What is Data Loss Prevention (DLP)?
DLP is a program designed to detect potential data loss or leaks and prevent them by monitoring, detecting and blocking data while in use, in motion and at rest.
The Sutter Health Data Security Office (DSO) is implementing a DLP application that will identify confidential data in our organization and how it is being used. DLP enables an organization to reduce the risk of unintentional disclosure of confidential information by identifying, monitoring and protecting confidential data.
How will the DLP technology reduce risk?
The two current DLP enhancements reduce risk in two ways:
(1) Unapproved confidential information sent to personal email accounts (e.g., Yahoo, Gmail) is blocked.
(2) Encryption may be applied to email messages when confidential information is detected in an outgoing message and/or attachment.
If my email has been blocked or if I have a question about the Data Loss Prevention (DLP) program, whom do I contact?
For assistance with DLP issues, please contact the Sutter Health Service Desk at 1-888-888-6044 or email ServiceDesk@sutterhealth.org.
Is there another contact besides the Service Desk?
Although the Data Security Office (DSO) is sponsoring this project, for DLP issues we recommend using the Service Desk process to properly document issues. The Service Desk is available 24/7, can manage a large volume of calls, and has been given DLP information to help support our customers. Major incidents will be escalated to the Sutter Health East Bay Regional Information Security Officer.
Why do Sutter Health and SMU need DLP?
HIPAA/HITECH regulations require organizations to identify confidential data within their information systems and minimize security and privacy risks associated with the use of that data. Sutter Health patients and SMU students have the expectation that we will only use their personal information as required to deliver quality services and will guard that information against inappropriate access, use and disclosure.
Is email the only system affected by the DLP program?
No. Email is the first phase of our DLP program. The DLP technology will include monitoring and preventing use of unauthorized USBs, and scanning desktops and file shares for confidential information. Communication will be distributed as new DLP features are implemented.
Why am I receiving a notification that my email is being blocked?
Effective Friday, November 22, 2013, unapproved email containing confidential information, such as PHI, Social Security numbers, and credit card numbers, that is sent to personal email accounts (e.g., Yahoo, Gmail) will be blocked.
What should I do if a legitimate email has been blocked?
Contact the Sutter Health Service Desk at 1-888-888-6044 or email ServiceDesk@sutterhealth.org to initiate a service ticket.
What are the steps to obtain an exception for sending legitimate email messages to an external personal account?
- Contact the SH Service Desk to obtain the DLP Exception Request Form.
- Fill out the DLP Exception Request Form.
- Discuss the exception request with your supervisor to obtain his/her approval in the form of a signature.
- Submit the form to the SH Service Desk by email at ServiceDesk@sutterhealth.org.
How do I encrypt or securely send email that contains confidential information?
- Log in to your secure email account (Cisco Registered Envelope Service). If you do not already have an account, request access.
- Address your message to specific recipients. Individuals will not be able to retrieve a message addressed to a distribution group.
- Compose your message and include any attached files.
- Click SEND. Your message will be encrypted and sent to intended recipients.
Your recipients will receive a link to the encrypted message in their regular email inboxes and can then access the encrypted message using Cisco Registered Envelope Service. First-time recipients will be required to register online.
You will receive notifications in your SMU inbox as secure messages are read by intended recipients.
Will my manager be notified if an email message is blocked?
An email notification may be sent to your supervisor/manager and privacy officer, depending on the circumstances. During the initial phase, the goal will be to obtain an understanding of business needs. Eventually, the plan is to send notifications to supervisors/managers as part of the DLP program.