with our vendors. So we have to ensure that transmission is secure. Then, of course, we also communicate directly with the end users of the information.”
To address these concerns and meet privacy and HIPAA compliance standards, Amalgamated moved to a more automated, rules-based solution based on Proofpoint Enterprise Privacy, a data loss prevention suite.
Balancing Act
Amalgamated’s approach is to automate a great deal of this information, but still keep employees engaged in the process. The challenge, Timbol explains, is that if you do everything in the background, you take the responsibility away from the employees who don’t know what’s going on. “We believe very firmly that every employee should be a guardian of that information. We didn’t want to totally take away the responsibility from them. We wanted them to be aware of what they need to be secure.”
At the same time, Timbol continues, “we didn’t want to put too much of the onus on the individual. Everyone has bad days, right? Someone may forget to encrypt a message, especially if they’re in a hurry, or get sidetracked. These things happen.”
The key, Timbol continues, was to be able to provide a data security “safety net.” If the individual “mistakenly did not do what they needed to do to protect the information, then we had a process in place that would ensure that the data is still secured.”
This challenge particularly related to e-mail, Timbol says. “E-mail is probably one of the biggest ways of communicating data either between the users or between companies. We have queries come out, contacts, requests to verify claims. We wanted to make sure that we had security awareness among our employees, but at the same time, if they failed to secure it properly, we would still be able to catch that, and ensure that data’s protected.”
Initially, the encryption process was to be entirely automated, but the company decided that taking responsibility away from users could lower organizational sensitivity to the importance of security and HIPAA compliance. It was decided that the Proofpoint system should function as a backup, automatically encrypting messages if users failed to do so, and also sending a message to the offending user.
The end result was establishment of a security environment that provided for this balanced requirement. “One, it’s about maintaining security awareness on individuals. And two, it’s about catching whatever gets missed in the background,” Timbol explains. “Say I’m sending you an e-mail with a Social Security number. A keyword is typed into the subject line, which automatically triggers the encryption. The encrypted e-mail goes out, and the end user receives an e-mail that says they have a secure e-mail waiting, and directs them to click on a link.” First-time recipients will be prompted to set up a security code, he adds. This level of security also meets the FIPS 140-2 guideline, the standard federal organizations use when they specify that cryptographic-based security systems are to be used to protect sensitive or valuable data.

“Whether we’re the covered entity or the business associate, we have to trade information with our vendors. So we have to ensure that transmission is secure.”
—Richard Timbol, Amalgamated
Amalgamated’s system has a network appliance designed to analyze the content of outgoing e-mails. For e-mails sent without security keyword triggers in the subject line, the appliance scans the content against a terminology dictionary.
If sensitive data is identified in the body of the e-mail, the message will automatically be encrypted. “It also sends an e-mail back to the person who sent the message, explaining that the e-mail had sensitive data, with basic compliance requirements. And it will tell them it encrypted the mail, is still forwarding the mail, but tells them to ‘please be aware that you need to encrypt it.’” For employees who repeat the mistake, “we can see where we’re having an education problem,” he adds.
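As an added illustration (not Amalgamated’s or Proofpoint’s code), the two paths just described, the subject-line keyword trigger and the fall-back dictionary scan with a feedback message to the sender, modelled as a small Python policy; the trigger keyword, dictionary terms and the SSN pattern are constructed placeholders, since the article does not name the real ones.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed subject-line trigger; the article does not name Amalgamated's actual keyword.
SUBJECT_TRIGGER = "[secure]"

# Constructed terminology dictionary standing in for the appliance's real one.
TERM_DICTIONARY = {"social security", "diagnosis", "date of birth", "member id"}

# Constructed pattern for a US Social Security number written as 123-45-6789.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Decision:
    action: str                 # "encrypt" or "deliver"
    notify_sender: bool         # whether the "safety net" feedback e-mail is sent
    reasons: list = field(default_factory=list)


class OutboundPolicy:
    """Toy model of the keyword-plus-content-scan flow described in the article."""

    def __init__(self):
        self.misses = Counter()  # sender -> number of times the safety net fired

    def evaluate(self, sender: str, subject: str, body: str) -> Decision:
        # Path 1: the user did their part; the keyword encrypts silently.
        if SUBJECT_TRIGGER in subject.lower():
            return Decision("encrypt", notify_sender=False, reasons=["subject keyword"])
        # Path 2: no keyword, so scan the body against the dictionary and the pattern.
        reasons = [f"dictionary term: {t}" for t in TERM_DICTIONARY if t in body.lower()]
        if SSN_PATTERN.search(body):
            reasons.append("ssn pattern")
        if reasons:
            # Safety net: encrypt anyway, still forward, and tell the sender why.
            self.misses[sender] += 1
            return Decision("encrypt", notify_sender=True, reasons=reasons)
        return Decision("deliver", notify_sender=False)

    def repeat_offenders(self, threshold: int = 2) -> dict:
        """Senders whose misses reach the threshold: the 'education problem' signal."""
        return {s: n for s, n in self.misses.items() if n >= threshold}
```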
With this approach, the Proofpoint solution not only ensured appropriate encryption and compliance, but also served an educational function for employees. The bottom line is that the system “allows us to maintain a security awareness posture, and keeps the employee involved in that responsibility,” Timbol says. “It also allows the corporation to know that our data is secure, and our clients have their data secure.”
Outside and Inside Risks
Today, Amalgamated is in full compliance with HIPAA requirements and has dramatically reduced major risks associated with security breaches related to e-mail. The company has also increased the effectiveness of its spam and malware blocking efforts while gaining access to customized reports that eliminate the possibility of “lost” e-mail that was inadvertently blocked. It is difficult to quantify the ROI of risk reduction, although it is common knowledge that security breaches can have catastrophic effects both on customers and the credibility of the company that was breached.
In addition, e-mail is just one aspect of the data security challenge. “We also have secure FTP, in which data at rest is encrypted,” Timbol points out. “If data is encrypted, it’s a lot harder. Even if people break through your defenses and actually access files, now that file is in an unusable form.”
Internal data security is just as important as external security. “From the inside, if someone manages to get in your building and attach to a computer, the wireless network or a desktop, they just can log in and take the data that way,” Timbol points out. “Aside from the typical network login and application authentication that everybody has, we also take an approach toward locking down our USBs for example, so that people can’t attach portable storage, unless they are FIPS 140-2 encrypted.”
Plus, the rise of bring-your-own-devices in the workplace adds a new dimension to the data security challenge, and again puts the spotlight on personal responsibility, Timbol continues. “Blackberries were easy, because they were corporate-supplied devices, and you were able to enterprise-manage the policy. Now you have a lot of people coming in with smartphones or iPads. We’re taking a similar strategy where we’re able to put the enterprise policy on any device connecting to our network. Of course you have to cover that under your electronic policy agreement that you have with your employees, that they understand the responsibilities they have, as well as to help them along the way by being able to push out password policies. Every device, regardless of where it comes from, if it touches our network, it has to have a complex password.”
Ultimately, companies and employees alike need to be vigilant and think outside the box, Timbol says. “Firewalls and antivirus protection are very 1980s concepts if you stop there. The value of information is a lot higher than it ever was before. If you have personally identifiable information—date of birth, mother’s maiden name, or even a medical diagnosis, they can tailor identity theft around that. So, it’s crucial for us, in this business environment, to ensure that a best-of-breed approach is taken.”
The best defense is to “raise the cost on the attacker so high, making them spend more and more effort to get in, that they just move on to an easier target,” says Timbol. “That’s really the approach right now—your neighbor’s six-foot fence versus your 40-foot high stone wall.”