Case Study: Protecting Intellectual Property on the Go
Kettering Medical Center finds a solution to who sees the data, for how long, and how much data a user can view.
Martin Satter, the chief positron emission topography (PET) physicist at the Kettering Medical Center in Ohio, asked that question after his department created a sensitive medical presentation. He wanted his audience to view the browser-based presentation but not the underlying files—the hospital’s intellectual property.
Kettering offers PET, an imaging technology. Unlike x-rays or magnetic resonance imaging, which see anatomical changes, PET sees biochemical changes which can “occur before there are anatomical changes,” notes Satter. Long a research technology, PET recently became an accepted clinical tool. “It was only in 1998 that Medicare started paying for PET scans,” he says, and today Medicare covers 15 indications, all related to oncology.
Many referring physicians, however, aren’t yet familiar with clinical PET uses, so Satter wants to educate them. “We started putting together a CD-ROM with Flash and so on. We had 15 grand rounds that we took [viewers] through.” (Grand rounds are virtual versions of what happens in real life: doctors get together weekly to discuss cases, how patients presented, and to get feedback from peers.)
“At the end of the day, we realized—as we got close to completing the CD—that we’d sunk a lot of money into it but had no way to protect it. It could easily end up somewhere else, explaining PET for a competitor,” he says. “We wanted this to be universally accessible—but only for a select audience.”
Intellectual property theft is a too-real threat for many organizations. In 2001, U.S. businesses lost $50 billion to intellectual property theft, according to a study by the U.S. Chamber of Commerce, PricewaterhouseCoopers, and the ASIS Foundation.
Satter investigated products for encrypting the material. He wanted time-limited access, both to safeguard the information and because it changes every few months. Satter also didn’t want someone to be able to copy the Flash files and other information off the CD.
He found programs for encrypting CDs, but they wouldn’t work because after a user gained access, they gained complete access. “Most … were tied to a select executable where they put a special GUI or wrapper around the front, but … we didn’t have that. We had a browser-based experience that we wanted to encrypt.” Eventually he found SecurDataStor from EncryptX, which met his needs, and he adopted it.
“In our permission wrapper, you can have hundreds or thousands of users all accessing that content, all securely,” but without needing a server to verify identity, says David Duncan, president and chief operating officer of encryptX. He says the wrapper idea initially came after a graphics customer wanted users to see small images—previews—but not unlock large versions without paying.
At Kettering Hospital, PET marketing specialists take the CDs on the road. “This allows us to get the information in the hands of the people we want,” says Satter. Kettering has about 150 CDs ready at any one time, some with universal passwords that expire in a year, some with a unique password only good for three months. “It’s totally protected content, and we can basically decide how long somebody looks at it and who looks at it.” No extra software is required; users just log on with an ID and password.
The enterprise edition of SecurDataStor can maintain an audit trail of all access attempts. It can also lock information to a single computer, and it includes group-permission management tools. SecurAdmin, an administrative utility, lets security administrators create resource files tied to employee identity and relevant access privileges. These can be saved to removable media—say, a CD-ROM with a sales presentation. So even if end users can’t access a server to verify their identity, the resource file maintains security policies.
Companies can create granular security permissions for permission wrappers, but Duncan says a typical customer just creates a few profiles, such as prospect, customer, and consultant. The first two get limited access; the employee gets full access. “IBM, who’s our largest customer, has literally tens of thousands of employees working from home and … there was still a concern over how do you protect data? Maybe a consultant shares it,” he says. “Sloane Kettering was a different kind of example,” he notes. “They were concerned that their intellectual property was going to have legs.”
Duncan worked at the U.S. National Security Agency, and later built trusted computing systems. One takeaway from those years, he says, was the realization “that the most trusted systems would protect data the way [users] need to work. Yet most are not designed for the users.”
In other words, people need the ability to share and collaborate, without security getting in the way when it shouldn’t. “We’re really trying to solve problems of users who are distributed and remote and don’t have common computing platforms.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.