
Time Capsule: Your Co-Workers Are Your Biggest IT Security Problem

July 22, 2011 | Time Capsule

I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).

I wrote this piece in June 2006.

Your Co-Workers Are Your Biggest IT Security Problem
By Mr. HIStalk

I’ll bet that every hospital in the country has had sensitive information fall into unauthorized hands at least once. The VA, big banks, and universities have skilled security teams to prevent employees from exposing data, accidentally or otherwise. If those large organizations can’t control breaches, the average hospital doesn’t have a chance.

Health care organizations have spent years and hard-won dollars trying to catch up to the IT standards of other industries, where nearly all employees have enjoyed easy access to PCs, e-mail, and both wired and wireless networks. However, once the green-screen terminals went away, so did the last chance to keep confidential data secure. Data convenience is both a blessing and a curse.

CIOs and network engineers spend hours trying to out-think shadowy foreign Internet hackers when the real problem involves the co-workers they pass in the halls each day.

Employee security policies provide a false sense of security. The headlines scream that information on 26 million veterans has been breached, not that the VA had a great policy broken by a rogue employee who took data home without authorization, only to have it stolen.

Employees may drag laptops or USB drives home because their employer doesn’t have a good remote access solution to let them work from home. Perhaps backups are unreliable, leading cautious staff to create their own. Maybe software policies or budgets are so limited that common productivity tools aren’t available, making it tempting to load data onto the family PC. Whatever the reason, employees are breaking the rules.

Accidental data loss is bad enough, but one study found that 70 percent of employees have stolen electronic data from their employer, most often in the form of e-mail lists, databases, and documents. The most common reason: to help them get a new job. Three-fourths of those surveyed didn’t see anything wrong with that, especially if the employee helped create the information in the first place.

Security technology can help, but it requires tough decisions. Most hospitals don’t have the budget or organizational willpower to disable USB ports, remove CD-RW drives and floppies, buy encryption software, and install physical locks on laptops. Even if they did, web controls are inadequate to prevent using Hotmail accounts or online file storage that provides a non-hardware method of moving data to unauthorized locations. For that matter, there’s that old security hole called a “printer.”

Maybe the best security policy is to avoid storing anything that would be useful to someone else. People get paranoid about their medical information, but it has little monetary value (unless you’re a celebrity or political candidate). A hospital’s internal documents and policies probably aren’t all that interesting to competitors, but you might reconsider storing Social Security and credit card numbers.

The good news is that the recent health care-related breaches have been accidental, where well-meaning employees screwed up. For that reason, I’d put my IT security money into employee education, awareness, auditing, and protection tools for laptop users instead of obsessing over Boris and his hacking team. That’s the best hope of staying out of the headlines.

Even then, I’d develop a damage control plan for a breach. There’s a good chance it will get used.
