Monday, October 15, 2007

Clooneygate and the need to secure and manage data

So, it’s come to this: a fellow can’t even go to the hospital any more without his private medical records being considered fair game for journalists. With the headlines about George Clooney, we should all be appalled at how this happened, and we should be reconsidering what we need to do to ensure that the information we consider most important doesn’t end up where it shouldn’t be.

Here’s what happened: Clooney was injured in a motorcycle accident in New Jersey last month. He was taken to a hospital for treatment. Apparently, more than two dozen hospital workers were able to access his medical records, and at least one of them leaked some of that information to the media. The fact that such a disclosure is in direct violation of HIPAA regulations seems not to have bothered them at all.

Each of the workers has been suspended by the hospital for a month for the breach. And while Clooney himself has taken the high road (saying in a statement, “While I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.”), the incident points up a very real problem which businesses of all sizes face: the need to control data, especially sensitive data, using technology (such as encryption), policies (such as access control and background checks), education and, obviously, a big stick.

A significant portion of unauthorized accesses to private or corporate-critical information will not come from the outside. Many of these incidents will come from behind your firewall, from the workers within your company whom you trust every day, and most of them will be due to negligence rather than the deliberate misuse seen in this case. And when they succeed, not only do those people access information they really should not have, but they leave you vulnerable to being punished under any one of the myriad regulations that are out there, both from Federal and state governments (HIPAA, SOX, GLBA, Minnesota HF 1758) and from the private sector (PCI DSS).

Which, of course, reinforces the absolute need for companies to control their data from the moment it is created, and to ensure that only those people with an absolute need to know have access to it. Taking it further, companies need to remember that data does not exist solely on the network; it’s entirely possible that any one of the hospital workers may have copied Clooney’s medical information onto a USB drive and left the hospital with it.

While technology cannot prevent authorized users from accessing sensitive information for the wrong reasons (though access logging can at least record who looked at what, so that misuse can be found after the fact), it can make it harder for them to move that information outside the organization. Furthermore, technology can stop people who are not authorized to see private information from gaining access to it. Encryption and access policies that persistently reside with the data, not simply on the network, can render that data unreadable to anyone not authorized to see it, regardless of where the data ends up (a USB drive, a laptop, and so on).
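To make that last point concrete, here is an added example (written for this edit, not code from the original post or from any product) of encryption and an access policy that travel with the record itself. It assumes each principal holds a 32-byte symmetric key issued to them by a key server; the principal names, the record ID and the record text are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the sealed form of one record: it can be copied anywhere, and nothing in
// it yields plaintext without a key that unwraps one of the WrappedDEK entries.
type Envelope struct {
	RecordID   string
	Recipients []string          // the access policy: who may open the record
	Ciphertext []byte            // nonce||AES-256-GCM(record), AAD = policy
	WrappedDEK map[string][]byte // nonce||AES-256-GCM(DEK), one entry per recipient
}

// policyAAD serialises the policy so that GCM binds it to the ciphertext at seal time.
func policyAAD(recordID string, recipients []string) []byte {
	return []byte(fmt.Sprintf("%s|%q", recordID, recipients))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext under a fresh random nonce.
// crypto/rand.Read is documented never to return an error (Go 1.24+), so it is not checked.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to the ciphertext or the aad makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key or malformed ciphertext")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Seal encrypts record under a fresh data-encryption key (DEK) and wraps the DEK once
// per recipient. principalKeys holds each principal's 32-byte key (in practice: a KMS/HSM).
func Seal(recordID string, record []byte, recipients []string, principalKeys map[string][]byte) (*Envelope, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	ct, err := gcmSeal(dek, record, policyAAD(recordID, recipients))
	if err != nil {
		return nil, err
	}
	env := &Envelope{RecordID: recordID, Recipients: recipients, Ciphertext: ct, WrappedDEK: map[string][]byte{}}
	for _, p := range recipients {
		// The wrap's AAD ties this wrapped DEK to this record and principal, so it cannot
		// be transplanted into another envelope or into another recipient's slot.
		if env.WrappedDEK[p], err = gcmSeal(principalKeys[p], dek, []byte(recordID+"|"+p)); err != nil {
			return nil, fmt.Errorf("wrapping DEK for %q: %w", p, err)
		}
	}
	return env, nil
}

// Open recovers the record for principal, who presents their own key. It fails when the
// principal is not in the policy, the key is wrong, or the envelope was altered after sealing.
func Open(env *Envelope, principal string, key []byte) ([]byte, error) {
	wrapped, ok := env.WrappedDEK[principal]
	if !ok {
		return nil, errors.New("access denied: not a recipient of this record")
	}
	dek, err := gcmOpen(key, wrapped, []byte(env.RecordID+"|"+principal))
	if err != nil {
		return nil, errors.New("access denied: key unwrap failed")
	}
	pt, err := gcmOpen(dek, env.Ciphertext, policyAAD(env.RecordID, env.Recipients))
	if err != nil {
		return nil, errors.New("integrity failure: record or policy altered")
	}
	return pt, nil
}

func main() {
	// Constructed sample: a hypothetical physician key; "clerk" holds a key but is not in the policy.
	phys, clerk := make([]byte, 32), make([]byte, 32)
	rand.Read(phys)
	rand.Read(clerk)
	env, _ := Seal("MRN-0001", []byte("sample treatment notes"), []string{"physician"}, map[string][]byte{"physician": phys})
	pt, err := Open(env, "physician", phys)
	fmt.Printf("physician: %q, err=%v\n", pt, err)
	_, err = Open(env, "clerk", clerk)
	fmt.Println("clerk:", err)
	env.Recipients = append(env.Recipients, "clerk") // the clerk edits the policy on their copy
	_, err = Open(env, "physician", phys)
	fmt.Println("after tampering:", err)
}
```

The wrapped-key table is the access policy, and it travels inside the envelope: a copy on a USB drive is only as readable as the keys of the people listed in it, and because the recipient list is fed to GCM as additional authenticated data, editing that list on the copy breaks decryption rather than granting access. What this does not do is stop a listed recipient from reading the record for the wrong reason; that remains a matter for policy and audit.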

Again, this isn’t about George Clooney. It is about every company that must protect its information. Your data is constantly at risk, from within your organization and beyond. If you choose not to address the challenge from a holistic perspective, you run the risk of ending up in a true wreck…one that has nothing to do with a motorcycle.

1 comment:

Verna said...

Keep up the good work.