TLC Vision Sees How to Protect Confidential Information
In 2005 TLC Vision, a leading provider of eye care tools and technologies in the U.S. and Canada, faced a dilemma: how to protect the confidential information of more than one million patients and physicians. For the director of technology services, Roger McIlmoyle, addressing the issue of protecting his organization’s essential information seemed daunting, until he discovered Websense® Data Security Suite.
The Problem
As a multi-national organization, TLC operates more than 80 refractive centers and 300 laser sites, and has a network of 1,500 independent optometrists. Additionally, the company has relationships with 70 managed care plans, covering 100 million people. TLC is listed on both the Canadian and New York Stock Exchanges, which imposes a multitude of regulatory requirements on its operations, in addition to the state and federal requirements of the two governments and 48 states in which it operates.
“Early on, we recognized the need to not only have a comprehensive data security solution, but one that required low overhead and administration,” said McIlmoyle. “Ultimately, we needed to secure our email communications, prevent data loss, and adhere to Health Insurance Portability and Accountability Act (HIPAA) and other regulatory requirements amidst the complexity of a very distributed network.”
TLC first realized its data loss problem when a senior executive erroneously transmitted confidential information to an unknown source, simply by mistyping an address in an email. Fortunately, the incident was without consequence; however, it raised questions within management about the frequency and severity of data loss, and thoughts about how they might implement controls to prevent it in the future.
The first and easiest step for TLC was to identify the risk to the organization. Management knew that the company received much of its revenue via credit card transactions and needed to address Payment Card Industry (PCI) requirements. Additionally, TLC maintained personally identifiable information for hundreds of thousands of patients and employees. And finally, as the popularity of Lasik eye surgery skyrocketed, so did the mass of personal health information that TLC stored and shared with patients and benefits providers. For McIlmoyle, addressing these issues meant focusing his attention on the communication tool most widely used by his centers, practitioners, and customer service representatives: email.
The Solution
Early on, McIlmoyle recognized that the problem of information leaks was not just an IT problem; it was a business problem, so he needed a tool that integrated with and secured existing business processes. To understand the full scope of the problem, McIlmoyle reached out to Websense to conduct a risk assessment. Using patented technology, Websense Data Security Suite discovered confidential information throughout TLC’s network, monitored its use, and protected it via integration with an encryption gateway.
Websense Data Security Suite is a comprehensive data loss prevention solution that discovers, monitors, and protects sensitive data. Its sophisticated fingerprinting technology identifies and creates a “digital fingerprint” for each piece of sensitive data located throughout the organization, enabling the Websense Data Security Suite to monitor that data no matter how it is manipulated or where it is sent. Backed by the intelligence of the Websense ThreatSeeker™ Network, which scans the Internet and more than one billion pieces of content daily in search of threats, Websense Data Security Suite understands both the data itself and the destination where it is being sent.
By understanding the business context around the data, Websense Data Security Suite accurately determines if an action is a legitimate business process and applies the appropriate protection policies. Sending email with confidential patient information to a partner, for example, may be necessary and should require encryption. Sending confidential information to a Web site infected with malicious code, however, should never be allowed.
“We had zero visibility into our data security until we received the initial report from the Websense solution. When I sent the report to my CEO his first response was to order me to shut down our email system,” said McIlmoyle. “Instead, two engineers put Websense Data Security Suite into production within four hours, providing immediate and automatic encryption for every piece of confidential data detected by Websense Data Security Suite.”
The Results
The transformation for TLC was tremendous. In the past, it was routine for customers to email TLC their credit card numbers to pay bills and schedule appointments. The receipt of a customer’s credit card number meant TLC was responsible for its security. When a customer service representative replied to the email, confirming the date, time, and payment, the representative violated regulatory requirements.
McIlmoyle turned on automatic notifications when he deployed Websense Data Security Suite. This meant that when a user sent confidential information, the email was automatically encrypted and the user was notified of the company’s security policy for future communications. For McIlmoyle and his staff, this functionality mitigated hours of enforcement decisions and manual notifications.
“Within the first few weeks we saw a good number of emails encrypted because they contained confidential information. It wasn’t because our users were malicious. They were just trying to do their jobs,” said McIlmoyle. “It didn’t take long before the number of encrypted communications decreased significantly, as users became more and more aware of our policies and began to ask themselves, do I really need to send this?”
TLC Vision’s search for a best-of-breed technology to address HIPAA and other compliance requirements was well served when it chose Websense Data Security Suite. As the leading data loss prevention solution, Websense Data Security Suite helped meet TLC Vision’s regulatory challenges, mitigated its risk, and provided an effective solution to protect its essential information with a reasonable cost of ownership.
© 2008 Websense, Inc. All rights reserved. Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners. 09.16.08