How to use the Healthcare Mimecast Managed Reference Dictionaries within Content Examination policies

Document created by user.3AEuBpAOr2 Expert on Jul 17, 2017. Last modified by user.3AEuBpAOr2 Expert on Sep 1, 2017.
Version 4

Mimecast offers a number of Managed Reference Dictionaries that take the complexity out of implementing Content Examination policies that search for common sensitive information types (credit card numbers, profanity, etc.) within messages.

 

With the introduction of our new Healthcare-orientated Dictionaries and Entities, it is now possible to search for multiple sensitive information types in only a few steps and with greater control.

 

This guide explains how to:

  • Insert the new healthcare dictionary into a new or existing Content Examination Definition
    • Customise the default Healthcare policy including:
      • Exclude Entities from content matches
      • Add additional Entities

 

What You'll Need

  • The Healthcare Dictionaries package enabled on your Mimecast account.
  • Access to the Administrator Console, with edit rights to the Administration | Gateway | Policies menu item.

 

1. Configuring a Content Examination Definition to use the Mimecast default Healthcare policy.

 

To configure a content examination definition with the Healthcare policy, you will need to follow the steps below:

  1. Log in to the Administration Console. Click on the Administration menu item. A menu drop down is displayed.
  2. Click on the Gateway | Policies menu item.
  3. Hover over the Definitions button.
  4. Select Content Definitions from the drop down menu.
  5. Select a Folder in the hierarchy. Any existing definitions are listed.
  6. Either click the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Description field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Leave the Definition Type as Independent Content Definition.
  9. Specify an Activation Score. This is the overall score that any content matches must reach before the Content Examination policy is applied.
  10. Click on the Insert menu.
  11. Select Mimecast Managed Reference Dictionary.

    There are 2 Healthcare Shared Reference Dictionaries to choose from:

     

    US Healthcare - Fixed: Allows administrators to quickly and easily start searching messages for restricted content with minimal effort.

     

    US Healthcare - Configurable: Allows administrators to configure the content checks performed as part of the US Healthcare dictionaries to meet their needs.

  12. Click Lookup.
  13. Select Reference Dictionary from the folder view.
  14. Click Select next to the Healthcare dictionary.
  15. Click Save and Exit.
  16. The Word/Phrase Match List will now be populated with the default Mimecast Healthcare policy syntax.
  17. Complete the following sections as required:
    1. Policy Definition: See the Policy Definition section of the Configuring a Content Examination Definition article for full details.
    2. Scanning Options: See the Scanning Options section of the Configuring a Content Examination Definition article for full details.
    3. Inbound and Outbound Settings: See the Inbound and Outbound Settings section of the Configuring a Content Examination Definition article for full details.

      Please note: The Inbound and Outbound settings should be configured to match the compliance regulations of your organization.

    4. Journal Settings: See the Journal Settings section of the Configuring a Content Examination Definition article for full details.
    The "Inbound and Outbound Settings" and "Journal Settings" sections are only displayed if your account has Internal Email Protect enabled.

18. Click Save and Exit.

 

The Mimecast default Healthcare policy contains searches for the following content. It is possible to add additional content searches via the use of search terms or Entities.

 

ICD10cm in proximity (within 300 characters) of the following PHI information types:

  • Names
  • Date of Birth (DOB)
  • Social Security Number (SSN)
  • Medicare ID
  • Phone Number
  • URL
  • Vehicle Identification Number (VIN)
  • IP Address
  • Email Address

 

FDA Drugs in proximity (within 300 characters) of the following PHI information types:

  • Names
  • Date of Birth (DOB)
  • Social Security Number (SSN)
  • Medicare ID
  • Phone Number
  • URL
  • Vehicle Identification Number (VIN)
  • IP Address
  • Email Address

 

ICD10cm in proximity (within 300 characters) of the following PII information types:

  • Passports
  • US Driver's License
  • IBAN Numbers
  • Credit Card Numbers

 

FDA Drugs in proximity (within 300 characters) of the following PII information types:

  • Passports
  • US Driver's License
  • IBAN Numbers
  • Credit Card Numbers

 

More information relating to the use of Entities can be found in the Content Examination Policies: Healthcare Dictionaries and Entities article.

 

2. Customising the Mimecast Default Healthcare policy

There may be scenarios where the default Mimecast Healthcare policy is too strict and generates too many false positives, or where you wish to add further content checks.

 

Excluding Entities from content searches:

There may be a time when one of the checks performed within an Entity Group becomes unwanted or yields too many false positives. This is where negative scores come into play: when a search term has a negative line score, any matches found for it have that negative score applied to the total.

 

For example:

An Administrator is using the PHI Entity Group, which contains the following individual Entities:

  • Name
  • DOB
  • SSN
  • MedicareID
  • PhoneNumber
  • FAX
  • VIN
  • IP
  • EmailAddress
  • URL

 

They are seeing a high number of false positives with the Phone Number Entity, and would like to check if ignoring this check resolves the problem.

This can be achieved by using one of the following methods.

 

1. Remove the entry for the PHI Entity Group from the Content Examination Definition and enter all of the Individual Entities that you wish to use.

 

So from this:

1 detect PHI

To be replaced with the following individual Entities:

1 detect Name
1 detect DOB
1 detect SSN
1 detect MedicareID
1 detect FAX
1 detect VIN
1 detect IP
1 detect EmailAddress
1 detect URL

 

 

2. Use a negative line score for the 'Phone Number' Entity.

 

Original word/phrase match list content:

 

1 detect PHI

 

New word/phrase match list content including the negative score for the Phone Number Entity.

1 detect PHI

-1 detect PhoneNumber

 

So if we break example 2 down, the following will occur. A total of 10 matches will be found (assuming that one piece of content exists within a message for each search term) as the PHI Entity Group contains 10 individual Entities, which means the total score will be 10.

 

  • Name
  • DOB
  • SSN
  • MedicareID
  • PhoneNumber
  • FAX
  • VIN
  • IP
  • EmailAddress
  • URL

 

We then process the negative line score entry "-1 detect PhoneNumber". This causes the total score of 10 to become 9, as we have removed the score (-1) for the Phone Number match.
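The score arithmetic above, as an added example that is not Mimecast code: a small Python model of the word/phrase match list that compares the original list with both exclusion methods. It assumes every match adds its line's score to the total and that the definition fires when the total reaches the Activation Score; the helper names and sample hit counts are constructed for illustration.

```python
import re

# Entity Group membership as listed on this page.
ENTITY_GROUPS = {
    "PHI": ["Name", "DOB", "SSN", "MedicareID", "PhoneNumber",
            "FAX", "VIN", "IP", "EmailAddress", "URL"],
}
LINE_RE = re.compile(r"^\s*(-?\d+)\s+detect\s+(\w+)\s*$")

def parse_match_list(text):
    """Parse simple '<score> detect <Entity>' lines into (score, [entities])."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"line not covered by this model: {raw!r}")
        rules.append((int(m.group(1)), ENTITY_GROUPS.get(m.group(2), [m.group(2)])))
    return rules

def total_score(match_list, hits):
    """Assumed scoring: every match adds its line's score to the total."""
    return sum(score * sum(hits.get(e, 0) for e in entities)
               for score, entities in parse_match_list(match_list))

def policy_applies(match_list, hits, activation_score):
    """The definition fires once the total reaches the Activation Score."""
    return total_score(match_list, hits) >= activation_score

ORIGINAL = "1 detect PHI"
NEGATIVE = "1 detect PHI\n\n-1 detect PhoneNumber"           # method 2
INDIVIDUAL = "\n".join(f"1 detect {e}" for e in ENTITY_GROUPS["PHI"]
                       if e != "PhoneNumber")                # method 1

# Constructed inputs: one match per Entity, and a message with only phone numbers.
ONE_OF_EACH = {e: 1 for e in ENTITY_GROUPS["PHI"]}
PHONES_ONLY = {"PhoneNumber": 3}

if __name__ == "__main__":
    for name, ml in [("original", ORIGINAL), ("negative", NEGATIVE),
                     ("individual", INDIVIDUAL)]:
        print(name, total_score(ml, ONE_OF_EACH), total_score(ml, PHONES_ONLY))
```

Under these assumptions both methods give the same totals, and a message containing only phone numbers drops from a score of 3 to 0.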

 

Adding additional Entities:

The list of entities included within our healthcare policy is suitable in most use cases; however, there may be instances where further content checks need to be added to the Healthcare Content Examination policy.

 

This can be done by manually adding an Entity into the Content Examination policy. Entities can be used in conjunction with other Entities or Entity Groups via the use of operators.

 

For example:

An administrator has had reports of Canadian Social Security Numbers (SIN) being present within emails being sent externally. This is due to the SIN number entity not being present in the hipaa_phi Entity Group.

 

To add a check for SIN numbers the administrator would need to add the following policy syntax.

 

1 detect SIN

 

If they wish to only trigger a Content match when the presence of a name is found, the administrator can use the AND operator and the "Names" Entity Group.

 

1 (detect SIN) AND (detect Names)

 

Another example would be when an Administrator wants to combine a word or phrase with an Entity, so that they can cover another use case.

 

With the new Content policy syntax changes, it is possible to combine search words or phrases with another word, phrase or Entity.

 

For example:

You may wish to search for the term "Admission Date" followed by a date in the Month/Day/Year format.

 

This can be achieved by using the following policy syntax.

1 ("Admission Date") Proximity (detect date_mdy)

 

If we break the above example down into sections:

 

1 = This is the line score, which is applied when a match is found.

("Admission Date") = This is the first check performed. It needs to be encased within brackets to mark the boundaries of the search text.

Proximity = This is the operator. In this case the phrase "Admission Date" needs to be within 300 characters of a date in the Month/Day/Year format.

(detect date_mdy) = This is the second check performed. Again, it is contained within brackets to mark the boundaries of the search term, in this case a date in the Month/Day/Year format.
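The proximity check broken down above, as an added Python model that is not Mimecast code, useful for predicting which sample messages a rule like this should and should not match. It assumes the 300 characters are counted between the end of one match and the start of the other, in either order and inclusive; the `DATE_MDY` regex is a hypothetical stand-in for the date_mdy Entity, and the sample messages are constructed.

```python
import re

WINDOW = 300  # proximity distance stated on this page

# Assumption: a simple M/D/YY or M/D/YYYY pattern stands in for date_mdy.
DATE_MDY = re.compile(r"\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/(\d{4}|\d{2})\b")

def spans(pattern, text):
    """(start, end) offsets of every match of pattern in text."""
    return [m.span() for m in pattern.finditer(text)]

def gap(a, b):
    """Characters between two spans; 0 if they touch or overlap."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))

def proximity_hits(text, phrase, entity=DATE_MDY, window=WINDOW):
    """Return (phrase_span, entity_span, gap) for each pair within the window."""
    phrase_re = re.compile(re.escape(phrase), re.IGNORECASE)
    hits = []
    for p in spans(phrase_re, text):
        for e in spans(entity, text):
            g = gap(p, e)
            if g <= window:
                hits.append((p, e, g))
    return hits

# Constructed sample messages.
NEAR = "Admission Date: 07/17/2017. Patient was referred by the clinic."
FAR = "Admission Date pending. " + "x" * 400 + " invoice raised 09/01/2017"
DATE_FIRST = "Seen 07/17/2017; Admission Date confirmed"

if __name__ == "__main__":
    for label, msg in [("near", NEAR), ("far", FAR), ("date first", DATE_FIRST)]:
        print(label, proximity_hits(msg, "Admission Date"))
```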

 

A full list of the Entities, Entity Groups and Operators supported by Content Examination policies can be found in the following articles.
