It is clear that noncompliance with the GDPR could be a real threat to the future of many organizations. On the other hand, personal data has tremendous value: managed properly, it can create significant competitive advantage. Healthcare companies that must comply with HIPAA cannot readily extract value from PHI in the same way, yet they are required to protect that data just as the GDPR requires. HIPAA defines protected health information (PHI) as individually identifiable health information held or disclosed by a covered entity, and the definition is broad. It can include a patient's name, Social Security number or medical record number; specific dates such as birth, admission, discharge or death; or any other information that may be used to identify a patient. It also covers information about past, present or future physical or mental conditions, the provision of health care to an individual, and the past, present or future payment for the provision of health care.
For organizations that hold consumer information and PHI in unstructured or semi-structured data, UDS makes managing compliance with GDPR and HIPAA a lot easier.
An organizational approach to GDPR or HIPAA compliance involves the following steps:
1. Identify the data that is covered by GDPR and HIPAA.
2. Establish unified, enforceable, organization-wide policies governing access to the relevant data, allowing only authorized users to access the data permitted for their role. This requires roles and their definitions to be established in a governance model that details who can access what.
3. Ensure that consumer data and PHI are protected from unauthorized access, whether by internal users or by external illegal activity. Deleting unneeded data is the simplest and safest approach, but it also limits future use of the data as technology advances.
4. Maintain a clear audit trail of what is accessed, by whom, and for what purpose.
This is relatively easy if all the consumer information or PHI is structured: it is all in one place, and access control can be put in place through the applications that access the data. If the data is in unstructured form, however, the path to compliance becomes technologically unclear. For example, whenever a person accesses the data, a copy may be downloaded from the central location to another server or a personal computer. From that point on, more copies can be made and stored outside the designated storage, and it becomes easy to fall out of compliance because those copies are difficult to track for audit purposes. This is a real liability when data is accessed by an outside organization: it can keep a separate copy even when the agreement calls for the data to be destroyed once it has served its purpose. In any case, with current technology a clear access audit of unstructured data is highly unreliable whenever multiple copies exist, and they always do for various reasons, backups being one. A data breach is also always a possibility, and especially so for unstructured data.
Unstructured Data Shield is designed from the ground up to counter these issues and provides a straightforward path to GDPR and HIPAA compliance.
1. Strong encryption satisfies the protection requirement.
2. Data classification can be associated with the nature of the personal data a file contains.
3. Centralized access policies combine the data classification with user roles to make the governing rules enforceable, not just
4. All copies of the data are governed by the same access rules, leaving no backdoors.
5. Audit reports for data access are readily available.
6. The damage from a data breach is minimized: attackers cannot read the content of protected data even if they obtain a copy.
7. When a customer requests to be forgotten, UDS ensures the data is removed no matter how many copies exist.
Unstructured Data Shield makes the protection and management of unstructured data as easy as it can be, and with it your path to GDPR and HIPAA compliance.
New York State's Department of Financial Services (DFS) has put in place a rigorous, first-in-the-nation cybersecurity regulation (23 NYCRR Part 500) for financial institutions and others that do business in the state. The requirements from DFS go beyond what we have historically seen from regulators and apply to all entities operating under, or required to operate under, DFS licensure, registration or charter, or which are otherwise DFS-regulated, as well as, by extension, the unregulated third-party service providers to those regulated entities. At a minimum, covered entities need to implement the following controls and maintain them to stay compliant:
1. Information Security
2. Data Governance and Classification
3. Asset Inventory and Device Management
4. Physical Security and Environmental Controls
5. Disaster Recovery planning
6. Systems and network security
7. Regular risk assessment
8. Third-Party Vendor Management
9. Board Education
Currently, data governance and classification apply to structured data and to the copies of unstructured data held in designated storage. Unstructured data that resides outside the designated storage is unregulated and unprotected. It may be the very same data as in the designated storage, but there is no way to know for sure. Due to the nature of unstructured data, there will always be many copies on various devices, which poses a great risk to data security: the data could be in email, on a personal computer, or even on mobile devices or removable storage. Given the volume of unstructured data, this is simply a risk too big to ignore.
By protecting unstructured data, Unstructured Data Shield allows data governance and classification to cover the entire enterprise data set, both structured and unstructured, and every copy of it, and provides the ability to manage unstructured data with clear visibility. UDS extends the same protection given to structured data to all unstructured data:
1. Data classification
2. Data Governance and Access Control
3. Audit Report for data access
4. Data protection
Leaving unstructured data unmanaged and unprotected poses a great risk to overall data security. Not only does it contain the very information the regulation is meant to protect, it also contains the gateway information to the structured data. Unless all data is protected, none of the data is safe.