Keeping secrets

Vendors are rushing products to market that monitor and enforce compliance with privacy regulations

As the information systems security manager at Community Health Network in Indianapolis, a major part of David McLain's job is to ensure that employees are adhering to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

That means making sure that protected patient health information isn't transmitted in a noncompliant manner within or outside of the hospital system's networks.

To monitor, audit and enforce compliance, McLain uses an automated tool called VIEW for Privacy Protection, a content monitoring product from Vericept Corp. in Englewood, Colo. VIEW, which stands for Vericept Intelligent Early Warning, uses hardware devices to sniff out and document e-mail, instant messages, chat sessions and peer-to-peer or file-sharing sessions that violate privacy rules on Community Health's networks. For instance, all communication of unencrypted patient information, such as account numbers, medical information or payment history, is automatically flagged and stored for later review and action.

Such automated capabilities are crucial to Community Health's ability to stay on top of its HIPAA obligations. "Without a product like this, we wouldn't have been able to see what was going on in our networks," McLain says.

Regulatory Push

VIEW is one of a growing number of products that are being offered up as automated tools for monitoring and auditing privacy compliance.

Vendors of such products hope to tap into concerns about liability issues, such as the need to comply with a growing number of privacy regulations, says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.

Some of the privacy regulations are industry-specific, such as HIPAA's mandates for health care organizations and the Gramm-Leach-Bliley Act's requirements for financial services companies. But others cut across industries, including Europe's data privacy regulations and California's Security Breach Notification Act, which requires companies to inform customers of security breaches that compromise some types of personal data.

"Privacy is no longer just about the right way of doing things; it is also the legal way of doing things," says Michelle Boggess, electronic data security coordinator at Baptist Health Care's compliance office in Pensacola, Fla.

Many vendors have responded with compliance monitoring and enforcement products. "Everyone in the security space wants to take some credit for addressing privacy issues," Lindstrom says.

It's important to remember, however, that most of the tools are still evolving and remain largely untested in enterprise environments, says Roger Brown, an IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa. Organizations need to first have good processes and policies in place for such tools to be effective, he says.

But implemented properly, such automated tools can deliver far better efficiencies than manual compliance checks, which are "destined for failure," Lindstrom says.

The Pure Plays

Most tools fall into one of two categories: products developed specifically to address privacy compliance; and repurposed products, such as spam-filtering software, that now focus on privacy issues.

Several vendors offer tools with privacy compliance as the core function.

IBM's Tivoli Privacy Manager for e-business technology is one example. The product, which works with AIX, Solaris and Windows 2000 systems, is designed to monitor and enforce compliance at the transaction and application levels, says product manager Steve Adler.

A company can use Tivoli Privacy Manager to convert a written privacy policy into digital form and use those policies to control the manner in which applications and users access sensitive data. It gives companies a way to centrally create, edit, manage and audit policies that dictate which sensitive information is accessed, by whom it is accessed, the purpose for which it is accessed, and how it is shared, stored and eventually destroyed, Adler says.

Other examples of privacy-specific products include WebXM software from Watchfire Corp., Vontu Protect from Vontu Inc. and Liquid Machines from Liquid Machines Inc.

Waltham, Mass.-based Watchfire is selling its privacy tool as a component of a wider Web site management and quality assurance tool. WebXM can be used to scan Web sites for information collection practices, links to privacy policies, user-tracking practices and Web page security practices that affect privacy.

San Francisco-based Vontu's product, meanwhile, is targeted at insider threats and allows companies to monitor their networks for transmission of confidential customer or employee information, says Doug Camplejohn, a company vice president.

Lexington, Mass.-based Liquid Machines' product is aimed at helping companies protect sensitive documents and data by controlling who gets access as well as where, when and how access is granted, according to CEO Jim Schoonmaker.

The Converts

Ottawa-based Coast Software Inc. is one vendor that has repurposed its product for privacy compliance. Coast's Web Quality Central software, originally developed as a quality testing tool for Web sites, is now marketed as a tool for monitoring privacy compliance.

Go Jobs Inc., a Newport Beach, Calif.-based online job-posting site, uses Coast's Web Quality Central to monitor Web site content and functions. The software periodically scans Go Jobs' 50,000 Web pages, searching for privacy issues such as pages missing a P3P privacy policy, pages with links containing personal information and pages with potentially dangerous data leaks.

The reports generated give Go Jobs a detailed overview of the company's privacy compliance, as well as Web site accessibility and operational security standards, says Jonathan Duarte, president of the online job board.

"Privacy is a primary concern for us," Duarte says. With about 7,000 visitors to the site daily, any compromise of personal information "could put us in a world of financial hurt. Coast's software is our insurance policy," he says.

Likewise, Alpharetta, Ga.-based CipherTrust Inc. is repositioning its IronMail antispam and antivirus product as a tool for controlling the use of encrypted e-mail at companies in industries affected by HIPAA or Gramm-Leach-Bliley.

Baptist Health is using IronMail's policy manager to scan each incoming and outgoing message on the hospital system's networks for specific words, phrases or attachments. It can intercept and hold any e-mail containing protected patient information. Administrators can then let the message pass through to the recipient or block it.
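The content-monitoring behaviour described for VIEW and IronMail above (scan each message for identifiers, phrases or attachments, let encrypted mail pass, hold anything that matches for an administrator) can be illustrated with a small policy scanner. The following is an added example written for this article, not code from Vericept, CipherTrust or any other vendor named here. The rule patterns, the "MRN-" identifier format, the held attachment types, the addresses and the sample messages are all constructed assumptions for illustration.

```python
"""Policy-based e-mail content scanner in the style of the tools described above.

Added example, not code from any vendor named in the article. Every pattern,
file-type rule, address and message below is constructed for illustration;
the MRN identifier format is an assumption, not any real hospital's."""
import re
from dataclasses import dataclass, field
from email import message_from_string, policy
from email.message import EmailMessage

# Hypothetical rule set: what this policy treats as protected patient information.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b", re.IGNORECASE),  # assumed identifier format
    "phrase": re.compile(r"\b(diagnosis|payment history|account number)\b", re.IGNORECASE),
}
# Bulk data exports are held for review regardless of body text (assumption).
HELD_ATTACHMENT_SUFFIXES = (".csv", ".xls")
# Encrypted containers cannot be inspected; the policy passes them and records that fact.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted", "multipart/encrypted"}


@dataclass
class Verdict:
    action: str                                 # "deliver" or "hold"
    hits: list = field(default_factory=list)    # audit trail: rule name plus redacted match


def redact(value: str) -> str:
    """Keep only the last two characters so the audit log does not itself leak the identifier."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def scan_message(raw: str) -> Verdict:
    """Classify one RFC 822 message: hold it for an administrator if any rule matches."""
    msg = message_from_string(raw, policy=policy.default)
    if any(p.get_content_type() in ENCRYPTED_TYPES for p in msg.walk()):
        return Verdict("deliver", ["encrypted: body not inspected"])
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(HELD_ATTACHMENT_SUFFIXES):
            hits.append(f"attachment:{filename}")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for name, pattern in RULES.items():
                for m in pattern.finditer(text):
                    found = m.group(0)
                    # Identifiers are redacted in the log; policy phrases are kept verbatim.
                    hits.append(f"{name}:{found.lower() if name == 'phrase' else redact(found)}")
    return Verdict("hold" if hits else "deliver", hits)


def build_message(body, attachment=None, content_type=None):
    """Construct a sample message (constructed test data, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "nurse@hospital.example"
    msg["To"] = "friend@outside.example"
    msg["Subject"] = "test"
    if content_type:
        maintype, subtype = content_type.split("/")
        msg.set_content(body.encode(), maintype=maintype, subtype=subtype)
    else:
        msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="text", subtype="csv", filename=name)
    return msg.as_string()


# Constructed samples: one benign note, one with identifiers in the body,
# one carrying a bulk export, and one opaque S/MIME container.
SAMPLES = {
    "benign": build_message("Lunch moved to 1pm, see you there."),
    "phi_in_body": build_message("Patient MRN-00012345, account number 4412, payment history below."),
    "export": build_message("Here is the list you asked for.", attachment=("patients.csv", b"mrn,name\n")),
    "smime": build_message("MIIB...opaque...", content_type="application/pkcs7-mime"),
}


def run_samples():
    """Scan every sample and return its verdict, keyed by sample name."""
    return {name: scan_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict.action:8} {verdict.hits}")
```

The scanner deliberately records redacted identifiers rather than the raw values, since a review queue that stores every flagged account number becomes a second copy of the data the policy exists to protect. It also makes the encryption blind spot explicit: an opaque S/MIME body is passed with a note, which is the trade-off the article describes when such tools are paired with enforced encryption rather than used on their own.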

"IronMail has helped us to identify users in the hospital who are relaying patient information to people outside of the corporation [without adequate safeguards]. Before, we didn't have a way to grab that information," says Boggess.

Vendors of content protection software such as Waltham, Mass.-based Authentica Inc., Boston-based SealedMedia Inc., and Palo Alto, Calif.-based PSS Systems Inc. are also rushing privacy compliance products to market, says Joshua Duhl, an analyst at Framingham, Mass.-based IDC.

Such products focus on postdelivery protection of documents and Web content via encryption and the enforcement of policies related to how the data is to be accessed, stored, copied or printed.

"Compliance is probably the best opportunity that these vendors have had to provide value with their products," Duhl says. "All of the digital rights management vendors have some sort of story around compliance, whether it be the fact that they are doing encryption of the data or making sure there is no leakage of information."

Copyright © 2003 IDG Communications, Inc.
