2013 CHECK POINT ANNUAL SECURITY REPORT
04 DATA LOSS INCIDENTS IN YOUR NETWORK
Our research shows that in 29% of organizations, at least one event observed during the analysis period indicated that PCI-related information was sent outside the organization. Among financial organizations, which are usually obligated to comply with PCI regulations, we found that 36% had at least one PCI-related event.
HIPAA
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The HIPAA Privacy Rule permits health care providers to use email to discuss health issues with their patients, provided they apply reasonable safeguards. Encryption is not mandated; however, other safeguards should be applied to reasonably protect privacy. How do you keep email communication channels open with patients and partners while safeguarding privacy and keeping the organization compliant with HIPAA?
In our research, we monitored the outgoing traffic from organizations, scanning all parts of each message and its attachments for emails containing private patient information. A message was flagged when it combined personal identifiers (such as a Social Security Number) with related medical terms (CPT, ICD-9, LOINC, DME, NDC terms, etc.). We found that in 16% of Healthcare and Insurance organizations, HIPAA-Protected Health Information was sent outside the organization, either to an external email recipient or posted online.
Security Recommendations
In today's world of increasing data losses, organizations have little choice but to take action to protect sensitive data. The best solution to prevent unintentional data leaks is to implement an automated corporate policy that catches protected data before it leaves the organization. Such a solution is known as Data Loss Prevention (DLP). Content-aware DLP products have a broad set of capabilities, and organizations have multiple options for approaching deployments. Before deploying a DLP solution, organizations need to develop a clear DLP strategy with concrete requirements: what is considered confidential information, who is allowed to send it, and so on.
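The detection approach described above (personal identifiers combined with medical vocabulary, scanned across the message body, subject and attachments) and the policy requirements from the recommendations (what counts as confidential, who may send it externally) can be shown together in one small content-aware DLP check. The following Python is an added example, not code from the report or from any Check Point product; the regular expressions, the internal domains, the authorized-sender lists and the sample messages are all constructed for illustration, and the PCI check (Luhn-validated card numbers) is included because the PCI findings appear earlier on this page.

```python
import re
from dataclasses import dataclass, field

# --- Identifier and vocabulary patterns (hypothetical, chosen for this example) ---
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # card-number candidates; confirmed by Luhn below
CODE_RES = {  # medical code families named in the report, with simplified formats
    "CPT": re.compile(r"\bCPT[ :]*\d{5}\b", re.I),
    "ICD-9": re.compile(r"\bICD-?9(?:-CM)?[ :]*\d{3}(?:\.\d{1,2})?\b", re.I),
    "LOINC": re.compile(r"\bLOINC[ :]*\d{4,5}-\d\b", re.I),
    "NDC": re.compile(r"\bNDC[ :]*\d{4,5}-\d{3,4}-\d{1,2}\b", re.I),
}
MEDICAL_WORDS = {"diagnosis", "prescription", "dme", "patient"}  # constructed vocabulary


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters random digit runs out of the card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Policy:
    internal_domains: set          # mail to these domains never leaves the organization
    phi_authorized_senders: set    # e.g. a secure-messaging gateway allowed to send PHI out
    pci_authorized_senders: set    # e.g. the payment team's tokenization service


def find_pans(text: str) -> list:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_medical_terms(text: str) -> set:
    found = {name for name, rx in CODE_RES.items() if rx.search(text)}
    lowered = text.lower()
    found.update(w for w in MEDICAL_WORDS if re.search(rf"\b{w}\b", lowered))
    return found


def is_external(recipient: str, policy: Policy) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in policy.internal_domains


def classify(msg: Message, policy: Policy) -> dict:
    """Scan every part of the message (subject, body, attachments) and apply the policy."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    ssns, pans, terms = SSN_RE.findall(text), find_pans(text), find_medical_terms(text)
    external = any(is_external(r, policy) for r in msg.recipients)
    # PHI needs an identifier AND medical context: a bare SSN in an HR mail is not PHI.
    phi = bool(ssns) and bool(terms)
    pci = bool(pans)
    violations = []
    if external and phi and msg.sender.lower() not in policy.phi_authorized_senders:
        violations.append("HIPAA")
    if external and pci and msg.sender.lower() not in policy.pci_authorized_senders:
        violations.append("PCI")
    return {"external": external, "phi": phi, "pci": pci, "terms": sorted(terms),
            "violations": violations, "action": "block" if violations else "allow"}


POLICY = Policy(internal_domains={"clinic.example"},
                phi_authorized_senders={"secure-gateway@clinic.example"},
                pci_authorized_senders={"payments@clinic.example"})

# Constructed sample traffic (fictional people, test card number, no real data).
SAMPLES = {
    "nurse_external": Message("nurse@clinic.example", ["someone@webmail.example"], "Visit notes",
                              "Patient J. Doe, SSN 123-45-6789, CPT 99213 for diagnosis follow-up."),
    "billing_internal": Message("billing@clinic.example", ["records@clinic.example"], "Claim",
                                "Patient SSN 123-45-6789, ICD-9 250.00."),
    "gateway_external": Message("secure-gateway@clinic.example", ["partner@lab.example"], "Order",
                                "", {"order.txt": "Patient SSN 123-45-6789, LOINC 2345-7 requested."}),
    "card_external": Message("frontdesk@clinic.example", ["vendor@supplier.example"], "Payment",
                             "Please charge 4111 1111 1111 1111 for the DME order."),
    "hr_external": Message("hr@clinic.example", ["payroll@vendor.example"], "New hire",
                           "Employee SSN 123-45-6789 for payroll setup."),
}


def run_samples() -> dict:
    return {name: classify(msg, POLICY) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict['action']:5s} {verdict['violations']}")
```

The two design choices worth noting are that PHI is declared only when an identifier and a medical term co-occur, which keeps the false-positive rate down on ordinary HR or finance mail, and that the "who can send it" requirement is expressed as an explicit authorized-sender list rather than a blanket exception, so an external PHI transfer from anyone else is blocked.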
Callout: In 16% of Healthcare and Insurance organizations, HIPAA-Protected Health Information was sent outside the organization.