Overlooked Breach Prevention Steps
Going Beyond Encrypting Mobile Devices
In an interview (transcript below), Terrell Herzig pinpoints other vital risk management steps, including:
- Encrypting information on USB drives, CDs and DVDs.
- Disposing of media, such as hard drives or backup tapes, properly. For example, UAB uses an industrial crusher to destroy old drives.
- Using two-factor authentication to control access to protected health information.
- Making sure that companies hired to shred documents keep the material secure every step of the way.
- Using data loss prevention software to generate reports on how patient data can be exposed, such as through misuse of e-mail. UAB uses examples from such reports to educate staff about following privacy and security policies.
In addition to serving as information security officer at Birmingham, Ala.-based UAB Medicine, Herzig is HIPAA security officer. He heads a team of three security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state. He is editor of the book, "Information Security in Healthcare: Managing Risk," published by HIMSS.
Herzig is also the featured speaker in a webinar on developing a policy for protecting information on mobile devices.
HOWARD ANDERSON: I wanted to talk to you today about some of the strategies for preventing breaches and implementing security controls that might be overlooked. What are some of the major other strategies that folks might be overlooking that they really need to pay attention to?
TERRELL HERZIG: When you go out to the Department of Health and Human Services' website and you see the amount of breaches due to lost devices and theft of devices, the immediate reaction is to go out and encrypt everything, specifically laptops and things like that. What we're really missing in the industry right now is a more holistic approach -- to look at data leakage as a whole. What information is flowing across the organization? How is it coming into the organization, as well as going out? By looking at that, I think we'll get a better appreciation for a layered control approach, things that people aren't thinking about right now -- things like how they dispose properly of media that they no longer need.
You know, one of the key breach incidents that we saw involved hard drives left in a warehouse and not appropriately disposed of, and that's an issue.
I think people are looking a lot at encrypting laptops, but they may be forgetting USB drives and other media like CDs and DVDs, which a lot of people don't think can be encrypted. For some strange reason, I get that reaction: "You mean you can encrypt a CD and DVD?" There are actually vendors that make products that you can just drop a DVD in and it will self-encrypt the data that you're sending to it, and that really provides an extra level of protection.
Plus, you need to pay attention to things like encrypting e-mail and file transfers and working with our business partners. How are they handling the flow of information between your organization and theirs? All those controls need to be looked at and evaluated.
ANDERSON: What about paying closer attention to how the company you hire to shred paper is doing it? What's your experience?
HERZIG: ... We had spent several years with one particular shredding company, and it came time for renewal of our contract. We had a competitor come in at a lower price that we had not done business with before, so through the contracting process, we worked with them to specify the certain controls we wanted. We had the option, for example, to allow our vendor to remove the material from our site and truck it to a secure disposal facility and take care of it out of state. And our risk management people, along with us, decided that it would be better to have it shredded on site so we had some idea that the paper was adequately being shredded.
Then, through an audit of the vendor once they were onsite fulfilling the contract, we discovered that, in actuality, they were leaving a lot of the material insecure, in an unsecure location, to pre-stage it before they were shredding it; this was a fully public area. So, of course, we had to go back to them and say, "No guys, you need to bring it out and shred it onsite at the point of collection, just like you had committed to in the contract."
That was a small bump. We got that worked out, but it's a case in point. You've really got to go out and audit these controls -- every one of your controls -- to make sure they are operationally effective.
ANDERSON: Something that's very easy to overlook.
HERZIG: Very easy to overlook. Even not having a sufficient number of properly placed bins can be a risk to your security model, because if people don't have a depository bin nearby that they can put their papers in, they're liable to just throw them in the trash rather than walk that extra length down a hallway to find a bin. So you've got to make sure the coverage of the controls is sufficient.
Destroying Storage Media
ANDERSON: You also invested in equipment that's located at UAB to destroy storage media when it's out of use. Describe how that works.
