How DLP Helps Target Encryption: Interview with Steve Scott of St. Charles Health System
In an exclusive interview, Scott explains how the three-hospital organization is using DLP for "detective work," such as to:
- Identify where patient information is stored, including vulnerable spreadsheets and documents;
- Track when users attempt to transmit patient information via unencrypted e-mail; and
- Determine when business associates send the hospitals' patient information without adequately protecting it.
The Oregon provider organization is in the early stages of encrypting patient data no matter where it resides, targeting the information through the DLP system. The strategy is part of its effort to comply with the HITECH Act.
It's also more strictly enforcing its policy of using secure e-mail. It uses DLP reports to educate staff members about messages they've attempted to send that contain unprotected sensitive information.
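The detection workflow summarized above (flag outbound messages that carry unprotected patient data, page the security team on a large event, and queue the smaller hits for daily review) can be sketched as a small scanner. The code below is an added example for this page, not code from St. Charles Health System or from the DLP vendor mentioned in the interview; the PHI regexes, the message fields (including the `encrypted` flag) and the sample messages are all constructed assumptions, and the 50-item threshold is the figure Scott gives for a "large event".

```python
"""Toy DLP-style detector for outbound e-mail, illustrating the alert and
daily-review workflow described in the interview. Added example, not the
hospital's or its DLP vendor's code; patterns and message format are assumed."""
import re
from typing import Dict, List

# Hypothetical PHI indicators. A real DLP engine uses far richer detectors
# (dictionaries, checksums, document fingerprints); these regexes are only
# illustrative stand-ins.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# From the interview: 50 or more discrete PHI items in one message pages the
# security team; smaller unencrypted hits go to the daily review queue.
LARGE_EVENT_THRESHOLD = 50


def count_discrete_phi(text: str) -> Dict[str, int]:
    """Count *distinct* matches per pattern, so a value repeated in a template
    (a common false-positive source) counts once."""
    return {name: len(set(pat.findall(text))) for name, pat in PHI_PATTERNS.items()}


def classify_message(msg: dict) -> str:
    """Return 'clean', 'encrypted', 'review' or 'alert' for one outbound message.

    msg = {"id": ..., "from": ..., "to": ..., "encrypted": bool, "body": str};
    the encrypted flag is assumed to come from the secure-mail gateway."""
    counts = count_discrete_phi(msg["body"])
    total = sum(counts.values())
    if total == 0:
        return "clean"
    if msg["encrypted"]:
        return "encrypted"       # PHI present but protected: nothing to do
    if total >= LARGE_EVENT_THRESHOLD:
        return "alert"           # large event: e-mail the security team now
    return "review"              # lesser event: combed through daily


def scan_outbound(messages: List[dict]) -> Dict[str, List[str]]:
    """Group message ids by disposition; the 'review' and 'alert' lists are
    what the team uses to go back and educate the sender."""
    queues: Dict[str, List[str]] = {"clean": [], "encrypted": [], "review": [], "alert": []}
    for msg in messages:
        queues[classify_message(msg)].append(msg["id"])
    return queues


# Constructed sample traffic (synthetic values, not real patients).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "nurse@hospital.example", "to": "clinic@partner.example",
     "encrypted": True, "body": "Referral for MRN 1234567, DOB 03/14/1962."},
    {"id": "m2", "from": "billing@hospital.example", "to": "vendor@partner.example",
     "encrypted": False, "body": "Claim attached. Patient SSN 123-45-6789, MRN 7654321."},
    {"id": "m3", "from": "analyst@hospital.example", "to": "me@webmail.example",
     "encrypted": False,
     "body": "Export:\n" + "\n".join(f"MRN {1000000 + i}" for i in range(60))},
    {"id": "m4", "from": "hr@hospital.example", "to": "all@hospital.example",
     "encrypted": False, "body": "Cafeteria menu for next week is attached."},
]

if __name__ == "__main__":
    for queue, ids in scan_outbound(SAMPLE_MESSAGES).items():
        print(f"{queue:>9}: {ids}")
```

Counting distinct values rather than raw matches is a deliberate choice: the interview notes that most large events turn out to be false positives, and a boilerplate identifier repeated down a spreadsheet export is one of the usual causes. The `encrypted` short-circuit mirrors the HITECH point made later in the interview: PHI that leaves encrypted is not the event the team needs to chase.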
HOWARD ANDERSON: This is Howard Anderson of Information Security Media Group. We're talking today with Steve Scott, IT security manager at St. Charles Health System in Central Oregon. Thanks for joining us today, Steve.
STEVE SCOTT: I'm happy to be here. Thanks, Howard.
ANDERSON: Tell us a little bit about your organization's size and scope.
SCOTT: We have three hospitals here in central Oregon, and then we also help in the management of another hospital, and we have about 20 clinics. We've got about 3,300 employees, and about the same number of computers.
ANDERSON: I understand that your organization conducted a baseline security risk assessment last year. What prompted that assessment, and what major areas of risk did you discover?
SCOTT: We decided that we needed the assessment because we had never had one. We discovered that we've got several areas where we can certainly do better, including encryption, and controlling our content, and doing a better job of logging as well.
ANDERSON: Did you conduct that risk assessment yourself, or did you have help?
SCOTT: We had a third party come in and do the risk assessment. We will do an...ongoing internal risk assessment, evaluating all the applications that we use and our processes. But, again, we wanted to get that third party perspective, to make sure that we were on target.
ANDERSON: Based on that assessment, I understand that you decided to implement a data loss prevention application. Why did you decide to make that investment?
SCOTT: As part of that assessment, they brought in a tool.... We found that some of our partners weren't handling our data appropriately, or in a manner that we had been told that they were. And we were seeing unencrypted data leaking out through the front door. So, that's why we decided that DLP was a great tool that helped us identify where we were, internally, as well as with our partners.
ANDERSON: So, help us to understand a little more about how you are using DLP now, and the risks it has helped you mitigate so far.
SCOTT: We chose Code Green Networks, and they do network-based and host-based data loss prevention. So, network-based, we're watching for unencrypted traffic traversing the Internet...we're watching for e-mails that are going out that contain protected health information. And then, host-based, you can actually scan and identify data that may be stored inappropriately on machines. And so, we just have a much better idea of where our data lives, and how it moves inside the organization, and then, how it needs to be protected as it leaves the organization.
ANDERSON: So, do you or someone else on your team get daily alerts?
SCOTT: We get alerts; the configuration is pretty simple. You can alert on a whole bunch of different things. We send e-mail alerts that go to the security team when a large event happens. That would be 50 or more individual discrete pieces of PHI going out. And what we found is, fortunately, most of those are false positives. And then, we also go in daily and comb through some of the lesser events that have been identified, to verify that those are, indeed, false positives, as well.
ANDERSON: So, how is DLP supporting your efforts to comply with the HITECH Act, which toughened the HIPAA privacy and security rules? Is it playing a role in that?
SCOTT: It's addressing the encryption issue. Under HITECH, if your data is encrypted, then you don't need to report a breach. So, we are identifying local machines where data is stored. If we're seeing it unencrypted, then we can work with the user to get it encrypted. We're also identifying if it leaves the network unencrypted; we're going to catch that, and work with the user. The next step which we are planning on doing is actually disallowing the transaction to happen. And so, that will really get us on the right track.
ANDERSON: So do you have a secure e-mail system in place?
SCOTT: We actually use the Microsoft encryption tool, and have had that in place for quite a while. But we found that people weren't using it as often as they needed to. DLP identifies when data is leaving inappropriately, and we can go work with the user and educate them about the encryption tool. Interestingly enough, a lot of what we are seeing is not actually patient data, but we are seeing sensitive company information that is not being properly protected.
ANDERSON: Tell us a little bit about your use of encryption. Are you encrypting mobile devices and other devices as well?
SCOTT: We have encrypted our machines that travel off the network for home healthcare and things like that. We haven't addressed the encryption as heartily as we need to, and that's our next objective. And again, with the DLP, we are actually identifying where the data lives and figuring out where we need to get the encryption in place.
ANDERSON: So it sounds like DLP is helping you to do detective work?
SCOTT: It's got a great discovery component to it.
ANDERSON: What other security technologies do you plan to invest in?
SCOTT: We are looking at a log management solution that is tied to a SIM. We don't have a real good log solution. Right now, we just dump log messages to a box and have to sort through them by hand. So, we're looking at a more proactive tool.... And then, eventually, we will get to the encryption.
ANDERSON: How frequently do you anticipate conducting follow-up risk assessments, and will you do those internally?
SCOTT: Yeah, as I mentioned, we will do a continuous risk assessment on our different applications, and we will get that external view every three years.
ANDERSON: Thanks, Steve. We've been talking with Steve Scott of St. Charles Health System. This is Howard Anderson of Information Security Media Group.