Proofpoint: Security, Compliance and the Cloud

25 posts categorized "HIPAA"

December 08, 2011

New Customer Videos: Leaders in Healthcare, Financial Services, Retail and More Describe Why they Use Proofpoint

At our recent "Proofpoint Inner Circle" customer events, we had a great opportunity to interview several of our enterprise customers about how and why they use Proofpoint Enterprise solutions for email security, data loss prevention, email encryption, regulatory compliance, archiving and electronic discovery.

I've collected several of them in this YouTube playlist. In these videos, representatives from Amalgamated, Liberty Health, PETCO, Graubard Miller, MED3000, Zions Bank and Scottsdale Healthcare share some of the reasons they rely on Proofpoint.

Thanks again to all of our terrific customers who took the time to share their stories with us... And you can find a lot more Proofpoint video content in our YouTube channel at http://www.proofpoint.com/youtube.

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper, How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization, about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:

 

June 28, 2011

Microsoft Office 365: Enhancements for Enterprise Compliance - Meet Proofpoint's Newest Solution

On the heels of Microsoft's official global launch of Microsoft Office 365, the company's newest cloud-based offering that combines productivity apps with hosted Microsoft Exchange email, Proofpoint has introduced a new solution, Proofpoint Compliance for Office 365.

Proofpoint Compliance for Office 365 (Proofpoint's press release here) adds advanced, enterprise-class email privacy, data loss prevention, encryption and archiving/eDiscovery features to any Office 365 deployment.

While much of the coverage of Microsoft's introduction today has focused on the potential for Office 365 in the small- and medium-sized business market, Microsoft is also targeting the enterprise market with "an array of choices, from simple email to comprehensive suites to meet the needs of midsize and large businesses, as well as government organizations."

Proofpoint specializes in meeting the advanced security and compliance needs of medium and large enterprises and understands that even in a well-specified product like Office 365, there are gaps between actual product functionality and the needs of large enterprises — especially those in regulated industries.

So, to that end, Compliance for Office 365 combines the features of Proofpoint Enterprise Privacy (data loss prevention, email encryption), Proofpoint Enterprise Archive (archiving and eDiscovery) and Proofpoint Enterprise Protection (inbound/outbound email security) to greatly extend the core security and compliance features of Office 365's messaging environment.

In short, it helps ensure compliance for a wide variety of data protection and privacy mandates including the "alphabet soup" of HIPAA/HITECH, SOX, GLBA, PCI, FERPA, FINRA and SEC regulations.

Proofpoint followers won't really be surprised by this, as the concept is very similar to the work we already do with many large Microsoft BPOS customers such as the USDA.

To learn more about the features of Compliance for Office 365, check out our new product page or register for our July 20th live web seminar, Microsoft Office 365: Meeting Encryption, Privacy and Compliance Requirements, where we'll detail the compliance and security features that come built into Office 365, and how those match to enterprise requirements for data protection and privacy.

For the PDF-minded, we also have a new datasheet on Compliance for Office 365.

June 01, 2011

Talking FISMA, Cloud Computing and Secure Messaging: Proofpoint and Proofpoint Customers in the News

A couple of recent news items I wanted to point out in case you haven't seen them.

First, our VP of Technology, Andres Kohn, chatted with security blogger Alan Shimel for his ashimmy blog Security.EXE podcast. Andres and Alan talk about Proofpoint's work with Microsoft on what might be the biggest federal deployment of cloud technology to date (at the USDA), FISMA compliance and the ongoing battle between Microsoft and Google for cloud dominance.


Next, Proofpoint customer Kelsey-Seybold Clinic of Houston, TX is included in a recent Healthcare Informatics feature, "Secure Messaging via the Cloud and Mobile Devices." In that article, Martin Littmann, director IT systems for Kelsey-Seybold, briefly describes how that healthcare system uses Proofpoint's SaaS email security and data loss prevention solutions to help ensure the security of sensitive data.

Finally, we recently published a new customer case study on Adventist Health, a large California-based health system, that uses Proofpoint's cloud-based solutions for email security, HIPAA compliance and data loss prevention. Download a PDF copy of "Adventist Health gives Proofpoint's cloud-based email security solution a clean bill of health."

 

May 24, 2011

HIPAA Email Security: Adventist Health Deploys Proofpoint to Keep PHI Safe, Employee Inboxes Clean

We're proud to welcome Adventist Health to the roster of leading healthcare organizations that use Proofpoint Enterprise Protection and Proofpoint Enterprise Privacy to ensure the security, privacy and confidentiality of patient data while also protecting employees from spam, viruses and other malicious email.

Adventist Health is a leading West Coast healthcare provider with 17 hospitals and more than 130 clinics and outpatient facilities located across California, Hawaii, Oregon and Washington—and about 18,000 email inboxes to protect.

When Adventist sought to replace its legacy email security solution with a more flexible, effective and easier-to-manage SaaS solution, they turned to Proofpoint, after consulting Gartner's 2010 Magic Quadrant for Secure Email Gateways.

Quoted in our full press release issued today, Adventist's information security officer, Alain Bouit, explained that improving the security of patient information and providing better service was a primary goal of the switch to Proofpoint.

“In any email security solution, a primary goal is to protect patient information. If a patient believes we are taking care of their personal information properly, it is one of the factors that helps ensure confidence to patients about our abilities as a provider,” says Bouit. “After examining many solutions, Proofpoint was the best fit because it had the flexibility to handle regulatory compliance, as well as protect patient personal health records.”

If you're tasked with protecting personal healthcare information for your organization, you can learn more about how Proofpoint provides superior defense against email-borne threats and comprehensive protection against exposures of HIPAA-regulated data by requesting a Proofpoint HIPAA Risk Assessment.

