That commonality matters. From its origins in the Internet more than 30 years ago, the basic email in use does not bring along an agreed-upon layer of security present in every computer and device that creates and reads email.
Instead, software such as Zix works by encrypting sensitive email, then sending a recipient a pointer to a secure Web portal where he or she can open that email securely.
It's a necessary inconvenience to these recipients, and as electronic medical records proliferate, more and more patients are familiar with the ritual of visiting secure email portals. But if the emails are flowing from provider to provider, or provider to payer, and so on, the inconvenience becomes a nightmare. ZixCorp and others who would provide secure email are able to offer their customers an alternative, provided that sender and recipient share the same DLP security layer. Each system can recognize that the other is using similar security technology and arrange it so the emails in question flow straight into the recipient's mailbox, rather than being sent to a separate portal.
ZixCorp has added so many partners, "it makes that process easier; the likelihood is that we're going to have a partner that just delivers end to end, mailbox to mailbox," Molacek says. Currently Zix boasts more than 32 million members in its ZixDirectory, which the company bills as "the world's only shared email encryption community."
So far, electronic medical record software being rapidly adopted by providers does not offer this provider-to-provider capability, Molacek says.
Data-loss prevention offers some set-and-forget features. But even at Valley County, Molacek has a HIPAA compliance officer who scrutinizes information and sets policy for any data exchange that would break PHI, HIPAA, or Payment Card Industry guidelines.
Email and computers' data ports used to be the primary concern of DLP managers, but the advent of cloud computing put emphasis on the potential for new services to be a source of data breach. One strategy employed at many institutions is to simply block newer cloud-based data exchange services such as Dropbox. "We do not feel comfortable at this time to allow access to any online storage," says Hussein Syed, director of IT security at Barnabas Health in Livingston, N.J. "We have no relationship with those entities."
Employing DLP technology from Symantec, Syed is able to set custom policies as needed. The software can scan for medical record numbers that fit a particular profile: so many digits, with leading characters such "MR." But that can be just the start of a process as his staff works to educate others at the health system about proper handling of PHI or PII (personally identifiable information) not just during transmission, but also as the data is made available for any number of analytical tasks.