Tools help comply with privacy regulations

As the information systems security manager at Community Health Network in Indianapolis, a major part of David McLain’s job is to ensure that employees are adhering to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). That means making sure that protected patient health information isn’t transmitted in a noncompliant manner within or outside of the hospital system’s networks.

To monitor, audit and enforce compliance, McLain uses an automated tool called VIEW for Privacy Protection, a content monitoring product from Vericept Corp. in Englewood, Colo. VIEW, which stands for Vericept Intelligent Early Warning, uses hardware devices to sniff out and document e-mail, instant messages, chat sessions and peer-to-peer or file-sharing sessions that violate privacy rules on Community Health’s networks.
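The kind of outbound-content check a tool like VIEW performs can be sketched in a few dozen lines. The following Python is an added example written for this article, not Vericept's code: it scans constructed sample messages (none are real patient data) for PHI indicators such as Social Security numbers, medical record numbers, dates of birth and clinical terms, scores each message, and writes a redacted copy of the text to the audit record so the monitoring log does not itself become a second store of protected data. The pattern set, weights and threshold are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample traffic (message id, body). No real patient data.
SAMPLE_MESSAGES = [
    ("mail-001", "Hi Dr. Ruiz, patient MRN 00482913 SSN 123-45-6789 is asking about her diagnosis. Can you call?"),
    ("chat-002", "lunch at noon? the new cafeteria menu is up"),
    ("mail-003", "Attached: lab results for John Q. Sample, DOB 04/12/1961, HIV panel negative."),
]

# Indicator patterns: structured identifiers plus a small clinical vocabulary.
# These are assumed, illustrative patterns; a production set would be much larger.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "clinical_term": re.compile(r"\b(diagnosis|lab results|HIV|prescription)\b", re.IGNORECASE),
}

# Weight per indicator *present* (not per match); a message is flagged at or above THRESHOLD.
WEIGHTS = {"ssn": 3, "mrn": 3, "dob": 2, "clinical_term": 1}
THRESHOLD = 3


@dataclass
class Finding:
    message_id: str
    indicators: dict      # indicator name -> number of matches in the message
    score: int
    redacted_text: str    # what goes in the audit log; identifiers are masked


def redact(text: str) -> str:
    """Mask structured identifiers so the audit trail does not retain PHI."""
    out = text
    for name in ("ssn", "mrn", "dob"):
        out = PATTERNS[name].sub(f"[{name.upper()}]", out)
    return out


def scan_message(message_id: str, text: str) -> Finding:
    """Count indicator matches and compute a presence-weighted score."""
    indicators = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            indicators[name] = count
    score = sum(WEIGHTS[name] for name in indicators)
    return Finding(message_id, indicators, score, redact(text))


def scan_messages(messages) -> list:
    """Return findings for every message whose score meets the threshold."""
    return [f for f in (scan_message(mid, body) for mid, body in messages) if f.score >= THRESHOLD]


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding.message_id}: score={finding.score} indicators={finding.indicators}")
        print(f"  audit copy: {finding.redacted_text}")
```

Scoring on indicator presence rather than raw match count keeps one long lab report from outweighing a short message that carries an SSN and an MRN together, which is the combination a HIPAA reviewer actually cares about.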

VIEW is one of a growing number of products that are being offered up as automated tools for monitoring and auditing privacy compliance.

Vendors of such products hope to tap into concerns about liability issues, such as the need to comply with a growing number of privacy regulations, says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.

“Privacy is no longer just about the right way of doing things; it is also the legal way of doing things,” says Michelle Boggess, electronic data security coordinator at Baptist Health Care’s compliance office in Pensacola, Fla.

Many vendors have responded with compliance monitoring and enforcement products. “Everyone in the security space wants to take some credit for addressing privacy issues,” Lindstrom says.

It’s important to remember, however, that most of the tools are still evolving and remain largely untested in enterprise environments, says Roger Brown, an IT auditor at Jefferson Health System, a US$2 billion health care organization in Radnor, Pa.

Organizations need to first have good processes and policies in place for such tools to be effective, he says. But implemented properly, such automated tools can deliver far better efficiencies than manual compliance checks, which are “destined for failure,” Lindstrom says.

Most tools fall into one of two categories: products developed specifically to address privacy compliance; and repurposed products, such as spam-filtering software, that now focus on privacy issues.

Several vendors offer tools with privacy compliance as the core function.

Privacy compliance tools

IBM Corp.’s Tivoli Privacy Manager for e-business technology is one example. The product, which works with AIX, Solaris and Windows 2000 systems, is designed to monitor and enforce compliance at the transaction and application levels, says product manager Steve Adler.

A company can use Tivoli Privacy Manager to convert a written privacy policy into digital form and use those policies to control the manner in which applications and users access sensitive data. It gives companies a way to centrally create, edit, manage and audit policies that dictate which sensitive information is accessed, by whom it is accessed, the purpose for which it is accessed, and how it is shared, stored and eventually destroyed, Adler says.
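To make concrete what "converting a written privacy policy into digital form" means, here is an added Python example (not IBM's Tivoli code, and not a description of its internal format). It represents each policy clause as a rule binding a data category to a role and a stated purpose, evaluates access requests with default deny, honours a per-subject opt-out of particular purposes, and records every decision in an audit list. The rules, role names and purposes are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One clause of the digitised policy: who may access which data, and for what purpose."""
    data_category: str   # e.g. "medical_record"
    role: str            # e.g. "physician"
    purpose: str         # e.g. "treatment"
    retention_days: int  # hypothetical: how long a copy taken for this purpose may be kept


# Hypothetical policy derived from a written privacy notice.
POLICY = [
    Rule("medical_record", "physician", "treatment", 3650),
    Rule("medical_record", "billing_clerk", "payment", 2555),
    Rule("contact_info", "marketing", "marketing", 365),
]

# Constructed consent state: subject id -> purposes the subject has opted out of.
CONSENT_OPT_OUTS = {
    "patient-7": {"marketing"},
}

AUDIT_LOG = []


def evaluate(request: dict, policy=POLICY, opt_outs=CONSENT_OPT_OUTS, audit=AUDIT_LOG):
    """Default-deny evaluation of an access request against the digitised policy.

    request keys: subject, data_category, role, purpose.
    Returns (decision, reason, matched_rule_or_None) and appends an audit entry.
    """
    decision, reason, matched = "deny", "no rule permits this category/role/purpose", None

    # Consent is checked first: an opt-out overrides any permitting rule.
    if request["purpose"] in opt_outs.get(request["subject"], set()):
        reason = "subject opted out of this purpose"
    else:
        for rule in policy:
            if (rule.data_category, rule.role, rule.purpose) == (
                request["data_category"], request["role"], request["purpose"]):
                decision, reason, matched = "allow", "matched policy rule", rule
                break

    audit.append({**request, "decision": decision, "reason": reason})
    return decision, reason, matched


if __name__ == "__main__":
    for req in [
        {"subject": "patient-7", "data_category": "medical_record", "role": "physician", "purpose": "treatment"},
        {"subject": "patient-7", "data_category": "contact_info", "role": "marketing", "purpose": "marketing"},
        {"subject": "patient-9", "data_category": "medical_record", "role": "billing_clerk", "purpose": "treatment"},
    ]:
        print(req["role"], req["purpose"], "->", evaluate(req)[:2])
```

The purpose is part of the rule key, so a billing clerk allowed to read a record for payment is still denied when the stated purpose is treatment; the audit entries are what an auditor would review to confirm that the digitised policy matches the written one.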

Other examples of privacy-specific products include WebXM software from Watchfire Corp., Vontu Protect from Vontu Inc. and Liquid Machines from Liquid Machines Inc.

Waltham, Mass.-based Watchfire is selling its privacy tool as a component of a wider Web site management and quality assurance tool. WebXM can be used to scan Web sites for information collection practices, links to privacy policies, user-tracking practices and Web page security practices that affect privacy.

San Francisco-based Vontu’s product, meanwhile, is targeted at insider threats and allows companies to monitor their networks for transmission of confidential customer or employee information, says Doug Camplejohn, a company vice-president.

Lexington, Mass.-based Liquid Machines’ product is aimed at helping companies protect sensitive documents and data by controlling who gets access as well as where, when and how access is granted, according to CEO Jim Schoonmaker.


Repurposed tools

Ottawa-based Coast Software Inc. is one vendor that has repurposed its product for privacy compliance. Coast’s Web Quality Central software, originally developed as a quality testing tool for Web sites, is now marketed as a tool for monitoring privacy compliance.

Go Jobs Inc., a Newport Beach, Calif.-based online job-posting site, uses Coast’s Web Quality Central to monitor Web site content and functions. The software periodically scans Go Jobs’ 50,000 Web pages, searching for privacy issues such as pages missing a P3P privacy policy, pages with links containing personal information and pages with potentially dangerous data leaks.
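Two of the checks described for the Go Jobs scan (a page lacking a P3P policy reference, and links that carry personal information) can be reproduced with the standard library. The Python below is an added example, not Coast Software's Web Quality Central: it parses constructed HTML pages offline, looks for the `<link rel="P3Pv1">` policy reference element or a `P3P` response header, and flags outbound links whose query strings contain an e-mail address or a parameter name that conventionally carries personal data. The sample pages and the parameter-name list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Constructed sample pages keyed by URL; no real site content.
SAMPLE_SITE = {
    "https://jobs.example.test/": {
        "headers": {},
        "html": """<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head>
                   <body><a href="/jobs?ref=homepage">Browse jobs</a></body></html>""",
    },
    "https://jobs.example.test/apply-thanks": {
        "headers": {},
        "html": """<html><head><title>Thanks</title></head>
                   <body><a href="/jobs?ref=thanks">More jobs</a>
                   <a href="/apply?job=42&email=jane@example.test">Apply again</a></body></html>""",
    },
}

EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.IGNORECASE)
# Parameter names that conventionally carry personal data (assumed list).
PII_PARAM_NAMES = {"email", "ssn", "phone", "dob", "name"}


class _PageParser(HTMLParser):
    """Collect the P3P policy-reference flag and all anchor hrefs from one page."""
    def __init__(self):
        super().__init__()
        self.has_p3p_link = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1":
            self.has_p3p_link = True
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])


def link_carries_pii(href: str) -> bool:
    """True if any query parameter name is a known PII field or its value looks like an e-mail."""
    for key, value in parse_qsl(urlparse(href).query):
        if key.lower() in PII_PARAM_NAMES or EMAIL_RE.search(value):
            return True
    return False


def scan_page(url: str, html: str, headers=None) -> list:
    """Return (issue, detail) tuples for one page."""
    parser = _PageParser()
    parser.feed(html)
    issues = []
    has_p3p_header = "P3P" in {k.upper(): v for k, v in (headers or {}).items()} and True
    if not (parser.has_p3p_link or "P3P" in {k.upper() for k in (headers or {})}):
        issues.append(("missing_p3p_policy_reference", url))
    for href in parser.links:
        if link_carries_pii(href):
            issues.append(("personal_info_in_link", href))
    return issues


def scan_site(site: dict) -> dict:
    """Scan every page and return {url: [issues]} for pages with at least one issue."""
    report = {}
    for url, page in site.items():
        found = scan_page(url, page["html"], page.get("headers"))
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, issues in scan_site(SAMPLE_SITE).items():
        for issue, detail in issues:
            print(f"{url}: {issue} ({detail})")
```

Checking the `P3P` header as well as the `<link>` element matters because a site can publish its policy reference either way; a scanner that looks at only one will report false positives against pages that are actually compliant.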

The reports generated give Go Jobs a detailed overview of the company’s privacy compliance, as well as Web site accessibility and operational security standards, says Jonathan Duarte, president of the online job board.

“Privacy is a primary concern for us,” Duarte says. With about 7,000 visitors to the site daily, any compromise of personal information “could put us in a world of financial hurt. Coast’s software is our insurance policy,” he says.

Likewise, Alpharetta, Ga.-based CipherTrust Inc. is repositioning its IronMail antispam and antivirus product as a tool for controlling the use of encrypted e-mail at companies in industries affected by HIPAA or Gramm-Leach-Bliley.

Vendors of content protection software such as Waltham, Mass.-based Authentica Inc., Boston-based SealedMedia Inc., and Palo Alto, Calif.-based PSS Systems Inc. are also rushing privacy compliance products to market, says Joshua Duhl, an analyst at Framingham, Mass.-based IDC.

Such products focus on post-delivery protection of documents and Web content via encryption and the enforcement of policies related to how the data is to be accessed, stored, copied or printed.

“Compliance is probably the best opportunity that these vendors have had to provide value with their products,” Duhl says. “All of the digital rights management vendors have some sort of story around compliance, whether it be the fact that they are doing encryption of the data or making sure there is no leakage of information.”