our best practice guide
Transcription
our best practice guide
Realization of Regulatory Compliance within Commercial Healthcare Clearswift Best Practice Guidance for Critical Information Protection November 2015 ‘When one size can fit most’ CRITICAL INFORMATION PROTECTION. Competitive advantage for Commercial Healthcare Table of Contents Executive Summary3 Data Loss Evolution4 Directives, Regulations and Standards4 Regulation Interpretation5 Data Field Applicability to Multiple Regulations5 Examples of PII, PCI and PHI Policies6 Adaptive Data Loss Prevention Adoption – Best Practices7 Strategic Alignment8 Report Notes:8 Crisis Management8 Planning8 Response9 Key Message Preparation9 Summary9 02 Appendix A: Hitech Act Compliance 10 Appendix B: Proposed Safe Harbor Reform 10 Appendix C: Data Fields Aligned to Obligated Regulations 12 Appendix D: Real-time ‘Stream Processing’ architecture schematics 14 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Executive Summary The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc. Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has now been accepted by organizations and market analysts, that ‘insider’ attacks are more prevalent than previously believed, making up over 65% of critical information loss. Objective This report provides an overview of the regulations that commercial healthcare organizations particularly within the US and UK, are / will be obliged to enforce compliance either immediately or within the 2015-2017 timeframe. In addition, best proactive implementation strategies are recommended to ensure maximum data protection and minimum business impact, whilst positively impacting non-US operations Situation Analysis The primary regulations that commercial healthcare organizations have to comply with by law include Safe Harbor , European Data Protection Directive, HIPAA, HITECH Act, PCI-DSS and EPCA (if using ISP service providers). These regulations require the ability to process, store and secure the communication of Personal Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Industry (PCI) sensitive data to be handled in accordance with the appropriate regulation(s) Straightforward Strategy The aim is to be able to comply with all six regulations without the need to build extensive and resource intensive separate policy groups. PCI-DSS, HIPAA and EU Data Protection regulations would have individual policies, whilst the data fields for Safe Harbor, HITECH Act and EPCA, can be met with the policies from the other 3 regulations 03 Methodology A progressive enforcement strategy ensures that organizations can make calculated decisions for the enforcement or monitoring for all incoming, outgoing and internal sensitive data. This strategy allows each of the different business units to experience the effects of policy enforcement whilst in monitor mode. The implementation of work-flow actions, allows line-management to experience approval requests when the requisite adaptive and proactive solution, implemented to protect critical information, identifies a possible policy violation that if ‘authorized’, requires 2nd level authorization by the sender’s management. Implement malware detection techniques immediately, as a first line of defence. PII, PHI and PCI compliance polices need to be developed and integrated into all areas where the information is found and used, including email, web, social and cloud collaboration applications. Minimize resource overheads and the complexity of operational management around compliance policies, but keep them distinct. Execution of the policies must be managed as part of the progressive enforcement strategy. Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Data Loss Evolution Over the past decade cyber-attacks were primarily identified as the responsibility of external factors such as hackers, script kiddies and cyber criminals, each using their skills to intentionally interrupt, inhibit and damage systems and/or extract critical information from an organization. Today a further shift and re-focus has now been accepted by organizations and market analysts, that ‘insider’ attacks are more prevalent than previously believed, making up over 65%3 of critical information loss. With the insider attack there are both malicious and inadvertent attacks that occur, although both have the same result of critical information falling into unauthorised hands. Around 73%4 of incidents are through inadvertent information sharing. Dealing with this ‘everyday’ problem has the added benefit of dealing with the malicious insider who is trying to steal information from the organization, as well as the inadvertent loss. Known threats are complex and precise allowing the attacker to either execute in isolation or as part of an advanced attack:. Threat Information Type/Action Critical Data Leakage to the Internet Everything from PCI, PHI, PII, IP, M&A and more Accidental Disclosures Email content, cloud/web