Only a few short weeks ago the World Health Organisation declared COVID-19 a pandemic. It has had an enormous impact on people’s lives, families and communities. The healthcare sector is right on the front line, battling to overcome the virus and protect patients’ lives. At such times things are anything but “business as usual”. It can be difficult to focus beyond the immediate requirements of supporting patient-facing workers and the research teams developing tests, treatments and vaccines. However, data protection still matters: patient information, essential research and the systems that hold them must be kept safe and operational.
The DCMS report, “Cyber Security Breaches Survey 2019”, highlighted that 67% of UK healthcare organisations had experienced some kind of cybersecurity incident. The introduction of the EU GDPR back in May 2018 means that these organisations are taking measures to secure their data or face being fined up to €20 million, or 4% of their global turnover.
As with anything, the monetary loss of a data breach is only the tip of the iceberg. A fine for a breach of regulatory compliance is often followed by a hugely damaged reputation – as patients ask if their identities have been stolen. There is also the potentially crippling loss of revenue-making IP and trade secrets.
Unlocking the Value of Data
The threat of data loss from outside the organisation is significant. However, many data breaches come not from cybercriminals or state-sponsored actors, but from the inadvertent actions of employees themselves. Data protection is not the primary focus of the majority of healthcare sector employees, nor should it be when they are trying to focus on life-saving care or research. What they need is support to keep data safe.
Data classification offers an increasingly elegant way to mitigate unintended data leakage. It can also aid compliance with regulations such as GDPR, HIPAA, CCPA and more.
Not only this, but data classification also extends the value and efficacy of your wider data security and governance ecosystem. It adds new levels of intelligence to data loss prevention and data archiving solutions. All of this drives greater levels of return across data protection investments.
Data classification allows data security controls, rules and policies to be more easily and consistently enforced. It’s the process of applying clear, consistent electronic markings to any type of file or document (for example ‘commercial in confidence’, ‘internal only’ and ‘public’), then allowing it to be saved or sent only in accordance with that marking. It takes the burden away from employees, so they can focus on their core role, and gives greater control and assurance to the organisation.
It’s simple, unobtrusive and builds a culture of security awareness that doesn’t just protect your people; it enhances productivity and improves business performance.
There are five steps we look at when implementing effective data protection:
Step 1: Identify Your Crown Jewels
Using data classification to secure data assets is sometimes referred to as “locking up the crown jewels”. But data security neither starts nor ends with the act of controlling access to information. A security policy should not be limited to protecting only the most valuable data. Any information can damage the business if it’s lost or leaked.
First, you need to build a strong foundation of knowledge around your data, to understand precisely what you hold and the potential risks to its security. This process begins with identifying the types of data that are of greatest importance to the business. It enables you to pinpoint where you need to focus protection and controls.
To determine the value of a piece of information – and the risks to be managed – think about the impact if it was leaked or lost. Would it harm the organisation, for example, by damaging the brand, incurring a fine from the regulators (for breaching the EU GDPR, for example) or eroding competitive advantage? If it got into the public domain, would it expose patients, partners or suppliers? Would it put an employee’s security or privacy at risk? Would you be breaching a contract?
Once you’ve defined the data that is most at risk, you can start to find out where your sensitive data is located.
Step 2: Discover Before You Defend
Classifying data according to its value or sensitivity allows organisations to reduce the risk of security breaches. It enables the appropriate protections to be implemented and consistently enforced. Having identified your ‘crown jewels’, and other data that needs safeguarding, carry out a discovery exercise. It will show exactly what you’ve got, where it is and who might have access to it.
Unknown data makes you vulnerable to attack. The best thought-out security policy is ineffective if you’re not sure what you hold and, therefore, what controls you need to put on it. Data governance, compliance with regulations such as the GDPR and HIPAA and, just as importantly, demonstrating said compliance are also impossible when you don’t know where key documents reside and who has access to them. A discovery exercise will give you visibility of your data and how it’s being accessed and used. It enables the protection strategy and solutions to be built around the types of data you have.
Data discovery tools and software provide an efficient and accurate way to find assets you can then classify. They examine file stores and databases, scanning for certain types of information, keywords, criteria and metadata. This enables you to see what your data is, where it is located, and who has access. Once you’ve defined the data within your organisation, you’ll be able to home in on the most valuable and confidential information and make accurate decisions about how it should be handled, and who is allowed to access which files.
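The keyword and pattern scan a discovery tool performs, as an added example (not Boldon James’s software or code from this article): it searches constructed sample file contents for the markings the article quotes and for payment card numbers, using a Luhn check to drop look-alike reference numbers, and suggests a label for Step 3. The sample documents, the keyword-to-label mapping and the label ranking are assumptions.

```python
import re

# Constructed sample documents for this example (not real files or data).
SAMPLE_FILES = {
    "budget_q2.txt": "Quarterly budget. Card on file: 4539 1488 0343 6467. Commercial in confidence.",
    "canteen_menu.txt": "Monday: soup. Tuesday: pasta. Reference number 1234 5678 9012 3456.",
    "trial_notes.txt": "Patient cohort summary, for internal only distribution.",
}

# Markings the article gives as examples, mapped to the label they imply (assumed mapping).
KEYWORD_LABELS = {
    "commercial in confidence": "Confidential",
    "internal only": "Internal",
    "public": "Public",
}
LABEL_RANK = {"Unclassified": 0, "Public": 1, "Internal": 2, "Confidential": 3}
# 13-19 digits, optionally separated by spaces or hyphens, as card numbers are printed.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out reference numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return the findings in one document and the label they suggest."""
    findings, suggested = [], "Unclassified"
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("payment card number")
            suggested = "Confidential"
    lowered = text.lower()
    for phrase, label in KEYWORD_LABELS.items():
        if phrase in lowered:
            findings.append(f"marking '{phrase}'")
            if LABEL_RANK[label] > LABEL_RANK[suggested]:
                suggested = label
    return {"suggested_label": suggested, "findings": findings}


def discover(files: dict) -> dict:
    # Run the scan over every file store entry; the result feeds the classification step.
    return {name: scan_text(text) for name, text in files.items()}
```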
Step 3: Classify Your Data
A corporate data security policy that sets out how valuable information should be handled will be ineffective unless it’s consistently and accurately enforced. Organisations often have a written policy that’s available on their company intranet and handed to new starters. In practice, however, employees are rarely sure how to apply it to their daily activities.
The security policy needs to be made actionable, and the best way of doing this is with the classification of data. This is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and also embedded into the metadata of the file. When the classification is applied in association with downstream security solutions, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label.
Step 4: Secure Your Data
Data that is classified according to its sensitivity instantly has a layer of protection surrounding it. The next task is to put in place the higher-grade controls. These come in the form of enterprise security and information management solutions that will safeguard data when it’s accessed or used later. By classifying first, you have added the ‘magic ingredient’ that makes these solutions more effective: the metadata sitting in the properties of each document, message or file.
The embedding of the label as metadata supports the consistent enforcement of data security policies. The labels direct the actions of downstream solutions, triggering automatic rules that correspond to the label the data has been given. It means the technology makes more accurate ‘decisions’, reducing the false positives that slow business down and minimising the risk of data being exposed because it isn’t recognised as sensitive. It also supports governance, compliance and data management efficiencies.
What solutions are available?
Solutions that become more effective when combined with data classification include:
Data Loss Prevention (DLP): Shields the business against intentional and accidental data loss. For example, blocking employees from uploading a file marked ‘Confidential’ to Dropbox, or stopping a file containing credit card numbers from being emailed to a third party.
Email Gateways: These automatically encrypt any file marked ‘Confidential’.
Discovery Tools: Enabling employees to rapidly locate information and instantly understand how it can be used.
Security Information and Event Management (SIEM) Tools: These pick up on potentially risky user behaviour before a breach occurs. They flag up, for example, if someone keeps copying sensitive documents to a storage device. This allows concerns to be addressed through training or strengthening of policy.
Search and Retrieval Tools: Making it easier to keep an audit trail and quickly find documents needed to prove compliance with industry standards, or to meet information requests from regulators.
Access Control Tools: These use classification labels to dictate who can access a file in a shared area.
Data Governance Tools: The label enables these tools to keep a detailed audit trail of who is accessing sensitive information and who might be violating policy through risky behaviour or activities. It also supports the demonstration of compliance.
Data Retention: When you’ve marked what’s valuable, you can more clearly see what isn’t important or needed, and therefore what can be archived or deleted. Retention rules can also be set for different levels of importance. For instance, ‘keep this type of file for ten years’ or ‘expire after six months’, perhaps for files which should not be held for legal reasons.
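The label-driven enforcement described in Steps 3 and 4 (a label embedded as metadata, then read by downstream DLP and e-mail gateway rules), as an added example rather than any product’s code: a mail gateway reads a classification header and decides whether outbound mail is allowed, encrypted, blocked or quarantined. The header name, the internal domain and the sample messages are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domain; anything else is "external".
INTERNAL_DOMAINS = {"hospital.example"}
# Assumption: the classification label travels in an X-Classification header,
# the e-mail equivalent of the metadata embedded in a document's properties.
LABEL_HEADER = "X-Classification"
# What the gateway does with mail leaving the organisation, per label, following the
# article's rules: encrypt Confidential, keep Internal inside, let Public go.
EXTERNAL_ACTION = {"Confidential": "encrypt", "Internal": "block", "Public": "allow"}


def external_recipients(msg) -> list:
    """Addresses in To/Cc whose domain is not one of ours."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def gateway_decision(raw_message: str) -> str:
    """Return 'allow', 'encrypt', 'block' or 'quarantine' for one outbound message."""
    msg = message_from_string(raw_message)
    if not external_recipients(msg):
        return "allow"                      # stays inside: the label is not needed to decide
    label = msg.get(LABEL_HEADER)
    if label is None:
        return "quarantine"                 # unlabelled data leaving: fail closed for review
    return EXTERNAL_ACTION.get(label, "quarantine")  # an unknown label is treated the same


# Constructed sample messages for this example (not real mail).
CONFIDENTIAL_TO_PARTNER = (
    "From: clinician@hospital.example\nTo: partner@supplier.example\n"
    "X-Classification: Confidential\nSubject: Trial summary\n\nAttached.\n"
)
INTERNAL_TO_STAFF = (
    "From: clinician@hospital.example\nTo: Ward Lead <lead@hospital.example>\n"
    "X-Classification: Internal\nSubject: Rota\n\nSee below.\n"
)
INTERNAL_LEAKING_OUT = (
    "From: clinician@hospital.example\nTo: lead@hospital.example\nCc: friend@webmail.example\n"
    "X-Classification: Internal\nSubject: Rota\n\nFwd.\n"
)
UNLABELLED_OUT = (
    "From: clinician@hospital.example\nTo: press@news.example\nSubject: Statement\n\nDraft.\n"
)
```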
Step 5: Measure and Evolve
If you have followed the first four steps, Identify, Discover, Classify and Secure, you’ll have successfully secured the organisation’s valuable and confidential information by using data classification and downstream toolsets to enforce the security policy. The job is not yet complete. There is more to do.
Legislation, threats (external and internal) and the business itself will continuously evolve. Demands from regulators and the board for better governance will also intensify. Ongoing measurement of the effectiveness of your security policy is the only way to check that the controls you’ve put in place remain fit for purpose.
Monitoring activity is a powerful way of doing this. Monitoring and reporting tools track how data is being accessed, used and classified. They provide visibility to the business via structured audit data and analytics, improving the chances that a breach will be quickly detected. This helps the business to comply with the notification periods required by regulators, as well as to minimise damage.
The use of real-time monitoring of how people use classification tools will allow any behaviour that deviates from ‘normal activity’ to be identified and addressed before a breach occurs. It can include flagging up a user who repeatedly mislabels documents, and therefore might represent an insider threat. The clear audit trail of activity also enables compliance with legislation to be measured and demonstrated to government and industry regulators. Many of these have strict auditing and reporting requirements.
Ongoing monitoring builds an organisation-wide picture of how effective the security policy is. It is a picture which can be shared with the board, along with an understanding of how to improve it.
In a time of crisis, data protection is far from employees’ minds
Effective data classification and monitoring of an organisation’s data security posture comes into its own in times of crisis. This is when, for many employees, data protection is the last thing on their minds. It provides the assurance that organisations, such as those in the healthcare sector, need to operate under pressure and do the critical job they need to accomplish while keeping vital data secure.
Boldon James is an industry specialist in data classification and secure messaging, delivering globally-recognised innovation, service excellence and technology solutions that work. Part of the QinetiQ group, a major UK plc and FTSE 250 company, we integrate with powerful data security and governance ecosystems to enable customers to effectively manage data, streamline operations and proactively respond to regulatory change. We’re a safe pair of hands, with a 30-year heritage of delivering for the world’s leading commercial organisations, systems integrators, defence forces and governments.