Editor's note: Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.
When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.
"Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says.
But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.)
The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personally identifiable information, intellectual property and proprietary processes.
Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. The taps fed two servers running Websense software, which monitored unencrypted traffic only; anything already encrypted in transit was invisible to the audit. The captured traffic was then analyzed against company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), the Health Insurance Portability and Accountability Act (HIPAA), and Securities and Exchange Commission and Sarbanes-Oxley regulations.
Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk profile.
That said, Spinosa was shocked at what he found -- more than 700 leaks of critical information, such as Social Security numbers, pricing, financial information and other sensitive data in violation of the Payment Card Industry's standards. He also found serious lapses – more than 4,000 – that ran counter to HIPAA and Defense Department Information Assurance Certification rules.
And although the firm technically does not fall under HIPAA because a third party handles all patient information, the IT director says the firm hopes to eventually bring some of that function in-house and should be prepared. In addition, Spinosa says companies that don't fall under HIPAA should still audit against HIPAA guidelines because of the potential leakage of sensitive employee data.
Incredibly, the audit uncovered more than 1,000 cases of passwords being sent in the clear, for example logins to personal, Web-based e-mail accounts. Spinosa calls this troublesome because employees often reuse the same password across multiple systems, so a password captured from a personal webmail login may also open a corporate application. "This can leave your internal applications very vulnerable," he says.
Here are some of the worst leaks uncovered in the audit:
Leak No. 1: Confidential zip file
An employee sent an unencrypted e-mail with a .zip attachment that contained documents clearly marked "Confidential." The recipient had signed a confidential disclosure agreement, which should itself have been the red flag that all correspondence with that party must be encrypted.
Worst case scenario: The e-mail could have been intercepted and read by a third party. Because of the sensitive nature of the attachment's contents, this also constitutes a potential HIPAA violation.
Leak No. 2: Confidential attachment
An employee sent an e-mail to an outside vendor with an attachment marked "Confidential" that discusses the rights and compensation of a patient participating in a clinical trial.
Worst case scenario: The e-mail exposes details about an unfinished confidential document and the information could prove embarrassing for the company.
Leak No. 3: Clinical study
An employee attached an almost finished clinical study report to an unencrypted message sent to an outside vendor.
Worst case scenario: Could have exposed results of the clinical study earlier than the company intended.
Leak No. 4: Sensitive spreadsheet
An employee sent sensitive employee compensation data to an outside survey company. The attached spreadsheet included salary, bonuses, sales quota, stock options, granted share price and other information.
Worst case scenario: In direct violation of Massachusetts Privacy laws and an exposure of this information could lead to competitive and public relations nightmares.
So it was quite an uncomfortable scene as the IT director, his CIO and risk manager, and other members of the IT team listened intently while Networks Unlimited presented its findings.
"The biggest thing for us is safeguarding our intellectual property, including patents. Breaches in this industry can result in not just serious fines, but also bad public relations so we have to protect ourselves," the IT director said.
While the CIO found these examples unsettling, he says the fact that they all happened within a six-hour span was inexcusable. "We thought we were in good shape. We had done internal and external audits in preparation for the Massachusetts Privacy Laws, we did extensive penetration testing, we have security tools such as intrusion detection and prevention and laptop encryption in place, and we do employee training. This just goes to show you can do all that and it's just not enough," he says.
How to respond
Spinosa recommends that the pharmaceutical team take a two-pronged approach and revisit their business processes and technology fortification. "Right now, the way they are handling confidential information is putting them at risk to incur legal, regulatory, and business partner repercussions," he says.
But he adds that all of the events he found are easily preventable. He advises companies not to rely on users or business partners to do the right thing. Instead, encryption should be automated. For instance, the company should extend its use of Transport Layer Security (TLS), which it already uses to secure its communications with the FDA, to the transmission of sensitive documents to other business partners.
In addition, the company should deploy a secure e-mail product that automatically detects and encrypts messages containing confidential information, such as patents and clinical trial results. Spinosa says these products also alert senders, including business partners, who try to send confidential information unencrypted.
Most importantly, organizations should perform regular audits on their networks to ensure that policies are being enforced.
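The audit's tap-and-inspect approach and the auto-encrypting mail gateway Spinosa recommends both come down to the same mechanism: a policy engine that opens every outbound message, including inside .zip attachments, and decides whether it may leave in the clear. The following is an added illustration of that mechanism and is not code from the article, from Networks Unlimited or from any product mentioned. The policy rules, the internal domain example-pharma.test, the size limit and the sample message are all constructed for the example; a real deployment would tune the rules to the company's own risk profile, as Spinosa suggests.

```python
"""
Added example: a minimal outbound e-mail policy check of the kind an
auto-encrypting gateway or a DLP tap performs. Not from the article.
Every name, pattern and sample below is constructed for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy: rule name -> pattern. The SSN rule requires dashes
# and rejects invalid area/group/serial values to keep false positives low.
RULES = {
    "confidential-marking": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}
# Hypothetical domains whose mail already travels over enforced TLS.
INTERNAL_DOMAINS = {"example-pharma.test"}
MAX_ZIP_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge members (zip bombs)
MAX_ZIP_DEPTH = 2                       # refuse to recurse forever into nested zips


def _scan_text(text: str, where: str, hits: list) -> None:
    """Record every rule that matches this piece of text."""
    for name, rx in RULES.items():
        if rx.search(text):
            hits.append((name, where))


def _scan_blob(data: bytes, where: str, hits: list, depth: int = 0) -> None:
    """Scan a byte blob; if it is a zip, scan each member within bounds."""
    if depth <= MAX_ZIP_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{where}/{info.filename}"
                if info.file_size > MAX_ZIP_MEMBER_BYTES:
                    # Unscannable content must not pass silently.
                    hits.append(("unscannable-attachment", member))
                    continue
                _scan_blob(zf.read(info), member, hits, depth + 1)
        return
    _scan_text(data.decode("utf-8", errors="replace"), where, hits)


def recipients(msg) -> list:
    """All To/Cc/Bcc addresses as plain strings."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses([str(v) for v in msg.get_all(header, [])]):
            if addr:
                addrs.append(addr)
    return addrs


def scan_message(raw: bytes) -> dict:
    """Return the gateway verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    _scan_text(str(msg.get("Subject", "")), "subject", hits)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        where = filename or part.get_content_type()
        if filename or part.get_content_maintype() != "text":
            _scan_blob(payload, where, hits)
        else:
            charset = part.get_content_charset() or "utf-8"
            _scan_text(payload.decode(charset, errors="replace"), where, hits)
    external = [a for a in recipients(msg)
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    action = "deliver"
    if hits and external:
        # Confidential markings force encryption; regulated identifiers and
        # credentials are blocked outright pending review.
        action = "encrypt"
        if any(name in ("ssn", "credential", "unscannable-attachment") for name, _ in hits):
            action = "block"
    return {"action": action, "hits": hits, "external": external}


def build_sample(to: str = "vendor@partner.test") -> bytes:
    """Constructed message mirroring the audit's 'confidential zip' leak."""
    doc = b"Draft term sheet\nCONFIDENTIAL - do not distribute\nSSN on file: 123-45-6789\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("termsheet.txt", doc)
    msg = EmailMessage()
    msg["From"] = "analyst@example-pharma.test"
    msg["To"] = to
    msg["Subject"] = "Docs as discussed"
    msg.set_content("Attached as requested.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The two design points worth carrying into a real deployment are that the scanner opens archives rather than trusting the outer content type, and that anything it cannot inspect (an oversize or too deeply nested member, and by extension a password-protected archive) is treated as a finding rather than waved through. The same check, run over traffic captured at a tap as in the audit, turns into a reporting rule instead of an enforcement rule.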
Hand-in-hand with automation, Spinosa recommends user and business partner education. Companies should train users at regular intervals on the impact of sensitive data leaks. They should also explain what types of information are considered confidential. The emergence of new regulations such as the upcoming Massachusetts Privacy Laws provides an opportunity to educate users about all relevant regulations.
Finally, companies should only do business with companies that understand how to exchange information securely.
The pharmaceutical company's CIO agrees that he needs to enact all of these suggestions and even says he has most of the encryption technology in place and ready to go. But without buy-in from senior executives, such as the COO, CFO and chief medical officer, he says none of it will work.
Therefore, his first task is to do a deeper audit with more fine-grained search terms to eliminate potential false positives and present those findings to the executive team. "If I can educate the executive team and show them the risk, that will make my job much easier," he says.
Gittlen is a freelance technology editor in the Boston area.