Data Breach Prevention: 13 Best Practices You Should Implement

According to the Privacy Rights Clearinghouse, between Jan. 3 and June 11, there were 71 reported data breaches at our nation's healthcare and education campuses, and the frequency of these types of incidents only seems to be on the rise. Here are 13 ways your campus can stem the tide.
Published: June 30, 2008

It seems like every week there is another report of a data breach at a healthcare or education institution. Whether the culprit is a student downloading sensitive classmate information from a school’s network or a random burglar who steals back-up tapes containing the information of millions of patients, it’s safe to say the potential for significant financial and personal difficulties is very real.

School and university networks, and to a somewhat lesser extent those at hospitals, are particularly vulnerable to breaches compared to other types of businesses. Campus networks are at greater risk because they must be open, carry a lot of data, have many access points and support many portable devices, such as laptops, cell phones and PDAs.

Given the disturbing increase in these types of incidents, it would behoove all campuses to be vigilant yet realistic regarding their data breach prevention policies, personnel and solutions. The following best practices may help.

1. Conduct a Risk Assessment
Before any solution is implemented, it is important to know your network’s vulnerabilities. According to Southwest Washington Medical Center’s Security Compliance Officer Christopher Paidhrin, officials must understand what type of information might get exposed, who might expose it, how and where it could be exposed, and what applications use it. Once the vulnerability assessment is completed, its results should be communicated to management and executives so they understand the risks involved and are more likely to support proposed solutions.

2. Categorize the Data
Campuses must then identify and categorize what types of facilities have what level of security. Paidhrin suggests campuses “Establish a classification standard: Confidential, restricted and public. Sensitive, private or other mid-levels can be added if needed.” Software solutions are available to scan for specific types of data that are risky, such as Social Security numbers and credit card numbers. These tools help campuses prevent the transfer of sensitive data to unauthorized devices. Unfortunately, these solutions have a harder time isolating intellectual property.

3. Determine Who Has Access
Campus administrators and IT professionals must also determine who has access to various types of data, and access should be granted on a need-to-know basis. Access control can be established based on an individual’s role in the organization (role-based access control or RBAC). In Paidhrin’s case, staff members at his hospital must have access to, on average, six to 12 applications (out of more than 200 total for his facility).

4. Manage Your Personnel
One common error institutions make when developing their data breach prevention strategies is assuming employees do not constitute a threat. “They harden the perimeter where they have a firewall,” says Ken Pappas, Corero vice president of marketing. “The trouble is the bad guys are already in the building.” It is important to conduct background checks on staff. Additionally, there must be enough IT and compliance personnel so the campus can satisfy the expectations stemming from laws like the Health Insurance Portability and Accountability Act (HIPAA).

5. Control the Admin Rights
Controlling the administrator rights of a computer reduces the chances of an insider intentionally or unintentionally downloading malware or malicious code. “If you limit admin privileges or you have two users on a device, one of which is Robert Admin versus just Robert, then when you are operating as Robert and you accidentally click on a Web site that is trying to download something bad to your computer, you are protected,” says Penn State’s Chief Privacy Officer David Lindstrom. “If you need to download software, then you go in as Robert Admin because you are doing it on purpose.”

According to Lindstrom, however, this practice is often misunderstood. “They think it will make them somehow less of a user when it is really a piece of self protection and institution protection.”

6. Take a Multi-Layer Approach
A single technology cannot provide complete protection. “They need to be secure at the host [e.g. PCs, cell phones, PDAs] and the network,” says Pappas. He recommends campuses have firewalls, anti-virus software, anti-spam, intrusion prevention (IPS), network access control (NAC) and possibly IP white lists. IPS monitors all network traffic for malicious or unwanted behavior, and blocks or prevents those activities. NAC provides an end point inspection of devices being connected to the network, while white lists provide a list of known bad IP addresses.

Of course, all of these solutions have weaknesses. NAC, for example, won’t protect a network from Trojans and viruses introduced to the network via a thumb drive by an authorized user. To make up for NAC’s weaknesses, IPS and firewalls are good overlays.

7. Encrypt Information
Encryption is the process by which information is rendered unreadable to anyone who doesn’t have appropriate authorization, and it is highly recommended by network security experts. According to Pappas, “Information should be encrypted at the point of [card] swipe so hackers who are inside the networks can’t listen in.”

Encrypting laptop hard disks and other portable devices is also recommended, although many organizations do not take this step. “You need to have an encryption system on the machine so when the portable device is removed, it is encrypted with the same password,” says Lindstrom. “If you do this, when you take it home or to another machine, it is protected in between.”

Encryption, however, has its pitfalls. Rogue employees can easily work their way around this solution.

Terence Spies, who is chief technology officer for Voltage Security, recommends encryption at the application layer, which encrypts data in a self-defending way. “By encrypting documents and database entries so they can only be decrypted in a policy-controlled way at the application layer, that data is encrypted at all other layers — on the network, disk, USB token, etc.” he says. “The data defends itself, as opposed to having to travel over protected channels.” He also recommends channel and container encryption (Virtual Private Networks [VPN], Secure Socket Layer [SSL], whole-disk encryption) as a secondary mechanism.

8. Track Portable Devices
Because laptops, PDAs, cell phones and other portable devices are often the sources of data breaches, managing this equipment is critical. Some companies have removed the drivers and physically blocked USB ports to prevent usage. Cell phones in some organizations are not allowed in buildings. Although these kinds of extreme measures might not be appropriate in the campus environment, encryption and RBAC with two-factor access control (when possible) are excellent solutions. SSL or VPNs can also be used to transmit sensitive information.

9. Monitor Inexpensive Assets
Although items like thumb drives are relatively inexpensive to purchase, they can contain a lot of valuable information that, if lost or stolen, can cost an organization dearly. It is very important to keep an accurate inventory “even if the assets do not rise to a level of expense that might fall under the capital asset category,” says Lindstrom. “It isn’t about the device, it’s about the information.” Additionally, identifying high value data and defending it with encryption can free IT staff of the burden of trying to track every PC and peripheral device.

10. Maintain Physical Access Control
Of the 71 reported incidents from Jan. 3-June 11, only 18 were the result of hackers. Many, if not most, of the remaining incidents resulted from laptops, portable hard drives, thumb drives or some other piece of computer equipment being stolen or lost. This highlights the need for physical access control. “When people steal machines, we find they take the ones that are easy [to remove],” Lindstrom comments.

Simple solutions like locking office doors, installing card access control to a building or office, locking a device to a work station, locking filing cabinets, logging off a computer or having an auto log-off function can help to greatly reduce the number of data breaches experienced by a campus. Anti-theft solutions that remotely track the location of a stolen laptop and destroy files are another option.

11. Dispose of Records Properly
Because many breaches are the result of dumpster diving, it is important to shred, burn or pulverize paper files. Additionally, disks, DVDs and old computers should be erased before being discarded.

12. Implement Policies
Employees must be educated on the security policies of a campus, why they are important and how to protect confidential information. The policies should cover telecommuting, and how staff should store and access data from their homes.

Audits can be conducted to determine compliance with these policies. It should be noted, however, that non-compliance is often unintentional because staff frequently don’t understand their institutions’ privacy and security policies, or the policies are cumbersome.

Paidhrin suggests that campuses conduct an annual audit of the full IT security function; a quarterly audit or assessment of information samples for integrity (back-up tapes, financial and HR database reviews, and random file testing); and weekly sample audits of the appropriate use of the Web, E-mail and shared drive resources. Third-party IT security experts can help with this process.

Other appropriate processes include using “strong” passwords that change regularly (although this is debated in some circles) and password-activated screen savers.

13. Manage Your Vendors
There are many instances when security breaches are not the fault of campuses, but of the outside contractors tasked with either storing, moving or destroying the records. To guard against this type of threat, campuses should interview vendors and review their security policies regarding employee background screening and data management. “If they don’t have a security policy, then give them one,” says Pappas. “The vendor should provide you with regular reports of the traffic coming into and going out of your network.” Regular audits of contractors and security validations are also recommended.

Spies says one of the best ways of protecting data is to mask or de-identify the information that goes to vendors. “There are solid solutions that will encrypt data so outside contractors get data that is internally consistent but doesn’t contain genuine Social Security Numbers or other identifying information.” Often, this type of data is all that a vendor needs. Spies adds, however, that “If they need more, that data needs to be handed out in a very careful way with clear commitments as to how it will be handled while in use and how it will be erased.”
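The property Spies describes, substitute values that stay consistent across every extract a vendor receives, can be shown with a keyed one-to-one mapping over nine-digit numbers. This is an added illustration, not code from the article or from Voltage Security; the Feistel construction, round count, key and record fields are assumptions for the demo, and a production system would use a vetted format-preserving encryption mode such as NIST FF1.

```python
import hashlib
import hmac

M = 31623      # M * M >= 10**9, so two base-M halves cover every 9-digit number
ROUNDS = 10    # assumption for the demo, not a vetted parameter


def _round_value(key, i, half):
    """Keyed round function: HMAC-SHA256 of (round index, half), reduced mod M."""
    mac = hmac.new(key, f"{i}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % M


def _permute(n, key):
    """One pass of a Feistel network; each round is invertible, so this is a bijection."""
    left, right = divmod(n, M)
    for i in range(ROUNDS):
        left, right = right, (left + _round_value(key, i, right)) % M
    return left * M + right


def mask_ssn(ssn, key):
    """Map ddd-dd-dddd to another ddd-dd-dddd, one-to-one under `key`."""
    n = _permute(int(ssn.replace("-", "")), key)
    while n >= 10**9:          # cycle-walk until the value fits in nine digits again
        n = _permute(n, key)
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def deidentify(rows, key, field="ssn"):
    """Copy each record for the vendor with the SSN field replaced by its substitute."""
    return [{**row, field: mask_ssn(row[field], key)} for row in rows]


# Constructed sample records: the same student appears in two extracts.
KEY = b"demo-key-kept-inside-the-campus"   # placeholder; the vendor never receives it
BILLING = [{"ssn": "123-45-6789", "balance": 250}, {"ssn": "234-56-7890", "balance": 0}]
HOUSING = [{"ssn": "123-45-6789", "hall": "North"}]
```

Because the mapping is a permutation, the vendor can still join the billing and housing extracts on the substitute value, and two different people never end up sharing one.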

Robin Hattersley Gray is executive editor of Campus Safety. She can be reached at

Strategy & Planning Series