Some companies in the healthcare industry worry that employees will accidentally or intentionally expose sensitive medical information. MedAvant Healthcare Solutions is doing something about it.
MedAvant, one of the largest providers of healthcare technology and transaction services, offers transaction processing, cost-containment, and business process outsourcing services. Through Phoenix, a proprietary IT platform that supports both real-time and batch processing, MedAvant provides direct connectivity among more than 450,000 providers, 30,000 pharmacies, 500 clinical laboratories, and more than 100,000 payer organizations.
Because it handles financial transactions as well as sensitive insurance claims and other medical data, MedAvant has a double-helping of security requirements. One of the company's biggest concerns is that MedAvant employees will inadvertently or intentionally send out unencrypted, sensitive information to people who should not be receiving it: a violation of federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
To address this concern, MedAvant recently began using PortAuthority Technologies' PortAuthority 4.0, a Windows Server-based application that can monitor and block the transmission of information over a variety of communications channels, including outgoing and internal email, encrypted and unencrypted Web channels, File Transfer Protocol (FTP), instant messaging, and networked printing.
PortAuthority 4.0 has a three-tiered architecture that allows centralized security management as well as hierarchical, role-based administration. Using a technology called PreciseID, the product allows companies to detect and identify content across a wide variety of data sources, including databases and more than 300 file formats, using multiple identification techniques such as keywords, patterns, lexicons, and information fingerprinting.
Using the software, MedAvant can create and update custom policies by user, group, department, location, partner, domain, and other criteria to ensure that all distribution of information over its network is authorized. MedAvant also uses PortAuthority to produce Web-based, customizable reports on policy violations, as well as compliance reports based on pre-defined templates such as "dictionaries" for HIPAA, the Sarbanes-Oxley Act, and other regulations.
MedAvant evaluated PortAuthority for about six months as the company sought a way to keep employees from sending out potentially troublesome data, says Robert Mims, vice president for security and network engineering at MedAvant. "We needed to put in a solution that could let me know who is sending confidential information outbound," he says, whether by email, personal Web mail, FTP, IM, or other means.
Prior to deploying the security software, Mims's team had no way of seeing what employees were sending out over the MedAvant network. They could be releasing intellectual property owned by the company, corporate financial data, internal memos, or other information that could violate HIPAA or SOX. Mims doesn't believe there were any such leaks: "If it was happening, I didn't know about it."
PortAuthority also includes a Linux-based appliance that lets Mims's team monitor all outbound and internal communication protocols for any sensitive information in transit, and then enforce applicable security policies, such as blocking and encrypting data. The appliance is set up to send out alerts anytime someone violates a security policy, he says.
With the increased traffic visibility provided by PortAuthority, Mims can now see whether users are adhering to policies. For example, if someone is sending unencrypted "protected health information" (PHI), a clear violation of HIPAA, Mims will automatically be notified. He can then counsel the user who sent the information to encrypt the data first.
Likewise, if a user sends out an email message with a Social Security number or credit card number, Mims and his team will be alerted about the transgression so he can put a stop to it.
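To make concrete the kind of content inspection the article describes (the PreciseID techniques of keywords, patterns, lexicons and fingerprinting, and the SSN, credit card and PHI alerts above), here is an added illustrative scanner. It is not PortAuthority code and does not describe the product's internal method; the regexes, the small HIPAA lexicon, the word-window fingerprinting and the sample messages are all constructed assumptions.

```python
import hashlib
import re

# Constructed policy: the identifier patterns and lexicon terms are assumptions,
# not the product's own dictionaries.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
HIPAA_LEXICON = {"diagnosis", "patient", "medical record", "prescription"}


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that only look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(text, n=8):
    """Hash overlapping n-word windows so a partial copy of a registered
    document still matches (a simple stand-in for information fingerprinting)."""
    words = re.sub(r"\W+", " ", text.lower()).split()
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(max(1, len(words) - n + 1))}


def scan_message(body, registered):
    """Return the policy violations found in one outbound message."""
    hits = []
    if SSN_RE.search(body):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        hits.append("credit_card")
    if any(term in body.lower() for term in HIPAA_LEXICON):
        hits.append("hipaa_lexicon")
    if fingerprint(body) & registered:
        hits.append("fingerprint")
    return hits


# Constructed sample: one registered internal document and three outbound emails.
REGISTERED = fingerprint("Phoenix platform quarterly cost containment summary for "
                         "payer organizations and clinical laboratories in the midwest region")
SAMPLE_MESSAGES = {
    "benign": "Meeting moved to 3pm, see the updated agenda.",
    "phi": "Patient John Doe, SSN 123-45-6789, diagnosis: hypertension",
    "card": "Card 4111 1111 1111 1111 exp 12/27",
    "leak": "FYI, here is the quarterly cost containment summary for payer "
            "organizations and clinical laboratories in the midwest region",
}
```

Lexicon matching on its own is noisy ("please be patient" would trip it), which is why real deployments combine it with patterns and fingerprints before alerting or blocking.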
"I didn't have this kind of visibility into the network before; every week I'm learning something new about how I can block [restricted] outbound traffic or get [activity] reports." The software hasn't inhibited employee productivity, he says, since it only blocks content that users shouldn't be sending out in the first place.
Bob Violino, Contributing Reporter, Dark Reading