Everyone in healthcare knows that new HIPAA regulations, implemented as part of the HITECH Act this year, have raised the bar on compliance. In particular, data leak prevention has become a hot spot for many healthcare organizations. As we’ve noted before, we identified more than 22 million sensitive records floating around one such healthcare organization. The HITECH act mandates federal data breach notification requirement for security breaches involving protected health information. And it covers not just the actual healthcare organization but any individual or company acting on that organization’s behalf. As a result, healthcare orgs are looking closely at how to prevent data breaches.
CynergisTek, a leading provider of security solutions for healthcare organizations, has stepped up and taken the lead on providing a new Data Loss Prevention (DLP) solution as a way to prevent PHI from leaving healthcare organizations. Using Code Green Networks TrueDLP cutting-edge detection technology, combined with the company’s analytical expertise, healthcare organizations are eliminating leaks of confidential information especially via channels such as the network, personal email accounts, social media, removable storage and mobile devices.
Sharon Finney, Corporate Data Security Officer at Adventist Health System says, “DLP solutions have traditionally been so cost prohibitive that few organizations are ever able to tackle this issue in a meaningful way. Solutions like CynergisTek’s make thorough DLP analysis and reporting much more accessible. We take a very rigorous approach to evaluating and selecting security solutions, and the CynergisTek offering clearly stood out from the pack as the best combination of quality and value for our organization.”
For more information visit, www.cynergistek.com.
It seems just like yesterday, when the Veterans Affairs Department (VA) was sending out notices to millions of patients informing them that their personal data might have been compromised. The year was 2006, and my dad called me in a panic immediately after receiving a notice that his information had been stolen. It was the largest data leak of social security numbers (26.5 million) ever, and the incident that led the public to question the security of their sensitive information.
Fast forward to March, 2010–the Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center. According to an article published in Nextgov News, “the assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information.” One of the most disturbing parts of this article is that the department is questioning whether or not they plan on notifying the veterans who records were downloaded during this latest breach.
So what happened? Where did the VA’s commitment to protect their patients’ privacy go wrong? Did they not educate their employees about what is acceptable to download and what is not? Do they even know where their unauthorized clinical data is within their organization? What are they planning to do to protect the veterans over the next 4 years?
When it comes to network data loss prevention solutions monitoring SSL encrypted traffic a lot depends on the transparency of the web/ICAP proxy and how it is configured to handle SSL certificates. Some proxies are better at this than others. Pretty much all the network DLP solutions utilize ICAP integration with a web proxy for inspecting SSL traffic and are somewhat/very successful.
When it comes to endpoint data loss prevention solutions monitoring SSL encrypted traffic there are issues.
- You can’t monitor traffic from systems that don’t have the endpoint solution on them, for example guest machines, contractors, visitors, etc. Or the endpoint solution may not be available for all the different endpoint operating systems and browsers used on your network. A network based solution monitors/controls anything going through the gateway regardless.
- The endpoint solution has to have its inspection/control happen prior to the data being SSL encrypted by the web browser. This can be difficult to build and not all endpoint solutions can do this. If the endpoint solution is built to handle IE browsers you may need to lock the endpoint down to prevent other browsers (chrome, safari, etc) from being installed and used.
- The deployment and management issue – network DLP is much easier and less disruptive to deploy and manage than installing an endpoint DLP agent on every desktop in your organization.
I’m not against endpoint DLP, it’s one of the products Code Green offers, but network DLP is a much better solution for web traffic monitoring and control.