Visit: http://go.proofpoint.com/HIPAA-Risk-Assessment-Audit.html

February 24, 2011

Kids, Privacy and SSNs: Why Children are a Top Target for Identity Theft

Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company's "Doodle-4-Google" contest. (Helpful to start with Larry Magid's post today, "Why Google Stopped Collecting the Last 4 Digits of Kids' Social Security Numbers" which is a follow-up to Bob Bowdon's article, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?").

As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person's city and year of birth (which, apparently, Google was also requesting). See this Datamation article, "Social Security Numbers Easy to Hack", which talks about some really interesting research about predicting social security numbers from publicly-available data.

Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and "de-duplicating" duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won't belabor that point.

Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Proofpoint customer Matt Johnston, who is the senior security analyst for Children's National Medical Center, a leading pediatric hospital based in the metro Washington DC area.

One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn't really thought about this before, but it makes sense.

As Matt told me, children have new or "clean" records. They don't have established credit histories and outside of core identifiers like a social security number and birth record, there aren't many other public records associated with a child's identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.

So organizations like Children's National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients' data not just because it's required by law but because it's part of their core mission of protecting and caring for children.

Matt talks about these issues, how his organization uses Proofpoint's SaaS email security and email encryption solutions and why he chose Proofpoint (and why deploying those solutions in the cloud was the right decision for CNMC) in this short video:

My thanks once again to Matt for graciously taking the time to share his insights with us!

February 22, 2011

Email Security & Compliance for Healthcare: Customer Case Studies, HIMSS 2011 Conference

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and archives email for 2000 mailboxes.

Explaining why his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).



January 24, 2011

Learn More about Your Obligations to Archive Email with this InsideCounsel Webinar Replay

Proofpoint's senior director of eDiscovery solutions, Robert Cruz, recently presented a web seminar with legal publication InsideCounsel.

In "What are Your Obligations to Retain Email and Other Forms of Electronic Content?", Robert discusses the content retention challenges faced by organizations in the midst of stringent litigation and regulatory compliance demands, and offers practical advice for how to address those challenges.

Topics covered included:

  • Key legal, business and regulatory drivers for archiving email and other electronic content
  • The impact of regulations—including FINRA, HIPAA and newer or less well known regulations—on your organization’s retention policies
  • Recommendations for taking a proactive approach to content retention and litigation hold procedures
  • Given the sweeping impact of the Dodd Frank Wall Street Reform Act and introduction of "preventative compliance," what steps can you take to prepare your organization for greater regulatory information access and transparency?
  • How organizations in both regulated and previously non-regulated industries are tackling retention challenges

To watch this replay now (no registration required!) visit the following link:

http://webcast.streamlogics.com/audience/index.asp?eventid=52552431 

December 08, 2010

CEO Series Video: Why Privacy Matters Today

In this first of a series of videos about security and compliance issues in today's enterprise, Proofpoint CEO Gary Steele talks about why consumer privacy is such a hot-button issue, some of the implications for enterprises and gives several tips for how companies can better protect confidential and private information.

As Gary notes, "Today's consumer expects, when they give their information to you, that you'll properly control and manage that."

 

Viewers concerned about protecting private data may also find the following Proofpoint resources useful:

Gartner 2010 Content-Aware Data Loss Prevention FAQs: This complimentary Gartner report shares best practices for preventing data loss.

Outbound Email and Data Loss Prevention in Today's Enterprise: Proofpoint's 2010 statistics on enterprise data loss events, policies and much more.

Protecting Enterprise Data with Proofpoint Encryption: This whitepaper provides information on how enterprises can better protect confidential data using email encryption and how Proofpoint's SaaS-powered email encryption technology works. 

November 12, 2010

US Government Stepping Up Online Privacy Protection

The Wall Street Journal reports that the US federal government is looking at creating new laws and new oversight mechanisms in an effort to better protect consumers' online privacy. In "Watchdog Planned for Online Privacy," Julia Angwin writes that reports and recommendations from both the US Commerce Department and the Federal Trade Commission are due to be issued in the near future.

Similarly, the Obama administration has launched an online privacy task force that sources say will be asked to "transform the Commerce Department recommendations into policy." As the article states, currently there is no comprehensive US law that protects consumer privacy online (such issues are instead monitored by the Federal Trade Commission, which takes action in cases where policy violations are deemed deceptive or unfair).

This has led many US states to take action on their own, passing legislation that governs the handling of private information of residents of those states (for a look at some of the regulations that affect how enterprises handle private and personally identifiable information, see the Osterman Research report, "The Critical Need for Encrypted Email and Secure File Transfer Solutions").

According to the article:

A spokesman for the Commerce Department said the administration is "committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth. These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online."

These sorts of initiatives will cause more organizations to take a closer look at the way they handle private data both at rest and in motion. A recent Gartner research report that Proofpoint made available this week provides some helpful advice for enterprises that are taking a closer look at technologies for data loss prevention—read Gartner's 2010 Content-Aware Data Loss Prevention FAQs.

Of course, it's not just regulations and growing consumer concern about privacy that are driving demand for data protection solutions. Every organization creates and needs to manage confidential information that they want to protect from unauthorized disclosure. 

As just one example that's been in the news this week, consider the reports that Google gave employees a raise in an effort to increase retention, but has fired the employee who leaked that information to the media.

And just one more privacy item worth mentioning: The Register reports (in their usual snarky style) that Facebook is testing some new account protection features that could be mistaken for a phishing attempt.

©2012 Proofpoint, Inc.