Real Threats, Real Solutions: Data Loss Prevention

Uploaded by kalea, posted 10-Feb-2016 (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: Real Threats, Real Solutions: Data Loss Prevention


Page 2: Conflict of Interest Disclosure

Sadik Al-Abdulla has no real or apparent conflicts of interest to report.

Brian Comp has no real or apparent conflicts of interest to report.

Page 3: Presentation Objectives

• Identify real, viable solutions and the steps needed to invest in data loss prevention technologies

• Outline recent advances in data loss prevention technologies

• Identify key techniques for securing buy-in from senior leadership

• Define the return on investment needed to justify implementing data loss prevention controls within the technology infrastructure

Page 4: Every Day In Your Organization…

Just Like This – A nurse manager has a big presentation and takes a series of screenshot images and puts them into PPT. Unfortunately, the images inserted into the presentation contain PHI (protected health information).

The Enemy is Us – An IS support person is having technical problems with a system and needs to send sample data to the vendor for support. The file is too big for e-mail, so they upload a census file to FTP and successfully send the (real-life) sample data that way.

The “thumb-drive nightmare” – A disgruntled employee copies a census report to a thumb drive and shows just how easy it is to take PHI out of the system.

Page 5: So Far This Year…

• Hack – ID 3340: Breach of E-mail. Date: 1/13/11. Records lost: 1,800. Location: Indianapolis, IN. Organization: Hospital

• Accident – ID 3331: Sensitive Information Posted to the Web. Date: 1/4/11. Records lost: 1,086. Location: Lemoyne, PA. Organizations: Health system, Medical Transcription Service

• Hack – ID 3330: Hacker Gains Access to File Server. Date: 1/4/11. Records lost: 1,000. Location: Germantown, MD. Organization: Physician Practice

Source: datalossdb.org

Page 6: The Threat is Very, Very Real

• Lost – ID 1854: Portable Drive Exposes 280,000 Patients. Date: 10/20/10. Records lost: 280k. Location: Philadelphia, PA. Data: Names, Addresses, Birth Dates, Social Security Numbers

• Fraud – ID 1821: Employee Walks Out with 30 Patient Identities to Sell. Date: 10/18/10. Records lost: 30. Location: Milwaukee, WI. Data: Names, Birth Dates, Social Security Numbers

• Accident – ID 1797: Document Posted to Web Contains 3000 Patient IDs. Date: 10/16/10. Records lost: 3,000. Location: Socorro, NM. Data: Names, Birth Dates, Social Security Numbers

• Hack – ID 1789: Hacker Steals 100k+ Patient Records. Date: 10/15/10. Records lost: 106k. Location: Jacksonville, FL. Data: Names, Birth Dates, Social Security Numbers

Source: datalossdb.org

Page 7: Regulatory Environment Now Has Teeth

HIPAA – Policy layer and necessary standards

• Defines 18 identifiers for special treatment as Protected Health Information
• Security standards rule issued February 2003, with compliance by April 2005/2006
• Enforcement rule sets civil monetary penalties for HIPAA violations – March 2006

ARRA – Incentives for organizations to ensure HIPAA standards

• Section 3014 grants for improving the security of exchanged health information

HITECH – Penalties for failing to meet HIPAA standards

• Extension of civil and criminal penalties (fines capped at $1.5 million)
• Breach notification requirements (FTC and HHS rules, August 2009)
• State Attorneys General are enforcing (either via HITECH or state laws):
  – Connecticut AG sues insurance company, wins multi-million dollar settlement
  – Indiana AG sues insurer for $300k

Page 8: Data Loss Vectors

(Diagram: Regulated Patient Health Information at the center, surrounded by four loss vectors: Broken Business Processes, Expanding Network Perimeter, External Threats, Internal Threats.)

• 88% of breaches caused by insiders and partners:
  – Mistakes handling data
  – Broken business processes

• 81% of organizations breached were NOT PCI compliant:
  – … vs. 19% who were!
  – … vs. 92% who ‘were compliant’ prior to the breach

2010 Ponemon Institute Study – Average cost of a breach: $6.7M

Page 9: Technology Tools – Data at Rest

Scenario: Records on Open Share

Technology Tools

• Solution 1: Encrypted Storage

• Solution 2: Encrypted Backups

• Solution 3: Data Loss Prevention – Data At Rest

• Solution 4: Digital Rights Management

Page 10: Technology Tools – Data in Motion

Scenario: I’ll Just Reply-all…. OOPS

Technology Tools

• Solution 1: Encrypted E-mail Gateway

• Solution 2: Web Security Filters

• Solution 3: Data Loss Prevention – Data In Motion

Page 11: Technology Tools – Endpoint Storage

Scenario: File -> Save As…

Technology Tools

• Solution 1: Full Disk Encryption

• Solution 2: Endpoint Security

• Solution 3: Endpoint Data Loss Prevention


Page 13: Technology Tools – USB Ports

Scenario: Off With Their Thumbs

Technology Tools

• Solution 1: Block / Remove USB ports via Security Software

• Solution 2: … or Endpoint Data Loss Prevention

Page 14: Technology Tools – Web-based Mail/Storage

Scenario: PHI Sent By Webmail

Technology Tools

• Solution 1: Web Security Gateways

• Solution 2: Data Loss Prevention – Data in Motion

Page 15: Understanding Business Priorities

(Chart: $ plotted against Time for Operating Expense, Revenue and Operational Risk.)

Page 16: Making the Internal Sell

1. Define the Business Problem

2. Build Key Stakeholder Group

3. Deliver No-cost Progress

4. Demonstrate the Business Value

5. Validate with Third-party Sources

Page 17: A Model for Return on Investment

(Diagram: three scenarios (Scenario 1, 2, 3), each costed across Fines, Legal, Brand and Fixes; the Investment required for Solution One and Solution Two; and Likelihood figures of 77%, 64%, 56%, 21%, 7% and 0%.)
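The slide reduces to a small expected-loss model: each scenario's cost (fines + legal + brand + fixes) weighted by its likelihood, compared with and without each candidate investment. The block below is an added example, not the presenters' spreadsheet: the scenario names follow the deck's data-loss vectors, the likelihoods reuse the percentages printed on the slide but are assigned to scenarios and solutions here by assumption, and every dollar figure is a constructed placeholder.

```python
"""ROI model for DLP investment in the shape of the slide: scenarios, each
costed as fines + legal + brand + fixes and weighted by likelihood, compared
with the investment in candidate solutions.

Added example, not the presenters' spreadsheet. All dollar amounts are
constructed placeholders; the likelihoods reuse the percentages printed on
the slide, assigned to scenarios and solutions here by assumption."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    fines: float
    legal: float
    brand: float
    fixes: float
    likelihood: float  # annual probability of the breach with today's controls

    def cost(self) -> float:
        return self.fines + self.legal + self.brand + self.fixes

    def expected_loss(self, likelihood=None) -> float:
        p = self.likelihood if likelihood is None else likelihood
        return p * self.cost()


@dataclass
class Solution:
    name: str
    investment: float  # annualized cost of buying and running the control
    residual: dict     # scenario name -> likelihood once the control is in place


SCENARIOS = [
    Scenario("Lost or stolen laptop with PHI", 100_000, 200_000, 500_000, 200_000, 0.77),
    Scenario("PHI records on an open file share", 100_000, 150_000, 250_000, 100_000, 0.56),
    Scenario("PHI sent out by webmail", 50_000, 100_000, 150_000, 100_000, 0.21),
]

SOLUTIONS = [
    # Full-disk encryption plus USB port control only address the endpoint scenario;
    # scenarios not listed keep their baseline likelihood.
    Solution("Solution One: FDE + USB control", 150_000,
             {"Lost or stolen laptop with PHI": 0.07}),
    # Enterprise DLP (data at rest, in motion, endpoint) touches all three vectors.
    Solution("Solution Two: enterprise DLP", 400_000,
             {"Lost or stolen laptop with PHI": 0.07,
              "PHI records on an open file share": 0.07,
              "PHI sent out by webmail": 0.0}),
]


def baseline_loss(scenarios) -> float:
    """Annual expected loss with no new investment."""
    return sum(s.expected_loss() for s in scenarios)


def evaluate(solution, scenarios) -> dict:
    """Expected loss after the control, loss avoided, and ROI on the investment."""
    residual = sum(s.expected_loss(solution.residual.get(s.name, s.likelihood))
                   for s in scenarios)
    avoided = baseline_loss(scenarios) - residual
    net = avoided - solution.investment
    return {"name": solution.name, "residual_loss": residual, "avoided": avoided,
            "net_benefit": net, "roi": net / solution.investment}


def rank(solutions, scenarios) -> list:
    """Solutions ordered by net benefit, the figure leadership actually compares."""
    return sorted((evaluate(s, scenarios) for s in solutions),
                  key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    print(f"Baseline expected annual loss: ${baseline_loss(SCENARIOS):,.0f}")
    for r in rank(SOLUTIONS, SCENARIOS):
        print(f"{r['name']}: avoided ${r['avoided']:,.0f}, "
              f"net ${r['net_benefit']:,.0f}, ROI {r['roi']:.0%}")
```

With these placeholder numbers the cheaper endpoint-only control has the higher ROI ratio (about 367% against 170%) but the smaller net benefit, because it leaves the file-share and webmail scenarios at their baseline likelihood; ranking by net benefit rather than ratio is what keeps the internal sell honest.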

Page 18: Real Threats, Real Solutions: Data Loss Prevention

•Don’t underestimate your exposure – Get an objective security assessment to identify your vulnerabilities, “warts and all”

•Make security an ongoing priority – Appoint an internal or external resource dedicated to monitoring and managing security issues to keep current (Make sure that the appointed resource reports to someone who needs the independent interpretation)

•Collaboration is key – Security affects everyone; involve key stakeholders inside and outside of the IT department

•Invest wisely – And consistently in security technologies based managing the actual risks you face

Solving The Problem

18

Page 19: Solving the Problem – A System of Change

(Chart: five phases, Define Information and Policies, Establish a Baseline, Remediate Open Issues, Notify Users, Prevention, each shown with a progress percentage between 20% and 100%.)

Page 20: Solving the Problem – Step 1: Define

• No brainers: CC#, SS#, PHI

• What else?
  – HR records
  – Grant information
  – Study results
  – Other unstructured data
  – Messaging and communication systems
  – … MUST discuss outside of IT

Page 21: Real Threats, Real Solutions: Data Loss Prevention

• Measure environment against definition using presence and awareness as the key metrics

• Perform root cause analysis:– Identify broken processes– Identify where PHI or sensitive data resides– Identify major user education gaps– Identify missing protections

Solving the Problem Step 2: Baseline

21

Page 22: Real Threats, Real Solutions: Data Loss Prevention

• Begin by classifying data• Establish the appropriate protections • Organize your data appropriately• Change identified processes

Solving the Problem Step 3: Remediate

22

Page 23: Real Threats, Real Solutions: Data Loss Prevention

• Revisit data security policies• Develop an education program• 2nd tier education to most highly effected• Automate real-time notifications

Solving the Problem Step 4: Educate

23

Page 24: Real Threats, Real Solutions: Data Loss Prevention

• Leverage administrative controls• Continuously educate users• Audit user processes• Establish technical controls to block breaches

Solving the Problem Step 5: Prevent

24
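Steps 1 and 2 are where a DLP programme becomes concrete: the definition of "sensitive" has to be something a scanner can test for, and the baseline is a measurement of where that data is actually present on the shares the data-at-rest tools on page 9 protect. The block below is an added example, not the presenters' code or any vendor's DLP engine: it defines three detectors (SSN and card number from the "no brainers" list, plus a medical record number whose 7-digit format is an assumption made for the example), pairs each regex with a validator so that test strings and tracker IDs do not inflate the count, and walks a constructed sample share to report presence per file.

```python
"""Minimal data-at-rest DLP scan: Step 1 defines what counts as sensitive,
Step 2 baselines a file share by reporting where those identifiers live.

Added example, not code from the presentation or any DLP product.
Detector formats and sample files are constructed for illustration."""
import os
import re
import tempfile
from collections import Counter


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """Reject shapes the SSA never issues: 000/666/9xx area, 00 group, 0000 serial."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# Step 1 (Define): each detector is a regex plus a validator that prunes
# false positives. The MRN format (7 digits after "MRN") is a hypothetical
# format assumed for this example; use your own registrar's format in practice.
DETECTORS = {
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "CARD": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16-digit PANs only
             lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "MRN": (re.compile(r"\bMRN[: ]+\d{7}\b"), lambda m: True),
}


def scan_text(text: str) -> Counter:
    """Count validated identifier hits per type in one document."""
    hits = Counter()
    for name, (pattern, valid) in DETECTORS.items():
        for match in pattern.findall(text):
            if valid(match):
                hits[name] += 1
    return hits


def scan_tree(root: str) -> dict:
    """Step 2 (Baseline): walk a share and return {path: Counter} for every
    file holding at least one validated identifier (the "presence" metric)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real scanner would log it
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_share() -> str:
    """Constructed sample share: a census export with PHI, a developer's test
    card note, and a file whose SSN-shaped string is not a real SSN."""
    root = tempfile.mkdtemp(prefix="dlp-sample-")
    samples = {
        "hr/census.csv": ("patient,ssn,mrn\n"
                          "Jane Doe,123-45-6789,MRN: 0012345\n"
                          "John Roe,078-05-1120,MRN: 0098765\n"),
        "finance/test-card.txt": ("test card 4111 1111 1111 1111 works; "
                                  "bogus 1234 5678 9012 3456 does not\n"),
        "notes/readme.txt": "ticket 000-12-3456 is a tracker id, not an SSN\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_share()).items()):
        print(f"{path}: " + ", ".join(f"{k}={v}" for k, v in sorted(hits.items())))
```

The validators are the part worth copying: a bare SSN regex would flag the tracker ID in notes/readme.txt and a bare 16-digit regex would flag the bogus card, and a baseline padded with such hits is exactly what makes leadership distrust the numbers later. Real DLP products add fingerprinting of known documents and proximity rules (a name near a date of birth) on top of this pattern-plus-validator core.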

Page 25: Contacts

Sadik Al-Abdulla, Security Solutions – [email protected]

Brian Comp, Chief Technology Officer, Information – [email protected]