app data, doc revisions, Phishing, big data, cross dept. disclosures Advanced Threats Active malicious code for immediate / delayed execution Social Networks Social engineering, defamatory content, active links The assault on information comes from a new set of attack vectors, most common is the use of documents, attachments, embedded executables, etc. to inadvertently or maliciously steal critical information or deliver malware Directives, Regulations and Standards This drive requires commercial healthcare organizations to honor their commitment to maintain a secure infrastructure for the various genres of information/data that the global organization accumulates for primary and secondary processing purposes. The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others is realized. Specifically, these new initiatives have to be considered alongside the traditional face-to-face operations of stores, distribution centres and stakeholders including pharmacies, surgeries, hospitals etc. The primary regulations5 that need to be complied with by law are outlined in Table 1. The evolution of the current European Data Protection Directive in the European Union is due to be superseded in 2015/20162, becoming law within 2 years (~2017). This document aims to enable commercial healthcare organizations to establish a position of compliance of the new EU General Data Protection Regulation (EUGDPR) during the timeframe of compliance, without the need to revisit the old ‘directive’ that may create an opportunity to be non-compliant and visible to the FTC, ICO and other regulatory organizations6. http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf Source: Forrester Business Technographics Global Security Survey, 2014 4 Source: Enemy Within Report, Clearswift, January 2015 5 For the purpose of this paper ‘Regulation(s) will refer to all directives, regulations and standards 6 F TC, ICO and other regulatory organizations. Federal Trade Commission (US), Information Commissioners Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc. 2 3 04 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Table 1 - Primary Regulations Regulation5 Data Included Regulation Revision Planned Primary Region Focus Safe Harbor (See Appendix B) PII, PHI Yes (2015 - 2017) US - Europe US - Switzerland EU Data Protection Directive 1998 PII Yes (2015 - 2016) 28 EU Member States HIPAA PHI No US HITECH Act7 PHI No US PCI-DSS PCI 3.2 due 2016 Worldwide Electronic Communications Privacy Act PII, PHI, PCI No US Regulation Interpretation Addressing the rash of regulations that global commercial healthcare organizations need to be compliant could appear to be overwhelming and unmanageable. Approaching the regulations from a ‘One Size Can Fit Most’ approach reveals that many of the regulations outlined in Table 1 overlap each other, so aligning the approach to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres A combination of senior management support, realistic planning, employee awareness, staged rollout and an automated technology solution can dispel the myths and beliefs that compliance is unachievable and resource intensive Data Field Applicability to Multiple Regulations Table 3 represents an analysis of the data fields required to achieve compliance of the regulations described in Table 2 (Regulation Legend). An extensive table of the data fields analysed can be found in Appendix C. The interpretation of Table 3 conveys: •Organizations would be able to comply with Safe Harbor (1), HITECH Act (4) and EPCA (6), without the need to build individual policies as all data fields for these regulations can be met with the policies for the other 3 regulations •A set of policies aligned to the European General Data Protection Regulation (PII) would cover 46 data fields and also enable compliance for a small number of other data fields for other regulations •A set of policies aligned to HIPAA (PHI) would cover 12 data fields and also enable compliance for a small number of other data fields for other regulations • A standard set of policies aligned to PCI-DSS (PCI) would cover all of the data fields for PCI compliance 7 05 See Appendix A for requirements for compliance with Hitech Act for primary care providers and pharmacies Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Table 2 – Regulation Legend Identifier Regulation Data Included 1 Safe Harbor PII, PHI 2 EU Data Protection Directive 1998 PII 3 HIPAA PHI 4 HITECH Act PHI 5 PCI-DSS PCI 6 Electronic Communications Privacy Act PII, PHI, PCI Table 3 – Analysis of primary regulations to be enforced Identifier Label Regulation 2 3 PCI 5 Grand Total 7 7 PHI 2 5 7 PII 33 1 34 PII, PHI 11 6 17 Grand Total of Data Fields 46 12 7 65 Examples of PII, PCI and PHI Policies The schematics found within Appendix D provide an overview of the simplicity of building and operating the ‘Mail Policy Route’ that outlines the stages that are executed akin to a real-time ‘Stream