Home » Time Capsule » Currently Reading:

Time Capsule: Your Co-Workers Are Your Biggest IT Security Problem

July 22, 2011 Time Capsule No Comments

I wrote weekly editorials for a boutique industry newsletter for several years, anxious for both audience and income. I learned a lot about coming up with ideas for the weekly grind, trying to be simultaneously opinionated and entertaining in a few hundred words, and not sleeping much because I was working all the time. They’re fun to read as a look back at what was important then (and often still important now).

I wrote this piece in June 2006.

Your Co-Workers Are Your Biggest IT Security Problem
By Mr. HIStalk

I’ll bet that every hospital in the country has had sensitive information fall into unauthorized hands at least once. The VA, big banks, and universities have skilled security teams to prevent employees from exposing data, accidentally or otherwise. If those large organizations can’t control breaches, the average hospital doesn’t have a chance.

Health care organizations have spent years and hard-won dollars trying to catch up to the IT standards of other industries, where nearly all employees have enjoyed easy access to PCs, e-mail, and both wired and wireless networks. However, once the green-screen terminals went away, so did the last chance to keep confidential data secure. Data convenience is both a blessing and a curse.

CIOs and network engineers spend hours trying to out-think shadowy foreign Internet hackers when the real problem involves the co-workers they pass in the halls each day.

Employee security policies provide a false sense of security. The headlines scream that information on 26 million veterans has been breached, not that the VA had a great policy broken by a rogue employee who took data home without authorization, only to have it stolen.

Employees may drag laptops or USB drives home because their employer doesn’t have a good remote access solution to let them work from home. Perhaps backups are unreliable, leading cautious staff to create their own. Maybe software policies or budgets are so limited that common productivity tools aren’t available, making it tempting to load data onto the family PC. Whatever the reason, employees are breaking the rules.

Accidental data loss is bad enough, but one study found that 70 percent of employees have stolen electronic data from their employer, most often in the form of e-mail lists, databases, and documents. The most common reason: to help them get a new job. Three-fourths of those surveyed didn’t see anything wrong with that, especially if the employee helped create the information in the first place.

Security technology can help, but it requires tough decisions. Most hospitals don’t have the budget or organizational willpower to disable USB ports, remove CD-RW drives and floppies, buy encryption software, and install physical locks on laptops. Even if they did, web controls are inadequate to prevent using Hotmail accounts or online file storage that provides a non-hardware method of moving data to unauthorized locations. For that matter, there’s that old security hole called a “printer.”

Maybe the best security policy is to avoid storing anything that would be useful to someone else. People get paranoid about their medical information, but it has little monetary value (unless you’re a celebrity or political candidate). A hospital’s internal documents and policies probably aren’t all that interesting to competitors, but you might reconsider storing Social Security and credit card numbers.

The good news is that the recent health care-related breaches have been accidental, where well-meaning employees screwed up. For that reason, I’d put my IT security money into employee education, awareness, auditing, and protection tools for laptop users instead of obsessing over Boris and his hacking team. That’s the best hope of staying out of the headlines.

Even then, I’d develop a damage control plan for a breach. There’s a good chance it will get used.

View/Print Text Only View/Print Text Only

HIStalk Featured Sponsors


Subscribe to Updates



Text Ads

Report News and Rumors

No title

Anonymous online form
Rumor line: 801.HIT.NEWS



Founding Sponsors


Platinum Sponsors





























































Gold Sponsors
















Reader Comments

  • Sam Lawrence: Except in this case, coding = medical billing, not development. Though the same warning may be true...
  • BeenThere: Partners will find the savings from their cuts of coders as fools gold. There are a lot of hidden costs running an outs...
  • JC: If there is not there can be. VistA has a reference lab interface that can create the manifests/labeling and such as we...
  • Tom Cornwell: Great stuff from Dr. Jayne as usual. One small typo, last sentence of second-to-last paragraph: should be 'who's' not 'w...
  • HIT Observer: What I find most interesting here, is people defending their common practices rather than truly taking this as invaluabl...
  • Bob: There's no incentive for the provider to spend time doing a price comparison for the patient. Nor is it a good use of th...
  • Peppermint Patty: Veteran - can you clarify what was "fake "? Was something made up (definition of fake) or did you disagree with Vapo...
  • Pat Wolfram: Such a refreshing article. Thanks -- there really can be a simpler version of an acute HIT implementation. But I do ...
  • Woodstock Generation: Bravo to HIStalk's Weekender recaps and other news/opinions. I read it first thing on Monday mornings..................
  • Veteran: #fakenews...

Sponsor Quick Links