Like all hospitals and medical facilities, Baptist Memorial Health Care Corporation (BMHCC) must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires medical services providers to provide security measures for all stored patient health information. But the organization realized that its compliance efforts were threatened by the ease with which sensitive information could reside unprotected on USB flash drives and other portable devices.
BMHCC, which has more than 12,000 employees working in nine hospitals in Tennessee and five in Mississippi, mitigated these risks with two endpoint-security solutions that secure mobile data and ensure that sensitive data remains private through encryption and password protection.
When BMHCC purchased its current desktops, it purposely excluded writable media, which at that time included floppy drives and CD burners, says Lenny Goodman, IT director of desktop management, corporate information systems. “We felt the endpoints were secure—there was not a way for users to take data out of our endpoints and take it home.”
But, says Goodman, the organization had no way to back up data, so when USB flash drives became affordable and popular, many tech-savvy users bought one so they could do it themselves. “We didn’t condone it; we didn’t condemn it,” says Goodman. “We didn’t see it coming.”
About two years ago, BMHCC looked for a solution. Goodman and his IT team evaluated everything that they could find. After winnowing down the possible contenders to three, the team decided that Auditor and Protector, two products made by Safend Ltd. of Tel Aviv, Israel, “had the most mature approach,” Goodman states.
Auditor is a software utility that queries network endpoints, locating and documenting all removable media devices—past and present—that have ever been connected to each endpoint machine. “The way that it gathers and organizes the data into useful audit reports far exceeded any of the other products,” Goodman says.
Protector detects and allows or restricts devices by device type, model, or specific device serial number. It also monitors traffic in real time and provides logs to administrators to make it easier to create policies for removable media.
Installation was simple and without glitches, Goodman reports. Just as important was the rapport he built with Safend representatives. He says he developed a wish list for the company that Safend was happy to accommodate. For example, could he get a log of all file transfers between the host machine and the flash drives—both inbound and outbound? “They said, ‘Yeah, we’ll go back to the drawing board and we’ll do that.’”
BMHCC began using Auditor about a year ago, and is in the process of identifying all devices enterprisewide. “We’re still in the ratchet-down phase, as I call it, trying to approach a day when the only thing left on our system is approved devices,” Goodman says.
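The allow-by-serial, model or type matching described for Protector, and the audit-first "ratchet-down" toward an approved-only device list, as an added example in Python that is not Safend's code or BMHCC's configuration; the hosts, users, model strings and serials are constructed:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    dev_type: str  # e.g. "usb_storage"
    model: str     # model string the device reports
    serial: str    # unique serial number


@dataclass
class Policy:
    allowed_serials: set = field(default_factory=set)
    allowed_models: set = field(default_factory=set)
    allowed_types: set = field(default_factory=set)
    enforce: bool = False  # False: audit only; True: block unapproved devices


def evaluate(policy, dev):
    """Return (decision, matched_rule); the most specific rule wins."""
    if dev.serial in policy.allowed_serials:
        return ("allow", "serial")
    if dev.model in policy.allowed_models:
        return ("allow", "model")
    if dev.dev_type in policy.allowed_types:
        return ("allow", "type")
    return ("block" if policy.enforce else "audit", "default")


def process_events(policy, events):
    """Evaluate each (host, user, device) connect event; return log lines."""
    lines = []
    for host, user, dev in events:
        decision, rule = evaluate(policy, dev)
        lines.append(f"host={host} user={user} type={dev.dev_type} "
                     f"model={dev.model!r} serial={dev.serial} "
                     f"decision={decision} rule={rule}")
    return lines


def unapproved_devices(policy, events):
    """Serials seen that no rule approves: the list still to ratchet down."""
    return sorted({d.serial for _, _, d in events if evaluate(policy, d)[0] != "allow"})


# Constructed sample connect events (hypothetical hosts, users and serials).
EVENTS = [
    ("ws-1021", "jdoe", Device("usb_storage", "Kingston DTEP", "DTEP-000123")),
    ("ws-1021", "jdoe", Device("usb_storage", "Generic Flash Disk", "3F9A12")),
    ("ws-2207", "asmith", Device("usb_storage", "Generic Flash Disk", "77B0C4")),
]
POLICY = Policy(allowed_serials={"DTEP-000123"})  # audit mode: log, do not block

if __name__ == "__main__":
    print("\n".join(process_events(POLICY, EVENTS)))
    print("unapproved:", unapproved_devices(POLICY, EVENTS))
```

Running the same events with `enforce=True` shows the cut-over: the approved serial still matches, and every unlisted drive is blocked instead of merely logged.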
Goodman is also creating administrative processes to determine who is responsible for identifying end users with legitimate business reasons to carry data on flash drives and other portable devices. “This means a written approval process and a chain of authority,” he says. An example of such an approved end user is a staff member who develops PowerPoint nurse-in-service training programs and then presents them at different BMHCC sites.
Goodman and his team decided that approved devices had to be password protected as well as fully encrypted because users tend to lose them regularly. They also had to be plug-and-play and offer a user-friendly interface to ensure fail-safe security practices.
They found DataTraveler Elite-Privacy Edition (DTEP) by Kingston Technology Company of Fountain Valley, California, a USB drive that allows users to fully encrypt data without having to install additional software on the host machine. The device is protected by a password control mechanism that locks out users after 25 failed password attempts.
To date, BMHCC has deployed about 100 DTEP devices to approved users and plans to provide 500-700 more this year as the approval process continues to take place companywide. “We’re implementing in stages,” Goodman explains. “One of the things you don’t want to do is say, ‘In two weeks you won’t be able to use your device anymore’ because you don’t want to encourage a rush to bad behavior. On the other hand, you don’t want to just turn everything off and wait for people to holler, because you may have just crippled a really vital business process that you weren’t aware of.”
Goodman says the software has cost about $20 per endpoint. Additionally, the DTEPs cost about $100 each. The cost is justified by the high cost of a single HIPAA violation, which is “potentially $200,000,” he states. “And then there’s the public relations cost,” which “can be incalculable.”