Approximately a year ago, Cascade Healthcare Community Inc. hired CynergisTek Inc., an independent security consulting firm, to do a baseline risk assessment. Cynergistek used Code Green Networks Inc.’s TrueDLP for Healthcare platform to scan Cascade’s databases, monitor outgoing transmissions and identify any data, such as patient information, that was not being adequately protected.
The results of that assessment convinced Cascade’s CIO to purchase and deploy Code Green’s data loss prevention software internally, as a means of monitoring and enforcing security policies organizationwide.
One major payback has been peace of mind, said Steve Scott, IT security manager at Bend, Ore.-based Cascade. His people aren’t scrambling to comply with the Feb. 17 deadline for the HITECH Act’s new provisions for the Health Insurance Portability and Accountability Act (HIPAA). “We’re feeling pretty comfortable,” he said.
Cascade may be ready, but many health care IT staffs aren't so fortunate. According to a recent Ponemon Institute LLC security survey of 540 health care IT practioners from organizations with an average of 1,000 employees, 61% of respondents believe their employers lack the resources to meet the new HITECH privacy and data security requirements.
Although most respondents had deployed traditional security measures such as policies and procedures (81%), antivirus and antimalware (69%), training and awareness programs (67%), and perimeter controls such as firewalls (61%), a majority nonetheless said their organizations had one or more data breaches involving patient health information.
Critical layer of health information security
Only 23% of respondents said they were using data loss prevention (DLP) software. This is a serious omission, according to CynergisTek CEO Mac McMillan. “If you think of security as a series of concentric security layers, DLP is the critical inward layer that puts controls around the data itself, helping to ensure it doesn’t leave the organization either by the wrong path, or to the wrong address, or unencrypted.”
In its “Magic Quadrant for Content-Aware Data Loss Prevention” report, published last June, Gartner Inc. defined data loss prevention software as a set of technologies and inspection techniques used to classify information in a file, email, packet or storage device, while at rest (in storage), in use or in transit. DLP software can then apply policies to content classified as sensitive; these include encrypting content, moving material to a secured device and blocking unsecured transmissions.
The Code Green TrueDLP appliances installed at Cascade’s two hospitals and two medical centers continually monitor outgoing network traffic. The data loss prevention software then notifies the user or administrator when it identifies sensitive information that is being transmitted unencrypted or via an unsecured medium such as webmail.
On top of monitoring where and how sensitive data is stored, TrueDLP periodically scans databases and storage devices, Scott said. This function is crucial, because end users often have no idea what’s in their files, he added: “They may have taken out a subset of data years ago and just forgot.”
HITECH Act will motivate use of data loss prevention software
Currently, health care organizations such as Cascade, which have implemented proactive, enterprise-wide encryption and security policies, are very much in the minority. IT decision makers have chosen not to encrypt data because of the projected cost and overhead and because they were rarely penalized for failing to report any breaches that occurred, McMillan explained.
The new HITECH provisions are changing all that. As of Feb. 17, when an organization suffers a security breach involving sensitive data that was not adequately protected (i.e., encrypted), it must report it to the Department of Health and Human Services, all major local newspapers and all individuals affected. Apart from the negative publicity, this can mean a civil suit and/or a hefty fine: California, for example, levies a $250,000 fine per person, per incident.
However, if a health care organization can demonstrate that the sensitive data was encrypted at the time of the breach, it is neither penalized nor required to disclose information about the incident, McMillan said. Currently, few hospitals encrypt data at rest (in storage) or in transit between two systems, while about half encrypt data over the network, he added.
By automating policy enforcement and limiting encryption and other security measures to sensitive data, DLP software can help organizations meet the new HIPAA provisions without breaking the budget.
The past couple of years have seen a major DLP market consolidation, with point solution vendors being snapped up by major players such as McAfee Inc., CA Inc., Symantec Corp. and EMC subsidiary RSA. Many of these vendors are embedding content-aware DLP into their other security offerings, including enterprise-scale security and governance platforms.
On the plus side, this paves the way to “broad, effective application of protection and governance policies across the entire enterprise IT ecosystem and throughout all the phases of the data lifecycle,” Gartner said in its DLP report.
For many health care organizations, however, such enterprise-scale, all-in-one platforms may be overkill, both in scale and price. Small- to medium-sized providers may prefer to go with point solution providers such as Code Green, RSA, GTB Technologies Inc., Palisade Systems Inc. and Trustwave, which recently acquired Vericept’s Corp.’s DLP product and plans to develop a Software as a Service (SaaS) offering. These vendors provide out-of-the-box support for health care data definitions and HIPAA compliance.
One key differentiator for DLP software is the policy engine -- that is, whether it deploys a full set of HIPAA policies and recognizes medical data out of the box and how easy it is to add new types of data definitions and policies.
DLP is the critical inward layer [of security] that puts controls around the data itself, helping to ensure it doesn’t leave the organization.
Mac McMillan, CEO, CynergisTek Inc.
With Code Green, for example, “I can set up a rule that a lab report for blood work can live in a patient record, laboratory or medical errors database -- but nowhere else,” said CynergisTek’s McMillan.
Granularity is key. Wholesale security policies, such as telling end users to encrypt all their emails, tend to be costly, and ultimately unenforceable, industry experts agree. Deploying focused policies via DLP can not only save money but also makes security enforcement less painful for end users.
Cascade’s IT group, for example, has historically prevented data from escaping via thumb drives by disabling the USB ports on the majority of desktops and laptops. “Users keep asking us if they can save a document to a USB stick, and we keep saying no,” Scott said. Once TrueDLP agents have been installed on all 3,000 computers, however, Scott’s group can discard the older policy. Administrators can block any attempt to download sensitive data via a USB port and allow end users to download anything else, Scott noted. ”So instead of having a blanket policy, we have a granular one that helps people do their jobs.”
Elisabeth Horwitt is a contributing writer based in Waban, Mass. Let us know what you think about the story; email firstname.lastname@example.org.
This was first published in January 2010