Hospital Immunizes Against Data Breaches While Improving Patient Care

The sensitive information stored by medical service providers can be even more valuable to hackers than financial data and, if leaked, cause more harm than just an empty bank account. With information like patient personal data, physician credentials, and Drug Enforcement Agency license numbers, hackers can create fake identities, pose as a medical professional online, or even file fraudulent insurance claims.

For breached organizations, the impact is much greater than an already critical loss of patient and community trust. In addition to regulatory fines, add the costs of customer notification, identity protection, customer help lines, and in-depth incident forensics—and the total financial impact can slam the brakes on operations and growth.

The best of intentions can endanger sensitive information

At Magnolia Regional Health Center (MRHC), a 200-bed acute care facility, IT Security Manager Bill Chelmowski says that his colleagues are dedicated to serving their patients and the surrounding community. “People in healthcare are generally in the business to help people, and they want to be as accommodating as they can to patients and visitors,” he said. But that helpfulness can be exploited by hackers and other bad actors seeking financial gain.

Some of the most dangerous vulnerability points in any environment exist at the interaction points between humans and data. While advanced technologies can predict system behavior, humans remain, to a certain degree, the wild card. “Every social engineering person I’ve talked with says that they may not get past the technology, but they can get past the people. And to me, that’s alarming,” said Chelmowski.

Maintaining data health with a holistic, human-centric solution

With web browsing and email communications such integral parts of users’ daily work, MRHC knew it needed a cybersecurity solution that could address human vulnerability without impacting the ability to provide care for its patients. That’s why Forcepoint’s robust, flexible approach to security would turn out to be just the right fit.

To meet the need for a customizable solution to safeguard its users, data, and environments, Forcepoint and MRHC developed a solution that unified web and email protection with data loss prevention to block malware, risky content, spam, and phishing attempts, while increasing data visibility as it moves on and off the network. This suite of products is highly customizable; policies can be fine-tuned to work most effectively for the organization—protecting users without getting in the way of patient care and legitimate business, and finding opportunities to educate them on proper security practices.

Blocking spam to boost productivity

One of MRHC’s most powerful results with Forcepoint Email Security is the sheer amount of spam blocked before it ever reaches its intended destination. 87% of all email, Chelmowski says, is blocked as spam before it can enter users’ mailboxes, saving staff valuable time—even just the time it takes to delete irrelevant emails has made a difference in productivity. And labeling emails from outside the organizations with “External” helps to combat spoofing and phishing attacks. Attempts to spoof a high-level executive in an organization can be thwarted when it’s obvious that an email has come from off the network.

The MRHC security team further customized the Email Security solution to block mail from all foreign servers. Because external email originating outside the U.S. is extremely rare for the rural Mississippi hospital, this was an easy way to eliminate potential problems even earlier. “A few months back, there was a lot of talk about a particular strain of malware that was being propagated with emails originating from Russian servers. Because we block email from foreign domains, they never made it into our organization,” he said.

Customized and seamlessly integrated for comprehensive protection that keeps business moving

Customization is a big advantage of Forcepoint Web Security. The MRHC team uses categorization to block sites with high instances of malware (e.g., shopping sites). But if a specific shopping site is needed as a legitimate part of the organization’s work, the team can reclassify it to make it accessible without unlocking the whole category. Chelmowski sees this as a good learning opportunity as well—when users attempt to visit blocked sites, they are alerted as to the category of site to help them self-regulate their browsing activities for the future.

Forcepoint DLP ties into both the email and web products to provide an extra layer of data protection. The security team receives an alert if protected information is identified as being entered into an unsecured website. “We’ve found some pretty amazing things, like some big-name companies that were having sensitive patient information entered into an unencrypted website. So, we were able to work with other organizations and alert them that this was going on, and they were able to get it resolved,” said Chelmowski.

For email, DLP ensures that any sensitive information sent via email is encrypted. Though MRHC has a third-party encryption tool, there have been several instances in which Forcepoint DLP identified unencrypted sensitive information slipping through the cracks. This information was then used to further fine-tune the separate encryption tool to make it more effective.

Building a team of security-aware professionals and maintaining peace of mind

Informing users of why a website was blocked, correcting processes around confidential information, and providing additional information about an email’s origin all serve as opportunities for employee education, which Chelmowski and his team know is critically important. And the results of annual security tests are showing progress. “We bring an assessor on site and one of the things they do is try to gain access to sensitive areas. Year after year, as we educate our users, it gets harder [for assessors to compromise users].” Not only is the solution working— it is facilitating and empowering better education of users along the way

But, Chelmowski says, the real measure of value is the solution’s quiet efficacy. “I think this is largely one of those products that sort of sits behind the scenes, and people don’t really appreciate all that it’s doing. We don’t hear a lot about it, which tells us that it’s doing a good job.”