When reading Henk’s thoughts on DLP, I have to concur that DLP must go beyond simple dirty word filtering and similar technical attempts. DLP properly done must include a comprehensive scheme to protect proprietary information that should likely include a data tagging and labeling strategy. Tagging and labeling of information is reasonably well understood, and – essentially – also a prerequisite for mandatory access control.
Interestingly enough, the HL7 Security WG has started to think along the lines of data labeling and tagging to enable data separation for privacy. Yesterday Mike Davis presented a proposal that would introduce a tagging and labeling scheme akin to the information control systems commonly found in the intelligence community. It includes the concept of classification labels, aligned with the CDA confidentiality codes. In addition, Mike attempted to map the concept of compartmentalization to a Need-To-Know principle aligned with the more restrictive information categories, such as the information identified in U.S. Title 38 (Drug abuse, Sickle Cell, etc.).
While the current momentum for data tagging in HL7 is largely focused on access control, it would be nice to see more DLP systems deployed in healthcare environments using these emerging concepts.
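As an added illustration, not taken from the HL7 proposal or any DLP product: a label made of a confidentiality level plus need-to-know compartments can drive a DLP egress decision with the same dominance check used for mandatory access control. The N/R/V ordering follows the CDA confidentiality codes; the compartment names, the channel labels and the fail-closed handling of unlabeled content are assumptions.

```python
from dataclasses import dataclass

# CDA confidentiality codes, least to most restrictive:
# N = normal, R = restricted, V = very restricted.
LEVELS = {"N": 0, "R": 1, "V": 2}

@dataclass(frozen=True)
class Label:
    level: str                               # CDA confidentiality code
    compartments: frozenset = frozenset()    # need-to-know categories (names are hypothetical)

def dominates(holder: Label, data: Label) -> bool:
    """MAC-style check: holder's level is at least the data's and it covers every compartment."""
    return (LEVELS[holder.level] >= LEVELS[data.level]
            and data.compartments <= holder.compartments)

def combine(labels) -> Label:
    """Label of an aggregate: highest level present, union of all compartments."""
    level = max((l.level for l in labels), key=LEVELS.__getitem__)
    return Label(level, frozenset().union(*(l.compartments for l in labels)))

def egress_decision(channel: Label, segments) -> tuple:
    """DLP decision for content leaving over `channel`; segments holds one Label (or None) per part."""
    if not segments or any(s is None for s in segments):
        return (False, "unlabeled content, failing closed")   # assumption: no label means no release
    needed = combine(segments)
    if dominates(channel, needed):
        return (True, "channel label dominates content label")
    missing = sorted(needed.compartments - channel.compartments)
    return (False, f"content is {needed.level}, channel is {channel.level}, "
                   f"missing compartments: {missing}")

# Constructed sample: a discharge summary with one substance-abuse section.
SUMMARY = [Label("N"), Label("R", frozenset({"SUBSTANCE_ABUSE"}))]
BILLING_PARTNER = Label("N")                                   # hypothetical outbound channel
TREATING_TEAM = Label("R", frozenset({"SUBSTANCE_ABUSE"}))     # hypothetical internal channel

if __name__ == "__main__":
    for name, channel in [("billing", BILLING_PARTNER), ("treating team", TREATING_TEAM)]:
        print(name, egress_decision(channel, SUMMARY))
```

Note that a high level alone is not enough: a channel labeled V without the right compartment is still refused, which is the Need-To-Know part of the scheme.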