HERZIG: We actually kind of got lucky. Being a large organization, we had bought industrial crushers to crush other stuff that we wanted to recycle or break down and get rid of. And that primary use had been outsourced ... so that left us with a big industrial crusher that no one was using. And when we were trying to map out how we were going to securely destroy our hard disks, we knew, for example, that degaussing equipment is not always effective because of the new drives coming out and the amount of magnetic force that they contain; it's very hard to degauss them. Plus, doing secure overwrites can take a lot of time. So we wanted to make sure that if we had hard drives going offsite that we could physically destroy them.
We looked at maybe outsourcing that to people who could crush the drives. As we were talking with our equipment accounting folks, we discovered there was this big industrial grinder that no one was using, so we said, "Hey, we can put that thing to work." And so we pulverize our hard drives into basically half-inch squares when they come out of the compactor. So I can turn around and give a department a certificate of destruction and say, "On this date we destroyed those 200 hard drives, and, no, they're not sitting anywhere."
ANDERSON: At what point do you take that step to destroy drives?
HERZIG: If you're a person within our organization who has any kind of media that you don't know how to get rid of, but know that sensitive information may be on it, you can go to our privacy and security website and fill out an online electronic ticket, or you can just pick up the phone and contact my office and we'll come pick it up.
I felt like if we were serious about collecting this media and getting rid of it, we had to make it easy for our departments and end-users to work with us. So we take the burden off them, plus we need to do a chain-of-custody accounting anyway. So it's more efficient if we go to them instead of them coming to us.
ANDERSON: I understand you're moving to a new form of two-factor authentication. Describe the old and the new and why you made the shift.
HERZIG: Our two-factor authentication has always been the hard token devices. And because of the proliferation of portable devices, we were starting to hear people say, "The hardware token takes so much room in my pocket or on my keychain, and it's not backlit."
So with portable devices coming out, we had the idea that if we could give them a soft token that they could run on the device and not have to carry a separate hard token, maybe it would help their workflow a little bit. (See also: RSA Breach: A CISO's Action Items).
ANDERSON: So by soft token, it's a piece of software that runs on their cell phone or smart phone?
HERZIG: It's a little applet. It generates that one-time password just like a hard token does, synched up to the same hardware in the background, and it allows them to mimic the hard token but in a software version.
ANDERSON: How widely do you have that deployed at this point?
HERZIG: Right now, we've got probably 1,100 people using it, and we're about to go to one-time soft token provisioning and deployment and temporary token provisioning and deployment, which basically means that if we have people outside the organization, we can validate who they are, validate their need for access to information. We can give them a token that expires in a certain time period, and they can sign up for it and go through that verification process, and we can electronically implement it instead of putting our sign-on team through a large number of steps that they've had to do with the hard token.
ANDERSON: And this two-factor is for remote access only or for the internal network as well?
HERZIG: It's remote access only at this point, because internally, we've got enough controls ... with the firewalls ... and all the other things that we implement, that we can get by without the two-factor inside the firewall. But then for anything outside, we require two-factor.
Data Loss Prevention
ANDERSON: And finally, how big a role does your data loss prevention application play?
HERZIG: It gives me some of the metrics on how well we're doing about keeping information inside and not letting it go out. Our DLP system produces automated reports each week that are e-mailed to me and my assistant and my other security person. We all three will sit down Monday morning and go through them and look at what we're seeing and what the metrics mean. And it's been working pretty well.
ANDERSON: And you use the results primarily for educational purposes?
HERZIG: Yes, we'll use them for educational purposes. ... For example, we informed staff that we had a lot of people that would e-mail their credit card information out for personal purchases. They'd go to websites that for some reason didn't have secure e-pay gateways, so they would just e-mail their information. One individual used e-mail to pay her daughter's tuition with a credit card payment. The e-mail had the credit card number, expiration date, and PIN code, as well as the security code on the back of it. Why she thought they needed her PIN code, I don't know. I actually had called the lady and said, "You might want to keep an eye on your accounts," having released that much information.
But we sanitize all that data from the DLP reports and use it in our corporate compliance education courses to put it back in the community. And I get comments after an educational session about, "I didn't know that e-mail wasn't encrypted," or "I didn't know that this could be sitting out here on the Internet for such a period of time," or "I didn't know by going to Facebook I could get hit to a site that has malware on it." People just don't know. So the more education you can give them, the better off we're all going to be.