November 27, 2006
Heightened Concerns Raise the Bar for Data Leakage
By Selena Chavis
For The Record
Vol. 18 No. 24 P. 30
Many healthcare organizations focus their data security
efforts on stopping intruders. However, information that seeps from
inside hospital walls is quickly becoming a top priority as well.
Data leakage. It’s a threat that has re-engineered
the way healthcare organizations think about information security. No
longer is the focus only on keeping the bad guys from getting in. Now,
it’s about keeping sensitive data from getting out.
Although it is now a major consideration for all healthcare providers,
it was only a few years ago that organizations began to realize the
need to address the problem of data leakage at all, according to many
healthcare professionals and software vendors.
“Five years ago, the number of healthcare organizations
addressing this kind of security [was] probably in the single digits,”
says Sharon Finney, information security administrator with Georgia-based
DeKalb Medical Center. Noting her own experience, Finney says DeKalb
Medical began the process of addressing data leakage approximately 4½
years ago, and it’s only been within the past couple of years that
any network monitoring tools were in place to prevent loss of sensitive
data.
Now, with headlines regarding major security breaches
occurring more frequently—including recent waves created by the
loss of confidential information on 185,000 patients of San Jose Medical
Group and the theft of personal data for more than 26 million Americans
at the Department of Veterans Affairs—industry predictions suggest
there will be an increasing number of companies and solutions coming
online to address these occurrences and “cash in” on this
new demand in the marketplace.
The issue of data leakage may not be a new problem,
but it has a new face. Thanks to an increasingly technological and electronic
business world, the scope of issues associated with data leakage has
broadened significantly in recent years.
Add to that a new focus and a push for the adoption
of electronic health systems and the risk suddenly increases “10-fold,”
according to Finney. “We have been so focused on how to get the
data electronic that we didn’t take a step back and ask how to
combat the risk,” she says. “There are so many conduits
available for people to move digital data.”
By using traditional security measures, most healthcare
organizations have taken the appropriate steps to implement solid network
infrastructure for keeping the “undesirables” out, according
to Kevin Schick, chief marketing officer with Texas-based Vincera, a
document security software provider that allows the secure distribution
of sensitive data.
Emphasizing that research firms such as Gartner suggest
that 70% to 80% of all leakage starts from the inside going out, Schick
says traditional approaches will no longer be adequate and will not
eliminate the threat of an employee compromising the network or leaking
sensitive information about customers and finances.
And whether it’s accidental or malicious, the
results are often violations of security policies and regulatory requirements.
For healthcare organizations, which operate in a highly regulated industry,
it begins with compliance, Finney says. “HIPAA was probably the initial driving
point,” she notes, adding that healthcare organizations are moving
past the point of implementing security specific to data leakage for
compliance purposes only.
Laws in many states dictate that healthcare organizations
provide public notification of security breaches, making the issue of
data leakage more of a brand issue than simply a compliance issue. “Organizations
are maturing to the point that they are reviewing information as an
asset,” Finney says. “Because data is not tangible, it took
awhile for organizations to view these massive amounts of data as an
asset.”
Aside from fines that can be incurred for noncompliance,
Schick suggests that brand damage is possibly the largest indirect
cost associated with security breaches. “We saw one company’s
stock price drop 15% as a result of a breach,” he recalls. “Those
kinds of costs hurt at the economic level and the confidence level.”
Industry Challenges
Across the board, many regulated industries must ramp up security efforts
to address the data leakage issue and comply with government standards.
Industry professionals agree, though, that healthcare environments bring
their own nuances and challenges to the table.
“Security professionals are always saying, ‘I
don’t know how to get around the human element,’”
says Gretchen Hellman, director of product marketing with California-based
Voltage Security, a provider of encryption solutions. “Humans
are still not making the best decisions.”
Compounding problems with human error is the fact that
“there’s a lot of information flowing everywhere in healthcare
environments,” Hellman says, adding that sensitive data is distributed
to many outside organizations, including insurance companies, pharmacies,
vendors, and other providers.
R. “Doc” Vaidhyanathan, vice president of
product management with Arcot Systems, a California-based provider of
software-based digital signatures and identity solutions, agrees, noting
that “the people who need to access the information are typically
not technology professionals.”
Vaidhyanathan adds that another nuance specific to the
healthcare industry lies in the fact that the personal data stored tends
to be more detailed than what may be found in other industries. Citing
the financial industry as an example, Vaidhyanathan points out that
most concerns over data leakage in banking environments are monetary
in nature.
“The ways other businesses look at losses are
different than the way healthcare looks at them … it’s harder
to quantify,” Vaidhyanathan says. “The information available
has infinite damage potential.”
To identify problematic areas, DeKalb Medical Center
runs an annual risk assessment and was able to pinpoint early on several
areas of high concern. The fact that all employees were given access
to the Internet was on the top of the organization’s list. “All
2,100 desktops are accessible to and from the Internet,” Finney
says. “Previously, we didn’t have a way to monitor usage.”
The organization’s e-mail system was also identified
as a high-risk area, especially in instances where employees were e-mailing
outside the network. “We found that most people were doing things
that created risk for us, but they didn’t understand it,”
she recalls, adding that most user populations in healthcare environments
are novices when it comes to understanding technology. “The technology
we put in front of our users is like a Ferrari. We’ve taken people
who have never driven at all and put them in a Ferrari,” Finney
says.
All types of file transfer processes were also identified
as high risk to the organization.
Considerations for Expanding the Security Infrastructure
While the past trend has been to focus security resources on inbound
threats such as intrusions, spam, and viruses, healthcare organizations
now face the daunting task of finding extrusion prevention solutions
to combat data leakage. With the myriad security solutions
available, how do they make informed, cost-effective decisions about
implementing them?
According to Andrew Krcik, vice president of marketing
with California-based PGP Corporation, a provider of encryption solutions,
the core technology for combating data leakage has been in place for
numerous years, but until recently it was difficult to implement and
use. “Adoption had been modest because it had been kind of an
experts market,” he notes.
Hellman concurs, noting that newer encryption solutions
offer a more simplified approach to implementation and take the decision-making
ability from the hands of the end user. Because of the nuances of how
information travels in the healthcare market, she says “any security
system has to be automated, policy-based, and cannot depend on the end
user” to be effective.
Krcik says in healthcare environments, traditional security
approaches also created a decentralized problem in that there were “a
lot of people doing a lot of different things. IT was running around
department to department trying to figure it all out. We’re trying
to find a way to do this centrally.”
Emphasizing that many newer technologies focus on the
“what” instead of the “who,” Schick says managing
documents and information is much easier than trying to monitor what
everyone is doing. “Managing these security environments is very
expensive [when you are trying to keep up with what every user is doing],”
he says. “You want to take the focus off monitoring people.”
If an organization is trying to manage the end user,
considerations will have to be made for “who’s receiving
the information,” “what their rights are,” and “what
they are receiving,” Schick says. In the case of the Vincera solution,
documents are assigned a security level and document threads are created
to securely control the distribution of data.
According to Timothy Sullivan, CEO of Fidelis Security
Systems, a provider of extrusion prevention software, “You want
to make sure that your solution sees all traffic going outbound. You
want to be able to see it and block it. The real challenge is traffic
going directly to the Internet such as Web mail and instant messaging.”
Previous approaches have allowed or disallowed communication
methods rather than managed the flow of content inside of them. In other
words, Sullivan explains, users may be allowed to use e-mail or instant
messaging but not use peer-to-peer technologies.
To truly get a handle on information leakage, solutions
must actually inspect the content flowing through approved channels
of communication. “Once you have open channels of communication,
it’s not just the leakage of private information that can jeopardize
a company,” Sullivan says. “You want to protect the good
stuff getting out and the bad stuff getting in.”
Most security companies suggest a multilayer approach
to preventing data leakage. While some solutions are designed to block
unwanted outbound network traffic, others protect data that legitimately
leaves the premises, for example by encrypting e-mail and files. DeKalb Medical chose solutions from PGP to cover e-mail
security and file encryption. “We wanted a standardized platform
to use throughout,” Finney says. “What we look for in technology
is a company that has [its] finger on the pulse of healthcare.”
Cutting Costs
Five years ago, if asked about the resources required to fully implement
effective data leakage security solutions, Krcik says he would have
seen the necessity for ramping up staffing in security departments.
“That was not a practical solution,” he says, noting that
newer technologies have been designed to avoid heavy personnel costs.
“Organizations don’t have the resources.”
Sullivan concurs, noting further that the highest costs
associated with a technology implementation are often related to the number
of people needed to make the project successful. To eliminate some
of these human costs, he suggests purchasing solutions with prepackaged
policies. Sullivan also emphasizes that single, integrated solutions tend to
be less expensive than solutions that require a lot of add-ons or plug-ins.
In the case of DeKalb Medical Center, Finney runs her
security department with two people. She recalls considerations for
additional staffing early on, but reality dictated that costs associated
with those kinds of resources would be too high. With 30,000 Internet-related
events occurring in her facility on any given day, it was also apparent
that the organization would not be able to monitor every user. “You
can’t have eyes on that all the time,” she says. “You
have to have technology-based tools.”
With monitoring solutions, another means of reducing
the overall size of the problem is to eliminate communication channels
that can prove problematic to an organization. “It’s not
just the cost of the solution but the cost of managing the content,”
Sullivan says.
Examples of controlling channels would include permitting
Web mail but only those messages without attachments. In this way, monitoring
only occurs in one place. “Get control over channels of communication
first. Then put content monitoring on what you actually allow,”
Sullivan says.
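The two-layer design Sullivan describes above, channel control first (allow e-mail and IM but not peer-to-peer, permit Web mail only without attachments) and content inspection only on the channels that remain open, as an added Python example that is not from the original article or from any vendor named in it. It assumes a fixed channel table, attachments already reduced to plain text, a hypothetical medical-record-number format ("MRN" plus seven digits), and constructed sample messages:

```python
import re
from dataclasses import dataclass, field

# Stage 1: channel policy.  Any channel absent from this table is denied
# outright, so a P2P client is blocked before content is ever examined.
# Per-channel flags mirror the article's example: webmail is permitted,
# but only for messages without attachments.  (Assumed policy.)
CHANNEL_POLICY = {
    "email":   {"attachments": True},
    "webmail": {"attachments": False},
    "im":      {"attachments": False},
}

# Stage 2: content patterns.  The SSN layout is the real one; the MRN
# layout ("MRN" followed by seven digits) is an assumption for this example.
SSN_RE = re.compile(r"\b([0-9]{3})-([0-9]{2})-([0-9]{4})\b")
MRN_RE = re.compile(r"\bMRN[- ]?([0-9]{7})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA has never issued (area 000, 666 or
    900-999, group 00, serial 0000); this trims false positives from
    ticket numbers and test data that happen to look like SSNs."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


@dataclass
class Outbound:
    channel: str
    body: str
    # Attachment text, already extracted to plain text; a real product
    # would parse PDF, DOCX and so on before scanning.
    attachments: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    stage: str      # "channel" or "content": which layer decided
    reason: str


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for every sensitive token found."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in MRN_RE.finditer(text):
        hits.append(("mrn", m.group(0)))
    return hits


def channel_check(msg: Outbound):
    """Layer 1: decide on the channel alone.  Returns a Decision when the
    message is blocked, None when it may proceed to content inspection."""
    policy = CHANNEL_POLICY.get(msg.channel)
    if policy is None:
        return Decision(False, "channel", f"channel {msg.channel!r} is not permitted")
    if msg.attachments and not policy["attachments"]:
        return Decision(False, "channel", f"attachments are not permitted over {msg.channel!r}")
    return None


def inspect(msg: Outbound) -> Decision:
    """Channel control first, then content inspection on what is allowed."""
    blocked = channel_check(msg)
    if blocked is not None:
        return blocked
    hits = find_sensitive(msg.body)
    for text in msg.attachments:
        hits.extend(find_sensitive(text))
    if hits:
        kinds = ", ".join(sorted({kind for kind, _ in hits}))
        return Decision(False, "content", f"sensitive data found: {kinds}")
    return Decision(True, "content", "no sensitive data found")


# Constructed sample traffic for the example; none of these values are real.
SAMPLE_EVENTS = [
    Outbound("p2p", "sharing the quarterly report"),
    Outbound("webmail", "see attached", attachments=["monthly schedule"]),
    Outbound("email", "Results for MRN 1234567 attached",
             attachments=["Jane Roe, 123-45-6789"]),
    Outbound("email", "ticket id 000-12-3456 is resolved"),
    Outbound("im", "lunch at noon?"),
]


def run_samples() -> list:
    return [(m.channel, inspect(m)) for m in SAMPLE_EVENTS]


if __name__ == "__main__":
    for channel, d in run_samples():
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict:5} [{d.stage:7}] {channel:8} {d.reason}")
```

The point of the ordering is cost: the channel table is a cheap lookup applied to every event, and the comparatively expensive pattern matching only runs on traffic that the channel policy has already let through, which is the "one place" to monitor that the quote refers to. The plausibility check on SSNs is the kind of tuning a two-person security team needs so that the tool does not drown them in alerts.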
According to Sullivan, security solutions that adequately
monitor and block data leakage can range in price from falling in line
with typical network infrastructure solutions such as intrusion prevention
or enterprise firewalls to estimates of more than $1 million depending
on the organization’s size.
The major costs most healthcare organizations face with
the implementation of data leakage security include those associated
with new hardware, software, and initial deployment, Krcik says. “Operating
costs are not what people worry about,” he says. “It’s
more about the impact on productivity.”
The challenge of implementing new systems with which
users will comply lies primarily in the effectiveness of ongoing training
programs—another indirect cost healthcare organizations will face.
Vaidhyanathan notes that training programs in healthcare settings also
hold their own set of challenges because they “[have] to span
across multiple provider networks” such as affiliated doctors
offices.
Finney says the extensive training programs at DeKalb
Medical have brought positive results. Along with mandatory annual training
programs, the organization also sends out regular e-mails to users regarding
best practices.
— Selena Chavis is a Florida-based freelance
journalist whose writing appears regularly in various trade and consumer
publications covering everything from corporate and managerial topics
to healthcare and travel.