Content Examination Policies: Healthcare Dictionaries and Entities

Document created by user.3AEuBpAOr2 Expert on Jul 17, 2017. Last modified by user.3AEuBpAOr2 Expert on Jul 17, 2017.
Version 2
The use of entities and healthcare related dictionaries is restricted to customers with the healthcare package enabled on their Mimecast account.

Overview

 

Without the addition of the healthcare package, content examination policies only allow you to search for message content using:

  • Keywords or phrases
  • Regular expressions

 

The healthcare package allows you to search for message content using entities. Entities are records maintained by Mimecast that include the regular expressions, keywords, and phrases required to find content. Using entities simplifies the process by allowing you to search for sensitive content without the need for regular expressions.

 

Entities can be used inside content examination policies in the following ways:

  • Using a single entity: Use this method where an entity has a low percentage of false positives, or has broad criteria for matching content.
  • Using multiple entities: Use this method to trigger a content match when two entities are found.
  • Using operators (e.g. AND, OR)

 

Single Entity Example

 

Say you wish to hold all messages that contain references to credit card numbers. Instead of manually adding a regular expression, including the card number validator for each credit card type you want to identify, use the "creditcard" entity as follows to find any credit card numbers:

 

Regular Expression Syntax

The following regular expression can be used to find all Visa credit card numbers, but not Mastercard, Amex, etc. The entry below would have to be repeated for each credit card type.

1 regex,cardnumber 4(?<=\b(?<!\.)4)\d{3}[\W\s]?\d{4}[\W\s]?\d{4}[\W\s]?\d{4}\b

Entity Syntax

With the entity syntax, no regular expression is required. Using the "creditcard" entity finds all credit card numbers, regardless of the credit card type. For example, the following would match any credit card number found in the specified areas of an email (header, body, attachment).

1 detect creditcard
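The following Python sketch is an added illustration, not Mimecast's implementation, of what an entity bundles together: a candidate pattern, per-brand prefixes and the card number validator (the Luhn checksum). The brand prefixes are simplified assumptions and the sample text is constructed from published test card numbers.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d.])\d(?:[ -]?\d){12,18}(?!\d)")

# Simplified brand prefixes (assumption for this sketch, not Mimecast's rules).
BRANDS = [
    ("visa", re.compile(r"4\d{12}(?:\d{3})?")),
    ("mastercard", re.compile(r"5[1-5]\d{14}")),
    ("amex", re.compile(r"3[47]\d{13}")),
]

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text, brand=None):
    """Return (brand, digits) for every checksum-valid card number in text.

    brand=None behaves like a catch-all card entity; brand="visa" like a
    single-brand entity.
    """
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # right shape, wrong checksum: not a card number
        for name, pattern in BRANDS:
            if pattern.fullmatch(digits) and brand in (None, name):
                hits.append((name, digits))
                break
    return hits

# Constructed sample using published test card numbers; the last one fails Luhn.
SAMPLE = ("Visa 4111 1111 1111 1111, MC 5555-5555-5555-4444, "
          "Amex 378282246310005, order ref 4111 1111 1111 1112.")

if __name__ == "__main__":
    print(detect(SAMPLE))
    print(detect(SAMPLE, brand="visa"))
```

The order reference has the shape of a Visa number but fails the checksum, which is the kind of false positive a pattern without a validator would hold.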

 

Using Multiple Entities with Operators

Read the following in conjunction with the Content Examination Definitions: Word / Phrase Match List Examples page.

           

 


For example, an administrator may only want to hold messages that contain one piece of PII (Personally Identifiable Information) and one piece of financial information that are within a specific distance of each other.

 

 

1 (detect aba) Proximity:50 (detect date_dob)

The above search criteria match when an instance of an ABA number and an instance of a Date of Birth (DOB) are found within 50 characters of each other.

 

The Proximity operator has a default distance of 300 characters. Specifying a number value after Proximity overrides the default distance.
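The Python sketch below is an added illustration of the proximity logic described above, not Mimecast's implementation. It assumes distance is counted as the characters between the two matches, that a DOB is a date following a "DOB" or "date of birth" label, and that ABA candidates are validated with the standard 3-7-1 routing checksum; all sample text is constructed.

```python
import re

DEFAULT_PROXIMITY = 300  # default distance stated on this page

ABA_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Assumption: a DOB is a date that follows a "DOB" / "date of birth" label.
DOB_RE = re.compile(r"(?:DOB|date of birth)\W{0,3}\d{1,2}/\d{1,2}/\d{4}", re.I)

def aba_ok(digits):
    """ABA routing checksum: weights 3,7,1 repeated, weighted sum mod 10 == 0."""
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0

def spans(pattern, text, validator=None):
    """Spans of all matches that pass the optional validator."""
    return [m.span() for m in pattern.finditer(text)
            if validator is None or validator(m.group())]

def gap(a, b):
    """Characters between two spans (0 if they touch or overlap)."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))

def proximity_match(text, distance=DEFAULT_PROXIMITY):
    """Pairs of (ABA span, DOB span) lying within `distance` characters."""
    abas = spans(ABA_RE, text, aba_ok)
    dobs = spans(DOB_RE, text)
    return [(a, d) for a in abas for d in dobs if gap(a, d) <= distance]

# Constructed samples: 123456780 passes the checksum, 123456789 does not.
NEAR = "Patient DOB: 04/12/1987, refund to routing 123456780."
FAR = "DOB: 04/12/1987." + " Notes follow." * 10 + " Routing 123456780"
BAD = "DOB: 04/12/1987 routing 123456789"

if __name__ == "__main__":
    print(proximity_match(NEAR, 50))   # one pair, 20 characters apart
    print(proximity_match(FAR, 50))    # none: 150 characters apart
    print(proximity_match(FAR))        # one pair under the default of 300
    print(proximity_match(BAD, 50))    # none: checksum fails
```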

                          

Supported Entities

Mimecast currently supports the following Entities that can be used individually within Content Examination policies:

 

Financial Entities

Entity Name | Example Usage

CreditCard (Individual Credit Card types can also be specified using their unique entity name when matching specific card types.)

  • Visa
  • MasterCard
  • American Express
  • JCB
  • Diners Card

To match any kind of credit card an administrator only needs to specify the 'creditcard' entity.

 

For example:

1 detect creditcard

However, to detect only Visa credit cards, an administrator only needs to specify the 'Visa' entity.

 

For example:

1 detect visa

ITIN (Individual Tax Payer Number)

To detect the presence of any ITIN numbers within a message or attachments, administrators only need to use the 'itin' entity.

 

For example:

1 detect us_itin

IBAN Number (International Bank Account Number)

To detect the presence of any IBAN numbers within a message or attachments, administrators only need to use the 'IBAN' entity.

 

For example:

1 detect iban

ABA Number (American Bankers Association Number)

To detect the presence of any ABA numbers within a message or attachments, administrators only need to use the 'aba' entity.

 

For example:

1 detect aba

Tax File Number

To detect the presence of any Tax File Numbers within a message or attachments, administrators only need to use the 'tfn' entity.

 

For example:

1 detect tfn

 

PII (Personally Identifiable Information) Entities

Entity Name | Example Usage

Passport Numbers:

  • Au
  • Ca
  • De
  • Fi
  • Fr
  • Jp
  • Pl
  • Se
  • Tw
  • UK
  • US

To detect the presence of any passport numbers within a message or attachments, administrators only need to use the 'passport' entity.

 

For example:

1 detect passport

 

However, if an administrator only wishes to match passports from a specific region, they can use a region-specific entity.

 

For example:

1 detect passport_au

 

 

Date of Birth (DOB)

 

To detect the presence of a date of birth (DOB) within a message or attachments, administrators only need to use the 'date_dob' entity.

 

1 detect date_dob

Drivers Licenses:

  • UK
  • US
    • ak
    • al
    • ar
    • az
    • ca
    • co
    • ct
    • dc
    • de
    • fl
    • ga
    • hi
    • ia
    • id
    • il
    • in
    • ks
    • ky
    • la
    • ma
    • md
    • me
    • mi
    • mn
    • mo
    • ms
    • mt
    • nc
    • nd
    • ne
    • nh
    • nj
    • nm
    • nv
    • ny
    • oh
    • ok
    • or
    • pa
    • ri
    • sc
    • sd
    • tn
    • tx
    • ut
    • va
    • vt
    • wa
    • wi
    • wv
    • wy

To detect the presence of any UK or US Driver's License numbers within a message or attachments, administrators only need to use the '' entity.

 

1 detect drivers_license_us

1 detect drivers_license_uk

However, if an administrator only wishes to match driver's licenses from a specific region, they can use a region-specific entity.

 

For example: US region variant

1 detect drivers_license_us_ak

VIN Number (Vehicle Identification Number)

To detect the presence of VIN numbers within a message or attachments, administrators only need to use the 'VIN' entity.

 

For example:

1 detect vin

SSN (Social Security Number)

To detect the presence of Social Security numbers within a message or attachments, administrators only need to use the 'SSN' entity.

 

For example:

1 detect ssn

SIN (Canadian Social Insurance Number)

To detect the presence of Canadian Social Insurance numbers within a message or attachments, administrators only need to use the 'SIN' entity.

 

For example:

1 detect sin

Telephone Number:

  • UK
  • US
  • Au

To detect the presence of Telephone Numbers within a message or attachments, administrators only need to use the 'Telephone_number' entity.

 

For example:

1 detect phonenumber

However, if an administrator only wishes to match Telephone Numbers from a specific region, they can use a region-specific entity.

 

For example:

 

1 detect phonenumber_uk

Email Address

To detect the presence of an Email Address within a message or attachments, administrators only need to use the 'Email' entity.

 

For example:

1 detect email

Fax Number

 

UK Electoral Roll

To detect the presence of Electoral roll numbers within a message or attachments, administrators only need to use the 'UK_Electoral_roll' entity.

 

For example:

 

1 detect uk_electoral_roll

South Africa ID

To detect the presence of South Africa ID Numbers within a message or attachments, administrators only need to use the 'south_africa_id' entity.

 

For example:

 

1 detect south_africa_id

 

Healthcare Entities:

Entity Name | Example Usage

HICN (Healthcare Insurance Claim Numbers)

To detect the presence of Health Insurance Claim Numbers (HICN) within a message or attachments, administrators only need to use the 'HICN' entity.

 

For example:

1 detect hicn

1 detect hicn_rrb

1 detect hicn_cms

NHS Number (National Health Service Number)

To detect the presence of National Health Service Numbers (NHS) within a message or attachments, administrators only need to use the 'NHS' entity.

 

For example:

1 detect nhs

CHI Number (Community Health Index Number)

To detect the presence of Community Health Index Numbers (CHI) within a message or attachments, administrators only need to use the 'CHI' entity.

 

For example:

1 detect chi

DEA Number (Drug Enforcement Agency Number)

To detect the presence of Drug Enforcement Agency Numbers (DEA) within a message or attachments, administrators only need to use the 'DEA' entity.

 

For example:

1 detect dea

NDC - (National Drug Codes)

To detect the presence of National Drug Code Names (NDC) within a message or attachments, administrators only need to use the 'NDC' entity.

 

For example:

1 detect ndc

FDA Approved Prescription Drugs

To detect the presence of Prescription Drug codes within a message or attachments, administrators only need to use the 'FDA_APD' entity.

 

For example:

1 detect fda_drugs

Medicare Account Number

To detect the presence of Medicare Account numbers within a message or attachments, administrators only need to use the 'MA' entity.

 

For example:

1 detect medicard_id

 

Generic Entities

Entity Name | Example Usage

Dates

  • Full Date (Year/Month/Day)
  • Partial Date (Month/Year)

To detect the presence of Dates within a message or attachments, administrators only need to use the 'date' entity.

 

1 detect date

 

However, if an administrator wants to customize the date format or search, they can use the following entities.

 

Specific Date Formats:

Syntax | Behavior
1 detect date_dmy | Detects dates in the Day/Month/Year format.
1 detect date_mdy | Detects dates in the Month/Day/Year format.
1 detect date_ymd | Detects dates in the Year/Month/Day format.
1 detect date_my | Detects dates in the Month/Year format.

 

IP Address

To detect the presence of IP addresses within a message or attachments, administrators only need to use the 'IP' entity.

 

For example:

 

1 detect ip

URL

To detect the presence of URLs within a message or attachments, administrators only need to use the 'url' entity.

 

For example:

 

1 detect url

 

 

Entity Groups

Mimecast also provides a set of Entity Groups that contain either a list of search terms or a selection of Entities that align to a particular area, for example PHI.

Mimecast currently offers the following Entity Groups that are made up of multiple search terms or Entities:

Entity Group Name | Example Usage

ICD10cm: A list of medical terms that can be used in the diagnosis of a medical condition.

To detect the presence of a medical condition being mentioned within a message or attachments, administrators need to use the 'icd10cm' entity.

 

For example:

1 detect icd10cm

PII: A collection of entities that focus on the identification of personal information.

 

This includes the following Entities:

  • Passports
  • US Drivers Licenses
  • Telephone Numbers
  • Fax Numbers
  • Email Addresses
  • IP Addresses
  • Date of Birth (DOB)
  • Social Security Number
  • URL
  • Vehicle Identification Number (VIN)

To detect the presence of any piece of personally identifiable information being mentioned within a message or attachments, administrators need to use the 'pii' entity.

 

For example:

1 detect pii

PHI: A collection of entities that focus on healthcare related personal information.

 

This includes the following Entities:

  • Date of Birth (DOB)
  • Social Security Number (SSN)
  • Medicare ID
  • Telephone Number
  • Fax Number
  • Vehicle Identification Number (VIN)
  • IP Address
  • Email Address
  • URL

To detect the presence of any piece of Protected Health Information (PHI) being mentioned within a message or attachments, administrators need to use the 'phi' entity.

 

For example:

1 detect phi

FDA Prescription Drugs: A collection of FDA approved prescription drugs in list format.

To detect the presence of any FDA prescription drug being mentioned within a message or attachments, administrators need to use the 'fda_prescrpt' entity.

 

For example:

1 detect fdadrugs

Names: A collection of first and surnames gathered from the US Social Security Administration.

To detect the presence of any names being mentioned within a message or attachments, administrators need to use the 'Names' entity.

 

For example:

1 detect names

 

It is recommended to use the Names Entity in conjunction with another individual Entity or Entity Group, to minimise the number of false positives.

                      

 

Each of the above Entity Groups (icd10cm, hipaa_phi, pii, fda_drugs and names) can be used within Content Examination policies, with other search terms or other Entities.

 

For example:

 

1 (detect icd10cm) Proximity (detect Email)

 

or

 

1 (detect icd10cm) Proximity ("diagnosed with")

                            
                      

The contents of the icd10cm, FDA Prescription Drug and Names Entity Groups will not be viewable via the Mimecast Administration Console due to the size of these lists.

                    
