Protecting patient records
Insider Threat
By Faizel Lakhani, Reconnex, Network World, 07/28/2008
I'm in healthcare and am concerned about the breaches of healthcare information that seem to have been in the news all year
long. Any suggestions on how I can make sure my organization doesn't end up in the headlines for leaking patient info?
Remember when George Clooney was recently treated in a hospital after a motorcycle accident? The hospital's security team was surprised when, a couple of days after his treatment, the hospital was asked to explain how his medical information had been disclosed. Healthcare organizations must comply with HIPAA, whose Privacy and Security Rules require that individually identifiable health information, such as Social Security numbers, names and other identifiers tied to a patient's care, be protected with administrative, physical and technical safeguards. Encryption of stored and transmitted data is an addressable safeguard under the Security Rule: an organization must either implement it or document why an equivalent alternative is reasonable and appropriate.
Sounds simple? Not really. Healthcare organizations are made up of doctors, technicians and other specialists who often use their own PCs, maintain their own digital records, and communicate with other specialists and patients over unencrypted e-mail. Often these network users are not employees of the healthcare organization at all, but belong to a separate practice that offers services on the organization's premises.
Information security teams at healthcare organizations are charged with protecting HIPAA data, yet they do not control these users or their computing environments, and they are often asked to explain what happened after the fact, with no forewarning that it was going to happen. Let's look at how some healthcare organizations protect HIPAA information in these environments.
Maimonides Medical Center in New York has deployed data loss prevention (DLP) appliances to monitor all communications that leave its network. Because the appliance is deployed passively (it inspects a copy of the traffic rather than sitting inline), every outbound communication can be analyzed to determine what is being sent over webmail, chat, SMTP e-mail, FTP and other channels. When the DLP appliance detects a violation of HIPAA, PCI or another compliance standard, the security team notifies the user who violated the policy, explaining both the violation and the policy behind it. A passive deployment detects and alerts but does not block a transmission already in progress, so this model relies on changing user behavior: it educates users about the impact of their communications and teaches them best practices for safeguarding patient data.
MedStar Health in Washington extends this model one step further by scanning machines for HIPAA violations in data at rest. MedStar also uses the DLP appliance's skin-tone image analysis to flag questionable images, whether stored on users' machines or being sent out, alongside the checks for sensitive information in text. Skin-tone detection is a heuristic, and in a clinical setting dermatology and wound photographs will trigger it, so such hits should be reviewed by a person before any action is taken against a user.
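The two deployments above apply one content-inspection rule set both to traffic leaving the network and to files found on workstations, and turn each hit into an educational notice for the user. The following Python is an added example of that inspection step; it is not code from the article, from Reconnex, or from either hospital. The SSN and card-number (Luhn-checked) rules are standard, while the seven-digit "MRN-" medical record number format, the sample messages and the wording of the notice are constructed assumptions.

```python
"""
Content-inspection engine in the spirit of the DLP deployments described
above: the same rule set runs over traffic leaving the network (webmail,
chat, SMTP, FTP) and over files found on a workstation, and every hit
produces the kind of notice that is sent back to the user.  The MRN
pattern, sample messages and notice wording are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# HIPAA identifiers: U.S. SSN (rejecting area/group/serial values the SSA
# never issues) and a hypothetical medical record number "MRN-NNNNNNN".
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[- ]?\d{7}\b")  # assumption: 7-digit MRNs
# PCI: 13-16 digits with optional single space/dash separators; candidates
# are confirmed with the Luhn checksum so tracking numbers are not flagged.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the notice itself does not leak PHI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    policy: str   # compliance standard the hit falls under
    kind: str     # SSN, MRN or PAN
    sample: str   # redacted form of the matched value


def inspect_text(text: str) -> list[Finding]:
    """Run every rule over one message body or file and collect the hits."""
    hits = [Finding("HIPAA", "SSN", redact(m.group())) for m in SSN_RE.finditer(text)]
    hits += [Finding("HIPAA", "MRN", redact(m.group())) for m in MRN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drop 16-digit strings that are not card numbers
            hits.append(Finding("PCI", "PAN", redact(digits)))
    return hits


@dataclass
class Event:
    user: str
    channel: str    # webmail, chat, smtp, ftp, or disk for a scan of stored data
    location: str   # recipient or destination host; file path for disk
    content: str


@dataclass
class Verdict:
    event: Event
    findings: list[Finding] = field(default_factory=list)

    @property
    def policies(self) -> list[str]:
        return sorted({f.policy for f in self.findings})

    @property
    def notice(self) -> str | None:
        """Educational notice for the user, or None when nothing was found."""
        if not self.findings:
            return None
        what = ", ".join(f"{f.kind} {f.sample}" for f in self.findings)
        if self.event.channel == "disk":
            where = f"the file {self.event.location} on your machine"
        else:
            where = f"your {self.event.channel} message to {self.event.location}"
        return (f"{self.event.user}: {where} contains {what}, which violates "
                f"{' and '.join(self.policies)} policy. Store and send patient "
                f"data only through the encrypted channels approved by security.")


def evaluate(event: Event) -> Verdict:
    """Apply the rule set to one captured message or scanned file."""
    return Verdict(event, inspect_text(event.content))


# Constructed sample events: three captured from the wire, one from a disk scan.
SAMPLE_EVENTS = [
    Event("dr.smith", "webmail", "colleague@example.org",
          "Patient MRN-0004821, SSN 123-45-6789, follow-up on Tuesday"),
    Event("jdoe", "chat", "billing-room",
          "card on file 4111 1111 1111 1111 exp 09/10"),
    Event("tech1", "ftp", "ftp.example.org",
          "shipment tracking 1234 5678 9012 3456"),
    Event("dr.smith", "disk", r"C:\Users\dr.smith\notes.txt",
          "Referral: see the attached summary"),
]

if __name__ == "__main__":
    for verdict in map(evaluate, SAMPLE_EVENTS):
        print(verdict.notice or f"{verdict.event.user}: clean")
```

Two details matter in practice. The notice quotes only a redacted form of each hit, since an alert that repeats the full SSN or card number would itself be a disclosure, and the PCI rule confirms candidates with the Luhn checksum so that a 16-digit tracking number (the third sample) is not reported. Commercial appliances add fingerprinting of known documents and contextual rules on top of pattern matching; pattern rules alone are where such a system starts, not where it ends.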