Data protection: how leaders can minimize information leak

6 min readFeb 8, 2022

Data protection is about keeping PHI, research data, or other sensitive information confidential. It is like having invisible fences for your confidential data.

Threat actors will try to steal and sell confidential information in the black market. In a recent article, Vugar Zeynalov (Cleveland Clinic’s Chief Information Security Officer) observed increased espionage activities targeted at coronavirus vaccine research [1]. Fortunately, they have a capable cyber security operation center (CSOC) team in place that can identify threats early and take swift actions.

Unfortunately, the threat of data loss or theft is not limited to large organizations. Threat actors are equal opportunity sellers. They will steal and sell confidential information from health organizations of all sizes. The challenge is how to enable small health organizations to have data protection capabilities.

The Health Industry Cybersecurity Practice (HICP) document recognizes the threat of data loss and includes a data protection and loss prevention section suitable for small and large organizations.

This article will look mainly at data protection practices for small-medium organizations described by HICP.

We will look at the services available and the projected cost for adopting data protection practices.

Looking at HICP data protection and loss prevention requirement

The data protection lifecycle involves identifying, locating, classifying, labeling, then protecting the data.

HICP document includes data classification policy, data use procedure, and education. The policy section contains policies for data classification (highly sensitive, sensitive, internal, public), data labeling, and encryption.

The procedure section offers various circumstances to keep the confidentiality and integrity of sensitive information. For example, the need to identify authorized users before disclosure, warn and get consent from the patient for unencrypted information, retain and backup only the necessary data, etc.

Finally, the education section suggests having annual training for the policy and procedure.

HICP also contains additional best practices for medium and large health organizations such as data security, backup strategy, data loss prevention, and data flow mapping.

Before diving into solutions, we will look at a few considerations that can help make a decision.

Vendor consolidation and user adoption

Many vendors offer data loss prevention (DLP) solutions, so we need to evaluate which one fits small-medium organizations. One approach would be to consider best of breed vs. platform solutions. However, an essential factor to consider is vendor consolidation.

The idea is to consolidate vendors to a select few. This effort is important to minimize risk, compliance, management burden, cost, training, and maximize user adoption. Without adoption, our investment will not achieve the intended outcome.

With maximizing adoption as a goal, the solution needs to make it easy for users. It has to be embedded in their daily workflow and automated as much as possible without much training. With most staff are using Office 365 and Exchange, it is appealing to evaluate Microsoft solutions.

Microsoft 365 Business Premium subscription includes Azure Information Protection (AIP) Premium P1. The Premium P2 plan targets large enterprises, which focus on automation. However, Microsoft is light on its website when describing features bundled in AIP Premium Plan 1.

I signed up to see what features are available with M365 Business Premium and was pleasantly surprised to see its capabilities. For Premium Plan 1, Microsoft includes Azure Rights Management and Office 365 Data Loss Protection, which we will look at next.

Looking at Azure Rights Management

Azure Rights Management (ARM) allows you to protect files and emails on Microsoft 365 platform by applying labels. This solution consists of two elements: client-side and cloud-side.

The client-side focuses on assigning sensitivity labels and policies to documents and emails. Labels assigned by the client-side allow the cloud-side to take action or enforce policies based on the label. This approach is similar to applying Quality of Service (QoS) in computer networking. With QoS, you assign marking to packets, allowing the network to prioritize packets with higher priority marking.

The newer version of Office Apps (Word, Excel, PowerPoint, Outlook) on Windows computers has a built-in feature to set sensitivity label of their documents. In addition, Microsoft provides a downloadable unified labeling client if you have older office apps or other operating systems (macOS, iOS, and Android).

You can configure the label for encryption, add a watermark [2], protect content in Teams, Groups, SharePoint sites. With the policies, you can set which users and groups can see the label, apply the default label, and require the user to apply a label.

Microsoft also provides connectors for windows server file shares, exchange, and SharePoint for existing files on-prem. However, small organizations should avoid being in the “data center business” and use a cloud-first approach to stay agile and minimize the cost of ownership.

The cloud-side of ARM protects files and emails on multiple devices using encryption, identity, and policy based on the labels created earlier. It ensures that only authorized users can decrypt the file; otherwise, it’d stay unreadable. It also allows the admin to track whether the files were accessed [3] and for users to revoke access to files [4].

Looking at Office 365 Data Loss Prevention

In addition to Azure Rights Management, Microsoft also provides Office 365 Data Loss Prevention.

Office 365 Data Loss Prevention allows you to protect sensitive information across services like Exchange Online, SharePoint Online, and OneDrive for Business [5].

Office 365 Data Loss Prevention works by using policies. You need to plan, prepare, and deploy policies to be effective. The policy allows you to define granular rules.

You can specify what and where to monitor, the conditions, and the associated actions. For example, you might want to monitor Exchange Online, Sharepoint Online, and Teams channel for content with drug enforcement agency (DEA) numbers.

When the conditions are met, you can block people from accessing the content. Another possible action is to warn users that they are taking action prohibited by DLP policy.

As a start, Microsoft provides policy templates suitable for country and industry-specific regulations. For example, Microsoft provides a template to match HIPAA rules [6]. This policy will match social security number, drug enforcement agency number, ICD-9, and ICD-10. However, as different organizations have different requirements, you’d have to fine-tune the policies to produce the desired outcome.

Looking at the cost for an FTE physician with 3 support staff

Microsoft 365 Business Premium subscription includes Azure Information Protection (AIP) Premium P1, Azure Rights Management, and Office 365 Data Loss Prevention at no additional cost.