Using Perceptive Search from Lexmark, ACS developed a network scanning, audit and risk-assessment tool that proactively scans a government client’s user workstations for potentially sensitive information protected by HIPAA and company policies. This solution protected the customer from potential compliance violations and resulting fines by mitigating 95 percent of risk.
ACS, a Xerox company, specializes in business process and information technology services, including business process outsourcing.
Business Services, Government
Document Management, Records Management, Search & Analytics
When ACS contracted with a government client to conduct a compliance audit, they were asked to perform a risk assessment and address any issues arising from the voluntary audit.
The factors that drive today’s information management strategies—risk assessment, compliance, information overload—have spawned several emerging technologies designed to provide commercial and public sector organizations with peace of mind. Speaking specifically to risk and compliance, organizations are increasingly adopting “early warning systems” to help them proactively manage risk associated with information security and privacy.
By driving these voluntary audits, organizations stay out of the news and instead focus on their core charter of building stakeholder value. ACS chose to build an early warning system for their government client to highlight potential regulatory compliance exposure.
Enacted in 1996 by the United States Congress, the Health Insurance Portability and Accountability Act (HIPAA) was created, in part, to provide a national standard for ensuring the security and privacy of medical health records. The Act outlines the various types of non-compliance offenses, along with the criminal and civil penalties associated with each. These standards were meant to improve efficiency and effectiveness, and encourage the widespread use of electronic data interchange in the U.S. healthcare system.
But the original HIPAA Act was just the first step. Wanting to further expand the use of medical records, the federal government passed the HITECH Act to extend HIPAA compliance to business associates of covered entities. This legislation requires business associates of HIPAA-covered entities who provide transmission of protected health information or require access to that information to comply with regulations established by the HITECH Act.
To carry out this work on behalf of its customers, ACS recognized the need for intelligence gathering tools that would enable them to scan a client’s entire infrastructure and perform iterative research. This need led ACS to the enterprise search capabilities of Perceptive Search from Lexmark. ACS representatives were immediately impressed with the ability of Perceptive Search to quickly and easily build a collection of knowledge in a manner that wasn’t disruptive to worker productivity.
“We looked at Perceptive Search as being a strong candidate, and what we were particularly impressed with during our initial tests was Perceptive Search’s ability to scan multiple computers across multiple networks very effectively and efficiently,” said Paul McDonough from ACS (Xerox). “What’s more, Lexmark proposed a very stealthy solution, which enabled us to carry out our work behind the scenes without any end-user disruption.”
ACS started out its Perceptive Search implementation with initial test data. This enabled the team to begin building the different categories, or metrics, of potential interest. “What we needed to do was look for certain terms and aggregate terms into different categories of potential risk,” McDonough said. “So for our first step, we took a random sample of computers and began finessing and honing the search terms we would eventually use across the entire knowledge base. In doing so, Perceptive Search helped us establish some pretty good markers of success, which in this case represented indicators for potential compliance issues.”
Using Perceptive Search, ACS developed a network-scanning, audit and risk assessment tool that proactively scans user workstations for potentially sensitive information protected by HIPAA and company policies.
Specific risk areas addressed by the solution include medical records and personal identifiers classified as PHI, personal data or other sensitive financial data. “We identified about a dozen metrics, or clusters of synonyms and related terms,” McDonough said. “For example, this might include date of birth, birth date, DOB. We then combined the cluster approach with some pattern matching to identify things that might actually look like a social security number, for example. And what we found was a pretty high precision rate in identifying key areas of concern.”
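The cluster-plus-pattern approach described above can be sketched as follows. This is an added example, not ACS's or Lexmark's code: only the date-of-birth terms come from the article, while the other clusters, the function names, the risk levels and the sample files are assumptions constructed for illustration.

```python
import re
from collections import Counter
# Only the date-of-birth terms come from the article; the other clusters,
# the names and the scoring rule below are assumptions for illustration.
CLUSTERS = {
    "date_of_birth": ["date of birth", "birth date", "dob"],
    "ssn_label": ["social security number", "ssn"],
    "medical_record": ["medical record", "diagnosis", "patient id"],
}
CLUSTER_RE = {name: re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.I)
              for name, terms in CLUSTERS.items()}
# SSN-shaped string (NNN-NN-NNNN) not embedded in a longer digit/hyphen run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
LEVELS = ["none", "low", "medium", "high"]

def plausible_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_text(text):
    """Count term-cluster hits and plausible SSN-shaped strings in one document."""
    hits = Counter({n: len(rx.findall(text)) for n, rx in CLUSTER_RE.items()})
    hits["ssn_pattern"] = sum(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text))
    return +hits  # drop zero counts

def risk_level(hits):
    """A pattern hit backed by a term cluster outranks either signal alone."""
    clusters = sum(1 for name in CLUSTERS if hits[name])
    if hits["ssn_pattern"] and clusters:
        return "high"
    if hits["ssn_pattern"] or clusters >= 2:
        return "medium"
    return "low" if clusters else "none"

def audit(workstations):
    """{host: {path: text}} -> {host: (worst_level, {flagged_path: level})}."""
    report = {}
    for host, files in workstations.items():
        levels = {p: risk_level(scan_text(t)) for p, t in files.items()}
        worst = max(levels.values(), key=LEVELS.index, default="none")
        report[host] = (worst, {p: l for p, l in levels.items() if l != "none"})
    return report

# Constructed sample data (not from the article).
SAMPLE = {
    "ws-01": {"intake.txt": "Patient ID 4471, DOB 1962-03-14, SSN 123-45-6789.",
              "parts.txt": "Part number 000-12-3456 ships Friday."},
    "ws-02": {"hr.txt": "Birth date and diagnosis codes live on the HR share."}}
```

Requiring a term-cluster hit alongside the pattern match is what keeps SSN-shaped part numbers and invoice references from being flagged.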
ACS considers its initial customer project to be a success. More importantly, the work provided a proven framework for voluntary compliance auditing. Some key features and benefits of the Perceptive Search implementation included the ability to identify program data and files that need to be “locked down” or purged, dynamically configure client-specific data search and algorithms, and cluster and define risk at the computer and organizational level. In addition, Perceptive Search enabled ACS to help its client identify patterns of inter- and intra-department information sharing that may suggest potential projects for data consolidation and centralization; and to reduce burdensome and redundant efforts. This resulted in the creation of a proactive compliance plan that limited the risk of HIPAA compliance violations.
“Cost avoidance was one of the primary benefits of this engagement,” McDonough said. “Through this system, we helped shield the customer from legal implications or costly penalties that are routinely levied by the government for HIPAA non-compliance. We see the Perceptive Search system as a valuable solution that will help our customer perform annual voluntary compliance audits.”