Skip to content Skip to navigation

Protecting Information Assets with Data Loss Prevention

July 26, 2016
by Mac McMillan, CEO of CynergisTek
| Reprints

The modern healthcare ecosystem is all about data and what we can do with it, which is why Data Loss Prevention (DLP) tools should be on everyone’s list of priority solutions to implement. I used to say that DLP solutions paid for themselves based on their ability to control exfiltration, and therefore reduce the risk of breaches, but these solutions are becoming far more important than that. DLP tools have the ability to help users take control of information and do what is really important—manage it from cradle to grave.

DLP is often characterized as a security technology, but more accurately it should be characterized as an enterprise-level information management solution. DLP tools enable users to identify where sensitive information lives within the enterprise, as well as where it’s going, how it’s getting there, and who is using it. Users can also use DLP tools to manage access and storage of data on endpoints, including external destinations like the cloud. In short, it enhances awareness of what is going on with information, enables users to better control those actions, and helps to protect against unauthorized disclosures and loss of data.

Mac McMillan

Whether conducting a risk assessment, trying to determine where data should live based on criticality or need, performing a Business Impact Analysis (BIA) for contingency planning, or just trying to limit the risk of breach by reducing exposure, organizations first need to know where the data is. Through “discovery” DLP makes it possible for organizations to identify exactly where the information that they are concerned about is, down to the file share, data base, and endpoint. This accurate mapping of where sensitive information is allows a more accurate determination of risk.

Organizations no longer have to guess whether PHI is on a particular workstation, who has access to it, what controls are present to protect it, or whether it should be there in the first place, they can answer those questions with certainty with DLP tools. This allows risk assessments to become more meaningful, BIAs more accurate, and access, storage and retention decisions better informed. Organizations can also cut down on duplicative retention of information, reducing storage requirements and lowering IT costs.

Information has a funny way of ending up in the darndest places due to a lack of effective controls to monitor its movements or manage the actions workforce members are permitted to take. When that is allowed data is at much greater risk of compromise and the chances of breach are higher. Once organizations know where its data is, the next step is to determine whether it needs to be moved and establish rules regarding location and storage. Organizations can also set rules to govern user permissions and volumes to limit chances of breaches. Organizations can also limit exposure further by setting rules regarding what destinations are and are not permitted, so the chances of thousands of records ending up on a workstation, tablet, laptop or thumb drive is lower, and with it, the risk of breach. Likewise, the possibility of someone inadvertently or deliberately sending out thousands of patient records or other sensitive information becomes less and less likely.  Hackers will find it more difficult to steal information.

Hospitals today have thousands of endpoints and secondary locations where PHI and other sensitive information can and will end up. The overwhelming majority of breaches involving PHI also involve an endpoint device. DLP as an end-to-end enterprise solution provides the ability to better manage those devices and reduce this risk. Deploying DLP tools to the endpoint device allows organizations to restrict actions like saving, copying, or transmitting data without disabling overall functionality. So instead of shutting down the USB port on a workstation, organizations can set rules to manage what is permitted via that USB port. Organizations can specify the type of USB device that will work, the requirements of the USB device that must be present (encryption) and who can save data using USB. Organizations can allow laptops to access PHI, but not save it locally or ensure that encryption be enabled first.

DLP is an incredibly powerful enterprise-level tool capable of enhancing awareness of where sensitive information is located, improving the ability to manage that information and reduce the risk of unauthorized data exfiltration. So why don’t organizations get better results out of their DLP deployments? Simple: this enterprise solution is all too often treated as just another security technology. Successfully committing to achieving results with DLP requires a commitment to people, process and technology. It means not only deploying the solution, but acquiring the resources to support it properly. Like other enterprise-level systems in the hospital (EHR, PAX, Lab, etc.), people with the right skills to run the system, create the rules, monitor its output and interact with the rest of the hospital staff are required. This is a big commitment of resources, but it pays tremendous dividends to the business and enables not only more security, but also better overall management to protect the most important and sensitive information.