Protecting Customer—and Company—Data
By Robert Mann
Westminster Canterbury Richmond (WCR) is a high-end continuing-care retirement community in Richmond, Va., designed for older adults who are able-bodied, active and involved. It is home to about 900 residents, and 750 employees work there.
The community has been growing, and as it expanded, WCR’s commitment to securing its customer information became paramount. For IT, that meant taking a number of steps to protect not only the information of its residents—which includes financial data and health care records—but also the company’s proprietary information, for competitive reasons.
For an organization such as WCR, whose residents put high value on privacy, a leak of internal data, or worse, of resident information, could cause irreparable harm to its brand and image. Beyond that, the federal Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of individuals’ identifiable health information. No one at WCR wanted to take the risk that any of our information would end up in the public domain.
The IT department took a number of steps to protect WCR’s data. These included encrypting all office laptops with PGP Whole Disk Encryption (now Symantec); using our Fortinet FortiGate Firewall to prevent data leaks; protecting Social Security, credit and patient numbers; and encrypting email with the Fortinet FortiMail Appliance.
We started at the desktops and extended from there, making data protection an organizationwide initiative. As part of that effort, we also banned the use of flash drives, which we believe pose too great a security risk.
However, our staff needed to use portable drives, whether to share financial information with investors or for a marketing presentation. So we looked for alternatives.
We evaluated a number of encrypted flash drive options. Each had something that made us steer clear of it. Some were susceptible to key logger software; others required IT to update their software at regular intervals. That’s when we turned to the LOK-IT Secure Flash Drive. The encrypted flash drive has a FIPS 140-2 Level 3 validation, or government-level security, which means that it meets one of the highest standards set by the federal government for encrypting and securing data.
Some drives use encryption that depends on software running on the host computer, but on LOK-IT the encryption is performed by a controller inside the drive itself. To gain access to the drive and the data within it, users enter a PIN code on a 10-key PIN pad, much like an ATM.
After we addressed the main security issues, other considerations came into play.
LOK-IT doesn’t require software to use its security features, and it’s independent of any operating system, which made it easy for us to implement since we didn’t have to worry about drivers or regular software updates. Because no software is required for authentication, there’s more usable memory space compared with other flash drives, and that’s a plus for our users who need to transport large data files.
The drive works on any machine that has USB connectivity and with any operating system, so our managers can scan documents directly onto the drive, keeping them secure. The health care staff can take readouts from a medical device and securely transport them to our electronic medical records system.
We also can use LOK-IT on laptops, tablets and smartphones equipped with host USB or USB On-The-Go capability. This lets staff move data between those devices over a USB port without having to worry about compatibility from one device to the next.
Another reason for our decision to use this drive is its fail-safe mechanism. After 10 failed attempts to access the drive, LOK-IT wipes the encryption key, which makes guessing the PIN impractical and leaves the stored data unrecoverable. That means even if one of our managers loses a drive, WCR’s data is protected.
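To make the fail-safe property concrete, here is an added illustration that is not part of the original article and not LOK-IT’s firmware: a toy Python model of a drive whose PIN check, retry counter and data-encryption key all live on the drive’s own controller, so the host can neither read the key nor reset the counter. The class and function names (`SecureDrive`, `guess_probability`, `lost_drive_scenario`), the 4-digit PIN and the SHA-256 keystream are assumptions made for the example; a real drive uses a hardware AES engine, and the keystream here only stands in for it.

```python
import hashlib
import hmac
import secrets

# Toy model of a hardware-encrypted USB drive. Constructed for illustration;
# it does not describe LOK-IT internals and its cipher is NOT production-grade.


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for the controller's AES engine."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SecureDrive:
    """Models the on-drive controller: it alone holds the data-encryption key (DEK),
    the PIN verifier and the failed-attempt counter. The host only sees ciphertext."""

    def __init__(self, pin: str, max_attempts: int = 10):
        self._salt = secrets.token_bytes(16)
        self._pin_verifier = self._derive(pin)
        self._dek = secrets.token_bytes(32)   # destroyed after max_attempts failures
        self._max_attempts = max_attempts
        self._failed = 0
        self._unlocked = False
        self._flash = b""                     # what the host would read: ciphertext only

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def wiped(self) -> bool:
        return self._dek is None

    def unlock(self, pin: str) -> bool:
        if self._dek is None:                 # key already destroyed: nothing to unlock
            return False
        if hmac.compare_digest(self._derive(pin), self._pin_verifier):
            self._failed = 0
            self._unlocked = True
            return True
        self._failed += 1
        if self._failed >= self._max_attempts:
            self._dek = None                  # fail-safe: wipe the key, not the flash
        return False

    def lock(self) -> None:
        self._unlocked = False

    def write(self, plaintext: bytes) -> None:
        if not self._unlocked:
            raise PermissionError("drive is locked")
        self._flash = _xor(plaintext, _keystream(self._dek, len(plaintext)))

    def read(self) -> bytes:
        if not self._unlocked:
            raise PermissionError("drive is locked")
        return _xor(self._flash, _keystream(self._dek, len(self._flash)))


def guess_probability(pin_digits: int, attempts: int) -> float:
    """Chance that a finder hits a uniformly random PIN within the allowed attempts."""
    return attempts / (10 ** pin_digits)


def lost_drive_scenario() -> dict:
    """Owner stores a record, the drive is lost, and whoever finds it exhausts the
    10 allowed attempts: the key is wiped and even the owner can no longer unlock it."""
    drive = SecureDrive("7391")               # constructed sample PIN
    drive.unlock("7391")
    drive.write(b"resident billing record")   # constructed sample data
    drive.lock()
    finder_succeeded = any(drive.unlock(f"{g:04d}") for g in range(10))
    return {
        "finder_succeeded": finder_succeeded,
        "wiped": drive.wiped,
        "owner_can_unlock": drive.unlock("7391"),
    }
```

The design point the model shows is that wiping a 32-byte key renders the whole flash contents unrecoverable without erasing them, and that because the counter is enforced next to the key rather than in host software, a key logger or a modified host cannot reset it; `guess_probability(4, 10)` gives the 0.1% chance a 4-digit PIN is found before the wipe.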
In the end, the simplicity of implementing LOK-IT solidified our decision. It’s basically a plug-and-play device. We didn’t want to add complexity to the mix for the staff or IT, and implementing the device didn’t require much training or staff time. The response from the users has been positive.
For Westminster Canterbury Richmond, taking these risk-mitigation steps to protect our customer and company data wasn’t about getting an immediate return on our relatively modest investment. It was about protecting the long-term value of the company against the associated legal and other costs of a data breach.
The 2009 Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, calls for fines of up to $1.5 million for a breach of health care data. Add to that the potential for lawsuits and payments to mitigate possible harmful effects for customers if their data were lost, and the cost of a data breach could quickly rise to astronomical levels.
Beyond the financial strain and damage to WCR’s reputation a data breach could pose, it’s our duty to protect our customers’ data. LOK-IT helps us fulfill that duty.
Robert Mann is the manager of IT for Westminster Canterbury Richmond.