Bank of China New York (http://www.bocusa.com), the US branch of the world's fifth largest bank, uses Proofpoint to block incoming spam and viruses, prevent exposure of private information and encrypt sensitive outbound emails to achieve compliance with data privacy regulations including the Gramm-Leach-Bliley Act (GLBA).
Last week, I was at Proofpoint's East Coast "Inner Circle" customer event and I had a chance to sit down with Kostas Georgakopoulos, Director of Information Security at Bank of China's US branch and talk with him about how the bank is using Proofpoint. You can view the resulting video embedded in this post.
Writer Penny Crosman at Bank Systems & Technology also spoke with Kostas last week, and her article, "Bank of China Steps Up Email Security," is also out today. In the article, Kostas says:
"Like other financial institutions, we're targeted by spammers and people who send us spearing attacks... Our concern is to protect the integrity of our data, our customers' confidential information, and the availability of our systems... We needed something that would scale, that would provide additional capabilities, for example to help us meet regulatory concerns such as Gramm Leach Bliley."
If your organization faces similar data protection and regulatory compliance challenges, you'll probably be interested in the Proofpoint whitepaper, Protecting Enterprise Data with Proofpoint Encryption, which you can register to download here:
I shot quite a few more Proofpoint customer videos at last week's event (and hope to this week at our West Coast "Inner Circle" meeting), so stay tuned for more.
As you might already know, Proofpoint exhibited last week at the RSA Conference 2010 in San Francisco. As part of our exhibit (see photo at left), we conducted an electronic survey about email trends that more than 120 booth visitors kindly took the time to fill out.
48% of respondents said their organizations had been the target of a "spear phishing" attack. That is, they were targeted by a phishing email designed specifically to compromise their own email users.
59% of respondents said that their organizations have deployed an email encryption solution. An additional 19% intend to deploy such a solution in the future (most in the next 12 months).
43% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 20% said that "ease of administration" was the most important factor. 16% cited cost, 11% cited available deployment method (e.g., SaaS vs. appliance) and 6% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.
Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (39% and 27%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:
15% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
10% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (Personally, I would fall into this camp!)
7% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.
RSA 2010 was a great show for us with a lot of customers and more than 1000 interested attendees who dropped by the booth. Thanks to everyone who took the time to stop by our booth! As promised, I do have a few video interviews coming soon to the blog. Stay tuned...
Today, in an announcement issued from our booth at RSA (#1132), Proofpoint introduced the latest update to our SaaS email security and data loss prevention platform, Proofpoint 6.1.
New features in Proofpoint 6.1 include support for multi-protocol (HTTP, HTTPS) data loss prevention, a new data loss prevention dashboard (pictured at left), encryption enhancements including an Outlook plug-in for the Proofpoint Encryption solution and a variety of other security and performance enhancements.
You can check out the full press release, which has a lot more detail, here:
Our live web seminar series continues on March 24th, 2010 with an important topic that we haven't covered in a while, compliance with PCI (Payment Card Industry) data security standards. If your company handles credit cards and cardholder data, you should be aware of these requirements.
We'll discuss the critical role that email security plays in PCI-DSS compliance. You'll also hear real-world examples of how Proofpoint customers use integrated email encryption and data loss prevention technologies to tackle a wide variety of compliance challenges, securely transmit sensitive data via email and improve the levels of service and convenience they deliver to their customers.
Find more details and register by visiting the link below:
The publishers of the always-informative online publication Bank Info Security are now tackling the healthcare industry with a new site called Healthcare Info Security. This site should be a great resource for HIPAA and HITECH compliance information and other technology issues that face the healthcare industry.
In one of the first articles posted to the site, Proofpoint customer Crystal Run Healthcare discusses how they solved their secure email issues and protect protected health information (PHI) in email.
In "Secure E-mail Cures Headaches," IT director Miguel Hernandez discusses how email encryption is used to secure communication between doctors and patients, share private information with business partners including accountants and lawyers, and help ensure HIPAA compliance.
"Considering the cost of secure email, as opposed to the cost of litigation over a HIPAA violation," says Hernandez, "it's certainly worth it."
The article is a good view into the real world issues that all types of healthcare organizations are facing vis-a-vis securing email. Several other Proofpoint resources related to email encryption, HIPAA compliance and the healthcare industry include the following whitepapers:
Dan Raywood at SC Magazine (UK) reports today that the UK's Information Commissioner's Office has been given the authority to levy fines for serious violations of the UK's Data Protection Act. As noted in the article:
As revealed by SC Magazine last year, there are plans to increase the punishing powers of the ICO and an announcement revealed that it will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and was laid before Parliament yesterday.
Information Commissioner Christopher Graham said: “Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details."
You can read full coverage over at SC Magazine UK here:
This new authority is part of a general trend these days for stepped up enforcement of data protection regulations worldwide (as just one example, see the enhancements enacted in the US to improve enforcement of HIPAA's healthcare privacy provisions).
I expect this legislation will increase interest in data loss prevention and encryption solutions among large enterprises in the UK. At Proofpoint, we've been responding to these trends by introducing solutions such as Proofpoint Encryption and by bundling that email encryption technology with our Proofpoint ENTERPRISE Privacy solution, making it more affordable for large organizations to protect sensitive content in email across the entire organization.
We held a web seminar yesterday titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" (you can view the replay of this HIPAA email webinar by following this link) where Rami Habal presented some great information on the new requirements enterprises face when protecting protected health information (PHI) in email. This was our most highly attended web seminar ever, with more than 1200 registered attendees.
During the question and answer session at the end of the presentation, I mentioned briefly that HIPAA may require some types of emails to be retained and that this argued for adopting email archiving solutions as well as email encryption/data loss prevention.
At the end of all our webinars, we conduct a survey that allows attendees to provide feedback. One of the webinar attendees chastised me gently in their survey response saying that my assertion was wrong and that HIPAA does not require organizations to retain email.
Was I wrong? Well, it's true that HIPAA does not specifically mandate that covered entities archive email. (Strictly speaking, it does not mandate encryption either: under the Security Rule, encrypting PHI in transit is an "addressable" implementation specification rather than a required one, although under the HITECH breach notification guidance only properly encrypted or destroyed PHI escapes the "unsecured" label and the notification duties that come with it.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the HIPAA regulations. It's my contention that, in some cases, this means certain emails must be retained.
While this paper has focused primarily on the requirements for protecting private healthcare information during email transmission, HIPAA covered entities are also required to retain a wide range of documentation regarding their compliance with the regulation. In general, documentation must be retained for six years from the date of its creation, or the date of last effect, whichever is later (though some states mandate longer retention periods).
Documentation that must be retained includes:
Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
Complaints: Documentation related to the handling of patient and/or HCO employee complaints
Training: Including processes for and content of workforce training.
An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proofpoint survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.
Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.
The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable. The full whitepaper has a bit more detail and, as always, I appreciate your comments as to whether I'm off base on this topic!
There's an interesting new article over at Law.com today that reports on findings from our Outbound Email and Data Loss Prevention in Today's Enterprise, 2009 report. In addition to some of the key findings (for example, that 38% of large US employers use staff to monitor outbound email to prevent data leaks) there's some good commentary from legal professionals.
In the article, New Hires to Monitor Outbound E-mail, employment attorney Anthony Oncidi of Proskauer Rose says, "It's almost impossible to keep up with what might be walking out of the door." He goes on to say that employers are smart to have an ongoing monitoring program that might include reading or analyzing the contents of outbound email.
Other employment attorneys gave a different opinion. Christopher Mills, partner at Fisher & Phillips notes that monitoring employee email can hurt morale and could give employers a bad public image, should an employee sue for invasion of privacy.
Of course, all of these issues are why Proofpoint advocates that organizations use technology to monitor outbound email and automatically block, encrypt or otherwise properly dispose of email that contains sensitive content (such as private financial, healthcare and identity information, trade secrets or other confidential info)... without having to resort to having employees read through other employees' outbound email!
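The automated approach described above, scanning outbound mail for regulated content and then blocking, encrypting or passing it rather than having staff read colleagues' email, is easy to sketch. The following is an added example written for this page, not Proofpoint's code: it parses an outbound RFC 822 message with Python's standard `email` module, looks for cardholder data (digit runs that pass the Luhn check, the same test a PCI-oriented policy would use) and US Social Security numbers, and returns a policy decision. The internal domain `example-bank.com`, the bulk threshold of 10 card numbers, and the four sample messages are assumptions constructed for illustration.

```python
"""Outbound e-mail content policy: detect regulated data, then BLOCK / ENCRYPT / ALLOW.

Added example, not Proofpoint's code. Internal domain, thresholds and the sample
messages below are assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed internal domain: mail staying inside it is treated as internal.
INTERNAL_DOMAINS = {"example-bank.com"}
# Assumed threshold: this many card numbers in one message looks like bulk exfiltration.
BULK_PAN_THRESHOLD = 10

# 13-19 digits with optional single space/hyphen separators; \b keeps longer digit runs out.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding areas 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (separators stripped) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def message_text(msg: Message) -> str:
    """Concatenate every text/* part of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def external_recipients(msg: Message) -> list:
    """Addresses in To/Cc whose domain is not one of ours."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def decide(raw_message: str):
    """Apply the policy to one outbound message; returns (action, findings)."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    pans, ssns, ext = find_pans(text), SSN_RE.findall(text), external_recipients(msg)
    findings = {"pans": len(pans), "ssns": len(ssns), "external_recipients": len(ext)}
    if len(pans) >= BULK_PAN_THRESHOLD:
        return "BLOCK", findings          # bulk cardholder data never leaves by plain e-mail
    if (pans or ssns) and ext:
        return "ENCRYPT", findings        # regulated data to an outsider goes out encrypted
    return "ALLOW", findings              # clean, or regulated data staying internal


# Constructed sample messages (not real data). 4111 1111 1111 1111 is a standard test PAN.
MSG_CARD_TO_CUSTOMER = """From: ops@example-bank.com
To: Pat Customer <pat@example.net>
Subject: Your card
Content-Type: text/plain; charset=utf-8

Your replacement card 4111 1111 1111 1111 ships tomorrow.
"""
MSG_INTERNAL_SSN = """From: hr@example-bank.com
To: payroll@example-bank.com
Subject: New hire

SSN 123-45-6789, start date Monday.
"""
MSG_BULK = ("From: temp@example-bank.com\nTo: me@personal.example\nSubject: backup\n\n"
            + "\n".join(f"cust{i} 4111111111111111" for i in range(12)) + "\n")
MSG_BENIGN = """From: a@example-bank.com
To: b@example.org
Subject: Invoice 20100312-1234567890

Order ref 1234567890123456 (not a card, fails Luhn), call 555-0100.
"""

if __name__ == "__main__":
    for name, raw in [("card->customer", MSG_CARD_TO_CUSTOMER), ("internal SSN", MSG_INTERNAL_SSN),
                      ("bulk", MSG_BULK), ("benign", MSG_BENIGN)]:
        print(name, *decide(raw))
```

The Luhn check is what keeps order numbers, invoice references and phone numbers from tripping the card-number rule, and the recipient check is what lets a payroll message with an SSN stay internal without being wrapped in encryption. A production policy would add attachment decoding, document fingerprints for trade secrets and a quarantine path for review, but the shape (classify content, consult recipients, choose block/encrypt/allow) is the same.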
Those of us in the United States are well aware of the ongoing debate over healthcare reform in our country, but that's not the only healthcare-related controversy going on in the world. The recent report on unprofessional postings to online services and social media sites by medical students (see my previous blog post here), while focused on US medical schools, drew quite a bit of attention in the UK, where outlets such as the BBC reported the story.
In the BBC story, a spokesperson for the British Medical Association is quoted as saying:
"Patient confidentiality is paramount and medical students and doctors obviously need to be very careful about any information they post online."
Now, SC Magazine UK has picked up on the story, noting in an interview with David Stanley, Proofpoint's managing director in EMEA that "there is a need for formal policies to be introduced that are similar to the Health Insurance Portability and Accountability Act (HIPAA) in the US."
David says that while there is no healthcare-specific privacy law in the UK, "formal policies need to be introduced and those involved need to be educated, with serious repercussions to all who fall foul of the rules."
In a press release issued this week (August 19, 2009), the Department of Health and Human Services announced the HIPAA breach notification rule required by the HITECH Act (issued as an interim final rule). In short, healthcare providers, health plans and other covered entities must promptly notify individuals when their unsecured protected health information is breached, and business associates of covered entities must notify the covered entity.
In addition, the HHS Secretary must be notified without unreasonable delay when a breach affects 500 or more individuals, and prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction. Breaches that affect fewer than 500 individuals must be logged and reported to the Secretary annually.
In the HHS statement, Robinsue Frohboese (acting director and principal deputy director of the HHS Office of Civil Rights) said, "This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."
"Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information – that is, the information is not considered “unsecured” in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals."
Proofpoint's own research has shown that email remains the #1 source of data breaches in large enterprises and that 34% of large US companies investigated an email-based violation of privacy or data protection regulations in the past 12 months. As the new notification rules take effect, it's likely we'll be hearing about many more healthcare privacy breaches than have been reported in the past.