Palisade: Healthcare Meets Data Loss Prevention (Again)
Back in October 2009, Palisade Systems announced its first data loss prevention (DLP) offering geared toward managed services providers. The company, which targets the SMB market, has since received a boost from an unexpected source: Connecticut’s attorney general’s office. Here’s how.
The AG’s office in January 2010 sued a managed healthcare company for “failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach,” according to the state.
The HITECH Act, a health information technology-related law passed as part of the economic stimulus package, authorized state AGs to enforce the Health Insurance Portability and Accountability Act privacy and security provisions. HITECH and the Connecticut suit have combined to spark interest in DLP among healthcare customers, noted Christian Renaud, chief executive officer of Palisade Systems.
Some healthcare organizations have opted for Palisade Systems’ traditional PacketSure DLP appliance. Renaud said large healthcare systems and hospitals have purchased multiple appliances in some cases, with deals in the $80,000 to $150,000 range. Smaller medical centers and satellite offices, however, are going the MSP route, he added.
In those cases, customers go with Palisade Systems’ PacketSure Managed DLP. MSPs can host the product as a VMware virtual machine offering.
In general, the federal initiative to promote the adoption of electronic health record (EHR) systems among the nation’s physicians and hospitals also raises the profile of DLP. Some EHR solutions are hosted in the cloud, which raises security concerns.
“SaaS providers doing it all in the cloud need some sort of story about how they are keeping their data secure,” Renaud said.
With that in mind, Renaud said his company is discussing DLP with EHR vendors he declined to identify.
Palisade Systems, meanwhile, is readying a SaaS solution of its own: the SaaS version of PacketSure is in beta.
Renaud said the company’s PacketSure 8 code base, the latest version, is replicated across its on-premise, MSP and SaaS products. PacketSure 8 features include a new reporting engine and contextual analysis.
In addition to healthcare, financial services and state and local government are active markets for Palisade’s DLP offerings.
5 Required Elements of a Data Loss Prevention System:
1. Comprehensive channels coverage.
It is impossible to predict through which outbound channel the next data leak will occur. Some expected avenues are: corporate email, private email, webmail, blogs, instant messengers, P2P applications, internal web or FTP servers, etc. Therefore, the DLP system must cover ALL the relevant channels.
The majority of “DLP” systems do not even try to cover all network channels. Typically, they cover SMTP, FTP, HTTP (client side), sometimes HTTPS and instant messaging. This coverage is further handicapped. For example, scanning SMTP, these systems require integration with the corporate email server and inspect only emails sent through it. Emails sent through an external ISP are overlooked. Emails accessed from outside the perimeter through POP3 or HTTP (server side) are ignored by such solutions. The dangers of file sharing applications and exposure of the internal web servers are disregarded.
2. Enforcement – Blocking
Data Leak Prevention, by its definition, requires electronic enforcement of the data security policy – i.e. the product must be able to effectively block transmission of protected data.
Many “DLP” products being sold are actually DLD – Data Leak Detection products. They are designed to report what data breaches have occurred, instead of stopping them in real time.
3. Content Inspection
A true DLP solution must inspect content. Making decisions based on the form (file type, file attributes etc.) or meta-data (author, language, size of attachment etc.) is not enough.
4. Accuracy
The DLP solution must be sufficiently accurate.
Of the two types of errors (false positives and undetected leaks), the more dangerous error is a false positive. In the enforcement mode, even a small amount (0.1%-0.2%) of false positives can wreak havoc in the organization. Therefore, a DLP solution has to employ detection technology with virtually zero false positives.
Another aspect of accuracy is that the DLP system must protect data and not a specific form of its representation. Therefore, the DLP system must be resilient to typical modifications of the data, such as excerpting, embedding, changing file format, re-ordering, re-typing, text re-formatting etc.
5. Non-duplicating protected data.
The DLP solution must not duplicate the protected data in any form! If it does, then DLP becomes Data Leak Provoking. But many vendors still sell products that copy the data they are supposed to protect into their internal database. Encrypting such data, or keeping it in the form of a search index, is not enough to satisfy this requirement!
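To illustrate elements 3 and 4 above, here is an added example (not from the article, the list's author, or any Palisade product) contrasting a form-based check, an exact file hash, with content inspection that survives excerpting and re-formatting. Keyed hashing of word shingles is an assumed technique chosen for illustration; the key, shingle size, threshold, function names and sample texts are all constructed.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"   # assumption: per-deployment secret
SHINGLE = 5                     # assumption: words per shingle
MIN_HITS = 3                    # assumption: hits needed before blocking

# Constructed sample data, not real records.
PROTECTED = ("Patient Jane Example, member ID 000-constructed, was diagnosed "
             "with type 2 diabetes on the third visit and prescribed "
             "metformin 500 mg twice daily.")
LEAK = ("fyi -- she WAS DIAGNOSED with Type-2 diabetes\n  on the third visit, "
        "and prescribed metformin (500 mg) twice daily!! delete after reading")
BENIGN = ("Reminder: the quarterly staff meeting moves to the third floor on "
          "Friday, and lunch is provided for everyone who signs up by noon.")

def normalize(text):
    """Lowercase and keep only word tokens, so case, punctuation and
    line-wrapping changes do not alter the result."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprints(text):
    """Keyed digests of every run of SHINGLE consecutive words."""
    words = normalize(text)
    return {
        hmac.new(KEY, " ".join(words[i:i + SHINGLE]).encode(),
                 hashlib.sha256).hexdigest()[:16]
        for i in range(len(words) - SHINGLE + 1)
    }

def exact_hash_match(protected, outbound):
    """Form-based check: matches only a byte-identical copy."""
    return (hashlib.sha256(protected.encode()).digest()
            == hashlib.sha256(outbound.encode()).digest())

def matching_shingles(registered, outbound):
    """Number of outbound shingles whose digest is in the registered set."""
    return len(registered & fingerprints(outbound))

def should_block(registered, outbound):
    """Require several hits so one shared common phrase does not block mail."""
    return matching_shingles(registered, outbound) >= MIN_HITS

if __name__ == "__main__":
    registered = fingerprints(PROTECTED)   # only digests are kept
    for name, msg in (("leak", LEAK), ("benign", BENIGN)):
        print(name, exact_hash_match(PROTECTED, msg),
              matching_shingles(registered, msg), should_block(registered, msg))
```

Raising `MIN_HITS` or `SHINGLE` trades missed short excerpts for fewer false positives, which is the tension element 4 describes.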