"DLP is one tool in an overall information security program," Herold says, and must be used in conjunction with security policies, procedures, training and awareness communication.
In an interview (transcript below), Herold:
- Points out that DLP is limited in scope and cannot prevent hacking attacks or malware entering a network.
- Explains how the technology works to scan network traffic and how it also can scan storage to pinpoint the location of specifically defined data, such as protected health information. This can help a hospital, for example, identify patient data on laptops that lack encryption and take appropriate action.
- Outlines features and functions to look for in a DLP system, including the ability to inspect e-mail, instant messaging, blogs, wikis, peer-to-peer communications, links to social media, voice-over-internet-protocol transmissions, traffic to personal webmail and file-transfer-protocol systems. She also advises organizations to look for an application that can spot suspicious use patterns and provide alerts, block inappropriate transmissions and provide comprehensive logging and reporting capabilities.
Herold, owner of Rebecca Herold & Associates, is known as the Privacy Professor. For more than two decades, she has specialized in information privacy, security and compliance. She has served as an adviser to organizations in a number of industries, including healthcare.
Earlier, she was featured in a podcast on wireless security.
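An added illustration, not code from the interview or from any DLP product, of the two scans the summary above describes: content inspection of transmissions on the channels Herold names, with block, alert and log outcomes, and a storage scan for PHI on a device that lacks encryption. The detector patterns, the MRN format and the per-channel policy are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed detectors for "specifically defined data" (PHI identifiers).
# Patterns and the MRN format are assumptions for this example, not a real
# hospital's scheme; a production DLP ships many more detectors.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{7}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
# Channels named in the interview; which may ever carry PHI is local policy.
NEVER_PHI = {"im", "p2p", "webmail", "social", "voip"}
APPROVED_IF_ENCRYPTED = {"email", "ftp"}
AUDIT = []  # comprehensive logging: every decision is recorded here

@dataclass
class Transmission:
    channel: str      # one of the channel names above
    encrypted: bool   # was the content encrypted before it was sent?
    body: str         # content as seen on the wire (assumed inspectable)

def find_phi(text: str) -> set:
    """Content inspection: names of every detector that fires on the text."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}

def decide(tx: Transmission) -> str:
    """Policy in the interview's terms: allow, alert or block, and log it."""
    hits = find_phi(tx.body)
    if not hits:
        action = "allow"
    elif tx.channel in NEVER_PHI:
        action = "block"   # PHI never belongs on these paths
    elif tx.channel in APPROVED_IF_ENCRYPTED and not tx.encrypted:
        action = "block"   # clear-text PHI, e.g. an unencrypted e-mail
    else:
        action = "alert"   # encrypted, approved path: let through but flag
    AUDIT.append({"channel": tx.channel, "action": action, "types": sorted(hits)})
    return action

def inventory(files: dict, disk_encrypted: bool) -> list:
    """Storage scan: files holding PHI on a device that lacks encryption."""
    return sorted(p for p, text in files.items() if find_phi(text) and not disk_encrypted)

if __name__ == "__main__":   # constructed sample traffic, not captured data
    print(decide(Transmission("email", False, "Re: discharge, MRN-1234567, DOB 03/14/1962")))
    print(decide(Transmission("p2p", True, "chart for MRN 7654321")))
    print(inventory({"C:/Users/rn/notes.txt": "pt SSN 987-65-4321"}, disk_encrypted=False))
    print(AUDIT)
```

The image-file case Herold raises later applies here too: a detector can match a file name that follows a naming standard, but not what the image shows.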
HOWARD ANDERSON: For starters, tell us a bit about your firm and the services you offer.
REBECCA HEROLD: I've been in the information security, privacy and compliance business for over two decades now, and I work with a wide range of organizations helping them to create their security and privacy compliance programs. In the past year, I launched a new service called Compliance Helper. ...
ANDERSON: As the list of major health information breaches reported to federal authorities continues to grow, healthcare organizations are looking for ways to prevent breaches. So what role can data loss prevention software play in all that?
HEROLD: Technology solutions such as DLP can certainly provide one tool in an organization's overall information security management program. It cannot replace basic security management components, such as policies, procedures, regular training and ongoing awareness communications and activities. However, DLP solutions can provide an effective way to reduce the amount of sensitive data, including patient information, which may accidentally be leaked out of an organization through forwarded e-mails and e-mail attachments or through other paths such as peer-to-peer connections and instant messaging. DLP solutions can search for specific types of sensitive information and then take automatic actions to block the data leakage, to alert the security area that such leaks are occurring, to log them and also a variety of other actions.
But it is important to understand that DLP systems are limited in scope in the types of security activities they perform. They do not prevent malware ... from getting on to the corporate network, and they do not prevent denial-of-service attacks or other types of hacking. DLP solutions are limited to trying to identify and prevent specific types of data from getting outside of the organization, or from being accessed internally by unauthorized network users.
But DLP solutions can definitely help to prevent breaches by preventing sensitive data from leaving the organization in an unauthorized way.
How DLP Works
ANDERSON: Could you explain how data loss prevention software actually works, and more important, how hospitals and others can use it to identify vulnerabilities?
HEROLD: DLP software monitors the network traffic and also storage locations and searches for specific types of data, and then it takes actions appropriate for each type of situation. DLP solutions can typically do a fairly wide range of activities. For one, they can identify security holes in business processes. For example, they can detect if a file transfer process for protected health information is allowing PHI to leak or be accessed inappropriately. DLP solutions can also catch accidental data disclosure by employees -- for example, employees sending unencrypted e-mail that contains clear text PHI data. DLP solutions can catch and stop unauthorized data movement by employees. For example, they can help detect if you have a disgruntled employee who wants to steal data or an employee who is leaving the company and trying to send sensitive data out of the network to an external location.
Also, DLP can assist in creating and maintaining an inventory of where all PHI is located throughout the organization. This can be very helpful to find PHI in inappropriate locations, such as on USB drives and public folders and on unapproved laptops. And DLP can assist with business associate management, by helping to catch when associates ... are not providing the required safeguards, such as encryption, before sending out information through a public network, such as the Internet.
ANDERSON: So what kinds of alerts should DLP users be sure to set up to help them prevent breaches?
HEROLD: With regards to hospitals and clinics, they need to first identify the types of protected health information that they have and can configure in their systems to check for them. They also need to check for items that may be within unstructured data. This will typically take a more sophisticated type of DLP system than one that just looks at specific fields or specific types of text or character formatting. Hospitals and clinics will want to know when such things as X-rays and other types of imaging files are leaving their networks or when other types of images are being accessed by individuals. DLP solutions can help security managers detect when images are accessed. But it is important to keep in mind that most DLP solutions cannot indicate what the images actually show. ... You still need to have human intervention for some types of files to actually determine what the images are showing.
This distinction can be addressed and identified by DLP systems if strict naming standards are followed for such image files. The image files that do not follow the naming standards would still be problematic and definitely would require more human intervention. ...
Essential DLP Features
ANDERSON: So when folks are shopping for a data loss prevention application, what features should they look for and what questions should they be asking?
HEROLD: It really depends upon the types of data that you want to locate and track, and also the capabilities of your existing security technologies. But as a general list, you want to look for a DLP solution that has the ability to inspect e-mail; instant messaging communications; what is in blogs on your internal network and maybe out on your corporate website; wikis and peer-to-peer communications. You want a solution that can check on data that is being sent out to certain social media sites, such as Facebook or LinkedIn ... and that is able to look at voice-over-internet protocol transmissions; there are a lot of organizations using Skype now. So make sure your DLP solution can monitor those types of communications.
Also, DLP should be able to check traffic to personal webmail-based accounts, such as Yahoo and Google. ... And also you want a solution that can check file-transfer-protocol systems. These are typically set up to send large files that e-mail cannot support, or as an alternative for e-mail transmission of files.
Organizations should ask to ensure that these basic transmission paths can be monitored and scanned. And you should also look for a solution that can spot suspicious usage patterns on the network and report on them, including the data involved in those suspicious activities. DLP solutions should also provide comprehensive logging supported by a wide range of reporting capabilities.
ANDERSON: Any other advice on how to make the most of a DLP investment?
HEROLD: Organizations really need to clearly understand that DLP is just one tool within the information security management program that they create. They should not spend their entire security budget on a DLP solution, because many other components are needed within their full comprehensive security management program.
So first, before investing in DLP, be sure that your organization has created a comprehensive set of policies and procedures based upon your organization's identified risks along with supporting compliance requirements, such as HIPAA and the HITECH Act. ... You cannot successfully deploy a DLP solution without having data classification policies and procedures in place.
After you have your policies and procedures established, your risks identified and your security strategy defined, you can then determine the full set of security technology tools you need to support your strategy. You may find that some of your existing tools, such as your use of encryption for e-mails or on USB drives or hard drives, and maybe your security event monitoring tools, may already provide some protections that actually are part of the features of certain types of DLP solutions. So you need to know the security technologies and features that you already have in place in order to choose a DLP system that will provide your organization with the most value and add the most security to your confidential data.