Data Loss Prevention

  • 1.  DLP Scans for PHI

    Posted Sep 09, 2016 09:04 AM

    I am using Symantec DLP to identify PII/PHI on my networks. What I'm finding is that the stock PHI search agents produce almost all false positives and fail to identify known PHI.

    Has anyone successfully created a PHI search agent that limits false positives?



  • 2.  RE: DLP Scans for PHI
    Best Answer

    Posted Sep 09, 2016 09:26 AM

    My recommendation is to never use the out-of-box policies, as they are not optimized at all. They can be used to collect data for analysis. Once you identify true positives in the sea of false positives, use document collection and term frequency to build a PHI dictionary(ies). The dictionaries I build are never based on drug names or diagnosis; rather, they are focused on topics like Background Investigation, Drug Pre-screening, Medical Records, Medical Claims... These sorts of dictionaries are easy to build by simply using Date of Birth and/or SSN (NINO/SIN) as an original primary attribute.

    Although Symantec has no formal support for dictionaries, the key to understanding how to use them is all based on "match unique".
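
The term-frequency approach described in post 2, sketched as an added example (not part of the original post and not Symantec tooling): documents containing an SSN or date of birth form the seed set, and terms are ranked by how much more often they occur there than in the rest of the collection. The regexes, stop-word list, scoring formula and sample documents are all constructed assumptions.

```python
import re
from collections import Counter

# Primary attributes that seed the collection (patterns are assumptions).
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB = re.compile(r"\b(?:date of birth|dob)\b\W{0,3}\d{1,2}/\d{1,2}/\d{2,4}", re.I)
STOP = {"the", "of", "and", "to", "for", "a", "in", "with",
        "ssn", "dob", "date", "birth"}  # seed labels are not dictionary terms

# Constructed sample documents; SSNs use the invalid 000 area number.
DOCS = [
    "Drug screening results for applicant, SSN 000-00-0001. Medical records release signed.",
    "Medical claims summary. Date of birth: 01/02/1970. Medical records requested.",
    "Background investigation report, SSN 000-00-0002, with drug screening and medical claims.",
    "Quarterly sales report for the medical device division.",
    "Parking notice for the records office.",
]

def has_primary(text):
    """True if the document contains an SSN or a labelled date of birth."""
    return bool(SSN.search(text) or DOB.search(text))

def terms(text):
    """Unique unigrams and bigrams of one document, stop words removed."""
    words = [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP]
    return set(words) | {" ".join(pair) for pair in zip(words, words[1:])}

def candidate_terms(docs, min_docs=2, top=10):
    """Rank terms by document frequency in seeded docs minus the rest."""
    seeded = [d for d in docs if has_primary(d)]
    others = [d for d in docs if not has_primary(d)]
    df_seed = Counter(t for d in seeded for t in terms(d))
    df_other = Counter(t for d in others for t in terms(d))
    scored = []
    for term, n in df_seed.items():
        if n < min_docs:
            continue
        # Share of seeded docs with the term minus share of other docs with it.
        lift = n / len(seeded) - df_other[term] / max(len(others), 1)
        scored.append((round(lift, 2), term))
    scored.sort(key=lambda s: (-s[0], s[1]))
    return scored[:top]

if __name__ == "__main__":
    for lift, term in candidate_terms(DOCS):
        print(f"{lift:5.2f}  {term}")
```

On the sample data, phrases such as "medical records" outrank the bare words "medical" and "records", which also occur in non-PHI documents; that gap is what separates a useful dictionary entry from a noisy one.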

     



  • 3.  RE: DLP Scans for PHI
    Best Answer

    Posted Sep 12, 2016 10:40 AM

    So tuning policies is more of an art than a science, as you are finding out. But as Daniel H mentions, the standard HIPAA/HITECH policy can generate a ton of noise.

    There are a couple of ways that I've dealt with this in the past:

    1. Leverage an EDM w/ MRN instead of SSN plus keywords

    2. Fingerprint documents (IDM) + keywords to track data

    3. Work w/ the diagnostic codes instead of the keyword list that is in the HIPAA/HITECH policy.

    It takes a combination of the advanced detection technologies to track this stuff correctly.



  • 4.  RE: DLP Scans for PHI

    Posted Sep 26, 2016 02:19 PM

    Does the DLP have a report or tool to perform term frequency checks, and keyword tracking?



  • 5.  RE: DLP Scans for PHI

    Posted Sep 27, 2016 04:56 AM

    Hello,

     

    To help you count the "keyword matches"? AFAIK Symantec doesn't provide a tool for that unless you do it manually: you can extract the matches using the XML report and then make yourself a report.

     

    BR,



  • 6.  RE: DLP Scans for PHI

    Posted Sep 27, 2016 08:28 AM

    Thank you Morgado, however, when I export the scan results, it doesn't show me the keywords that were matched... it only shows me the number of matches per file. 



  • 7.  RE: DLP Scans for PHI

    Posted Sep 27, 2016 09:07 AM

    Even exporting in XML format? Thought XML would bring these types of details.



  • 8.  RE: DLP Scans for PHI

    Posted Sep 27, 2016 03:05 PM

    Unless there are other steps I need to take, exporting the scan results to XML just produces a massive file containing no valid information - just a bunch of "violation" text.