Real Threats, Real Solutions: Data Loss Prevention
Conflict of Interest Disclosure
Sadik Al-Abdulla
Has no real or apparent conflicts of interest to report.
Brian Comp
Has no real or apparent conflicts of interest to report.
Presentation Objectives
• Identify real, viable solutions and steps needed to invest in data loss prevention technologies
• Outline recent advances in data loss prevention technologies
• Identify key techniques for securing buy-in from senior leadership
• Define the Return on Investment needed to implement data loss prevention parameters within technology infrastructures
Every Day In Your Organization…
Just Like This – A Nurse Manager has a big presentation and takes a series of screenshot images and puts them into PPT. Unfortunately, the images inserted into the presentation contain PHI
The Enemy is Us – An IS support person is having some technical problems with a system and needs to send sample data to the vendor for support. The file is too big for e-mail so they upload a census file to FTP and successfully send the (real life) sample data that way
The “thumb-drive nightmare” – A disgruntled employee decides to copy a census report to a thumb drive and shows just how easy it is to take PHI out of the system
So Far This Year…
• Hack – ID 3340: Breach of E-mail. Date: 1/13/11. Records Lost: 1,800. Location: Indianapolis, IN. Organizations: Hospital
• Accident – ID 3331: Sensitive Information Posted to the Web. Date: 1/4/11. Records Lost: 1,086. Location: Lemoyne, PA. Organizations: Health system, Medical Transcription Service
• Hack – ID 3330: Hacker Gains Access to File Server. Date: 1/4/11. Records Lost: 1,000. Location: Germantown, MD. Organizations: Physician Practice
Source: datalosscb.com
The Threat is Very, Very Real
• Lost – ID 1854: Portable Drive Exposes 280,000 Patients. Date: 10/20/10. Records Lost: 280k. Location: Philadelphia, PA. Data: Names, Addresses, Birth Dates, Social Security Numbers
• Fraud – ID 1821: Employee Walks Out with 30 Patient Identities to Sell. Date: 10/18/10. Records Lost: 30. Location: Milwaukee, WI. Data: Names, Birth Dates, Social Security Numbers
• Accident – ID 1797: Document Posted to Web Contains 3000 Patient IDs. Date: 10/16/10. Records Lost: 3000. Location: Socorro, NM. Data: Names, Birth Dates, Social Security Numbers
• Hack – ID 1789: Hacker Steals 100k+ Patient Records. Date: 10/15/10. Records Lost: 106k. Location: Jacksonville, FL. Data: Names, Birth Dates, Social Security Numbers
Source: datalossdb.org
Regulatory Environment Now Has Teeth
HIPAA – Policy layer and necessary standards
• Defines 18 identifiers for special treatment as Protected Health Information
ARRA – Incentives for organizations to ensure HIPAA standards
• Section 3014 grants for improving the security of exchanged health information
HITECH – Penalties for failing to meet HIPAA standards
• Extension of civil and criminal penalties (Fines capped at $1.5 million)
• Breach notification requirements (FTC and HHS rules August 2009)
• State Attorneys General are enforcing (either via HITECH or state laws):
– Connecticut AG sues insurance company, wins multi-million dollar settlement
– Indiana AG sues insurer for $300k

HIPAA – Policy layer and necessary standards
• Defines 18 identifiers for special treatment as Protected Health Information
• Security standards rule issued February 2003 with compliance by April 2005/2006
• Enforcement rule sets civil monetary penalties for HIPAA violations – March 2006
Data Loss Vectors (diagram): Regulated Patient Health Information exposed through Broken Business Processes, an Expanding Network Perimeter, External Threats and Internal Threats
• 88% of breaches caused by insiders and partners:
– Mistakes handling data
– Broken business processes
• 81% of organizations breached were NOT PCI Compliant:
– … vs 92% who ‘were compliant’ prior to the breach
– … vs 19% who were!
2010 Ponemon Institute Study
Average cost of a breach: $6.7M
Technology Tools – Data at Rest
Records on Open Share
• Solution 1: Encrypted Storage
• Solution 2: Encrypted Backups
• Solution 3: Data Loss Prevention – Data At Rest
• Solution 4: Digital Rights Management
Technology Tools – Data in Motion
I’ll Just Reply-all… OOPS
• Solution 1: Encrypted E-mail Gateway
• Solution 2: Web Security Filters
• Solution 3: Data Loss Prevention – Data In Motion
Technology Tools – Endpoint Storage
File -> Save As…
• Solution 1: Full Disk Encryption
• Solution 2: Endpoint Security
• Solution 3: Endpoint Data Loss Prevention
Technology Tools – USB Ports
Off With Their Thumbs
• Solution 1: Block / Remove USB ports via Security Software
• Solution 2: … or Endpoint Data Loss Prevention
Technology Tools – Web-based Mail/Storage
PHI Sent By Webmail
• Solution 1: Web Security Gateways
• Solution 2: Data Loss Prevention – Data in Motion
Understanding Business Priorities (chart): Operating Expense, Revenue and Operational Risk plotted against $ and Time
Making the Internal Sell
• Define the Business Problem
• Build Key Stakeholder Group
• Deliver No-cost Progress
• Demonstrate the Business Value
• Validate with Third-party Sources
A Model for Return on Investment (chart): three scenarios (Scenario 1, Scenario 2, Scenario 3), each with cost analyses for Fines, Legal, Brand and Fixes, an investment in Solution One or Solution Two, and an assigned likelihood (values shown: 77%, 64%, 56%, 21%, 7%, 0%)
Solving The Problem
• Don’t underestimate your exposure – Get an objective security assessment to identify your vulnerabilities, “warts and all”
• Make security an ongoing priority – Appoint an internal or external resource dedicated to monitoring and managing security issues to keep current (Make sure that the appointed resource reports to someone who needs the independent interpretation)
• Collaboration is key – Security affects everyone; involve key stakeholders inside and outside of the IT department
• Invest wisely – And consistently, in security technologies based on managing the actual risks you face
Solving the Problem – A System of Change (cycle diagram): Define Information and Policies, Establish A Baseline, Remediate Open Issues, Notify Users, Prevention
Solving the Problem Step 1: Define
• No brainers: CC#, SS#, PHI
• What else?
– HR records
– Grant information
– Study results
– Other unstructured data
– Messaging and communication systems
– ... MUST discuss outside of IT
Solving the Problem Step 2: Baseline
• Measure environment against definition using presence and awareness as the key metrics
• Perform root cause analysis:
– Identify broken processes
– Identify where PHI or sensitive data resides
– Identify major user education gaps
– Identify missing protections
Solving the Problem Step 3: Remediate
• Begin by classifying data
• Establish the appropriate protections
• Organize your data appropriately
• Change identified processes
Solving the Problem Step 4: Educate
• Revisit data security policies
• Develop an education program
• 2nd tier education for those most highly affected
• Automate real-time notifications
Solving the Problem Step 5: Prevent
• Leverage administrative controls
• Continuously educate users
• Audit user processes
• Establish technical controls to block breaches
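As an added example (not part of the presentation or any vendor product), a minimal content-inspection scanner of the kind a data-at-rest DLP tool runs to support Step 1's "no brainers" (CC#, SS#) and Step 2's presence metric: it flags which documents hold regulated identifiers and what share of the corpus they make up. The file names, sample records and matching rules are constructed for illustration.

```python
import re

# Added example: a toy data-at-rest content scanner. All inputs are constructed.
# SSN: area not 000/666/9xx, group not 00, serial not 0000 (rules out obvious junk).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, spaces or dashes allowed; validated further with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Count regulated identifiers in one document; empty dict means clean."""
    hits = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = len(ssns)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    if cards:
        hits["card"] = len(cards)
    return hits


def baseline(documents: dict) -> dict:
    """Step 2 'presence' metric: flagged documents and their share of the corpus."""
    flagged = {name: h for name, text in documents.items() if (h := find_identifiers(text))}
    return {"flagged": flagged, "presence": len(flagged) / len(documents)}


# Constructed sample corpus standing in for files found on an open share.
SAMPLE_DOCS = {
    "census_export.csv": "name,ssn\nJ. Doe,078-05-1120\nA. Roe,219-09-9999\n",
    "vendor_ticket.txt": "Customer paid with card 4111 1111 1111 1111 on file.",
    "meeting_notes.txt": "Ticket 4111 1111 1111 1112 is a random ID, not a card.",
    "policy.txt": "Encrypt backups and review share permissions quarterly.",
}

if __name__ == "__main__":
    result = baseline(SAMPLE_DOCS)
    for name, hits in result["flagged"].items():
        print(f"{name}: {hits}")
    print(f"presence: {result['presence']:.0%}")
```

The Luhn check is what keeps meeting_notes.txt out of the flagged set even though it contains a 16-digit run; real DLP products layer the same idea with dictionaries, proximity rules and document fingerprints to cut false positives further.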
Sadik Al-Abdulla, Security Solutions, [email protected]
Brian Comp, Chief Technology Officer, Information