner's Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switzerland), etc.
Table 1 - Primary Regulations

Regulation [5]                                | Data Included | Regulation Revision Planned | Primary Region Focus
Safe Harbor (See Appendix B)                  | PII, PHI      | Yes (2015 - 2017)           | US - Europe; US - Switzerland
EU Data Protection Directive 1998             | PII           | Yes (2015 - 2016)           | 28 EU Member States
HIPAA                                         | PHI           | No                          | US
HITECH Act [7]                                | PHI           | No                          | US
PCI-DSS                                       | PCI           | 3.2 due 2016                | Worldwide
Electronic Communications Privacy Act (ECPA)  | PII, PHI, PCI | No                          | US
Regulation Interpretation
Addressing the rash of regulations with which global commercial healthcare organizations need to be compliant could appear overwhelming and unmanageable. Approaching the regulations from a 'One Size Can Fit Most' perspective reveals that many of the regulations outlined in Table 1 overlap, so aligning the approach to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.
A combination of senior management support, realistic planning, employee awareness, staged rollout and an automated technology solution can dispel the myths and beliefs that compliance is unachievable and resource intensive.
Data Field Applicability to Multiple Regulations
Table 3 represents an analysis of the data fields required to achieve compliance with the regulations listed in Table 2 (Regulation Legend). The full table of the data fields analysed can be found in Appendix C.
The interpretation of Table 3 conveys:
• Organizations would be able to comply with Safe Harbor (1), the HITECH Act (4) and ECPA (6) without building individual policies, as all data fields for these regulations can be met with the policies for the other three regulations
• A set of policies aligned to the European General Data Protection Regulation (PII) would cover 46 data fields and also enable compliance for a small number of other data fields for other regulations
• A set of policies aligned to HIPAA (PHI) would cover 12 data fields and also enable compliance for a small number of other data fields for other regulations
• A standard set of policies aligned to PCI-DSS (PCI) would cover all 7 of the data fields for PCI compliance
[7] See Appendix A for requirements for compliance with the HITECH Act for primary care providers and pharmacies
Table 3 – Analysis of primary regulations to be enforced
(Columns are the minimum regulation required, by identifier from Table 2; rows are data types; cells count data fields.)

Data Type                  | 2 (EU DPD) | 3 (HIPAA) | 5 (PCI-DSS) | Grand Total
PCI                        |            |           | 7           | 7
PHI                        | 2          | 5         |             | 7
PII                        | 33         | 1         |             | 34
PII, PHI                   | 11         | 6         |             | 17
Grand Total of Data Fields | 46         | 12        | 7           | 65
Examples of PII, PCI and PHI Policies
The schematics in Appendix D give an overview of the simplicity of building and operating the 'Mail Policy Route', which outlines the stages executed in a manner akin to a real-time 'Stream Processing' architecture. Examples of the tokens and policies for PII (2), PHI (3) and PCI-DSS (5) are also provided there. Although it would be architecturally easy to combine all lexical expressions required for PII, PHI and PCI into a single policy, Clearswift advises against this because of the on-going maintenance and exception checking required as part of normal day-to-day operations. The policies are built so that the Clearswift Adaptive Data Loss Prevention technologies can analyse and identify specific content that meets the regulatory requirements. The policies also apply differing levels of contextualization to ensure that a correct match is identified; the mixture of content matching and context checks keeps false positives to a minimum.
Clearswift's Adaptive Redaction features (text redaction, meta-data redaction and active content redaction) allow organizations to differentiate operationally between 'out of context' or unintentional content-sharing exceptions, where only the offending expression is redacted and the remaining content proceeds to the receiver (minimizing false positives and business interruption), and intentional unauthorized collaboration into or out of the network involving sensitive or active content (Advanced Persistent Threats, APT).
Table 2 – Regulation Legend
Identifier Regulation Data Included
1 Safe Harbor PII, PHI
2 EU Data Protection Directive 1998 PII
3 HIPAA PHI
4 HITECH Act PHI
5 PCI-DSS PCI
6 Electronic Communications Privacy Act PII, PHI, PCI
Adaptive DLP Adoption – Best Practices
Clearswift's approach to the implementation of data loss prevention technologies has been developed over the past 20 years to ensure that commercial healthcare organizations are in a position of awareness, control and remediation during all stages of planning, implementation and operational management of the architecture.
Planning & Operations
The historical and on-going practice of engaging external consultancies to analyse and implement DLP solutions does not equip in-house personnel with the advanced skills necessary to maintain the architecture through on-going maintenance, upgrades and integration. These perceived mandatory data loss prevention engagements require management to maintain excessive on-going DLP budgets for operational maintenance, rather than for enhancements to mitigate future data loss threats.
Clearswift has shown that an effective adaptive data loss prevention operation can be undertaken with the knowledge and skills of existing personnel, supported by an implementation engagement from Clearswift and any preferred reseller partner.
Initial Evaluation
DLP does not require an extended period of upfront analysis to provide visibility of probable data loss exceptions. A representative evaluation plan is shown below.

Adaptive DLP Task                                                                     | Elapsed Days
Identify a dedicated business unit or team to focus on the initial Proof of Concept   | 1
Identify a list of lexical expressions or pre-built tokens for policy enforcement     | 2
Implement an Email A-DLP product into the SMTP flow (In-Stream or Side-Car)           | 1
Initiate the A-DLP product in 'Monitor' mode against the target individual(s)/team(s) | 1
Adjust and add policies into the A-DLP product during POC                             | 14
Total Days to Review A-DLP Effectiveness                                              | 19 (3 weeks)

The 19 days totalled above are a maximum, as all tasks are assumed to run sequentially; in practice the first four tasks can be compressed into 2 days and the POC period (task 5) shortened based on initial results.
On-going Operational Usage
Operational DLP implementations are not a 'One Size For All' approach, nor do they require extensive policies to cover every eventuality. Existing DLP implementations typically operate on a negative ROI, with any presupposed value coming from 'cost mitigation' in the event of a breach. Clearswift has found from existing A-DLP clients that a positive ROI and business contribution can be achieved if clients adopt a flow of policy implementations matched to the approach the business requires and the immediacy of regulatory compliance. Each organization should review the different DLP enforcement flows.
Progressive Enforcement
Progressive enforcement ensures that businesses can achieve rapid risk reduction whilst making calculated decisions on enforcing or monitoring all incoming, outgoing and internal sensitive data. This strategy allows each business unit to experience the effects of policy enforcement whilst in monitoring mode, and ensures that new policies can be run in monitoring mode alongside similar policies that are actively enforcing data movement. Workflow actions allow line management to receive approval requests when the Clearswift A-DLP solution identifies a possible policy violation that requires second-level authorization by the sender's management before the message proceeds to the intended recipient.
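The policy structure described under 'Examples of PII, PCI and PHI Policies' (separate PCI, PII and PHI lexical policies, a context check behind each bare pattern to cut false positives, redaction of only the matched expression) and the monitor-then-enforce progression described in this section can be sketched together in a small policy engine. The Python below is an added illustration written for this edit; it is not Clearswift's product code or policy syntax. The token patterns, the Luhn and SSN validators, the policy names, the 'redact-and-hold' action and the sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


# --- contextual validators: a second check behind the bare lexical match ---

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over a PAN candidate after stripping spaces/dashes."""
    digits = [int(c) for c in re.sub(r"[ -]", "", candidate)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(candidate: str) -> bool:
    """US SSN allocation rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = candidate.split("-")
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


@dataclass(frozen=True)
class Token:
    name: str
    pattern: str
    validate: Callable[[str], bool] = lambda _: True   # default: the regex alone decides


@dataclass(frozen=True)
class Policy:
    name: str
    tokens: Tuple[Token, ...]
    mode: str = "monitor"   # "monitor": log only; "enforce": redact and hold for approval


# Three separate policies, as the paper advises, rather than one merged lexicon.
PCI_POLICY = Policy("PCI-DSS", (
    Token("PAN", r"\b(?:\d[ -]?){12,18}\d\b", luhn_ok),
))
PII_POLICY = Policy("PII", (
    Token("US-SSN", r"\b\d{3}-\d{2}-\d{4}\b", ssn_ok),
    # UK National Insurance number, format check only (simplified for this example).
    Token("UK-NINO", r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
                     r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
))
PHI_POLICY = Policy("HIPAA-PHI", (
    # A bare 6-10 digit number is far too noisy; require the 'MRN' label as context.
    Token("MRN", r"\bMRN[:#\s]*\d{6,10}\b"),
))


@dataclass
class Verdict:
    policy: str
    hits: List[Tuple[str, str]]   # (token name, matched text)
    action: str                   # "allow" | "log" | "redact-and-hold"
    text: str                     # text as it would leave the gateway


def scan(policy: Policy, text: str) -> List[Tuple[str, str, int, int]]:
    """Lexical match, then the token's contextual validator; returns (name, text, start, end)."""
    hits = []
    for tok in policy.tokens:
        for m in re.finditer(tok.pattern, text):
            if tok.validate(m.group(0)):
                hits.append((tok.name, m.group(0), m.start(), m.end()))
    return hits


def apply_policy(policy: Policy, text: str) -> Verdict:
    hits = scan(policy, text)
    summary = [(name, matched) for name, matched, _, _ in hits]
    if not hits:
        return Verdict(policy.name, [], "allow", text)
    if policy.mode == "monitor":
        # Progressive enforcement: the business unit sees what *would* have happened.
        return Verdict(policy.name, summary, "log", text)
    # Enforce: redact only the matched expression (the rest of the message is kept)
    # and hold the original for second-level (line-manager) approval.
    out = text
    for name, _, start, end in sorted(hits, key=lambda h: h[2], reverse=True):
        out = out[:start] + "[REDACTED:" + name + "]" + out[end:]
    return Verdict(policy.name, summary, "redact-and-hold", out)


# Constructed sample messages for this example; the numbers are test values, not real data.
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the repeat prescription.",
    "Stock ref 1234 5678 9012 3456, same as last month.",          # fails Luhn: not a PAN
    "Patient MRN: 00123456 admitted today; SSN 123-45-6789 on file.",
    "Invoice 987-65-4321 paid; NI number AB 12 34 56 C on file.",  # 9xx area: not an SSN
]


def run(messages=SAMPLE_MESSAGES, enforce=()) -> List[Verdict]:
    """Evaluate each message against all three policies; names in `enforce` leave monitor mode."""
    verdicts = []
    for msg in messages:
        for pol in (PCI_POLICY, PII_POLICY, PHI_POLICY):
            mode = "enforce" if pol.name in enforce else "monitor"
            v = apply_policy(Policy(pol.name, pol.tokens, mode), msg)
            if v.action != "allow":
                verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in run(enforce=("PCI-DSS",)):
        print(f"{v.policy:10} {v.action:16} {v.hits} -> {v.text}")
```

Run with everything in monitor mode, the engine logs four hits and passes every message unchanged: the test PAN (Luhn-valid), the SSN, the labelled MRN and the NI number; the 16-digit stock reference and the 9xx "invoice" number are rejected by the validators rather than by the regex. Switching only PCI-DSS to enforce, as a progressive rollout would, redacts the PAN in the first message while the PII and PHI policies keep logging.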
Clearswift believes, based on previous implementations, that organizations which approach regulatory compliance using Clearswift Adaptive Data Loss Prevention solutions with the progressive enforcement strategy would achieve:
• 100% immediate visibility of policy enforcement effects, prior to execution
• Up to 80% reduction in known or projected false positives in the first 12 months
• Up to 100% alignment to enforced regulations and compliance in the first 12 months
• 100% immediate visibility of data breach mitigation by department and/or individual
• Up to 50% immediate decrease in the time it takes to resolve quarantine/breach issues
• 100% return on investment calculated against tangible savings and mitigated data breaches, using industry enforced penalties, reputational damages and increased employee security awareness.
Strategic Alignment
Executing the Clearswift best practice adoption for regulatory compliance in conjunction with Clearswift Adaptive Data Loss Prevention solutions ensures that a commercial healthcare organization's obligation to conform to global regulatory compliance is met with the simplest possible implementation despite the complexity of the regulations, allowing the business to focus on continuous operational growth in the knowledge that it is compliant with the most stringent regulations. This alignment protects all stakeholders from malicious and unintentional data loss and increases employee security awareness, thereby mitigating the financial and reputational penalties incurred by organizations that have not taken a pro-active position.
Crisis Management
This document focuses on the progressive implementation of protection for critical and sensitive data and does not specifically cover Crisis Management. Moving forwards, organizations should always plan for the 'unforeseen' event and review their crisis management processes, so they are able to react positively and minimize the effect on their business. A few areas of reflection are included below:
Planning
Crisis prevention, at its best, is the organizational equivalent of a medical full body scan.
• Crisis Document Audit — A simple review of existing client documents related to crisis preparedness and response, such
as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written
evaluation with recommendations for improvement.
• Executive Session Vulnerability Audit — The executive team should undertake a series of educational and thought-
provoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises.
• Comprehensive Vulnerability Audit — A series of interviews with employees at all levels of an organization, each conducted
in complete confidence, so that the interviewee feels comfortable disclosing information he/she might not otherwise discuss.
This is often complemented by interviews with representative members of key external audiences.
• Crisis Communications Plans — Based on some level of vulnerability audit, creation of a response structure and written
plan that will guide and optimize reaction to future crises. This includes ensuring there is close coordination between the
teams involved in the operational and communications aspects of crisis response.
• Disaster/Incident Response Planning and Training — Also based on a vulnerability audit, ensuring an organization
is prepared for the operational response to a crisis, complementing its crisis communications planning.
• Senior- and Mid-Level Staff Training About Crisis Management Fundamentals and Best Practices —
Prevention and/or response, from one-hour luncheon presentation to multi-day sessions.
• Media Training — Comprehensive instruction and practice on camera, enhancing spokespersons’ abilities to optimize results
from both “good news” and crisis-related interviews.
Response
Using effective strategy and tactics to avoid, or at least minimize, the negative impact of pending or breaking crises. In essence,
fire-fighting. Crisis response addresses the needs not only of external stakeholders, but also of employees — because every
employee is a PR representative and crisis manager for your organization, whether you want them to be or not. Activities that
are a subset of crisis response include:
Key message preparation
• Preparation of draft and/or final versions of internal and external communications with all of a client’s important audiences,
including media (usually “behind the scenes” but on rare occasion serving as spokesperson for a client).
• Creation and/or coordination of Internet-based crisis-response activities, including social media crisis management.
• On- or off-site oversight of client crisis response activities to the extent clients do not have specific capabilities in this area.
• Situation-specific media and presentation training.
• Close coordination with legal counsel when litigation or possible litigation is involved, to ensure all tactics
and messages are compatible with legal strategy.
Summary
Addressing the raft of regulations with which global healthcare organizations need to be compliant could appear overwhelming and unmanageable. Approaching the regulations from a 'where one size can fit most' perspective reveals that many of the regulations overlap, so aligning to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres.
Understanding the regulations and the types of information affected is critical to creating an effective protection strategy. Further steps include understanding where the information is located, especially when it is extracted from databases in the form of reports or in email: it may be on laptops or mobile devices, or with partners who are part of the value chain from supplier to citizen, enabled by the flow of information.
When this initial discovery work has been completed, a technology solution strategy can be created to ensure that the information remains safe at all times. New Adaptive Data Loss Prevention technologies can be used to ensure that critical information is always protected, while enabling improved continuous collaboration.
For more details contact: [email protected] or visit www.criticalinformationprotection.com
Appendix A: Hitech Act Compliance
The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures are divided into a core set and a menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.
The full lists of Core Requirements and Menu Requirements follow.
Core Requirements:
1. Use computerized order entry for medication orders.
2. Implement drug-drug, drug-allergy checks.
3. Generate and transmit permissible prescriptions electronically.
4. Record demographics.
5. Maintain an up-to-date problem list of current and active diagnoses.
6. Maintain active medication list.
7. Maintain active medication allergy list.
8. Record and chart changes in vital signs.
9. Record smoking status for patients 13 years old or older.
10. Implement one clinical decision support rule.
11. Report ambulatory quality measures to CMS or the States.
12. Provide patients with an electronic copy of their health information upon request.
13. Provide clinical summaries to patients for each office visit.
14. Capability to exchange key clinical information electronically among providers and patient authorized entities.
15. Protect electronic health information (privacy & security)
Menu Requirements:
1. Implement drug-formulary checks.
2. Incorporate clinical lab-test results into certified EHR as structured data.
3. Generate lists of patients by specific conditions to use for quality improvement, reduction
of disparities, research, and outreach.
4. Send reminders to patients per patient preference for preventive/ follow-up care
5. Provide patients with timely electronic access to their health information
(including lab results, problem list, medication lists, allergies)
6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.
7. Perform medication reconciliation as relevant
8. Provide summary care record for transitions in care or referrals.
9. Capability to submit electronic data to immunization registries and actual submission.
10. Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.
Appendix B: Proposed Safe Harbor Reform
The following reform has been proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015
‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question
whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The
Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict
the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’
On Oct. 15, 2015, the Article 29 Working Party (the Working Party) – the umbrella organization that encompasses the Data
Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The Working Party
confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016,
the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s
statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.
The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working
Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on:
• Oversight of access by public authorities;
• Transparency;
• Proportionality;
• Redress mechanisms; and
• Data protection rights.
These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the
criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may
start taking all actions that they may deem necessary, including coordinated enforcement actions.
EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US
government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU
citizens whose data transfers to US online service providers was made possible by these providers’ self-certified Safe Harbor
compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe
Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council
Safe Harbor reforms consisting of the following 13 requirements:
• Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language.
• The privacy policies of self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor
website that lists all current Safe Harbor-compliant companies.
• Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts
they enter into with subcontractors.
• The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe
Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data
that has been received under Safe Harbor.
• Safe Harbor-compliant companies’ websites should include a link in their privacy policies to either or both of the companies’
chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary
immediately in case of data privacy or security problems.
• ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor.
• The Department of Commerce should monitor ADR providers more systematically regarding the transparency and
accessibility of information they provide about their procedures and the follow-up they give to complaints (including the
publication of findings of non-compliance as a mandatory sanction for non-compliance).
• Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject
to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.
• Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company
should be subject to a follow-up investigation after one year.
• The Department of Commerce should inform the competent EU data protection authority of any doubts or pending
complaints about a company’s compliance.
• False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.
• Privacy policies of self-certified companies should include information on the extent to which US law allows public
authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies
exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.
• A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary
or proportionate to the protection of national security.
Appendix C: Data Fields Aligned to Obligated Regulations

Identifier | Regulation                            | Data Included
1          | Safe Harbor                           | PII, PHI
2          | EU Data Protection Directive 1998     | PII
3          | HIPAA                                 | PHI
4          | HITECH Act                            | PHI
5          | PCI-DSS                               | PCI
6          | Electronic Communications Privacy Act | PII, PHI, PCI

Data Field | Data Type | Regulation(s) | Minimum Regulation Required
Address | PII, PHI | 1, 2, 3, 4, 6 | 2
Birth Date | PII, PHI | 1, 2, 3, 4, 6 | 2
Residential Phone Number | PII, PHI | 1, 2, 3, 4, 6 | 2
Mobile Phone Number | PHI | 1, 2, 3, 4, 6 | 2
Fax Numbers | PII, PHI | 1, 2, 3, 4, 6 | 2
Electronic Mail Addresses | PII | 1, 2, 3, 4, 6 | 2
Social Security Numbers | PII, PHI | 1, 2, 3, 4, 6 | 2
Bank Account Numbers | PII | 1, 2, 3, 5, 6 | 2
Certificate/License Numbers | PII | 1, 2, 6 | 2
Vehicle Identifiers and Serial Numbers, Including License Plate Numbers | PII | 1, 2, 6 | 2
Device Identifiers and Serial Numbers | PII | 1, 2, 6 | 2
Web Universal Resource Locators (URLs) | PII | 1, 2, 6 | 2
Internet Protocol (IP) Address Numbers | PII | 1, 2, 6 | 2
Biometric Identifiers, Including Finger and Voice Prints | PII, PHI | 1, 2, 3, 4, 6 | 2
Full Face Photographic Image and/or Comparable Images | PII, PHI | 1, 2, 3, 4, 6 | 2
Tattoos | PII, PHI | 1, 2, 3, 4, 6 | 2
Gang Affiliation | PII | 1, 2, 6 | 2
National Insurance Number | PII | 1, 2, 3, 4, 6 | 2
Email Address (Private) | PII, PHI | 1, 2, 3, 4, 6 | 2
Email Address (Work) | PII, PHI | 1, 2, 3, 4, 6 | 2
Police Report | PII | 1, 2, 3, 4, 6 | 2
Crime Report Number | PII | 1, 2, 3, 4, 6 | 2
Medical Record | PHI | 1, 2, 3, 4, 6 | 2
Mental (state) | PII, PHI | 1, 2, 3, 4, 6 | 3
Photographs | PII | 1, 2, 6 | 2
Social Media Identifier | PII | 1, 2, 6 | 2
Political Alignment | PII | 1, 2, 6 | 2
Social Media Posts | PII | 1, 2, 6 | 2
Nationality | PII | 1, 2, 6 | 2
Nationalism | PII | 1, 2, 6 | 2
Appendix C: Data Fields Aligned to Obligated Regulations (cont.)

Data Field | Data Type | Regulation(s) | Minimum Regulation Required
Ethnicity | PII | 1, 2, 6 | 2
Race | PII | 1, 2, 6 | 2
Religion | PII | 1, 2, 6 | 2
Aesthetics | PII | 1, 2, 6 | 2
Social Class | PII | 1, 2, 6 | 2
Language (spoken) | PII | 1, 2, 6 | 2
Generation | PII | 1, 2, 6 | 2
Locality | PII | 1, 2, 6 | 2
GIS | PII | 1, 2, 6 | 2
Tag (human attached) | PII | 1, 2, 6 | 2
Job Role | PII | 1, 2, 6 | 2
Employee Number | PII | 1, 2, 6 | 2
Pension Account Number | PII | 1, 2, 6 | 2
Life Insurance Number | PII | 1, 2, 6 | 2
School Name | PII | 1, 2, 6 | 2
401K Number | PII | 1, 2, 6 | 2
Name | PII, PHI | 1, 2, 3, 4, 5, 6 | 2
Date of Death | PII, PHI | 1, 2, 3, 4, 6 | 3
Admission Date | PHI | 3, 4, 6 | 3
Discharge Date | PHI | 3, 4, 6 | 3
Medical Record Numbers | PHI | 3, 4, 6 | 3
Health Plan Beneficiary Numbers | PHI | 3, 4, 6 | 3
Height | PII, PHI | 3, 4, 6 | 3
Weight | PII, PHI | 1, 2, 3, 4, 6 | 3
Gender | PII, PHI | 1, 2, 3, 4, 6 | 3
Sexual Orientation | PII | 1, 2, 3, 4, 6 | 3
Age | PII, PHI | 1, 2, 3, 4, 6 | 3
Images (medical) | PHI | 1, 2, 3, 4, 6 | 3
Primary Account Number (PAN) | PCI | 1, 2, 3, 4, 5, 6 | 5
Cardholder Name | PCI | 1, 2, 3, 4, 5, 6 | 5
Expiration Date | PCI | 1, 2, 3, 4, 5, 6 | 5
Service Code | PCI | 5, 6 | 5
Full Track Data | PCI | 5, 6 | 5
CAV2/CVC2/CVV2/CID | PCI | 5, 6 | 5
PINs/PIN Blocks | PCI | 5, 6 | 5
Appendix D: Real-time ‘Stream Processing’ architecture schematics
[Schematic: Mail Policy Route (diagram not reproduced)]
[Schematic: PCI Lexical Expression Policy (diagram not reproduced)]
[Schematic: PII Lexical Expression Policy (diagram not reproduced)]
[Schematic: PHI (HIPAA) Lexical Expression Policy (diagram not reproduced)]
www.criticalinformationprotection.com | © Clearswift 2015
United Kingdom
Clearswift Ltd
1310 Waterside
Arlington Business Park
Theale
Reading, RG7 4SA
UK
Germany
Clearswift GmbH
Im Mediapark 8
Cologne D-50670
Germany
United States
Clearswift Corporation
309 Fellowship Road
Suite 200
Mount Laurel, NJ 08054
UNITED STATES
Japan
Clearswift K.K.
Shinjuku Park Tower N30th Floor
3-7-1 Nishi-Shinjuku
Tokyo 163-1030
JAPAN
Australia
Clearswift (Asia/Pacific) Pty Ltd
Level 17
40 Mount Street
North Sydney
New South Wales, 2060
AUSTRALIA
Clearswift is trusted by organizations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organizations to have 100% visibility of their critical information 100% of the time.
As a global organization, Clearswift has headquarters in the United States, Europe, Australia and Japan, with an extensive partner network of more than 900 resellers across the globe.