Real Threats, Real Solutions: Data Loss Prevention
Conflict of Interest Disclosure
• Sadik Al-Abdulla has no real or apparent conflicts of interest to report.
• Brian Comp has no real or apparent conflicts of interest to report.
Presentation Objectives
• Identify real, viable solutions and the steps needed to invest in data loss prevention technologies
• Outline recent advances in data loss prevention technologies
• Identify key techniques for securing buy-in from senior leadership
• Define the Return on Investment needed to implement data loss prevention parameters within technology infrastructures
Every Day In Your Organization…
• Just Like This – A Nurse Manager has a big presentation and takes a series of screenshot images and puts them into PPT. Unfortunately, the images inserted into the presentation contain PHI.
• The “thumb-drive nightmare” – A disgruntled employee decides to copy a census report to a thumb drive and shows just how easy it is to take PHI out of the system.
• The Enemy is Us – An IS support person is having some technical problems with a system and needs to send sample data to the vendor for support. The file is too big for e-mail, so they upload a census file to FTP and successfully send the (real life) sample data that way.
So Far This Year…
• ID 3340: Breach of E-mail (Hack) – Date: 1/13/11 – Records Lost: 1,800 – Location: Indianapolis, IN – Organizations: Hospital
• ID 3331: Sensitive Information Posted to the Web (Accident) – Date: 1/4/11 – Records Lost: 1,086 – Location: Lemoyne, PA – Organizations: Health system, Medical Transcription Service
• ID 3330: Hacker Gains Access to File Server (Hack) – Date: 1/4/11 – Records Lost: 1,000 – Location: Germantown, MD – Organizations: Physician Practice
Source: datalossdb.org
The Threat is Very, Very Real
• ID 1854: Portable Drive Exposes 280,000 Patients (Lost) – Date: 10/20/10 – Records Lost: 280k – Location: Philadelphia, PA – Data: Names, Addresses, Birth Dates, Social Security Numbers
• ID 1821: Employee Walks Out with 30 Patient Identities to Sell (Fraud) – Date: 10/18/10 – Records Lost: 30 – Location: Milwaukee, WI – Data: Names, Birth Dates, Social Security Numbers
• ID 1797: Document Posted to Web Contains 3000 Patient IDs (Accident) – Date: 10/16/10 – Records Lost: 3000 – Location: Socorro, NM – Data: Names, Birth Dates, Social Security Numbers
• ID 1789: Hacker Steals 100k+ Patient Records (Hack) – Date: 10/15/10 – Records Lost: 106k – Location: Jacksonville, FL – Data: Names, Birth Dates, Social Security Numbers
Source: datalossdb.org
Regulatory Environment Now Has Teeth
HIPAA – Policy layer and necessary standards
• Defines 18 identifiers for special treatment as Protected Health Information
• Security standards rule issued February 2003 with compliance by April 2005/2006
• Enforcement rule sets civil monetary penalties for HIPAA violations – March 2006
ARRA – Incentives for organizations to ensure HIPAA standards
• Section 3014 grants for improving the security of exchanged health information
HITECH – Penalties for failing to meet HIPAA standards
• Extension of civil and criminal penalties (fines capped at $1.5 million)
• Breach notification requirements (FTC and HHS rules August 2009)
• State Attorneys General are enforcing (either via HITECH or state laws):
• Connecticut AG sues insurance company, wins multi-million dollar settlement
• Indiana AG sues insurer for $300k
Data Loss Vectors (2010 Ponemon Institute Study)
• 88% of breaches caused by insiders and partners:
• Mistakes handling data
• Broken business processes
• 81% of organizations breached were NOT PCI Compliant:
• … vs 92% who ‘were compliant’ prior to the breach
• … vs 19% who were!
• Average cost of a breach: $6.7M
[Diagram labels: Regulated Patient Health Information at the center; surrounding vectors: External Threats, Internal Threats, Broken Business Processes, Expanding Network Perimeter]
Technology Tools – Data at Rest (Records on Open Share)
• Solution 1: Encrypted Storage
• Solution 2: Encrypted Backups
• Solution 3: Data Loss Prevention – Data At Rest
• Solution 4: Digital Rights Management
Technology Tools – Data in Motion (I’ll Just Reply-all… OOPS)
• Solution 1: Encrypted E-mail Gateway
• Solution 2: Web Security Filters
• Solution 3: Data Loss Prevention – Data In Motion
Technology Tools – Endpoint Storage (File -> Save As…)
• Solution 1: Full Disk Encryption
• Solution 2: Endpoint Security
• Solution 3: Endpoint Data Loss Prevention
Technology Tools – USB Ports (Off With Their Thumbs)
• Solution 1: Block / Remove USB ports via Security Software
• Solution 2: … or Endpoint Data Loss Prevention
Technology Tools – Web-based Mail/Storage (PHI Sent By Webmail)
• Solution 1: Web Security Gateways
• Solution 2: Data Loss Prevention – Data in Motion
Understanding Business Priorities
[Chart: $ against Time, with three curves labelled Revenue, Operating Expense and Operational Risk]
Making the Internal Sell
• Define the Business Problem
• Build Key Stakeholder Group
• Deliver No-cost Progress
• Demonstrate the Business Value
• Validate with Third-party Sources
A Model for Return on Investment
[Chart: three columns, Likelihood, Cost Analyses (Fines, Legal, Brand, Fixes) and Investment Scenarios (Scenario 1 to 3; Solution One, Solution Two); the slide shows the values 77%, 64%, 56%, 21%, 7% and 0%, which the extracted text does not tie to specific cells]
Solving The Problem
• Don’t underestimate your exposure – Get an objective security assessment to identify your vulnerabilities, “warts and all”
• Make security an ongoing priority – Appoint an internal or external resource dedicated to monitoring and managing security issues to keep current (make sure that the appointed resource reports to someone who needs the independent interpretation)
• Collaboration is key – Security affects everyone; involve key stakeholders inside and outside of the IT department
• Invest wisely – And consistently in security technologies, based on managing the actual risks you face
Solving the Problem – A System of Change
[Chart: five stages, Define Information and Policies, Establish A Baseline, Remediate Open Issues, Notify Users, Prevention, plotted against a 0% to 100% axis]
Solving the Problem – Step 1: Define
• No brainers: CC#, SS#, PHI
• What else?
• HR records
• Grant information
• Study results
• Other unstructured data
• Messaging and communication systems
• ... MUST discuss outside of IT
Solving the Problem – Step 2: Baseline
• Measure the environment against the definition, using presence and awareness as the key metrics
• Perform root cause analysis:
• Identify broken processes
• Identify where PHI or sensitive data resides
• Identify major user education gaps
• Identify missing protections
Solving the Problem – Step 3: Remediate
• Begin by classifying data
• Establish the appropriate protections
• Organize your data appropriately
• Change identified processes
Solving the Problem – Step 4: Educate
• Revisit data security policies
• Develop an education program
• 2nd tier education for those most highly affected
• Automate real-time notifications
Solving the Problem – Step 5: Prevent
• Leverage administrative controls
• Continuously educate users
• Audit user processes
• Establish technical controls to block breaches
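As an added example (not from the presentation or the presenters' tooling), a minimal data-at-rest discovery pass covering Step 1 and Step 2 above: it scans constructed sample files for the “no brainer” identifiers (SSNs and card numbers, the latter validated with a Luhn check, which is my addition), reports each finding masked so the notification does not re-expose the value, and computes the presence metric used for the baseline. File names and contents are constructed.

```python
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000 (basic validity rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return the raw SSN and Luhn-valid card matches found in one file's contents."""
    return {
        "ssn": SSN_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_ok(m)],
    }


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be reported without leaking it."""
    return "*" * (len(value) - 4) + value[-4:]


def baseline(files: dict) -> dict:
    """Per-file inventory of masked findings: the 'where does sensitive data reside' step."""
    return {name: {kind: [mask(v) for v in hits] for kind, hits in find_identifiers(text).items()}
            for name, text in files.items()}


def presence(report: dict) -> int:
    """Presence metric: how many scanned files hold at least one identifier."""
    return sum(1 for hits in report.values() if any(hits.values()))


# Constructed sample files standing in for an open share (all values are fabricated)
SAMPLE_FILES = {
    "census_report.txt": "Patient Jane Roe, MRN 00482, SSN 123-45-6789, admitted 10/15/10",
    "billing_export.csv": "Roe,Jane,4111 1111 1111 1111,paid\nDoe,John,4111 1111 1111 1112,pending",
    "meeting_notes.txt": "Q1 budget review 1/13/11; call ext. 555-0100 before noon",
}

if __name__ == "__main__":
    report = baseline(SAMPLE_FILES)
    for name, hits in report.items():
        print(name, hits)
    print("files with sensitive data:", presence(report), "of", len(SAMPLE_FILES))
```

The second billing row fails the Luhn check and is deliberately not counted, which is the kind of false positive that otherwise inflates a baseline.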
Brian Comp – Chief Technology Officer, Information Services – Brian.Comp@orlandohealth.com
Sadik Al-Abdulla – Security Solutions Manager – Sadik.al-abdulla@cdw.com