Check Point 2013 Security Report - page 33

Our research shows that in 29% of examined organizations, at least one event was found during the analysis period indicating that PCI-related information was sent outside of the organization. Our findings also indicate that within 36% of tested financial organizations, which are usually obligated to comply with PCI regulations, at least one PCI-related event had occurred.
The HIPAA Privacy Rule provides federal protection for personal health information and grants patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for proper patient care and other important purposes.

The HIPAA Privacy Rule permits healthcare providers to use email to discuss health issues with their patients, provided that reasonable safeguards are applied. Encryption is not mandated; however, other safeguards should be applied to reasonably protect privacy. How do healthcare providers keep email communication channels open with patients while safeguarding privacy and maintaining HIPAA compliance?
In our research, we monitored the outgoing traffic from organizations while scanning all parts of messages and attachments, searching for emails containing patients' private information by keying on personal information identifiers (e.g., Social Security numbers) and related medical terms (e.g., CPT, ICD-9, LOINC, DME and NDC terms).
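The scan described above, keying on a personal identifier together with medical vocabulary, can be sketched as a small content-aware classifier of the kind the Data Classification Engine recommendation later calls for. The following is an added example written for this page, not Check Point's code or the engine used in the study; the internal mail domain, the sample messages and the "block only when an identifier and a medical indicator occur together" rule are assumptions chosen to show how the combination requirement keeps price- and invoice-shaped numbers from raising alerts.

```python
"""Content-aware scan of outgoing email for likely protected health information.

Added example for this page, not Check Point's code. Messages, domains and the
decision rule are constructed assumptions. A message is flagged only when it
carries BOTH a personal identifier (an SSN) and a medical-context indicator
(a code in ICD-9 or NDC shape, or a clinical term), which keeps numeric
look-alikes such as prices or invoice numbers from triggering the policy.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: the organization's own mail domains; anything else is "outside".
INTERNAL_DOMAINS = {"example-clinic.test"}

# SSN in AAA-GG-SSSS form. Area 000/666/9xx, group 00 and serial 0000 are never
# issued, so rejecting them drops many other 3-2-4 numbers before they match.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# ICD-9-CM shapes: numeric with decimal part (250.00), V codes (V72.31), E codes (E880.9).
ICD9_RE = re.compile(r"\b(?:\d{3}\.\d{1,2}|V\d{2}(?:\.\d{1,2})?|E\d{3}(?:\.\d)?)\b")

# NDC-shaped product codes such as 0069-2587-10; shape only, not checked against the directory.
NDC_RE = re.compile(r"\b\d{4,5}-\d{3,4}-\d{1,2}\b")

# Vocabulary named in the report plus a few generic clinical terms.
MEDICAL_TERMS = ("cpt", "icd-9", "loinc", "dme", "ndc",
                 "diagnosis", "patient", "prescription", "medical record")


@dataclass
class Verdict:
    block: bool
    reasons: List[str] = field(default_factory=list)


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits so the DLP log does not itself leak the identifier."""
    return "***-**-" + ssn[-4:]


def external_recipients(recipients: List[str]) -> List[str]:
    """Recipients whose mail domain is not one of ours."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def classify(text: str) -> Tuple[List[str], List[str]]:
    """Return (masked identifiers, medical indicators) found in the message text."""
    identifiers = [mask_ssn(m.group(0)) for m in SSN_RE.finditer(text)]
    lowered = text.lower()
    indicators = [f"term:{t}" for t in MEDICAL_TERMS if t in lowered]
    indicators += [f"icd9:{c}" for c in ICD9_RE.findall(text)]
    indicators += [f"ndc:{c}" for c in NDC_RE.findall(text)]
    return identifiers, indicators


def evaluate(recipients: List[str], text: str) -> Verdict:
    """Policy: block mail that leaves the organization carrying an identifier AND medical context."""
    outside = external_recipients(recipients)
    if not outside:
        return Verdict(False, ["all recipients internal"])
    identifiers, indicators = classify(text)
    if identifiers and indicators:
        return Verdict(True, ["external:" + ",".join(outside)] + identifiers + indicators)
    return Verdict(False, ["no identifier+medical combination"])


# Constructed sample traffic (not data from the report).
SAMPLES = [
    (["dr.jones@mail.example"],
     "Patient John Doe, SSN 123-45-6789, diagnosis 250.00 (ICD-9)."),
    (["billing@example-clinic.test"],
     "Patient John Doe, SSN 123-45-6789, diagnosis 250.00 (ICD-9)."),
    (["vendor@mail.example"],
     "Invoice total $123.45, reference 987-65-4321."),
    (["pharmacy@mail.example"],
     "Rx NDC 0069-2587-10 for patient on file, SSN 123-45-6789."),
]


def run_samples() -> List[Verdict]:
    return [evaluate(rcpts, body) for rcpts, body in SAMPLES]


if __name__ == "__main__":
    for (rcpts, _), v in zip(SAMPLES, run_samples()):
        print("BLOCK " if v.block else "allow ", rcpts, v.reasons)
```

The third sample shows why accuracy depends on combining signals: "$123.45" has the shape of an ICD-9 code and "987-65-4321" has the shape of an SSN, but the first is rejected by the never-issued-area check and the second is only a medical-shaped indicator with no identifier, so the invoice passes. The identifier is masked before it is written into the verdict so that the DLP alert log does not become a second place where the SSN is stored.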
We found that in 16% of healthcare and insurance organizations, HIPAA-protected health information was either sent outside of the organization to an external email recipient or was posted online.

Security Recommendations
In today's world of increasing data losses, organizations must take action to protect sensitive data. The best solution to prevent unintentional data loss is to implement an automated corporate policy that catches such incidents before the data leaves the organization. Such solutions are known as Data Loss Prevention (DLP). Content-aware DLP products have a broad set of capabilities and present organizations with multiple deployment options. Before deploying a DLP solution, organizations need to develop a clear DLP strategy with concrete requirements: what is considered confidential information, who may send it, and so forth.

Data Classification Engine
High accuracy in identifying sensitive data is a critical component of a DLP solution. The DLP solution must be
Callout: 16% of healthcare and insurance organizations we examined saw HIPAA-protected health information sent outside of the organization.