How A Leading University Hospital System Secures Patient Data With Lookout
The adoption of cloud services is steadily rising across the healthcare industry as organizations push for better access to medical data. For a leading university hospital system, the move to the cloud helped make terabytes of protected health information (PHI) accessible to their more than 40,000 employees, from medical practitioners to field researchers. While a strong cloud foundation is a key element of digital transformation, it also introduces security issues that can lead to a data breach when executed without proper controls in place.
This hospital is consistently ranked among the top 10 hospitals in the United States. With outpatient activity exceeding 2.3 million patient visits and more than 42,000 patient discharges in 2020, the hospital generates mountains of PHI every day. Because of the sensitive nature of this information, they must comply with the Health Insurance Portability and Accountability Act (HIPAA), a federal regulation that governs health information privacy and security. According to the hospital’s Associate Director of IT Enterprise Applications, “It’s all about preventing PHI data loss.”
To secure its growing reliance on cloud services, the hospital system turned to Lookout. With an initial mix of both on-premises and cloud solutions, protecting all their data in a compliant manner as they migrated to full cloud adoption was challenging. The pandemic further complicated matters by accelerating the process by months or even years.
Securing the hybrid cloud
The hospital’s IT team began its cloud migration in 2013 with the deployment of Box cloud storage to supplement their on-premises IT operations. Their initial app supported shared access to an enterprise-wide master patient index.
This blend of on-premises and public-cloud services provided flexibility, cost savings, performance and scalability. However, as with any change to enterprise infrastructure, adopting a hybrid-cloud model meant reviewing the security practices already in place and determining how they might need to be adapted. The hospital’s main concern was ensuring that PHI remained HIPAA compliant in an environment where it could be easily shared between these private and public clouds.
The IT team first collaborated with Lookout to secure their Box deployment. Lookout Cloud Access Security Broker (CASB) was deployed to provide secure access, visibility and data protection for Box. With advanced Enterprise Digital Rights Management (EDRM) capabilities, User and Entity Behavior Analytics (UEBA), and flexible integration with their existing on-premises data loss prevention (DLP) solution, the hospital could be confident that PHI was secure while conforming to all applicable regulations.
In 2020, the pandemic pushed them to expand their cloud footprint further with three new cloud services, namely Microsoft SharePoint for web-based collaboration, Microsoft OneDrive for file hosting and Microsoft Teams for business communication. With Lookout CASB already in place for Box, the hospital simply pushed their existing compliance and data protection policies to SharePoint, OneDrive and Teams, ensuring all data was protected and compliant under well-tested and verified policies regardless of where it was hosted.
Bridging the old and the new
While these additional cloud services enabled productivity by making data accessible from anywhere, tying cloud data into their legacy data loss prevention (DLP) methods presented another new challenge. Simply put, since certain data was no longer stored within the network perimeter, the hospital’s legacy on-premises DLP hardware could no longer protect it. What was needed was a cloud DLP solution, deeply integrated with their cloud apps (Box, SharePoint, OneDrive and Teams) through APIs that could scan and classify cloud data during creation, upload and collaboration.
However, that legacy on-premises DLP solution had been in place for years. A great deal of effort had gone into customizing and configuring DLP rules and policies, testing for accuracy and effectiveness, and further refining to eliminate noise and false positives. With years of validation, the customer was confident in its ability to keep sensitive data safe.
In addition, their IT team had an embedded workflow in place to quickly route and resolve a daily stream of DLP incidents. The ability to integrate the Lookout cloud DLP while leveraging those legacy DLP capabilities and workflows became a prerequisite to help reduce the cost of incident remediation and increase effectiveness.
Extending the hospital’s legacy on-premises DLP to cloud apps with our cloud-delivered DLP gave the hospital the ability to discover, monitor and protect their sensitive data from virtually anywhere, whether on premises or in the cloud. In addition, they’re able to leverage existing DLP policies and workflows to extend finely tuned rules and business logic to cloud control points such as Box, SharePoint, OneDrive, Teams and more. With this combined capability, the IT team can apply advanced data protection actions such as encryption, redaction and information masking to data wherever it resides.
But integration with the hospital’s legacy DLP tools was just a starting point. The Lookout Platform’s extensive DLP feature set actually expanded their capabilities, enabling the hospital to stay ahead of changes in compliance and data privacy regulations. Lookout enforces these sensitive data policies on both data in motion and data at rest across Box, OneDrive and SharePoint.
“We use Lookout with exact data matching (EDM) to flag information like social security numbers, names and medical record numbers in our master patient index,” said the hospital’s IT Director. “Our policies are set to encrypt data at rest, remove external collaborators, remove public links and insert a marker PDF file informing users to proactively encrypt data.”
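To make the exact data matching (EDM) workflow described above concrete, here is an added illustration that is not Lookout's code or the hospital's configuration: it registers salted hashes of the exact identifier values from a constructed master patient index, scans document text for tokens whose hashes match, and maps hits plus the file's sharing state to the remediation actions the quote lists. The index records, the salt and the field names are all constructed for the example.

```python
import hashlib
import re

# Constructed sample master patient index (not real patients): the structured
# source whose exact values the DLP policy must recognise.
PATIENT_INDEX = [
    {"mrn": "MRN-48213", "ssn": "219-09-9999", "name": "Jane Doe"},
    {"mrn": "MRN-77540", "ssn": "078-05-1120", "name": "John Roe"},
]
SALT = b"constructed-salt"  # constructed; a real deployment uses a secret per data set


def normalize(value: str) -> str:
    """Canonical form before hashing so formatting differences still match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def build_edm_fingerprints(index, fields=("mrn", "ssn"), salt=SALT):
    """Register salted hashes of the exact values; plaintext never leaves the source.
    Multi-token fields such as names are omitted here to keep matching single-token."""
    fingerprints = {}
    for record in index:
        for field in fields:
            digest = hashlib.sha256(salt + normalize(record[field]).encode()).hexdigest()
            fingerprints[digest] = field
    return fingerprints


def scan_content(text, fingerprints, salt=SALT):
    """Hash every token in the content and return (field, token) for registered values."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9-]+", text):
        digest = hashlib.sha256(salt + normalize(token).encode()).hexdigest()
        if digest in fingerprints:
            hits.append((fingerprints[digest], token))
    return hits


def remediation_actions(hits, file_meta):
    """Map EDM hits plus the file's sharing state to the policy actions the quote lists."""
    if not hits:
        return []
    actions = ["encrypt_at_rest", "insert_marker_pdf"]
    if file_meta.get("external_collaborators"):
        actions.append("remove_external_collaborators")
    if file_meta.get("public_link"):
        actions.append("remove_public_link")
    return actions
```

A value such as MRN-00000 that is not in the index hashes to nothing registered, so the policy fires only on exact index matches rather than on anything that merely looks like an identifier.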
Protecting data across the extended enterprise
Because this is a research and teaching hospital, employees often require remote access to sensitive data while operating in the field. This often means downloading PHI to a local disk or USB drive.
In a world of electronic data transfers and remote devices, there are dozens of ways that security can break down, leading to HIPAA non-compliance. HIPAA requires encryption of PHI when the data is at rest, which includes data stored on a disk, USB drive or other local resource. To accommodate this requirement, the hospital employs Lookout Enterprise Digital Rights Management (EDRM) for file encryption and access policy enforcement. Once a document is encrypted, rules can be applied to it to allow or deny specific activities.
EDRM addresses the data protection needs of the enterprise as users collaborate and share PHI across both internal and external stakeholders. It allows PHI to be created, viewed, modified and distributed securely while protecting it from unauthorized access, use and distribution.
“We had people working remotely internationally in places like Uganda and Vietnam who needed access to this sensitive data after it left our control,” the IT Director said. “That’s critical for HIPAA safe harbor. With Lookout’s advanced encryption, we can guarantee that anything that’s left our control will remain encrypted.”
Expanding the possibilities
This leading university hospital system moves confidently through each step of its cloud journey knowing sensitive data will remain safe and HIPAA compliant. And as new use cases emerge, Lookout will be there working alongside the hospital’s IT team.
“We’re constantly getting answers about what’s possible now along with what’s coming soon in terms of capabilities,” the IT Director noted. “Lookout helps us securely scale a very successful deployment, and it feels like a partnership.”
To learn more about how Lookout can protect your data, contact us.