About The Customer
Despite spending more than $1M per year on HIPAA compliance training, an internal audit at one of the largest managed healthcare providers in North America identified a significant risk of noncompliance. The company’s auditors recommended stricter controls, both on and off the corporate network.
The Business Challenge
The organization had strong network defenses, but also many mobile users. A Virtual Private Network (VPN) was in place, but users were not diligent in using it, and enforcing controls on users who were not connected to the network was impossible. The training program failed because it was a specific, one-time event rather than an ongoing process. When people used data, their focus was on the task, not on the training from months ago.
The managed healthcare provider’s business also required many users to travel with data. Medical personnel moved between facilities, claims agents traveled to visit clients, and many workers brought their laptops home each night. These users required the ability to connect to other networks.
The company needed to reinforce existing policies as data was used, and create a culture that educated users about the potential risks. They needed to change user behavior when interacting with sensitive, regulated data.
Critical Success Factors
- Ensure traffic flows through their network to take advantage of their investment in infrastructure security
- Block data egress for users disconnected from the corporate network
- Prevent the use of multiple network adapters used to bypass corporate controls
- Educate users on corporate policies in real time to influence behavior and reinforce training
The Solution
Fortra™’s Digital Guardian® was the only solution that provided real-time policy application based on network awareness, enforced connections through the company’s VPN, and prompted users in real time.
The company structured policies supporting its requirements in the Digital Guardian Management Console. Digital Guardian endpoint agents, operating at the kernel level, enforced these policies both on and off the network.
Network awareness allowed Digital Guardian to distinguish the corporate network from others and enforce appropriate policies. If a mobile user required internet access, Digital Guardian could allow access to a login page, then block further traffic until connected to the company’s VPN. Once on the VPN, the user benefitted from the company’s extensive network controls and could perform their job functions.
Enterprise security policies can be difficult to remember while conducting daily business on tight timelines. To augment training, Digital Guardian’s prompt mode was used extensively. In prompt mode, when a user attempts an action that could increase risk or violate a policy, Digital Guardian presents a screen requiring the user to acknowledge the company policy and provide justification to continue. The response and action are recorded and stored in evidentiary-quality log files.
The Results
After deploying Digital Guardian, the customer could monitor all data movement, enforce the use of the company’s VPN for remote users, block the use of multiple network adapters, and communicate company requirements. In the first six months of use, they reported an 85% decrease in prompts to users, indicating a significant increase in policy awareness and secure employee behavior.