February 9, 2022
How a Leading University Hospital Secures Patient Data
Across the healthcare industry, organizations are adopting cloud services to improve access to medical data. For one leading university hospital system, the move to the cloud helped make terabytes of protected health information (PHI) accessible to their more than 40,000 employees, from medical practitioners to field researchers. While a strong cloud foundation is a key element of digital transformation, it also introduces security issues that can lead to a data breach if you migrate without proper controls in place.
This hospital is consistently ranked among the top 10 hospitals in the United States. In 2020, it recorded more than 2.3 million outpatient visits and more than 42,000 patient discharges, which means the hospital generates mountains of PHI every day. Because of the sensitive nature of this information, the hospital must comply with the Health Insurance Portability and Accountability Act (HIPAA), a federal regulation that governs health information privacy and security. According to the hospital’s associate director of IT enterprise applications, “It’s all about preventing PHI data loss.”
The hospital system turned to Lookout to help secure their increasing reliance on cloud services. With an initial mix of both on-premises and cloud solutions, the challenge of protecting all their data in a compliant manner as they migrated to full cloud adoption became even more complicated when the pandemic accelerated the process.
Securing the hybrid cloud
The hospital’s IT team began its cloud migration in 2013 with the deployment of Box cloud storage to supplement their on-premises IT operations. Their initial app supported shared access to an enterprise-wide master patient index.
This blend of on-premises and public-cloud services provided flexibility, cost savings, scalability, and improved performance. However, as with any change to enterprise infrastructure, adopting a hybrid cloud model meant looking at security practices already in place and determining how they might need to be adapted. The hospital’s main concern was ensuring that PHI remained HIPAA compliant in an environment where it could be easily shared between these private and public clouds.
The IT team first collaborated with Lookout to secure their Box deployment. Lookout Secure Cloud Access was deployed to provide secure access, visibility, and data protection for Box. With integrated enterprise digital rights management (EDRM) capabilities, user and entity behavior analytics (UEBA), and flexible integration with their existing on-premises data loss prevention (DLP) solution, the hospital could be confident that PHI was secure while conforming to all applicable regulations.
In 2020, the pandemic pushed them to expand their cloud footprint further with three new cloud services — Microsoft SharePoint for web-based collaboration, Microsoft OneDrive for file hosting, and Microsoft Teams for business communication. With Secure Cloud Access already in place for Box, the hospital simply pushed their existing compliance and data protection policies to SharePoint, OneDrive, and Teams, ensuring all data was protected and compliant under well-tested and verified policies regardless of where it was hosted.
With Lookout, organizations can provide secure access and enforce consistent policies, even in a hybrid environment that uses both on-premises and cloud services.
Bridging together the old and the new
While these additional cloud services enabled productivity by making data accessible from anywhere, tying cloud data into the hospital’s legacy DLP presented another new challenge. Simply put, since certain data was no longer stored within the network perimeter, the hospital’s on-premises DLP hardware could no longer protect it. They needed a cloud DLP solution deeply integrated with their cloud apps using APIs that could scan and classify cloud data during creation, upload, and collaboration.
However, that legacy on-premises DLP solution had been in place for years. A great deal of effort had gone into customizing and configuring DLP rules and policies, testing for accuracy and effectiveness, and further refining to eliminate noise and false positives. With years of validation, the customer was confident in its ability to keep sensitive data safe.
In addition, their IT team had an embedded workflow in place to quickly route and resolve a daily stream of DLP incidents. The ability to integrate the Lookout cloud DLP while leveraging those legacy DLP capabilities and workflows became a prerequisite to reduce the cost of incident remediation and increase effectiveness.
Extending the hospital’s legacy on-premises DLP to cloud apps with our cloud-delivered DLP gave the hospital the ability to discover, monitor, and protect their sensitive data from virtually anywhere, on premises or in the cloud. They’re also able to leverage existing DLP policies and workflows to extend finely tuned rules and business logic to cloud control points like Box, SharePoint, OneDrive, Teams, and more. With this combined capability, the IT team can apply advanced data protection actions such as encryption, redaction, and information masking to data wherever it resides.
But integration with the hospital’s legacy DLP tools was just a starting point. The Lookout Cloud Security Platform’s extensive DLP feature set actually enabled the hospital to stay ahead of changes in compliance and data privacy regulations. Lookout enforces these sensitive data policies on data both in motion and at rest across Box, OneDrive, and SharePoint.
“We use Lookout with exact data matching (EDM) to flag information like social security numbers, names, and medical record numbers in our master patient index,” said the hospital’s IT director. “Our policies are set to encrypt data at rest, remove external collaborators, remove public links and insert a marker PDF file informing users to proactively encrypt data.”
Protecting data across the extended enterprise
Because this is a research and teaching hospital, employees often require remote access to sensitive data while operating in the field. This often means downloading PHI to a local disk or USB drive.
In a world of electronic data transfers and remote devices, there are dozens of ways that security can break down and lead to HIPAA non-compliance. HIPAA requires encryption of PHI when the data is at rest, which includes data stored on a disk, USB drive, or other local resource. To accommodate this requirement, the hospital employs Lookout EDRM for file encryption and access policy enforcement. Once encrypted, rules can be applied to a document to allow or deny specific activities.
EDRM addresses the data protection needs of the enterprise as users collaborate and share PHI across both internal and external stakeholders. It allows PHI to be created, viewed, modified, and distributed securely while protecting it from unauthorized access, use, and distribution.
“We had people working remotely internationally in places like Uganda and Vietnam who needed access to this sensitive data after it left our control,” the IT director said. “That’s critical for HIPAA safe harbor. With Lookout’s advanced encryption, we can guarantee that anything that’s left our control will remain encrypted.”
Expanding the possibilities
This leading university hospital system moves confidently through each step of its migration to the cloud knowing sensitive data will remain safe and HIPAA compliant. And as new use cases emerge, Lookout will be there alongside the hospital’s IT team to help meet the security challenges.
“We’re constantly getting answers about what’s possible now along with what’s coming soon in terms of capabilities,” the IT director noted. “Lookout helps us securely scale a very successful deployment, and it feels like a partnership.”