How to create a custom Content Control List for US Medical Record Number detection

  • Article ID: 112192
  • Updated: 31 May 2013

Summary

The HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) Act require companies holding electronic protected health information (EPHI) to secure it.

This knowledge base article is designed to guide you through the process of creating a custom Content Control List for the MRN format used in your health organization. Please note that Sophos does not provide technical support for the creation of custom Content Control Lists.

Introduction

Sophos provides a set of Content Control Lists (CCLs) that allow administrators to track/block the movement of EPHI. Relevant CCLs have been tagged with the "HIPAA" identifier and are provided within the following products:

  • Endpoint Security and Data Protection
  • Email Security and Data Protection

A Medical Record Number (MRN) is classified as EPHI so it is important to be able to identify the use of the MRN within outbound documents and email communications. Typically, a HIPAA data control rule would be configured to identify an MRN alongside other EPHI e.g. a Social Security Number or National Health Provider Identifier.

Across the US there is not a widely adopted standard for Medical Record Numbers. There are likely to be hundreds of MRN formats in use, so Sophos is unable to provide a universal CCL for Medical Record Number detection.

How to create custom Content Control Lists (CCLs) using the Sophos template

SophosLabs have created a template custom CCL for MRN detection. The goal for this custom CCL is to identify a number/code which can match the MRN format used in your organization. It may be necessary to also identify qualifying terms such as "MRN" or "Medical Record Number" to reduce the risk of false positives (numbers being identified as an MRN when they are not).

  • Click here to download XML file sample 

    Note: For download purposes this file is saved in .zip format. Unzip the download and open the sample file MRN.xml contained within it. You must use the XML contained in this file, do NOT copy and paste the XML from this knowledgebase article as it may not be imported correctly.

Example Medical Record Number identification CCL

<?xml version="1.0" encoding="utf-16"?>
<contentConditions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.sophos.com/xml/msys/datacontrol.xsd">
<contentCondition triggerWeight="2" comment="An example custom CCL for identifying data tagged with a Medical Record Number." name="Medical Record Number">
<simpleExpressionSet>
<!-- Exp1 <expression value="&quot;Medical Record Number&quot; OR MRN" count="1" weight="1" nearDistance="50" /> -->
</simpleExpressionSet>
<regularExpressionSet>
<!-- Exp2 <expression value="\b\d{6}\b" count="1" weight="1" /> -->
<!-- Exp3 <expression value="\b\d{4}[ -]?\d{3}\b" count="1" weight="1" /> -->
<!-- Exp4 <expression value="\b(?:\d{2}[ -]?){3}\d{2}\b" count="1" weight="1" /> -->
<!-- Exp5 <expression value="\b(?:\d{3}[ -]?){2}\d{3}\b" count="1" weight="1" /> -->
<!-- Exp6 <expression value="\b[a-zA-Z]{3}[ -]?\d{3}[ -]?[a-zA-Z]{3}\b" count="1" weight="1" /> -->
</regularExpressionSet>
<tag idRef="17" /><tag idRef="5" />
</contentCondition>
</contentConditions>

How to customize the Medical Record Number XML file

To customize the MRN XML file you will need to uncomment at least two of the provided expressions. Provided below is an example of a "commented" expression and what it looks like after being "uncommented".

  • Before (commented): <!-- ExpX <expression value="expression" count="X" weight="X" /> -->
  • After (uncommented): <expression value="expression" count="X" weight="X" />

The following steps will guide you through the process of customizing the XML:

  1. Open the supplied XML file (see link above) in a text editor (e.g. notepad).

  2. You can change the name of the CCL (attribute: name) and the description (attribute: comment) by editing the quoted values of those two attributes:

    <contentCondition triggerWeight="2" comment="An example custom CCL for identifying data tagged with a Medical Record Number." name="Medical Record Number">

  3. Medical Record Numbers are often shown alongside a text label, such as Medical Record Number or MRN. We recommend that you uncomment Exp1 to make use of these qualifying terms. This will significantly reduce the risk of false positives.

    Terms are case insensitive, so the term medical record number will match Medical Record Number and Medical record number.

  4. You can add additional qualifying terms alongside those already supplied. This can be done by adding an extra OR operand within the expression. To match an exact phrase enclose the phrase using &quot;. For example OR &quot;Acme Medical Record&quot; will match Acme Medical Record.

    • If your MRN is a 6 digit number then uncomment expression (Exp2). This expression detects a string of 6 digits exactly.
    • If your MRN is a 7 digit number of the form: 1234-567, 1234 567 or 1234567 then you can uncomment expression (Exp3). This expression detects a string of 7 digits with an optional hyphen (-) or space between the 4th and 5th digits. If your MRN is of the form 123-4567 then this expression can be easily edited to fit.
    • If your MRN is an 8 digit number of the form: 12-34-56-78, 1234 5678 or 12345678 then you can uncomment expression (Exp4). This expression detects a string of 8 digits with optional hyphens or spaces between digits 2 and 3, 4 and 5, and 6 and 7.
    • If your MRN is a 9 digit number of the form: 123-456-789, 123 456789 or 123456789 then you can uncomment expression (Exp5). This expression detects a string of 9 digits with optional hyphens or spaces between digits 3 and 4, and 6 and 7.
    • If your MRN is a 9 character string of the form: ABC-456-GHI, abc 456 ghi or ABC456GHI then you can uncomment expression (Exp6). This expression detects a string of 9 alphanumeric characters (3 alphabetic, 3 digits and 3 alphabetic).
    • If your MRN is different to the formats provided in the example then you will need to add your own expression or modify one of the existing expressions. A regular expression "primer" is provided at the end of this article.

  5. The CCL expects the phrase expression (Exp1) and one of the number format expressions (Exp2-Exp6) to be used. If you have only uncommented one expression then change the value associated with the triggerWeight from 2 to 1.

  6. Once you have finished editing the CCL it can be saved. Ensure that you save the file with a .xml file extension rather than .txt.

  7. You can verify the format of the edited XML file by reviewing it using a web browser.
    Note: in Firefox you may see the following message which can be ignored: 'This XML file does not appear to have any style information associated with it. The document tree is shown below.'

  8. Once you have reviewed the changes made you can import the XML file into either Sophos Enterprise Console or the Email Security Appliance web interface:
    • Sophos Enterprise Console: Open Tools | Manage data control | Data Control Content Control Lists | Import. The CCL Import dialog box is displayed.
    • Email Security Appliance: Under Content control lists, click Import. The CCL Import dialog box is displayed.
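To check an edited CCL before importing it, the following added Python script (not Sophos code and not part of the KB article) evaluates a CCL of this format against sample text the way steps 3 to 5 describe: each expression whose match count reaches its count contributes its weight, qualifying terms count only when they sit close to a detected number, and the condition fires when the total reaches triggerWeight. It assumes that nearDistance is measured in characters, that OR separates alternatives in a simple expression and that &quot; marks an exact phrase; the CCL and the sample texts are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.sophos.com/xml/msys/datacontrol.xsd}"

# Constructed test CCL: the template above with Exp1 (qualifying terms) and
# Exp3 (7-digit MRN) uncommented, so triggerWeight="2" can be reached.
CCL_XML = r"""<contentConditions xmlns="http://www.sophos.com/xml/msys/datacontrol.xsd">
<contentCondition triggerWeight="2" comment="test" name="Medical Record Number">
<simpleExpressionSet>
<expression value="&quot;Medical Record Number&quot; OR MRN" count="1" weight="1" nearDistance="50" />
</simpleExpressionSet>
<regularExpressionSet>
<expression value="\b\d{4}[ -]?\d{3}\b" count="1" weight="1" />
</regularExpressionSet>
</contentCondition>
</contentConditions>"""

def term_regex(value):
    """Compile '"Medical Record Number" OR MRN' into one case-insensitive regex.
    Assumption: OR separates alternatives and &quot; marks an exact phrase."""
    alts = [re.escape(t.strip().strip('"')) for t in value.split(" OR ")]
    return re.compile(r"\b(?:" + "|".join(alts) + r")\b", re.IGNORECASE)

def evaluate_ccl(ccl_xml, text):
    """Return (triggered, total_weight) for the first contentCondition in ccl_xml."""
    cond = ET.fromstring(ccl_xml).find(NS + "contentCondition")
    weight = 0
    # Number-format expressions first: their positions anchor the proximity check.
    number_hits = []
    for exp in cond.find(NS + "regularExpressionSet"):
        hits = [m.start() for m in re.finditer(exp.get("value"), text)]
        if len(hits) >= int(exp.get("count")):
            weight += int(exp.get("weight"))
        number_hits.extend(hits)
    # A qualifying term only counts if a number sits within nearDistance characters
    # of it (assumed unit; the article does not define nearDistance precisely).
    for exp in cond.find(NS + "simpleExpressionSet"):
        near = int(exp.get("nearDistance", len(text)))
        hits = [m.start() for m in term_regex(exp.get("value")).finditer(text)
                if any(abs(m.start() - n) <= near for n in number_hits)]
        if len(hits) >= int(exp.get("count")):
            weight += int(exp.get("weight"))
    return weight >= int(cond.get("triggerWeight")), weight

if __name__ == "__main__":
    print(evaluate_ccl(CCL_XML, "Patient MRN: 1234-567 admitted today."))  # (True, 2)
```

A number with no label nearby earns only weight 1, which is why step 5 tells you to lower triggerWeight to 1 if you uncomment a single expression.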

For additional information on testing Content Control Lists please refer to:

Addendum - Regular Expression primer

Value          Description
\b             Matches a word boundary (space, comma, period etc.).
\d             Matches any single digit.
\d{3}          Matches exactly 3 digits.
[ -]           Matches either a space or a hyphen (always ensure the hyphen is the last thing in these brackets).
?              Matches zero or one of the item before it; in the case of [ -]? this means zero or one of either a space or a hyphen.
[a-z]          Matches any lowercase alphabetic character between a and z.
[a-zA-Z]       Matches any alphabetic character.
[A-HK-NP-Z]    Matches any uppercase alphabetic character except I, J and O (which could be mistaken for numbers).
(?:...)        A non-capturing grouping of an expression.

For more detail refer to this external web page: http://perldoc.perl.org/perlre.html

 
If you need more information or guidance, then please contact technical support.