Processing’ architecture. In addition examples of the tokens and policies for PII (2), PHI (3) and PCI-DSS(5) are also provided. Although it would be architecturally easy to combine all lexical expressions required for PII, PHI and PCI into a single policy, Clearswift would advise against this due to the on-going maintenance and exception checking as part of normal day to day activities. The policies will be built so that the Clearswift Adaptive-Data Loss Prevention technologies can analyse and identify specific content that meets the regulatory requirements. The policies will also apply differing levels of contextualization to ensure that a correct match is identified. The mixture of content and contextualization ensures that false positives are minimized. Clearswift’s unique Adaptive Redaction features; text redaction; meta-data redaction and active content redaction, ensures that organizations are able to operationally differentiate between ‘out of context’ and/or unintentional content sharing exceptions where only the expression is redacted, allowing the remaining content to proceed to the receiver, minimizing false positives and business interruptions; and also intentional unauthorized collaboration into or out of a network for sensitive and active content (Advanced Persistent Threats - APT) 06 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Adaptive DLP Adoption – Best Practices Clearswifts approach to the implementation of data loss prevention technologies has been developed over the past 20 years to ensure that commercial healthcare organizations are in a position of awareness, control and remediation during all stages of planning, implementation and operational management of the architecture. Planning & Operations The historical and on-going practice of engaging external consultancies to analyse and implement DLP solutions would not enrich personnel with the advanced upskills necessary to enable them to maintain the architecture for on-going maintenance, upgrades and integration. These perceived mandatory data loss prevention engagements require management to maintain excessive on-going DLP budgets for operational maintenance, rather than enhancements to mitigate future data loss threats. Clearswift has proven that an effective adaptive data loss prevention operation can be undertaken with the knowledge and skills of existing personnel and implementation support engagement from Clearswift and any preferred reseller partner. Initial Evaluation DLP does not require excessive periods of upfront analysis to provide visibility of probable data loss exceptions. Adaptive DLP Task Elapsed Days Identify a dedicated business unit or team to focus on the initial Proof of Concept 1 Identify a list of lexical expressions or pre-built tokens for policy enforcement 2 Implement an Email A-DLP product into the SMTP flow (In-Stream or Side-Car) 1 Initiate the A-DLP product in ‘Monitor’ mode against the target individual(s)/team(s) 1 Adjust and add policies into the A-DLP product during POC 14 Total Days to Review A-DLP Effectiveness 19 (3 weeks) The 19 days totalled above would be a maximum period as all days are deemed as processing sequentially, whereas in reality the first 4 tasks could be reduced to 2 days and the POC period (task 5) reduced to a shorter period based on initial results. On-going Operational Usage Operational implementations of DLP are not a ‘One Size For All’ or require extensive policies to cover every eventuality approach. Existing DLP implementations operate on a negative ROI, with any presupposed value coming from ‘Cost Mitigation’ in the event of a breach. Clearswift have found from existing A-DLP clients that a positive ROI and business contribution can be achieved if clients ensure that they utilize a flow of policy implementations dependent on the approach that the business requires and immediacy of regulatory compliance. Each organization should review the different DLP enforcement flows. Progressive Enforcement Progressive enforcement ensures that businesses can achieve a rapid risk reduction whilst making calculated decisions for the enforcement or monitoring for all incoming, outgoing and internal sensitive data. This strategy allows each different business unit to experience the effects of policy enforcement whilst in monitoring mode. A progressive strategy will ensure that new policies can be run in monitoring mode, alongside similar policies that are actively enforcing data movement. The implementation of workflow actions, allows line-management to experience approval requests when the Clearswift A-DLP solution identifies a possible policy violation that requires 2nd level authorization by the sender’s management, before proceeding to the intended recipient. 