Stopping PHI Theft with DLP Real World Scenarios
My Journey into Patient Data Protection
Chris Leffel
• 10+ years in Data Loss Prevention
• Dozens of customer installations across the finance and healthcare industries
My story in healthcare data protection really starts 5 years ago …
Shiva Kashalkar Bio
Shiva Kashalkar, Director, Product Marketing
• Leads Product Marketing for DLP Managed Services and Advanced Threat Protection
• Marketing professional with ~13 years of marketing, business development & product management experience
• Previously at Managed Service Providers and Big Data Analytics companies (Wipro, Oracle, KPN, Empirix)
Foundations – Get to know your data
You know where most of the data is …
If you don’t … your AR team does!
Confidential 4
Foundation – How fingerprinting works
Content rules (evaluated by a common inspection engine):
• Keywords
• Regular expressions
• Dictionaries
• File metadata (type, size, name) and file category
• Exact and partial file fingerprints
• Database record fingerprints
Common inspection engine: 600 file formats, format independent, archive files, language independent, multibyte.
Channels covered: Email, Network, Web, Discovery, Endpoint, and monitoring scanners.
Examples:
• DB record matching: CustName AND (AcctNum OR SSN), taken from database records (Record1, Record2, Record3, … each holding CustName, AcctNum, SSN)
• Partial file matching: paragraph match from a fingerprinted file
• Patterns: credit card number, SSN, passport number
• Regular expressions: medical record number, email address
• Dictionaries: HIPAA code sets (NDC, LOINC, HCPCS), US addresses
Foundation – Database Record Matching
Database record matching delivers unmatched PII/PHI identification and control: instead of flagging anything that merely looks like an SSN, it matches combinations of fields (for example CustName AND (AcctNum OR SSN)) fingerprinted from the real database, so a hit is tied to an actual patient record.
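The content rules on the fingerprinting slide and the database record matching described here can be shown side by side in code. The block below is an added example, not Digital Guardian code; every record, document, key and code-set entry in it is constructed. It fingerprints each field of a set of patient records with a keyed hash (so the index holds no cleartext PHI and, because SSNs span only a billion values, cannot simply be brute-forced), then scans text for tokens whose fingerprints co-occur under the rule CustName AND (AcctNum OR SSN). A plain SSN regex and a tiny NDC dictionary run alongside it to show why the record rule produces fewer false positives than a pattern alone.

```python
"""Toy DLP content rules: pattern, dictionary and database-record matching.
Added example, not Digital Guardian code. All records and documents are constructed."""
import hashlib
import hmac
import re

# Constructed patient records (fake data), standing in for the EHR/AR export
# a DLP administrator would fingerprint. Columns: CustName, AcctNum, SSN.
RECORDS = [
    ("Jane Doe", "A10023", "123-45-6789"),
    ("John Roe", "A10024", "987-65-4321"),
    ("Mary Major", "A10025", "555-12-3456"),
]

# Constructed secret. A real deployment keeps this on the DLP server so a leaked
# index cannot be reversed by hashing all 10^9 possible SSNs.
FINGERPRINT_KEY = b"constructed-demo-key"

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Constructed mini dictionary of NDC-shaped drug codes (a HIPAA code set).
NDC_DICTIONARY = {"0002-8215-01", "0069-0151-01"}


def normalize(value: str) -> str:
    """Case-fold and strip punctuation so 'Jane  DOE' and 'jane doe' match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value: str) -> str:
    """Keyed hash of a normalized field; the index never holds cleartext PHI."""
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records) -> dict:
    """Map fingerprint -> {(record_id, column)} for every field of every record."""
    index = {}
    for rid, (name, acct, ssn) in enumerate(records):
        for column, value in (("name", name), ("acct", acct), ("ssn", ssn)):
            index.setdefault(fingerprint(value), set()).add((rid, column))
    return index


def candidate_tokens(text: str) -> set:
    """Single words plus two-word windows, so multi-word names can match."""
    words = re.findall(r"[A-Za-z0-9-]+", text)
    tokens = set(words)
    tokens.update(f"{a} {b}" for a, b in zip(words, words[1:]))
    return tokens


def match_records(text: str, index: dict) -> list:
    """DB record matching with the rule CustName AND (AcctNum OR SSN):
    a record is reported only when its own fields co-occur in the text."""
    hits = {}
    for token in candidate_tokens(text):
        for rid, column in index.get(fingerprint(token), ()):
            hits.setdefault(rid, set()).add(column)
    return sorted(rid for rid, cols in hits.items()
                  if "name" in cols and ({"acct", "ssn"} & cols))


def match_patterns(text: str) -> list:
    """Pattern rule: any SSN-shaped string, whether or not it is a real one."""
    return SSN_PATTERN.findall(text)


def match_dictionary(text: str) -> list:
    """Dictionary rule: exact hits from a code-set list such as NDC."""
    return sorted(code for code in NDC_DICTIONARY if code in text)


def inspect(text: str, index: dict) -> dict:
    """Run all three rule types and return their hits."""
    return {"records": match_records(text, index),
            "patterns": match_patterns(text),
            "dictionary": match_dictionary(text)}


INDEX = build_index(RECORDS)

# Constructed "physician efficiency" spreadsheet, like the one in the Gmail case.
SPREADSHEET = """Patient,Acct,SSN,Physician,Minutes
Jane Doe,A10023,123-45-6789,Dr. Smith,15
Mary Major,A10025,,Dr. Smith,22
"""
# Constructed text with a name on its own and a placeholder SSN that belongs to nobody.
NEWSLETTER = ("John Roe joined the AR team. Sample SSN format: 000-00-0000. "
              "Drug 0069-0151-01 has been recalled.")

if __name__ == "__main__":
    print(inspect(SPREADSHEET, INDEX))   # records [0, 2]: two real patients
    print(inspect(NEWSLETTER, INDEX))    # records []: name alone is not a match
```

The spreadsheet triggers record matches for both patients (Mary Major matches on name plus account number even though her SSN column is empty), while the newsletter triggers only the pattern and dictionary rules: John Roe's name appears, but neither his account number nor his SSN does, so the record rule stays silent and the analyst is not paged for a staff announcement.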
Foundations – Where can your data go?
Anywhere?
Who have you signed a BAA with, and what is their domain?
Case Studies
Who let the PHI out?
Inspired by True Stories
Who sent all that Patient Data to Gmail!
Suspect emailed a spreadsheet that contained:
• Patient Names, Patient MRNs, Patient Socials (SSNs)
• Information about the Physician
• How many minutes the visit took
• Focused on physician efficiency … (time spent per patient, etc.)
Who Dunnit?
• The CEO hired a small external consulting firm to study physician efficiency … that did not have its own domain and email address
How did we catch them?
(Diagram: outbound email inspected on the SMTP path to the Internet)
Who uploaded a file to the UK?
Suspect uploaded a spreadsheet of patient information to a server in the UK:
• Contained patient name, treatment dates, amount owed
• Account Aging report (i.e. 30 days, 60 days, 90 days, or more)
Who Dunnit?
• The AR team was working with an external collections agency. Because email was blocked, the AR person decided to upload the data using a file sharing and collaboration service. The server for the service just happened to be in the UK.
How did we catch them?
(Diagram: HTTP/HTTPS traffic passes through the Secure Web Gateway, which hands content to DLP over ICAP before it reaches the Internet)
Who is sending data via FTP?
Suspect file upload via unsecured FTP detected:
• Data was in HL7 format
• Patient Name, Patient SSN, Patient MRN
• And more
Who Dunnit?
• A CT scanner had been down for repair two weeks before.
• As part of the diagnostics the technician turned on application logging. This caused the CT to log the full patient record in the system log.
• The system log was uploaded to the vendor as a matter of routine ‘health monitoring’ provided by the CT vendor.
How did we catch them?
(Diagram: TCP/IP traffic from the device observed at the network switch on its way to the Internet)
What files can the janitor see?
Suspect in question placed several large files on an internal file share without adequate access control:
• File was very large. Contained almost every patient the organization had ever treated
• Contained full patient records in CSV file format
Who Dunnit?
• The IT team was migrating patient data between systems. The file was too large for the internal IT file share, and the main EMC filer was used as a temporary repository.
• The file was more than 10 years old. Nobody currently working at the organization owned the file or even knew it was there.
How did we catch them?
(Diagram: discovery scanning of file shares, databases and laptops)
Summary
• Understand where your data is (EHR, AR)
• Understand where it can go (and white-list those destinations)
• Work with legal / compliance to come up with your risk framework
• Apply detective controls
• Discuss results and set objectives with your peers
• Apply corrective controls
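The "where can your data go" question and the summary's advice to white-list destinations come down to one policy check: PHI may leave only to a domain you hold a BAA with, and only over a channel that BAA covers. The block below is an added example, not Digital Guardian code; the BAA register, the key=value event format, the `phi_records` field (assumed to come from a content-inspection stage like the record matching above) and the sample events are all constructed. It replays the four case studies as egress events: consultant on Gmail, AR upload to a UK sharing site, CT scanner logs over plain FTP, and a legitimate send to the collections partner.

```python
"""Egress policy for PHI: only destinations covered by a BAA, only over
encrypted channels. Added example, not Digital Guardian code; the partner
domains, event format and sample events are all constructed."""
from urllib.parse import urlparse

# Constructed BAA register: partner domain -> channels the contract covers.
BAA_ALLOWLIST = {
    "collections-partner.example": {"smtp", "https"},
    "ct-vendor.example": {"sftp"},
}

# Channels that carry content in cleartext. PHI is never allowed on them,
# even to a BAA partner (the CT scanner case was plain FTP).
CLEARTEXT_CHANNELS = {"ftp", "http"}

# Constructed egress events, one per line, as a content-inspection stage
# might emit them. phi_records is the number of DB-record matches it found.
EVENTS = [
    "channel=smtp user=cfo to=consultant@gmail.com phi_records=412",
    "channel=https user=ar-clerk dst=https://share.example.co.uk/upload phi_records=1300",
    "channel=ftp user=ct-scanner-03 dst=ftp://ct-vendor.example/logs phi_records=57",
    "channel=smtp user=ar-clerk to=billing@collections-partner.example phi_records=88",
    "channel=smtp user=nurse01 to=friend@gmail.com phi_records=0",
]


def parse_event(line: str) -> dict:
    """Whitespace-separated key=value pairs -> dict."""
    return dict(field.split("=", 1) for field in line.split())


def destination_domain(event: dict):
    """Domain of the recipient address or of the upload URL, lower-cased."""
    if "to" in event:
        return event["to"].rsplit("@", 1)[-1].lower()
    if "dst" in event:
        host = urlparse(event["dst"]).hostname
        return host.lower() if host else None
    return None


def is_allowlisted(domain: str, channel: str) -> bool:
    """True when domain is a BAA partner (or a subdomain of one) and the
    channel is one the BAA covers. The '.' in the suffix check stops
    look-alikes such as evilcollections-partner.example from matching."""
    for partner, channels in BAA_ALLOWLIST.items():
        if domain == partner or domain.endswith("." + partner):
            return channel in channels
    return False


def evaluate(event: dict) -> str:
    """Policy decision for one egress event."""
    phi_records = int(event.get("phi_records", "0"))
    if phi_records == 0:
        return "allow"                       # no PHI, destination is irrelevant
    channel = event["channel"]
    if channel in CLEARTEXT_CHANNELS:
        return "block:cleartext-protocol"    # applies even to BAA partners
    domain = destination_domain(event)
    if domain is None or not is_allowlisted(domain, channel):
        return "block:destination-not-under-baa"
    return "allow"


def triage(lines) -> list:
    """(user, verdict) for every event, ready for the incident queue."""
    return [(ev["user"], evaluate(ev)) for ev in map(parse_event, lines)]


if __name__ == "__main__":
    for user, verdict in triage(EVENTS):
        print(f"{user:16} {verdict}")
```

Two design points matter in practice. The cleartext check runs before the destination check, so the CT vendor's BAA does not rescue an upload that happens over FTP; and a non-PHI email to Gmail is simply allowed, which is what keeps the AR team from routing around the control the way the UK upload case shows they will.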
Digital Guardian
• Founded 2003 to protect all data against theft
• Began with protecting IP on the endpoint – the most challenging use case
• Simplified compliance and cloud data protection with the DG appliance
• Launched the industry’s first Managed Security Program for DLP
(Analyst badges: Magic Quadrant Leader; Wave Leader)
Threat Aware Data Protection
Deepest Visibility
• Network, Endpoint, Cloud, Databases/Shares
• Structured and unstructured data
Real-Time Analytics
• Filters out the noise
• Accelerates investigation
• Delivers incident discovery
Flexible Controls
• Controls that don’t slow down your business
• Controls across network, storage, cloud and endpoints
• Controls that are enforceable on all OSs
Digital Guardian’s Data Protection Program Framework
VISIBILITY → ANALYTICS → CONTROL
Understand → Build → Enforce & Educate → Assess & Improve
Understand: What Data to Protect
• Content-based: file inspection to identify, tag and fingerprint sensitive data for the lowest false positives
• Context-based: identify & tag sensitive data (structured and unstructured) even before you develop policies, using 200+ parameters such as upload/download, source/destination, user, application, computer, network state, classification, operation, drive type, session and time of day
• User-based: enable users to classify sensitive data based on business requirements
Most comprehensive data discovery & classification on the market today
Understand: When Data is at Risk
• View & Open
• Attach to Email
• Email
• Network Upload
• Cut & Paste
• Cloud Application
• USB Devices
• Delete & Recycle
• Remote Drives
• Application Launch
• File Encrypt
• Save to Local Drive
• Burn to CD/DVD
• File Create
• Send to Printer
• Print Screen
• Connect Device
Build: Smart Policies & Controls Based on Your Real Data Usage
(Chart: Total Egress – 90 Days, total files and total GB by channel: Removable, Printing, Uploads, Emails)
SMART Policies & Controls – share with business leaders
“Digital Guardian helped us change the conversation with business unit leaders.” – John Graham, Chief Information Security Officer, Jabil
Enforce & Educate: Flexible & Automated Controls
(Prompt shown: “You have attempted to transfer PST file(s) to removable drive. Please provide a justification for moving PST file(s) to removable drive”)
Content, context and behavior based rules can automatically prompt or block insider and outsider threats
Assess: Analytics & Reports that Drive Continuous Improvement
(Chart: Incidents Per Week falling over time across the Understand, Build, Enforce & Educate and Assess & Improve phases – Risk Reduction Over Time)
Summary
• You can’t protect what you can’t see. The deepest visibility enables you to go from reactive to proactive
• Identifying and focusing on your most important data dramatically increases your security program’s effectiveness
• Automated and flexible controls that won’t slow down your business
Thank You
Any Questions?