How One Healthcare Company Implements DLP to Protect PII and PHI

In 2016, Prime Therapeutics, an American pharmacy benefits management company, hired Jacob Walls to bolster data loss prevention across the enterprise. The company serves 22 Blue Cross Blue Shield health care plans and more than 27 million members nationwide, including one out of every six people covered through US public healthcare exchanges. Since Prime Therapeutics’ employees and systems handle both PII and PHI daily as they interact with Blue Cross Blue Shield, pharmacists, Medicare and Medicaid, and employers, a robust DLP defense is essential.

Defining and Implementing DLP Use Cases Throughout the Enterprise

As a senior information security engineer and Prime Therapeutics’ main DLP expert, Walls spends a lot of time, along with his team, engaging with departments outside of security. First, they work to understand the stakeholders’ DLP-related concerns and define specific use cases to meet their various privacy, compliance, legal, or incident response-related requirements. Then they create rules for the company’s McAfee Network DLP appliance[s] and McAfee DLP Endpoint agents to test and implement.

“Different departments come to us and request the services for a specific use case,” explains Walls. “We’ll usually provide them with metrics around how well a rule set can address their use case… go over false positive rates and things like that to give them a baseline of how effective [DLP] would be.” Then, after implementing the policy, Walls or another engineer will meet regularly with the requestor of the policy to provide feedback on its effectiveness and, as necessary, tweak for improvements.

For instance, the company’s Privacy and Data Distribution department was concerned that users could print sensitive information on unauthorized printers. Using the built-in local printing rules in the McAfee Network DLP appliance, Walls easily addressed the issue, enforcing the printing of sensitive information only to authorized printers. In addition, discussions on effectiveness led to reporting that filters printing by user and content to pinpoint any employees who need additional education or monitoring.

Preventing Sensitive Data Leakage Via Email

Since email is the primary form of communication with entities outside the network, for many specific departments and the enterprise in general, preventing exfiltration of sensitive information via email message or attachment is one of Prime Therapeutics’ most important DLP use cases. This use case was also the main reason for purchasing McAfee Network DLP.

“Using McAfee Data Loss Prevention, we have implemented corporate policies that restrict sensitive information from exiting the network via email unless authorized and encrypted,” notes Walls. “Moving this functionality from the MTA [Mail Transport Agent] to DLP has allowed for true security ownership and has greatly enhanced our capabilities in this area. Additionally, reporting and metrics around the use of email for communicating sensitive information has helped us internally to gauge the level of risk associated with this communication method…The visibility we now have into outbound email communication has been extremely beneficial on multiple fronts.”

How Successful are These DLP Implementations?

“Effectiveness and speed are driving indicators of success,” says Walls, pointing to lack of data leakage incidents and ease of compliance as components of those two indicators. “The visibility McAfee DLP has given us into both our data at rest and our data in motion has had both an immediate and ongoing positive impact on our business.”

A side benefit of implementing McAfee DLP Endpoint and McAfee Network DLP for Prime Therapeutics has been an increase in awareness across its employee base regarding sensitive data. “Awareness around data-at-rest and the need to place controls around approved locations appears to be growing,” states Walls. “[It] is not limited to specific departments, but rather arises from projects and conversations between all the teams involved. It’s a positive maturing of controls due to greater business awareness of DLP.”

Advice to Those Looking to Implement DLP Solutions

Based on his experience, Walls says he would advise anyone looking at DLP solutions to begin by identifying and prioritizing use cases. “Much of the work around DLP happens outside of the tool and is process-driven,” he elaborates. “Therefore, it’s important to engage with the stakeholders and affected parties even prior to any rule configuration. That said, make sure you know what the DLP solution is capable of, and what it offers for integration and workflow. Doing so up front will save a lot of time and help avoid miscommunication and misaligned expectations.”

Walls also offers words of encouragement. He really enjoys his job, and especially interacting with other areas of the business. “I get great satisfaction in solving a problem and sharing that with the people I’ve solved the problem for,” he claims.

Working with DLP has also shifted Walls’ priorities and expanded his viewpoint. “DLP definitely branches out to other departments and gets you engaged with privacy, with legal—really with your core business,” he says. “I’ve been able to sympathize a little more [and understand better] the desired end results of other departments outside of security. So that’s been helpful.”

“Security is not a one-person job; it can’t be accomplished with one person [or] one company,” concludes Walls. “So we need partners, and we need friends in the industry to work together. The McAfee support team has been consistently available, receptive, and responsive to our questions and needs. ‘Together is Power’ is definitely something that McAfee represents for us.”
