INFOLOCK

The American College of Radiology (ACR) is a professional medical society representing some 40,000 medical professionals, including radiologists, radiation oncologists, nuclear medicine physicians, and medical physicists. With core values of leadership, integrity, quality, and innovation, ACR is dedicated to serving patients and society by empowering its members to advance the practice, science and professions of radiological care.

As with other organizations driving change in the healthcare industry, ACR’s lifeblood is data. With greater scrutiny being placed on data privacy and security by regulators and individuals, protecting information assets is an essential component of ACR’s ability to deliver value to its stakeholders.

The Challenge

Data Loss Prevention (DLP) is vital in our age of digital communication and cyber-crime. According to an IBM-Ponemon study, DLP is among the key factors in mitigating the cost of data breaches (along with encryption, threat intelligence, and DevSecOps.)

The impact is significant – the average cost per data breach in the healthcare industry is $7.13 million. And healthcare has the highest data breach costs of any industry. Breaches involving PII cost an average of $150 per data record and HIPAA violations often result in heavy fines and other penalties.

Like many organizations, ACR manages a significant number of systems containing sensitive information. When the organization explored improving its risk posture with a DLP program, it became clear that it needed to find a partner with particular expertise in this domain that could help provide guidance as well as experienced personnel that could help implement the program.

Decision to Outsource

ACR evaluated whether or not to expand the internal team’s headcount or outsource the function to an experienced partner. Outsourcing proved to be a timely and costly solution and provided additional benefits such as guaranteeing the involvement of an objective third-party in sensitive incidents.

“We wanted to ensure that sensitive data would only be shared with authorized individuals,” said Matt Jordan, ACR’s Senior Director of Security and Infrastructure. “And external DLP management addresses certain internal concerns. For example, if an incident investigation revealed an employee’s delicate PII, a third party could be trusted to treat it impartially. As the saying goes, once you see something, you can’t un-see it.”

Ultimately, they decided a third-party DLP solution was the best fit for ACR.

Why Infolock

After comparing numerous DLP solution providers, ACR chose Infolock for several reasons:

1. Infolock has extensive experience implementing and managing successful DLP programs and other data protection solutions. With a focus on strategic governance, not just tactical techniques, Infolock’s framework for data risk management was also valued by ACR. Infolock believes a successful DLP program must start with top-down policymaking and enforcement, something that resonated with ACR that believes in the importance of leadership setting high
   quality standards.
2. Infolock’s grasp of the practical nuances of DLP was attractive to ACR: improper deployment, configuration, and integration of a DLP program can generate false positives that interrupt key processes. And that can lead to business units demanding that DLP be turned off, defeating its purpose.
3. Infolock’s approach to project management was a strong positive. For DLP programs, Infolock provides a dedicated analyst who becomes the client’s trusted partner. The analyst is both a technical expert and a relationship builder.

Infolock backs its primary analyst with a talented bench of DLP support professionals and an established, proven process.

The Solution

Infolock’s approach to ACR’s DLP program included the following key services:

• Program development: Infolock created administrative and incident-response runbooks to document all DLP processes and procedures, plus customized reports for ACR management.
• Technical administration: Infolock’s basic blocking and tackling of ACR’s DLP program included comprehensive implementation, detailed configuration, and software installation and maintenance.
• Incident triage: Infolock set up and fine-tuned workflows to reduce false positives and hold low-priority true positives outside the event escalation process. The goal was to avoid
  “chasing ghosts” and make the most efficient, cost-effective use of data security resources.
• Comprehensive reporting: Infolock provided daily system reports, weekly operational reports, and ad hoc reports. For example, a “Breakdown of 2nd-Level Responses” status report helped ACR understand anomalous activities, process glitches, and optimal staff allocations.
• Collaborative consulting: Infolock led weekly team meetings to assess incidents and recommend tuning, held quarterly reviews to identify key milestones for the next period, and presented an annual program plan to measure risk maturity.
• Real-time responsiveness: Infolock’s dedicated analyst for ACR provided instant feedback and nimble solutions whenever challenges arose. ACR did not have to call a support center, log into a portal to open a ticket, or wait for a callback from tech support.

The Results

Outsourcing DLP to Infolock has delivered many benefits to ACR, including:

• Faster initial assessment of risk conditions: Infolock’s pre-tuned policies and custom workflows enabled ACR to start detecting the risk of data loss quickly.
• More accurate, efficient incident response: Infolock’s first-tier triage has eliminated many false positives and created a workflow to set aside low-priority incidents for later review. As a result, only high priority incidents are escalated, optimizing the efforts of second-tier
  support.
• Improved incident visibility and mitigation: Another outcome of Infolock’s DLP program has been an increase in the number of incidents identified, reported, and resolved. One of the most effective mitigation techniques is automatic data encryption.
• Better quality control: Infolock’s DLP system exposed policy violations and outdated processes, enabling ACR to improve procedures, secure sensitive data, and reduce risk.
• More mature risk posture: Infolock’s managed services freed ACR to focus on high-level analysis and decision-making — a hallmark of risk maturity.
• Cost savings: Compared to managing all of the end-to-end DLP activities in house and hiring dedicated staff accordingly, outsourcing DLP to Infolock has represented a substantial cost savings.

To download the fancy PDF version of this case study, click here.