07 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Clearswift believe that from previous implementations, should organizations approach their regulatory compliance utilizing Clearswift Adaptive-Data Loss Prevention solutions, with the progressive enforcement strategy, they would achieve: • 100% immediate visibility of policy enforcement effects, prior to execution • <80% reduction in known or projected false positives in the first 12 months • <100% alignment to enforced regulations and compliance in the first 12 months • 100% immediate visibility of data breach mitigation by department and/or individual • <50%> immediate decrease in the amount of time it takes to resolve quarantine/breach issues •100% return on investment calculated against tangible savings and mitigated data breaches using industry enforced penalties, reputational damages and increased employee security awareness. Strategic Alignment Executing the Clearswift best practice adoption for regulatory compliance in conjunction with Clearswift Adaptive Data Loss Prevention solutions, will ensure that a commercial healthcare organization’s obligation to conform to global regulatory compliance, maintains the maximum simplicity of implementation superseding the complexity of the regulations, allowing the business to focus on continuous operational growth with the knowledge that the organization is compliant with the most stringent regulations. This alignment protects all stakeholders from malicious and unintentional data loss, increases employee security awareness, therefore mitigating the financial and reputational penalties incurred by organizations that have not taken a pro-active position. Crisis Management This document is focused on the progressive implementation for protection of critical and sensitive data and does not specifically cover any guidance on Crisis Management. It is essential that moving forwards, organizations should always plan for the ‘unforseen’ event and review their crisis management processes, so they are able to react positively and minimize the effect to their business. A few areas of reflection have been included below: Planning Crisis prevention, at its best, is the organizational equivalent of a medical full body scan. • Crisis Document Audit — A simple review of existing client documents related to crisis preparedness and response, such as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written evaluation with recommendations for improvement. •Executive Session Vulnerability Audit — The executive team should undertake a series of educational and thoughtprovoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises. •Comprehensive Vulnerability Audit — A series of interviews with employees at all levels of an organization, each conducted in complete confidence, so that the interviewee feels comfortable disclosing information he/she might not otherwise discuss. This is often complemented by interviews with representative members of key external audiences. • Crisis Communications Plans — Based on some level of vulnerability audit, creation of a response structure and written plan that will guide and optimize reaction to future crises. This includes ensuring there is close coordination between the teams involved in the operational and communications aspects of crisis response. •Disaster/Incident Response Planning and Training — Also based on a vulnerability audit, ensuring an organization is prepared for the operational response to a crisis, complementing its crisis communications planning. •Senior- and Mid-Level Staff Training About Crisis Management Fundamentals and Best Practices — Prevention and/or response, from one-hour luncheon presentation to multi-day sessions. •Media Training — Comprehensive instruction and practice on camera, enhancing spokespersons’ abilities to optimize results from both “good news” and crisis-related interviews. 08 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Response Using effective strategy and tactics to avoid, or at least minimize, the negative impact of pending or breaking crises. In essence, fire-fighting. Crisis response addresses the needs not only of external stakeholders, but also of employees — because every employee is a PR representative and crisis manager for your organization, whether you want them to be or not. Activities that are a subset of crisis response include: Key message preparation •Preparation of draft and/or final versions of internal and external communications with all of a client’s important audiences, including media (usually “behind the scenes” but on rare occasion serving as spokesperson for a client). •Creation and/or coordination of Internet-based crisis-response activities, to include social media crisis management (more on that later). • On- or off-site oversight of client crisis response activities to the extent clients do not have specific capabilities in this area. • Situation-specific media and presentation training. •Close coordination with legal counsel when litigation or possible litigation is involved, to ensure all tactics and messages are compatible with legal strategy. Summary