Protecting Customer and Company Data

By Robert Mann

Westminster Canterbury Richmond (WCR) is a high-end continuing-care retirement community in Richmond, Va., designed for older adults who are able-bodied, active and involved. It is home to about 900 residents, and 750 employees work there.

The community has been growing, and as it expanded, WCR's commitment to securing its customer information became paramount. For IT, that meant taking a number of steps to protect not only the information of its residents, which includes financial data and health care records, but also the company's proprietary information, for competitive reasons.

For an organization such as WCR, whose residents put a high value on privacy, a leak of internal data, or worse, of resident information, could cause irreparable harm to its brand and image. Beyond that, the federal Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of individuals' identifiable health information. No one at WCR wanted to take the risk that any of our information would end up in the public domain.

The IT department took a number of steps to protect WCR's data. These included encrypting all office laptops with PGP Whole Disk Encryption (now Symantec); using our Fortinet FortiGate firewall to prevent data leaks; protecting Social Security, credit card and patient numbers; and encrypting email with a Fortinet FortiMail appliance.
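
The firewall-based leak prevention mentioned above works by recognizing identifiers such as Social Security and credit card numbers in traffic before they leave the network. The following is an added example, not FortiGate's engine or any WCR code, showing the core of such a content check: pattern matches are confirmed with structural validation (the Luhn checksum for card numbers, issuance rules for SSNs) so that look-alike digit runs do not raise false alerts, and matched values are masked before they are logged. The sample lines and the `PT-` patient-number format are constructed for the example; the article gives no patient-number format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines (not real data, not WCR's data) to run the checks over.
SAMPLE_LINES = [
    "Resident note: SSN 123-45-6789 on file, copay via card 4111 1111 1111 1111",
    "Ticket 20231005-4 closed, no identifiers in body",
    "Look-alikes that should NOT match: 000-12-3456 and 4111 1111 1111 1112",
    "Patient number PT-00042 transferred to EMR",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical patient-number format (an assumption; the article gives no format).
PATIENT_RE = re.compile(r"\bPT-\d{5}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Issuance rules: area 000, 666 and 900-999 are never assigned; group and serial are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str, keep: int = 4) -> str:
    """Redact a matched value so the alert itself does not re-leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per validated identifier, in order of appearance."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", n, mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("card", n, mask(digits)))
        for m in PATIENT_RE.finditer(line):
            findings.append(Finding("patient_id", n, mask(m.group(0), keep=2)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Running the block over the constructed lines reports the SSN and card on line 1 and the patient number on line 4, while the zero-area SSN and the card number with a bad checksum on line 3 are ignored. In a real deployment the same validate-then-mask pattern applies whether the check runs on a firewall, a mail gateway or an endpoint agent.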

We started at the desktops and extended from there, making data protection an organizationwide initiative. As part of that effort, we also banned the use of flash drives, which we believe pose too great a security risk.

However, our staff needed to use portable drives, whether to share financial information with investors or for a marketing presentation. So we looked for alternatives.

We evaluated a number of encrypted flash drive options. Each had something that made us steer clear of it. Some were susceptible to key logger software; others required IT to update their software at regular intervals. That's when we turned to the LOK-IT Secure Flash Drive. The encrypted flash drive has a FIPS 140-2 Level 3 validation, or government-level security, which means that it meets one of the highest standards set by the federal government for encrypting and securing data.

Some drives use encryption that must access software on a computer, but encryption on LOK-IT is performed on an internal USB controller. To gain access to the drive and the data within it, users punch a PIN code into a 10-key PIN pad, much like an ATM.

After we addressed the main security issues, other considerations came into play.

LOK-IT doesn't require software to use its security features, and it's independent of any operating system, which made it easy for us to implement since we didn't have to worry about drivers or regular software updates. Because no software is required for authentication, there's more usable memory space compared with other flash drives, and that's a plus for our users who need to transport large data files.

The drive works on any machine that has USB connectivity and with any operating system, so our managers can scan documents directly onto the drive, keeping them secure. The health care staff can take readouts from a medical device and securely transport them to our electronic medical records.

We also can use LOK-IT on laptops, tablets and smartphones equipped with host USB or USB On-The-Go capability. This enables them to communicate with other devices via a USB port without having to worry about compatibility between different devices.

Another reason for our decision to use this drive is its fail-safe mechanism. After 10 failed attempts to access the drive, LOK-IT wipes the encryption key, making PIN guessing almost impossible. That means even if one of our managers loses a drive, WCR's data is protected.
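
To make the two properties described above concrete, the key held only on the drive's own controller and the key wiped after the tenth failed PIN, here is an added software model. It is an illustration written for this article, not LOK-IT firmware or any vendor code: the data-encryption key and the PIN verifier exist only inside the model object (standing in for the controller, so the host never handles the key), a success resets the failure counter, and the tenth failure zeroizes the key so the stored data becomes unrecoverable by design. The six-digit PIN length is an assumption; the article does not state it. The last function quantifies "almost impossible": a guesser gets at most ten tries out of the whole PIN space before the data is gone.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

MAX_FAILURES = 10   # threshold the article states for LOK-IT
PIN_DIGITS = 6      # assumption: the article does not give the PIN length


class SecureDriveModel:
    """Software model (added example, not LOK-IT firmware) of a PIN-unlocked drive.

    The key and the PIN verifier live only inside this object, standing in for
    the drive's controller. MAX_FAILURES wrong PINs zeroize the key.
    """

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._pin_verifier = self._derive(pin)
        self._key: Optional[bytes] = secrets.token_bytes(32)  # data-encryption key
        self.failures = 0
        self.unlocked = False

    def _derive(self, pin: str) -> bytes:
        # Slow hash so the stored verifier does not reveal the PIN if extracted.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    @property
    def wiped(self) -> bool:
        return self._key is None

    def remaining_attempts(self) -> int:
        return max(0, MAX_FAILURES - self.failures)

    def unlock(self, pin: str) -> str:
        """Return 'unlocked', 'wrong_pin' or 'wiped'."""
        if self.wiped:
            return "wiped"                 # key is gone; nothing can open the data
        if hmac.compare_digest(self._derive(pin), self._pin_verifier):
            self.failures = 0              # a success resets the counter
            self.unlocked = True
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._key = None               # zeroize: the data is now unrecoverable
            self.unlocked = False
            return "wiped"
        return "wrong_pin"

    def lock(self) -> None:
        self.unlocked = False


def guess_success_probability(pin_digits: int = PIN_DIGITS,
                              max_failures: int = MAX_FAILURES) -> float:
    """Chance that random guessing opens the drive before the key is wiped:
    at most max_failures tries out of 10**pin_digits possible PINs."""
    return max_failures / 10 ** pin_digits


if __name__ == "__main__":
    drive = SecureDriveModel("482913")      # constructed PIN for the demo
    print(drive.unlock("000000"), drive.remaining_attempts())
    print(drive.unlock("482913"), drive.failures)
    drive.lock()
    print([drive.unlock("111111") for _ in range(MAX_FAILURES)][-1])
    print(f"guess probability with {PIN_DIGITS} digits: {guess_success_probability():.1e}")
```

With a six-digit PIN the guessing chance before the wipe is 10 in 1,000,000, which is the property a lost drive relies on. The model also shows why the counter must be kept on the drive rather than on the host: if the host tracked failures, reconnecting the drive would reset them.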

In the end, the simplicity of implementing LOK-IT solidified our decision. It's basically a plug-and-play device. We didn't want to add complexity to the mix for the staff or IT, and implementing the device didn't require much training or staff time. The response from the users has been positive.

For Westminster Canterbury Richmond, taking these risk-mitigation steps to protect our customer and company data wasn't about getting an immediate return on our relatively modest investment. It was about protecting the long-term value of the company against the associated legal and other costs of a data breach.

The 2009 Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, calls for fines of up to $1.5 million for a breach of health care data. Add to that the potential for lawsuits and payments to mitigate possible harmful effects for customers if their data were lost, and the cost of a data breach could quickly rise to astronomical levels.

Beyond the financial strain and damage to WCR's reputation a data breach could pose, it's our duty to protect our customers' data. LOK-IT helps us fulfill that duty.

Robert Mann is the manager of IT for Westminster Canterbury Richmond.