420 Views 2 Replies Latest reply: Jul 2, 2013 12:51 PM by curtandy
curtandy Newcomer 19 posts since
May 12, 2009
Jun 24, 2013 1:22 PM

Any HealthCare Organizations running HDLP?

I work for a healthcare organization and we are in the process of implementing HDLP. As this is my first McAfee HDLP experience, I am looking for others who have implemented it for any tips, or who are willing to share what they are doing to protect PHI and PII going to USB (encrypted or unencrypted). Thanks!

  • Regis Champion 457 posts since
    Oct 6, 2010
    1. Jul 2, 2013 9:24 AM (in response to curtandy)
    Re: Any HealthCare Organizations running HDLP?

    I'm not in that vertical, but at my main client here we've successfully used HDLP to prohibit use of anything but hardware-encrypted USBs (I strongly recommend IronKeys over anything currently or formerly McAfee branded, by the way). The policy options available are quite rich, so you should be relatively confident that it'll do what you want. One caveat I'd add from one client: If you're among a surprising number of places out there that enjoy the management wins of Novell (which has evolved beyond NetWare, by the way) for file shares, and you use the Novell client on workstations... HDLP comes with some serious caveats about those Novell file shares. This can be worked around by eliminating the Novell client from your life and using native file access instead, which is probably a good idea anyway.

    At any rate, the USB stuff works pretty well for what it is.

    Note though that, like any software-based scheme, someone can pretty trivially undermine it unless you lock out boot to USB or boot to CD in the BIOS or you are doing full disk encryption.

    The bypass works like so: Save a sensitive document to the local hard disk somehow, boot to a USB drive or optical drive into some other operating system (system rescue CD, a Linux live CD, Hiren's boot CD... there are many many options), mount that local hard drive and copy the local hard drive file off to any ole USB you want. So to be serious about this, you'll want to make sure your workstations can't be booted from alternative media. But if you already have full disk encryption, and the encryption can't be mounted under an alternative operating system, you're covered against this threat vector.

    Also, a lot of places ignore web mail and cloud services and pretend they don't exist. If you want to be serious about preventing PII and PHI going encrypted out the door, you'll need serious network DLP associated with your outbound email and web uploads as well, and a strong egress policy on the firewall that forces things to go out through your control points of web gateway and email gateway.

    Good luck!
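
An added example, not part of the thread and not McAfee tooling: a small audit that applies the reply's reasoning to a workstation inventory and flags hosts where the endpoint USB policy can be sidestepped by booting other media. The CSV columns and host names are constructed, and treating a boot lock without a firmware setup password as unenforced is an assumption of this example.

```python
import csv
import io

# Constructed inventory export; column names are assumptions of this example.
SAMPLE_INVENTORY = """host,fde_enabled,usb_boot,optical_boot,firmware_password
ws-001,yes,no,no,yes
ws-002,no,yes,no,yes
ws-003,no,no,no,no
ws-004,yes,yes,yes,no
ws-005,no,no,no,yes
ws-006,,no,no,yes
"""

def _flag(value):
    """Map yes/no to True/False; anything else (blank, typo) is unknown."""
    return {"yes": True, "no": False}.get((value or "").strip().lower())

def classify(row):
    """Return (status, reason) for one inventory row."""
    fde = _flag(row.get("fde_enabled"))
    usb = _flag(row.get("usb_boot"))
    optical = _flag(row.get("optical_boot"))
    fw_pw = _flag(row.get("firmware_password"))
    if fde:
        # Reply's point: with FDE the disk is unreadable from another OS.
        return "covered", "full disk encryption"
    if None in (fde, usb, optical, fw_pw):
        # Missing data must not be read as safe.
        return "unknown", "incomplete inventory data"
    if usb or optical:
        media = [n for n, on in (("USB", usb), ("optical", optical)) if on]
        return "exposed", "no FDE, boot allowed from " + "/".join(media)
    if not fw_pw:
        # Assumption: a boot lock anyone can undo in setup is not enforced.
        return "exposed", "no FDE, boot lock not protected by firmware password"
    return "covered", "alternate boot locked in firmware"

def audit(csv_text):
    """Classify every host in the CSV text; returns {host: (status, reason)}."""
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({reason})")
```

Hosts reported as "unknown" need their inventory data completed before they are counted as covered.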