Addressing the raft of regulations that global healthcare organizations need to be compliant with could appear to be overwhelming and unmanageable. Approaching the regulations from a ‘where one size can fit most’ perspective reveals that many of the regulations overlap each other, so aligning to the regulation with the highest level of commonality minimizes repetition whilst assuring protection across all obligatory data genres. Understanding the regulations and the types of information effected is critical to creating an effective protection strategy. Further steps in the process include understanding of where the information is located, especially when it is extracted from databases in the form of reports or in email, so this may be on laptops or mobile devices, or with partners who are part of the value chain from supplier to citizen; enabled by the flow of information. When this initial discovery work has been completed, then a technology solution strategy can be created to ensure that the information remains safe at all times. New Adaptive Data Loss Prevention technologies can be used to ensure that critical information is always protected, while enabling improved continuous collaboration. For more details contact: [email protected] or vist www.criticalinformationprotection.com 09 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Appendix A: Hitech Act Compliance The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective. Full list of the Core Requirements and a full list of the Menu Requirements. Core Requirements: 1. Use computerized order entry for medication orders. 2. Implement drug-drug, drug-allergy checks. 3. Generate and transmit permissible prescriptions electronically. 4. Record demographics. 5. Maintain an up-to-date problem list of current and active diagnoses. 6. Maintain active medication list. 7. Maintain active medication allergy list. 8. Record and chart changes in vital signs. 9. Record smoking status for patients 13 years old or older. 10.Implement one clinical decision support rule. 11.Report ambulatory quality measures to CMS or the States. 12.Provide patients with an electronic copy of their health information upon request. 13.Provide clinical summaries to patients for each office visit. 14.Capability to exchange key clinical information electronically among providers and patient authorized entities. 15.Protect electronic health information (privacy & security) Menu Requirements: 1. Implement drug-formulary checks. 2. Incorporate clinical lab-test results into certified EHR as structured data. 3.Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach. 4. Send reminders to patients per patient preference for preventive/ follow-up care 5.Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies) 6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate. 7. Perform medication reconciliation as relevant 8. Provide summary care record for transitions in care or referrals. 9. Capability to submit electronic data to immunization registries and actual submission. 10.Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission. Appendix B: Proposed Safe Harbor Reform The following reform has been proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015 ‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid. 10 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com On Oct. 15, 2015, the Article 29 Working Party (the Working Party) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The Working Party confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016, the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers. The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on: • Oversight of access by public authorities; • Transparency; • Proportionality; • Redress mechanisms; and • Data protection rights. These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions. EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens whose data transfers to US online service providers was made possible by these providers’ self-certified Safe Harbor compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of the following 13 requirements: • Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language. •The privacy policies of self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor website that lists all current Safe Harbor-compliant companies. •Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts they enter into with subcontractors. •The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data that has been received under Safe Harbor. •Safe Harbor-compliant companies’ websites should include a link in their privacy policies to either or both of the companies’ chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary immediately in case of data privacy or security problems. • ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor. •The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of information they provide about their procedures and the follow-up they give to complaints (including the publication of findings of non-compliance as a mandatory sanction for non-compliance). •Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements. •Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company should be subject to a follow-up investigation after one year. •The Department of Commerce should inform the competent EU data protection authority of any doubts or pending complaints about a company’s compliance. • False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities. •Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements. •A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary or proportionate to the protection of national security. 