VA Investigating Security Breach

March 10th, 2010 rfernandez

It seems just like yesterday that the Veterans Affairs Department (VA) was sending out notices to millions of patients informing them that their personal data might have been compromised. The year was 2006, and my dad called me in a panic immediately after receiving a notice that his information had been stolen. It was the largest leak of Social Security numbers (26.5 million) ever, and the incident that led the public to question the security of their sensitive information.

Fast forward to March 2010: the Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center. According to an article published in Nextgov News, “the assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information.” One of the most disturbing parts of this article is that the department has not yet decided whether it will notify the veterans whose records were downloaded during this latest breach.

So what happened? Where did the VA’s commitment to protect their patients’ privacy go wrong? Did they not educate their employees about what is acceptable to download and what is not? Do they even know where their unauthorized clinical data is within their organization? What are they planning to do to protect the veterans over the next 4 years?

DLP for Monitoring SSL Encrypted Traffic

March 4th, 2010 jpeck

When it comes to network data loss prevention solutions monitoring SSL encrypted traffic, a lot depends on the transparency of the web/ICAP proxy and how it is configured to handle SSL certificates. Some proxies are better at this than others. Pretty much all network DLP solutions use ICAP integration with a web proxy to inspect SSL traffic, and they do so with varying degrees of success.

When it comes to endpoint data loss prevention solutions monitoring SSL encrypted traffic, there are several issues:

  1. You can’t monitor traffic from systems that don’t have the endpoint agent installed, for example guest machines, contractors, visitors, etc. The endpoint solution may also not be available for all the endpoint operating systems and browsers used on your network. A network-based solution monitors and controls anything going through the gateway regardless.
  2. The endpoint solution has to perform its inspection and control before the data is SSL encrypted by the web browser. This is difficult to build, and not all endpoint solutions can do it. If the endpoint solution is built to handle only IE, you may need to lock the endpoint down to prevent other browsers (Chrome, Safari, etc.) from being installed and used.
  3. Deployment and management: network DLP is much easier and less disruptive to deploy and manage than installing an endpoint DLP agent on every desktop in your organization.

I’m not against endpoint DLP; it’s one of the products Code Green offers. But network DLP is a much better solution for web traffic monitoring and control.
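To make the network-side design concrete, here is an added example (not Code Green’s code and not part of the original post) of what the DLP side of an ICAP integration does: the SSL-intercepting proxy hands the already-decrypted HTTP request to the DLP engine as an ICAP REQMOD message, the engine scans the body for the identifiers a DLP policy typically covers (Social Security numbers and Luhn-valid payment card numbers), and it answers 204 to let the request through unchanged or 200 with an encapsulated HTTP 403 to block it. The hostnames, paths and the sample webmail request are constructed placeholders, and the REQMOD parsing is simplified from RFC 3507 (a single chunked body, no preview).

```python
"""Simplified ICAP REQMOD handler for a network DLP engine (added example).

The proxy terminates SSL, so the HTTP request inside the ICAP message is
plaintext; inspection therefore needs no agent on the client machine.
All hostnames and the sample request below are constructed for illustration.
"""
import re
from typing import NamedTuple

# SSN: 3-2-4 digits; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


class Finding(NamedTuple):
    kind: str
    value: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[Finding]:
    """Return SSN and Luhn-valid card matches found in a request body."""
    found = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append(Finding("card", m.group()))
    return found


def _dechunk(data: bytes) -> bytes:
    """Decode an HTTP/ICAP chunked body (size line in hex, chunk, CRLF, ... 0)."""
    out = b""
    while True:
        size_line, _, rest = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += rest[:size]
        data = rest[size + 2:]  # skip the CRLF that terminates the chunk


def parse_reqmod_body(raw: bytes) -> str:
    """Extract the decrypted HTTP request body from a REQMOD message using the
    offsets in the ICAP Encapsulated header (RFC 3507 section 4.4.1)."""
    icap_hdr, _, encapsulated = raw.partition(b"\r\n\r\n")
    offsets = {}
    for line in icap_hdr.split(b"\r\n")[1:]:      # skip the ICAP request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"encapsulated":
            for part in value.decode().split(","):
                key, val = part.strip().split("=")
                offsets[key] = int(val)
    body = _dechunk(encapsulated[offsets["req-body"]:])
    return body.decode("utf-8", "replace")


def reqmod_verdict(raw: bytes) -> tuple[int, list[Finding]]:
    """204 = forward unmodified (requires the proxy's 'Allow: 204'); 200 = the
    request is replaced by a block page, which the proxy returns to the client."""
    findings = find_sensitive(parse_reqmod_body(raw))
    return (200, findings) if findings else (204, [])


def build_icap_reply(raw: bytes) -> bytes:
    """Serialise the verdict as the ICAP response the proxy expects."""
    status, findings = reqmod_verdict(raw)
    if status == 204:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    http_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    body = ("Blocked by DLP policy: " + ", ".join(f.kind for f in findings)).encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_hdr = f"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n"
    return icap_hdr.encode() + http_hdr + chunked


def sample_reqmod(http_body: str) -> bytes:
    """Constructed REQMOD message as an ICAP-integrated proxy would send it."""
    body = http_body.encode()
    http_hdr = ("POST /compose/send HTTP/1.1\r\nHost: webmail.example.com\r\n"
                f"Content-Type: text/plain\r\nContent-Length: {len(body)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_hdr = ("REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\n"
                "Host: dlp.example.internal\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked


if __name__ == "__main__":
    leak = sample_reqmod("Client SSN 123-45-6789, card 4111 1111 1111 1111, ref 4111 1111 1111 1112")
    print(reqmod_verdict(leak))      # (200, [ssn ..., card ...]); the 'ref' number fails Luhn
    print(build_icap_reply(sample_reqmod("Meeting moved to 3pm, call 555-0100")))
```

The point this illustrates is the first issue in the list above: because inspection happens at the proxy after SSL termination, the same code covers guest and contractor machines with no agent, and it is indifferent to which browser produced the request. A real engine would add document fingerprinting, preview handling and a policy lookup keyed on the destination host, but the decision flow is the same.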

Categories: DLP, Data Loss Prevention, SSL, Web 2.0

Massachusetts Data Protection Law 201 CMR 17.00

February 24th, 2010 rfernandez

Next week, March 1, 2010, Massachusetts will implement the most stringent data protection law in the nation.

Massachusetts Data Protection Law 201 CMR 17.00 will require businesses engaged in commerce to adopt written security policies and to encrypt the personal data of any Massachusetts resident that is stored or transmitted over the Internet or wirelessly. Personal information includes a combination of customers’ or employees’ names and their Social Security, bank account or credit card numbers. The key to this new law is that regardless of where your business is physically or operationally located, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information.

This is the first data privacy law that allows a court to impose a $5,000 civil penalty for each violation; if a ‘violation’ is interpreted by a judge to mean the unauthorized access to a single individual’s personal information, the potential damages could be enormous. In addition to fines, failure to comply may expose your company to expensive audits and costly civil litigation.

If your organization owns or licenses personal information then you need to ensure that this information does not get transmitted and is not stored in clear text.

Check out the Boston Herald article, “State to firms: Protect data”.

Categories: 201 CMR 17.00, DLP, Data Loss Prevention

Speaking at NAFCU Technology & Security Conference

February 19th, 2010 CLeffel

I will be speaking at the NAFCU 2010 Technology & Security Conference in Las Vegas next week.

The conference schedule is available here: http://www.bit.ly/aj3xQt

The extract for my speaking engagement is below. Hope to see you there!

TITLE: Preventing Member Info Leaks 2.0 & Next Generation E-mail Encryption
EXTRACT: Credit union customer representatives have a mission to provide excellent service, but in their continuous efforts to go the extra mile for members, they may be putting your organization at risk. They may be encouraged to reply to member emails via webmail programs, or they may interact with members on social media sites like Facebook or Twitter. In this discussion you will learn how data loss prevention (DLP) systems can monitor Web 2.0 traffic for member information and what controls are available to remediate potential information leaks.

-Chris

Categories: DLP

Video: Introduction to Data Loss Prevention

February 17th, 2010 CLeffel

In this video, I give a quick “chalk talk” about what data loss prevention is, and the two main things you should remember when purchasing a solution to prevent sensitive data from leaving your network.

Topics Covered Include:
* Basics of Data Loss Prevention
* What makes Data Loss Prevention solutions so accurate

Video on YouTube: Introduction to Data Loss Prevention

-Chris

Categories: DLP, Data Loss Prevention, Video

22 Million Patient Records Undetected

January 29th, 2010 admin

We recently talked with a customer in the healthcare industry who was concerned about protecting their patient records. While many of us have become quite familiar with HIPAA, or the Health Insurance Portability and Accountability Act, many of us are still learning how to protect those records. And with the flood of devices, widespread access to information, and distributed locations, protecting that data is a real challenge.

When we demonstrated the new discovery capability in our TrueDLP 7.0 data loss prevention solution a few weeks ago, our client found more than 22 million sensitive patient records floating around on a variety of PC clients, servers and other devices, in various formats and with varying degrees of detail. They had no idea. With discovery, data can be located and identified in data centers and throughout the network. A terabyte of data a day can be scanned from file servers, SharePoint servers, email servers, web servers, FTP servers and source code repositories, and discovery scans can be scheduled and reported on regularly.

For more information on this and the other new features in Code Green Networks TrueDLP 7.0 visit: www.codegreennetworks.com/truedlp

Categories: DLP, Data Loss Prevention, HIPAA, Healthcare

CSO Executive Seminar on DLP and Encryption

January 22nd, 2010 admin

On February 11th CXO Media will host the CSO Executive Seminar on Data Protection and Encryption at the Hilton McLean Tysons Corner in McLean, VA. These events are intended to help you learn the strategies and tactics for taking a comprehensive approach to data loss prevention and better protecting your corporate data.

This year Code Green Networks and Blue Coat will be presenting on the topic of “Managing DLP Before it’s a Crisis”. If you want more information regarding this session or the event, send an email to info@codegreennetworks.com. We hope to see you there.

Categories: DLP, Data Loss Prevention

Using data loss prevention software to comply with new HIPAA policies

January 14th, 2010 admin

There was a great article earlier this month, written by Elisabeth Horwitt and posted on searchhealthit.techtarget.com, titled “Using Data Loss Prevention Software to Comply with new HIPAA Policies”. The piece highlighted one organization, Cascade Healthcare Community (CHC), and how it was using DLP as a means of monitoring and enforcing security policies organization-wide.

It was interesting that the piece quoted a Ponemon Institute LLC security survey of 540 healthcare IT practitioners from organizations with an average of 1,000 employees, in which 61% of respondents said their employers lack the resources to meet the new HITECH privacy and data security requirements.

However, with the Feb. 17th deadline for the HITECH Act’s new provisions for the Health Insurance Portability and Accountability Act (HIPAA) approaching, Code Green Networks is seeing more and more healthcare organizations taking action to secure their patients’ sensitive information. We will continue to watch how this one develops.