How the Health and Human Services Department Addressed Data Loss Prevention
The Health and Human Services Department works with a wide variety of sensitive data, such as medical research, healthcare information and data on drug testing. Because of this, the department faces security threats from several sources, including foreign government–sponsored hackers, cybercriminals and hacktivists. But until a few years ago, agencies within HHS had varying levels of security to address those threats.
“Our focus is on public health, so we have a great deal of concern about protecting public-health information and personally identifiable information,” says Kevin Charest, director of the department’s Computer Security Incident Response Center. But while some operating divisions within HHS had robust security, others did not.
HHS established the CSIRC in 2008 to improve the security posture throughout the department. Charest has spent the last several years building the center and getting it to work with each of the operating divisions within HHS.
One of the key steps the CSIRC has used to improve the security posture throughout HHS is to provide a toolset of security products that each agency can use to protect its systems.
“We’ve standardized on the tools but not on how an individual operating unit uses them,” Charest says.
The toolset includes the Websense gateway proxy, RSA’s NetWitness full-packet-capture tool and an incident response tracking solution. Charest says some agencies that already had robust security programs in place when the CSIRC was established weren’t thrilled to have to come under the center’s leadership, but having every operating division use standardized technology has greatly improved security throughout HHS.
“Now, four years later, I can say fairly confidently that no one would want to remove these things,” he says.
Another benefit to centralized security leadership at HHS has been improved situational awareness. By overseeing security throughout the department, the CSIRC can help each operating unit defend itself. When a malware attack hit the department soon after the center’s creation, one agency had some success in mitigating the attacks. The center shared information on the successful tactics, helping other units avoid trial-and-error as they responded.
The information sharing extends beyond the boundaries of HHS as well. The department’s centralized approach helps it share information better with other agencies, such as the U.S. Computer Emergency Readiness Team, as well as with industry partners.
That’s good, Charest says, because security threats are always evolving. “It’s a never-ending battle,” he says.
Voices
Photo: Tamara Reynolds
“Whether it is preventing data exfiltration to malicious threats or blocking unauthorized internal usage of consumer services, DLP solutions are a critical tool in any cyber defender’s toolbox.”
— Travis Howerton, Chief Technology Officer of the National Nuclear Security Administration
“DLP technology provides a significant control to prevent and protect against personally identifiable information or sensitive payment information from being accidentally or maliciously sent outside of GPO. It’s an essential element of our security program.”
— Chuck Riddle, CIO of the Government Printing Office
“The U.S. Department of Commerce prioritizes data loss prevention as part of our comprehensive efforts to secure the public’s information, and we continually examine the DLP program to reduce risk.”
— Rod Turk, Director of the Office of Cyber Security and Chief Information Security Officer with the Commerce Department