11 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Appendix C: Data Fields Aligned to Obligated Regulations Identifier Regulation Data Included 1 Safe Harbor PII, PHI 2 EU Data Protection Directive 1998 PII 3 HIPAA PHI 4 HITECH Act PHI 5 PCI-DSS PCI 6 Electronic Communications Privacy Act PII, PHI, PCI Data Field 12 Data Type Regulation (s) Minimum Regulation Required Address PII, PHI 1, 2, 3, 4, 6 2 Birth Date PII, PHI 1, 2, 3, 4, 6 2 Residential Phone Number PII, PHI 1, 2, 3, 4, 6 2 Mobile Phone Number PHI 1, 2, 3, 4, 6 2 Fax Numbers PII, PHI 1, 2, 3, 4, 6 2 Electronic Mail Addresses PII 1, 2, 3, 4, 6 2 Social Security Numbers PII, PHI 1, 2, 3, 4, 6 2 Bank Accounts Numbers PII 1, 2, 3, 5, 6 2 Certificate/ License Numbers PII 1, 2, 6 2 Vehicle Identifiers and Serial Numbers, Including License Plate Numbers PII 1, 2, 6 2 Device Identifiers and Serial Numbers PII 1, 2, 6 2 Web Universal Resource Locators (URLs) PII 1, 2, 6 2 Internet Protocol (IP) Address Numbers PII 1, 2, 6 2 Biometric Identifiers, Including Finger and Voice Prints PII, PHI 1, 2, 3, 4, 6 2 Full Face Photographic Image and/or Comparable Images PII, PHI 1, 2, 3, 4, 6 2 Tattoos PII, PHI 1, 2, 3, 4, 6 2 Gang Affiliation PII 1, 2, 6 2 National Insurance Number PII 1, 2, 3, 4, 6 2 Email Address (Private) PII, PHI 1, 2, 3, 4, 6 2 Email Address (Work) PII, PHI 1, 2, 3, 4, 6 2 Police Report PII 1, 2, 3, 4, 6 2 Crime Report Number PII 1, 2, 3, 4, 6 2 Medical Record PHI 1, 2, 3, 4, 6 2 Mental (state) PII, PHI 1, 2, 3, 4, 6 3 Photographs PII 1, 2, 6 2 Social Media Identifier PII 1, 2, 6 2 Political Alignment PII 1, 2, 6 2 Social Media Posts PII 1, 2, 6 2 Nationality PII 1, 2, 6 2 Nationalism PII 1, 2, 6 2 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Appendix C: Data Fields Aligned to Obligated Regulations cont. Data Field 13 Data Type Regulation (s) Minimum Regulation Required Ethnicity PII 1, 2, 6 2 Race PII 1, 2, 6 2 Religion PII 1, 2, 6 2 Aesthetics PII 1, 2, 6 2 Social Class PII 1, 2, 6 2 Language (spoken) PII 1, 2, 6 2 Generation PII 1, 2, 6 2 Locality PII 1, 2, 6 2 GIS PII 1, 2, 6 2 Tag (human attached) PII 1, 2, 6 2 Job Role PII 1, 2, 6 2 Employee Number PII 1, 2, 6 2 Pension Account Number PII 1, 2, 6 2 Life Insurance Number PII 1, 2, 6 2 School Name PII 1, 2, 6 2 401K Number PII 1, 2, 6 2 Name PII, PHI 1, 2, 3, 4, 5, 6 2 Date of Death PII, PHI 1, 2, 3, 4, 6 3 Admission Date PHI 3, 4, 6 3 Discharge Date PHI 3, 4, 6 3 Medical Record Numbers PHI 3, 4, 6 3 Health Plan Beneficiary Numbers PHI 3, 4, 6 3 Height PII, PHI 3, 4, 6 3 Weight PII, PHI 1, 2, 3, 4, 6 3 Gender PII, PHI 1, 2, 3, 4, 6 3 Sexual Orientation PII 1, 2, 3, 4, 6 3 Age PII, PHI 1, 2, 3, 4, 6 3 Images (medical) PHI 1, 2, 3, 4, 6 3 Primary Account Number (PAN) PCI 1, 2, 3, 4, 5, 6 5 Cardholder Name PCI 1, 2, 3, 4, 5, 6 5 Expiration Date PCI 1, 2, 3, 4, 5, 6 5 Service Code PCI 5, 6 5 Full Track Data PCI 5, 6 5 CAV2/ CVC2/ CVV2/ CID PCI 5, 6 5 PINs/ PIN Blocks PCI 5, 6 5 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Appendix D: Real-time ‘Stream Processing’ architecture schematics Mail Policy Route PCI Lexical Expression Policy 14 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com PII Lexical Expression Policy PHI (HIPAA) Lexical Expression Policy 15 Realization of Regulatory Compliance within Commercial Healthcare | October 2015 www.clearswift.com Clearswift is trusted by organizations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organizations to have 100% visibility of their critical information 100% of the time. As a global organization, Clearswift has headquarters in the United States, Europe, Australia and Japan, with an extensive partner network of more than 900 resellers across the globe. United Kingdom Clearswift Ltd 1310 Waterside Arlington Business Park Theale Reading, RG7 4SA UK Germany Clearswift GmbH Im Mediapark 8 Cologne D-50670 Germany United States Clearswift Corporation 309 Fellowship Road Suite 200 Mount Laurel, NJ 08054 UNITED STATES Japan Clearswift K.K Shinjuku Park Tower N30th Floor 3-7-1 Nishi-Shinjuku Tokyo 163-1030 JAPAN www.criticalinformationprotection.com | © Clearswift 2015 Australia Clearswift (Asia/Pacific) Pty Ltd Level 17 40 Mount Street North Sydney New South Wales, 2060 AUSTRALIA