Oct 03 2022

Ensuring Stronger Data Loss Prevention in Healthcare as Systems Face Insider Threats

A robust DLP strategy takes a proactive approach to monitoring and categorizing data exfiltration risk levels to prevent data loss before it happens.

Healthcare organizations create, collect and store some of the most personal and valuable information found in any industry.

In addition to data theft threats posed by malicious actors operating across the globe, healthcare IT workers must also be cognizant of insider threats, ranging from disgruntled former employees to departing workers who feel they own the data they worked on and can take it with them.

To combat any threat, a robust data loss prevention (DLP) strategy should offer a holistic view of data and users within the network, across endpoints and into the cloud, giving IT leaders the ability to make informed security responses and anticipate incidents, says Kevin Oliveira, senior product marketing manager at Forcepoint.


Taking Stock of Potential Insider Threats in Healthcare

From Oliveira’s perspective, risk-adaptive protection — the ability to analyze and predict where and when a data loss incident could arise — is a critical component of any DLP plan.

“Our solution offers over 140 indicators of behavior, which are continually monitored to understand the riskiness of what individuals are doing. This allows us to assign them a risk score,” he says.

For example, an employee might be flagged as a “leaver” — someone who is likely to soon depart from the company — if monitoring shows they have uploaded a résumé to LinkedIn. This would bump their risk score up from zero to a moderate risk level, Oliveira says.

“If that person starts doing things like sending personally identifiable information with their personal email, we can encrypt the email, which means they can still complete the action, but the files will be encrypted, and then those files can only be seen if connected somewhere to the organization’s network,” he says. “If it’s outside the network, it’s useless.”

The idea is to create a graded system that considers the realities of a modern workforce, where users often have legitimate data-handling needs that look risky without actually posing a threat.

By the time such a person becomes a serious insider threat, Oliveira says, they have already been labeled a critical risk, a determination made possible by the continuous view of risk accumulated over time.


If the software notices more worrisome activity, such as a USB drive being filled with files or firewall tampering, the user might receive a prompt in the form of a pop-up, asking them if they’re sure they want to continue with this action.

“Anyone could get into this boat — even good users could start tampering with firewalls,” Oliveira says. “Maybe they’re just trying to clear out their laptop because it is running slowly, and so the one time they do it, they’re considered a medium risk.”

Signs that they are uploading large amounts of data to a network share would move the person higher on the potential exfiltration threat list, with their activity monitored over a 20-day period.

Once they have reached that critical risk threshold, the user is blocked everywhere on the network, IT security leaders are informed, and managers are notified, Oliveira says.

“That’s the benefit of this continuous evaluation of risk and risky behavior — we can help companies recognize a potential data loss incident before it happens,” he says. “We believe that is the way to best address those insider threats.”

Even at that point, Oliveira adds, the threat level can be reduced if the behavior turns out to be explainable. “It could be a teachable moment, and we're all fine; 30 days pass, the score goes back down to zero because they didn't do anything anomalous,” he says.
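The passages above describe a graded, time-decaying risk score: behavioral indicators accumulate into a score, each score band maps to a progressively stronger response (encrypt outbound data, prompt the user, block and notify), and a quiet period lets the score fall back to zero. The following Python model is an added example, not Forcepoint's code and not its actual indicator set; the indicator names, weights, score bands, per-level responses and the 30-day decay window are assumptions chosen so that the article's narrative (a "leaver" signal moves the score from zero to moderate, a critical threshold blocks and notifies, 30 quiet days reset the score) plays out on a constructed timeline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed indicator weights for illustration only; the article mentions
# "over 140 indicators" but does not publish them or how they are weighted.
INDICATOR_WEIGHTS = {
    "resume_upload": 30,                # the "leaver" signal
    "pii_to_personal_email": 20,
    "usb_bulk_copy": 30,
    "firewall_tampering": 30,
    "bulk_network_share_upload": 40,
}

# Assumed score bands (highest first). The article names levels such as
# moderate, medium and critical but gives no numeric cut-offs.
LEVEL_THRESHOLDS = [(90, "critical"), (60, "high"), (30, "moderate"), (1, "low")]

# Assumed response per level, following the article's narrative: the user can
# still act at moderate risk but outbound data is encrypted, a prompt appears
# at high risk, and critical risk blocks everywhere and notifies security.
RESPONSES = {
    "none": "allow",
    "low": "allow",
    "moderate": "allow_but_encrypt",
    "high": "prompt_user",
    "critical": "block_and_notify",
}

DECAY_DAYS = 30  # per the article, the score returns to zero after 30 quiet days


def level_for(score: int) -> str:
    """Map a numeric score to a named risk level."""
    for threshold, name in LEVEL_THRESHOLDS:
        if score >= threshold:
            return name
    return "none"


@dataclass
class UserRisk:
    """Rolling risk profile for one user: a list of (timestamp, indicator)."""
    user: str
    events: list = field(default_factory=list)

    def observe(self, indicator: str, when: datetime) -> None:
        """Record one behavioral indicator observed at a given time."""
        if indicator not in INDICATOR_WEIGHTS:
            raise ValueError(f"unknown indicator: {indicator}")
        self.events.append((when, indicator))

    def score(self, now: datetime) -> int:
        """Sum the weights of events inside the sliding window; older ones age out."""
        cutoff = now - timedelta(days=DECAY_DAYS)
        return sum(INDICATOR_WEIGHTS[ind] for when, ind in self.events if when > cutoff)

    def level(self, now: datetime) -> str:
        return level_for(self.score(now))

    def response(self, now: datetime) -> str:
        return RESPONSES[self.level(now)]


def run_leaver_scenario():
    """Replay a constructed timeline and return (day, score, level, response) rows."""
    t0 = datetime(2022, 10, 3)
    profile = UserRisk("alice")  # constructed user
    timeline = [                  # constructed events mirroring the article
        (0, "resume_upload"),
        (5, "pii_to_personal_email"),
        (10, "usb_bulk_copy"),
        (15, "bulk_network_share_upload"),
    ]
    trace = []
    for day, indicator in timeline:
        now = t0 + timedelta(days=day)
        profile.observe(indicator, now)
        trace.append((day, profile.score(now), profile.level(now), profile.response(now)))
    # 35 quiet days after the last event: every observation has aged out.
    quiet = t0 + timedelta(days=50)
    trace.append((50, profile.score(quiet), profile.level(quiet), profile.response(quiet)))
    return trace


if __name__ == "__main__":
    for day, score, level, action in run_leaver_scenario():
        print(f"day {day:>2}: score={score:>3} level={level:<9} response={action}")
```

The sliding window is what gives the "teachable moment" behavior: a single firewall tweak or USB copy lands a user at moderate risk, but with no further indicators the score decays to zero without any manual reset. A production engine would also need per-action policies (the article's encrypt-on-send applies to a specific channel, not to every action at that level) and an audit trail of why each score changed, so that the manager notified at the critical threshold can review the evidence.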


Choosing a DLP Solution for Healthcare

An agentless DLP solution may be the best option for some healthcare organizations with the increasingly decentralized nature of the workforce, the rise of cloud-based applications and the use of mobile devices for telehealth, says Oliveira.

Forcepoint’s agentless DLP solution is part of Forcepoint ONE, the company’s Security Service Edge solution and SD-WAN offering. It provides single-vendor secure access service edge and includes an integrated DLP capability that is agentless. Oliveira says this option is ideal for healthcare organizations that have a large cloud footprint and run devices that are not Windows- or Mac-based.

“We are bringing this to our customers who don’t have the ability to have an endpoint for whatever reason so they can’t use an endpoint DLP,” he says. “If they are already looking to protect data in the cloud and using Chromebooks, tablets, phones or Linux-based devices, this provides a solution for endpoints where agents are not typically available.”

It’s more important than ever for healthcare organizations to have a strong DLP solution, Oliveira adds.

“The central idea is that a strong data security solution covers all of the channels for exfiltration, whether it’s with the endpoint, like people’s laptops, or emails or private cloud applications, which are very common for healthcare — and that’s just within the network,” he says. “These are the main points of data exfiltration.”
