Streamlining compliance efforts in the health care industry
Unfortunately, this was not an isolated incident. Hospitals and clinics regularly handle thousands of medical records—as well as other personal information such as patient social security and credit card numbers. Preventing sensitive information from getting into the wrong hands is a huge and complicated challenge for information security professionals. Manual audits can't begin to analyze the volumes of information generated each and every day, 365 days a year.
Importance of HIPAA compliance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to protect personal information. Failure to guard the privacy and security of sensitive and confidential healthcare data disseminated over networks can be costly to an institution, both in terms of fines and the potential for litigation and serious damage to the organization's reputation. And while security professionals may begrudge the onerous task of complying with HIPAA, none are willing to say, “Let's ignore it.”
How health care organizations can safeguard data
Information security professionals have adopted a number of methods and techniques over time to help achieve compliance with HIPAA. These have traditionally included ongoing employee education (at best a voluntary measure), firewalls at the edge of the network, and filtering technologies that look for specific data patterns. For most institutions, however, there used to be no good method to technically validate that the data leaving the organization was properly protected.
More recently, healthcare organizations have been turning to data loss prevention (DLP) technologies to ensure that information is being handled responsibly and policies are being followed. One example DLP solution is from Reconnex, whixh consists of a content monitoring appliance that can monitor, capture, analyze, and index threats entering or leaving the network regardless of port or protocol and, a data-at-rest appliance that scans content on PCs and servers. It can capture critical information at rest, monitor for data in motion, and prevent breaches through blocking and alerts. In addition, the solution can capture data for after-the-fact investigation and search with a rolling storage “window” that retains months of information. This helps determine what risks the network has been exposed to in the past.
Misconfigured network devices can provide “holes” through which hackers can gain access to secure data. Some DLP solutions can detect whether video traffic, for example, is getting through, enabling security professionals to identify where the anomalous traffic is coming from and correct the misconfigured security device. Without the DLP technology, these security vulnerabilities might go undetected for long periods of time.
Enforcing internal policies
In addition to protecting sensitive patient data, virtually all health care organizations have internal policies that govern how employees can use the network. Inappropriate use includes movies, MPEG files, pornography, harassing emails, and unsuitable web sites.
Some organizations rely on blocking technology to deter inappropriate access to web sites banned by corporate policies. But employees were still often able to access sites due to the dynamic nature of the web. DLP solutions can enable organizations to create a policy that looks for images that have skin tone colorations. Images can be identified whether they are downloaded or attached to messages. Security staff can determine where the images traveled on the network and run specific searches against target IP addresses if further investigation is warranted. A case can be fully documented in a matter of hours.
Internal policies at some organizations prohibit employees from using internet phone services. A DLP system can often identify those trying to use unauthorized VoIP services and block those protocols on the network.
Benefits of monitoring data as a means to safeguard it
A DLP can provide unprecedented visibility into the organization and what is taking place on the network. Security professionals can be proactive instead of reactive. Unlike traditional network security devices that only provide information about when, where, and who is communicating with whom, the DLP solution delivers the who, when, where, and what they are communicating about in a single tool. It is possible to chose a DLP system that did not require the user to know all the rules about content to protect. Instead, it can allow professionals to use their own communications to learn what information is going where. This enables them to investigate, to define business policies, and to identify broken policies.
The underlying benefit of DLP technology for health care organizations is the added control it delivers, not only to meet HIPAA guidelines, but to protect their brand and reputation.