
Archive for the ‘HIPAA’ Category

Steve Scott, St. Charles Health System, Talks DLP in New Podcast @HealthInfoSecurity.com

May 21st, 2010 rfernandez

Data loss prevention (DLP) sounds like a no-brainer, but in some cases it has been a challenging technology to implement, primarily because of the complexity of some of today’s enterprise solutions.

However, there are some organizations that have found enterprise DLP without the complexity, and those organizations that have implemented a solution have found it critical to their IT Security success.

This week, in HealthInfoSecurity.com, Steve Scott, IT security manager for the St. Charles Health System in Oregon, talks about how his organization decided it needed DLP, how it was implemented and how it’s managed. After a base security risk assessment, conducted by CynergisTek, St. Charles implemented the Code Green Networks TrueDLP solution.

From HealthcareInfoSecurity.com:  Scott explains how the three-hospital organization is using DLP for detective work, such as to:

  • Identify where patient information is stored, including vulnerable spreadsheets and documents;
  • Track when users attempt to transmit patient information via unencrypted email;  and
  • Determine when business associates send the hospitals patient information without adequately protecting it.

More information on the organization’s DLP strategy and the complete podcast can be found at http://www.healthcareinfosecurity.com/podcasts.php?podcastID=529.




CynergisTek Takes Data Protection in Healthcare Organizations Seriously

March 24th, 2010 rfernandez

Everyone in healthcare knows that new HIPAA regulations, implemented as part of the HITECH Act this year, have raised the bar on compliance. In particular, data leak prevention has become a hot spot for many healthcare organizations. As we’ve noted before, we identified more than 22 million sensitive records floating around one such healthcare organization. The HITECH Act mandates a federal data breach notification requirement for security breaches involving protected health information. And it covers not just the actual healthcare organization but any individual or company acting on that organization’s behalf. As a result, healthcare orgs are looking closely at how to prevent data breaches.

CynergisTek, a leading provider of security solutions for healthcare organizations, has stepped up and taken the lead on providing a new Data Loss Prevention (DLP) solution as a way to prevent PHI from leaving healthcare organizations. Using Code Green Networks TrueDLP cutting-edge detection technology, combined with the company’s analytical expertise, healthcare organizations are eliminating leaks of confidential information, especially via channels such as the network, personal email accounts, social media, removable storage and mobile devices.

Sharon Finney, Corporate Data Security Officer at Adventist Health System says, “DLP solutions have traditionally been so cost prohibitive that few organizations are ever able to tackle this issue in a meaningful way.  Solutions like CynergisTek’s make thorough DLP analysis and reporting much more accessible. We take a very rigorous approach to evaluating and selecting security solutions, and the CynergisTek offering clearly stood out from the pack as the best combination of quality and value for our organization.”

For more information, visit www.cynergistek.com.

VA Investigating Security Breach

March 10th, 2010 rfernandez

It seems just like yesterday when the Veterans Affairs Department (VA) was sending out notices to millions of patients informing them that their personal data might have been compromised. The year was 2006, and my dad called me in a panic immediately after receiving a notice that his information had been stolen. It was the largest data leak of Social Security numbers (26.5 million) ever, and the incident that led the public to question the security of their sensitive information.

Fast forward to March, 2010–the Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center. According to an article published in Nextgov News, “the assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information.” One of the most disturbing parts of this article is that the department is questioning whether or not they plan on notifying the veterans whose records were downloaded during this latest breach.

So what happened? Where did the VA’s commitment to protect their patients’ privacy go wrong? Did they not educate their employees about what is acceptable to download and what is not? Do they even know where their unauthorized clinical data is within their organization? What are they planning to do to protect the veterans over the next 4 years?

22 Million Patient Records Undetected

January 29th, 2010 admin

We recently talked with a customer in the healthcare industry who was concerned about protecting their patient records. While many of us have become quite familiar with HIPAA, or the Health Insurance Portability and Accountability Act, many of us are still learning how to protect those records. And with the flood of devices, widespread access to information, and distributed locations, protecting that data is a real challenge.

When we demonstrated the new discovery capability in our TrueDLP 7.0 data loss prevention solution a few weeks ago, our client found that more than 22 million sensitive patient records were floating around on a variety of PC clients, servers and other devices in various formats and with varying degrees of detail! They had no idea. With discovery, data can be located and identified in data centers and throughout the network. A terabyte of data a day can be scanned from fileservers, SharePoint servers, email servers, web servers, FTP servers and source code repositories, and discovery scans can be scheduled and reported on regularly.

For more information on this and the other new features in Code Green Networks TrueDLP 7.0 visit: www.codegreennetworks.com/truedlp


Using DLP to comply with new HIPAA policies

January 14th, 2010 admin

There was a great article earlier this month, written by Elisabeth Horwitt and posted on searchhealthit.techtarget.com, titled “Using Data Loss Prevention Software to Comply with new HIPAA Policies”. The piece highlighted one organization, Cascade Healthcare Community (CHC), and how it was using DLP as a means of monitoring and enforcing security policies organization wide.

It was interesting that the piece quoted the Ponemon Institute LLC security survey of 540 healthcare IT practitioners from organizations with an average of 1,000 employees, in which 61% of respondents believe their employers lack the resources to meet the new HITECH privacy and data security requirements.

However, with the Feb. 17th deadline for the HITECH Act’s new provisions for the Health Insurance Portability and Accountability Act (HIPAA), Code Green Networks is seeing more and more healthcare organizations taking action to secure their patients’ sensitive information.   We will continue to watch to see how this one develops.