Home » Time Capsule » Currently Reading:

Time Capsule: Your Co-Workers Are Your Biggest IT Security Problem

July 22, 2011 Time Capsule No Comments

I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).

I wrote this piece in June 2006.

Your Co-Workers Are Your Biggest IT Security Problem
By Mr. HIStalk

I’ll bet that every hospital in the country has had sensitive information fall into unauthorized hands at least once. The VA, big banks, and universities have skilled security teams to prevent employees from exposing data, accidentally or otherwise. If those large organizations can’t control breaches, the average hospital doesn’t have a chance.

Health care organizations have spent years and hard-won dollars trying to catch up to the IT standards of other industries, where nearly all employees have enjoyed easy access to PCs, e-mail, and both wired and wireless networks. However, once the green-screen terminals went away, so did the last chance to keep confidential data secure. Data convenience is both a blessing and a curse.

CIOs and network engineers spend hours trying to out-think shadowy foreign Internet hackers when the real problem involves the co-workers they pass in the halls each day.

Employee security policies provide a false sense of security. The headlines scream that information on 26 million veterans has been breached, not that the VA had a great policy broken by a rogue employee who took data home without authorization, only to have it stolen.

Employees may drag laptops or USB drives home because their employer doesn’t have a good remote access solution to let them work from home. Perhaps backups are unreliable, leading cautious staff to create their own. Maybe software policies or budgets are so limited that common productivity tools aren’t available, making it tempting to load data onto the family PC. Whatever the reason, employees are breaking the rules.

Accidental data loss is bad enough, but one study found that 70 percent of employees have stolen electronic data from their employer, most often in the form of e-mail lists, databases, and documents. The most common reason: to help them get a new job. Three-fourths of those surveyed didn’t see anything wrong with that, especially if the employee helped create the information in the first place.

Security technology can help, but it requires tough decisions. Most hospitals don’t have the budget or organizational willpower to disable USB ports, remove CD-RW drives and floppies, buy encryption software, and install physical locks on laptops. Even if they did, web controls are inadequate to prevent using Hotmail accounts or online file storage that provides a non-hardware method of moving data to unauthorized locations. For that matter, there’s that old security hole called a “printer.”

Maybe the best security policy is to avoid storing anything that would be useful to someone else. People get paranoid about their medical information, but it has little monetary value (unless you’re a celebrity or political candidate). A hospital’s internal documents and policies probably aren’t all that interesting to competitors, but you might reconsider storing Social Security and credit card numbers.

The good news is that the recent health care-related breaches have been accidental, where well-meaning employees screwed up. For that reason, I’d put my IT security money into employee education, awareness, auditing, and protection tools for laptop users instead of obsessing over Boris and his hacking team. That’s the best hope of staying out of the headlines.

Even then, I’d develop a damage control plan for a breach. There’s a good chance it will get used.

View/Print Text Only View/Print Text Only


HIStalk Featured Sponsors

     







Subscribe to Updates

Search


Loading

Text Ads


Report News and Rumors

No title

Anonymous online form
E-mail
Rumor line: 801.HIT.NEWS

Tweets

Archives

Founding Sponsors


 

Platinum Sponsors


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Gold Sponsors


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Reader Comments

  • Brian Too: While I'm usually pretty forgiving about individual stylistic variations, I will say that I found Ed's final paragraph e...
  • From the Inside: It's great to see that Ed was so impactful on the NYC H+H IT "broken division" in his continuing quest to save the worl...
  • AynRandWasDumb: This article is so vague it amounts to platitude. What is my takeaway as a reader? That Ed did such a great job and he h...
  • Brian Too: I've always loved AC/DC. One tidbit others might enjoy. The movie "School of Rock" performed an awesome cover of "It...
  • Steve Natz: I have been a reader of HIStalk for several years and have always enjoyed these articles along with the industry news to...

Sponsor Quick Links