November 2008
Transparent Data Loss Protection for Healthcare

By Rod Murchison

Hospital networks have basic data security for HIPAA compliance, but IT administrators often worry about what happens to data after an authorized user gains access. Patient information can be leaked by physicians or other staff using webmail programs, for example, putting the data into non-secure networks where it could be compromised. Data Loss Prevention (DLP) solutions allow hospital IT administrators to monitor the use of sensitive information and block or encrypt it as needed. This makes it possible to enforce HIPAA compliance rules by controlling user behavior - an area where the IT department previously had little or no control.

Hospitals have addressed HIPAA requirements through password and network access controls, but once a user has access to the data there are many ways for security regulations to be breached. Physicians may want to exchange test results or other patient information, for example, and there is nothing to stop them from doing that via web-mail programs. Administrators or nursing staff may want to review files at home by copying them to a USB memory stick or another portable storage device. At this point, the data becomes inherently insecure.

DLP products are designed to prevent the deliberate or inadvertent transfer of sensitive data via e-mail, webmail, ftp, transfers to portable devices, and other methods. The heart of a DLP system is an appliance that connects to the rest of the network via taps to monitor data "in motion" across the network. To monitor and protect data at network endpoints such as desktop or laptop computers, a comprehensive DLP system also includes software agents installed on end-user computers and servers to prevent unauthorized transfers of data to external networks or media.

To set up a DLP system, the IT administrator installs the appliance and registers the hospital's data by determining precisely what constitutes sensitive data and inspecting the corresponding databases and file servers to find out where that data resides. The administrator then establishes policies will be enforced to prevent unauthorized use or transmission of the data.

The DLP system then enforces security policies by monitoring data "in motion" on the network and "in use" at network endpoints. Based on the established policies, the appliance or endpoint agent can then block a data transfer, alert the user to the problem, encrypt the data before transfer, or quarantine the data and alert the IT administrator or department head about the issue.

DLP systems are most effective when they meet the following criteria:
Accurate data registration: The DLP system should be able to identify both structured data such as Patient Health Information (PHI) from a database or spreadsheet and unstructured data such as sensitive peer review documents. To do this, it must support a variety of data characterization methods, including database fingerprinting, pattern matching, pre-defined lexicons, dictionaries, regular expressions, and document classes. With a full complement of data registration tools, the IT administrator gains better control and also reduces false positives that waste IT staff time.

Network-wide data identification: The system should use a combination of appliances and endpoint agents to locate and block transfers of sensitive data anywhere on the network.

Policy-based enforcement: The DLP solution should make it relatively easy for IT administrators to translate hospital security policies into logical security controls that simplify how protection is implemented for different users, user groups, types of data, and network locations.

Centralized monitoring and management: To minimize the use of IT resources, the DLP system should be centrally managed from a single console, regardless of how many appliances or endpoint agents are in use.

End user remediation: The system should support a tiered system of end-user remediation, ranging from notifying end users about a policy violation and allowing them to self-correct the issue to blocking transfers and alerting department heads or IT staff.

Non-disruptive operation: The DLP system should perform its function without reducing network response times or interfering with end-user activities.

Integrated e-mail encryption: The DLP system's appliance should either incorporate an e-mail encryption engine or integrate with a discrete encryption server. For ease of deployment, the system should integrate with web-based e-mail encryption services from companies such as Cisco, Voltage Security, and ZixCorp.

Naturally, DLP systems should also be evaluated in terms of ease of deployment and cost of ownership. Early DLP systems required multiple servers, for example, while newer ones handle all functions within one appliance.

Every IT administrator knows that user behavior is one of the most difficult things to change, and this is particularly true in hospitals where physicians and staff are carrying out critical work. Data loss prevention systems allow hospitals to plug the holes in their data security infrastructure by enforcing policies whenever sensitive data is used, and without relying on end users to do it.

Rod Murchison is the Vice President of Marketing & Strategic Alliances at Code Green Networks. Rod has more than 17 years of experience building industry-leading security and networking solutions and has held executive-level management positions at NetScreen Technologies, Juniper Networks (NASDAQ: JNPR), Ingrian Networks, CacheFlow (NASDAQ: BCSI) and Newbridge Networks (NYSE: ALA). Rod holds a Bachelor of Science degree in Industrial Engineering from Penn State University.

Copyright 2008
Nelson Publishing, 2500 Tamiami Trail North, Nokomis, FL 34275