The handling of information about patients and their health care is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets stringent limits on what may and may not be done with health care information. Similarly, the Gramm-Leach-Bliley Act (GLBA) regulates privacy among providers of financial services. A variety of other state and federal rules and laws regulate information handling and privacy.
To ensure compliance with such regulations, some organizations and enterprises monitor the content of e-mails and file transfers. One or more points within data networks or computer systems are designated as barrier points, and data transferred across a barrier point is monitored. For regulatory compliance, an important barrier point is content transferred from internal data networks to the public Internet. Other important barrier points are wherever data may be written onto removable media, such as compact disks (CDs) or digital versatile disks (DVDs).
Content monitoring may also be configured to detect leaks of confidential information. Trade secrets of an enterprise, or information confidential to a customer, should be transferred out of the company only under controlled or authorized conditions.
Some enterprises set limits on how employees may use the company's computer and network equipment. For example, web sites with offensive or illegal content should not be accessed using company equipment. Data transferred into an enterprise can be monitored for content that violates acceptable use policies.
Known approaches to content monitoring allow the administrators of computer and network systems to establish specific policies that are automatically enforced by a content monitoring system. Each policy contains a rule that is applied to content transferred across a barrier point. Transferred content is suspicious or violating when it matches the pattern specified by the rule of any particular policy. When violating content is detected, the content monitoring system performs the actions specified within that policy.
For example, many credit card numbers contain 16 digits, the last of which is a check digit computed from the preceding digits by a formula (the Luhn algorithm). Such credit card numbers can be represented as a pattern or rule. A policy can include this rule together with actions, for example: to archive the content of the data transfer along with the time at which it occurred and the source and destination of the transfer; and to notify the system administrator via a page or an e-mail. A content monitoring system can apply this policy to data transfers that cross a barrier point in one or both directions.
A problem arises with such a policy in that legitimate transfers of credit card information occur routinely. For example, credit cards are routinely used to purchase airline tickets for employees who travel on company business.
An alternative rule would be violated only when a threshold number of credit card numbers, for example 20 or more, are included in a single data transfer. This alternative rule is more practical, because the system administrators supervising the content monitoring process are unlikely to be effective if the system falsely flags a substantial amount of innocent content as suspicious.
Nevertheless, this alternative is substantially less secure. Fraudulent use of 19 credit card numbers can create major problems. Further, a series of data transfers, each including, say, only three credit card numbers, does not violate the alternative rule, yet such a series of transfers is just as damaging as a single large transfer.
The reduced security of the alternative rule is more acceptable if content monitoring is adaptive. For example, a content monitoring system could typically operate using rules that are violated by 20 or more credit card numbers in a single transfer, but adapt to use a more restrictive rule in response to any violation that involves credit card numbers. Thus, there is a need for a content monitoring system that adapts content monitoring policies.
Another approach to compensating for the reduced security of the alternative rule is to archive all outbound content for later forensic analysis. For example, when the example credit card incident above occurs, forensic analysis could examine one or more of: 1) all outbound transfers that contain even a single credit card number; 2) all outbound transfers that originate from the device that is the source of the violating content; or 3) all outbound transfers from the user who sent the violating content.
However, archiving of all outbound content is practical only for relatively small enterprises that transfer out only a very limited amount of data; otherwise, an excessive amount of storage capacity is required.
Thus, there is a further benefit to adapting content monitoring policies. An adaptation triggered by an incident can selectively archive data based on the particulars of the violating content. As a specific example, in response to the example credit card incident above, a new policy can be added that archives any data transfers that match rule (1), rule (2), or rule (3) above.
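The following is an added illustration of the scheme described above (the 16-digit card rule with its check digit, the threshold policy, the adaptive tightening after a violation, and the selective archiving rules (1) to (3)); it is not code from the original document or from any product. Everything in it is assumed for the purpose of the example: the transfer record layout (`src`, `dst`, `user`, `when`, `content`), the policy fields (`threshold`, `scope`, `actions`, `adapts`), the `Monitor` class, and the constructed sample transfers. Card numbers are recognized as 16 digits, optionally separated by spaces or hyphens, and confirmed with the Luhn check digit.

```python
import re
from dataclasses import dataclass, field

# Rule for a 16-digit card number: digits optionally separated by spaces or
# hyphens, not embedded in a longer run of digits.  Each candidate is then
# confirmed with the Luhn check digit so that arbitrary 16-digit strings
# (order numbers, timestamps) do not match.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True when the last digit is the Luhn check digit of the preceding ones."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """All Luhn-valid 16-digit numbers in text, with separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Policy:
    name: str
    threshold: int                                   # violated when card count >= threshold
    scope: dict = field(default_factory=dict)        # e.g. {"src": "10.0.0.5"}; empty = all transfers
    actions: tuple = ("archive", "notify")
    adapts: bool = False                             # only the baseline policy spawns new policies


@dataclass
class Monitor:
    policies: list
    archive: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def inspect(self, transfer: dict) -> list[str]:
        """Apply every policy to one outbound transfer; return the violated policy names."""
        cards = find_card_numbers(transfer["content"])
        violated = []
        for policy in list(self.policies):           # iterate a copy: adapt() may append
            in_scope = all(transfer.get(k) == v for k, v in policy.scope.items())
            if not in_scope or len(cards) < policy.threshold:
                continue
            violated.append(policy.name)
            if "archive" in policy.actions:          # content plus time, source and destination
                self.archive.append({"policy": policy.name, "when": transfer["when"],
                                     "src": transfer["src"], "dst": transfer["dst"],
                                     "user": transfer["user"], "content": transfer["content"]})
            if "notify" in policy.actions:
                self.notifications.append(f"{policy.name}: {len(cards)} card number(s) "
                                          f"from {transfer['user']}@{transfer['src']}")
            if policy.adapts:
                self.adapt(transfer)
        return violated

    def adapt(self, transfer: dict) -> None:
        """Tighten monitoring after a card-number incident: rules (1), (2) and (3)."""
        existing = {p.name for p in self.policies}
        new = [
            # (1) any outbound transfer with even a single card number, now also paged
            Policy("any-card-outbound", threshold=1),
            # (2) every outbound transfer from the offending device (threshold 0 = always)
            Policy(f"all-from-src-{transfer['src']}", threshold=0,
                   scope={"src": transfer["src"]}, actions=("archive",)),
            # (3) every outbound transfer from the offending user
            Policy(f"all-from-user-{transfer['user']}", threshold=0,
                   scope={"user": transfer["user"]}, actions=("archive",)),
        ]
        self.policies.extend(p for p in new if p.name not in existing)


def with_check_digit(stem15: str) -> str:
    """Append the Luhn check digit to a 15-digit stem (used only to build sample data)."""
    return next(stem15 + d for d in "0123456789" if luhn_valid(stem15 + d))


def run_scenario() -> dict:
    """Constructed transfers: a routine booking, a bulk leak, then a small follow-up."""
    monitor = Monitor([Policy("bulk-cards", threshold=20, adapts=True)])
    cards = [with_check_digit(f"4111{n:011d}") for n in range(25)]   # constructed numbers
    alice = {"src": "10.0.0.5", "dst": "203.0.113.7", "user": "alice"}
    transfers = [
        dict(alice, when="09:00", content="Booking ref 77-1234, cards: " + " ".join(cards[:3])),
        dict(alice, when="09:05", content="\n".join(cards)),                 # the bulk leak
        dict(alice, when="09:10", content="three more: " + ", ".join(cards[3:6])),
        {"src": "10.0.0.9", "dst": "203.0.113.7", "user": "bob", "when": "09:12",
         "content": "quarterly report, no card data"},
    ]
    return {"violations": [monitor.inspect(t) for t in transfers],
            "archived": len(monitor.archive),
            "notified": len(monitor.notifications),
            "policies": [p.name for p in monitor.policies]}
```

In the scenario the first three-card transfer passes the 20-card threshold rule silently, the bulk transfer violates it and triggers the adaptation, and the later three-card transfer from the same user is then caught and archived by all three new policies, while an unrelated user's transfer with no card data is left alone. Archiving is thus confined to transfers selected by the particulars of the incident rather than applied to all outbound content.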