Enterprises are required to protect data according to regulatory requirements such as HIPAA, PCI, and Safe Harbor laws. For example, PCI requires cardholder data to be encrypted at all times, HIPAA requires data breaches to be reported, and Safe Harbor prohibits the transmission of personally identifiable information (PII) without the approval of the data's owner. Furthermore, HIPAA Omnibus requires protected health information (“PHI”) to be protected throughout the entire chain of trust in the healthcare industry. Despite the existence of these regulations, enterprises struggle to comply with the laws because no comprehensive method and system for data protection exists.
Healthcare organizations are now realizing that securing sensitive patient information is critical to the broader mission of providing comprehensive patient safety. Existing security measures that rely on network infrastructure (firewalls, VPNs, encryption), or that limit access to systems and applications (passwords, biometrics, two-factor authentication), often fail to prevent breaches of sensitive data. The present invention augments these existing measures by focusing on the data itself: the rising need to understand its context and origin, where it has been, and who has seen it. These growing demands, also referred to as “Data Provenance”, are cornerstones of the OCR's (Office for Civil Rights) enforcement of the HIPAA Privacy and Security Rules, as well as the ONC's (Office of the National Coordinator for Health Information Technology) Meaningful Use and Interoperability standards.
The HIPAA Omnibus 2013 Final Rule now makes covered entities, such as hospitals and insurance companies, operationally and financially responsible for tracking and protecting all patient information throughout their service provider networks, including partners and affiliates, where up to 70% of all breaches occur.
In recent years there have been many innovations designed to protect data at rest and in transmission. Encryption, for example, is commonly used for this purpose. Encryption may be used to protect data at rest, including individual files, entire databases, specific database fields, and even specific fields within documents. Encryption is also commonly used to protect data in transmission. Common methods for protecting data in transmission include Secure Sockets Layer (SSL) encryption, which creates an encrypted tunnel between the sender and receiver of the data. Another method of protecting data in transmission is the use of a data transmission encryption key, with which the data is encrypted before it is transmitted. Taken together, the above uses of encryption can be effective in protecting sensitive data when the data is stored on an authorized system or transferred between two or more authorized systems.
However, data can occasionally leak outside the boundaries of the authorized (i.e. protected) environment. For example, an employee may copy an unencrypted version of a sensitive file onto a USB flash drive. An unencrypted version of a file may be attached to an email and sent to an unauthorized user or device. Sensitive data may also be stored on a public cloud storage system (such as the services provided by Box and Dropbox) and later downloaded by an authorized user onto an unsecured computer or endpoint. There may be no record of this act of downloading the document to an unsecured computer.
In order to address the above and other common causes of data leakage, some companies have implemented tools to prevent it. These Data Loss Prevention (DLP) tools can be effective in preventing the leakage of much data much of the time. However, DLP tools cannot prevent the leakage of all sensitive data all of the time. Therefore, there are occasions when sensitive data escapes from even the most sophisticated environments and ends up stored within an unprotected environment. At that point, it is very difficult to either control or track the movement or use of the data.
Therefore, a need exists for a method and system that addresses these shortcomings in the prior art by tracking the movement of data files and data elements, based on the classification of the data, as they are shared and moved between authorized and unauthorized devices, within various cloud storage systems, and among authorized and unauthorized users.