
05/22/08 01:22 PM

HIMSS Report on Hospital Security

Posted in by Nick Staples

After writing my previous post referencing the security of hospitals and other health care institutions, I decided to do some more digging on what security breaches they might currently be dealing with. I came across the 2008 HIMSS Analytic Report: Security of Patient Data; it’s basically a report that summarizes patient privacy survey results given by senior executives from health care organizations across the United States.

One interesting excerpt from the report:

Respondents reported that their organizations take educating their employees about the importance of securing patient data very seriously. The data also suggests that most of the breaches reported surround inadvertent access…

Clearly most of these institutions believe that employee breaches are among the larger threats to patient data. The report shows that a large amount of attention is paid to educating employees and instituting policies and disciplinary actions to protect against internal privacy breaches.

On the other hand, the report seems to indicate that there is less of a focus on malicious (and external) privacy breaches.

Noticeably absent were concerns around breach sources associated with malicious intent, such as stolen laptops, stolen computers, deliberate acts by unscrupulous employees, cyber attacks through the Internet, etc., supporting the lack of industry focus on fraudulent data breaches.

It seems to me that the security of hospitals is a bit lopsided. Although I agree that focusing on managing accidental privacy breaches by employees is important, I also think that it’s time they tightened up protection against malicious security breaches as well. As I posted before, these health care institutions might be the next big target for identity thieves to get their data. It would be nice if hospitals were a bit more prepared.

3 Comments for HIMSS Report on Hospital Security

“The report shows that a large amount of attention is paid to educating employees and instituting policies and disciplinary actions to protect against internal privacy breaches.”

Ugh. If systems were designed with security in mind, this kind of approach would (and should) be redundant. I’ll quote what I’ve been calling Turnes’ Law (although if someone else said it first, I’ll stop doing that): “Technical problems can’t be solved with policies.”

If someone is intent on creating a breach of privacy, then they’re probably going to do it regardless of whatever penalties are in place. Similarly, if someone does it accidentally, then policies and disciplinary action are irrelevant.

Education and policies are fine and good, but they can’t be considered a solution for privacy and security concerns. They’re just a piece of the puzzle. Private data should be protected by more than a reliance on the user base to be voluntarily compliant. Policy should be used to plug up the holes that are technologically impossible (or overwhelmingly impractical) to fill, not as a panacea.

I agree that more attention needs to be paid to malicious intrusion as well. The fact that this lopsided approach exists is somewhat strange, although if an overwhelming majority of breaches are internal, then I guess it makes a slight amount of sense. Hopefully a more balanced approach can be taken to security in this sector…and not in the form of more policies.


Walt    05/22/08 03:02 PM    #

I believe the converse of Turnes’ Law, “Policy problems can’t be solved with technical controls alone,” is also true. There are some situations in which no amount of technical work will solve the problem. Training and education really are an important and necessary piece of the security puzzle.


Peter Hesse    05/23/08 09:08 AM    #

Turnes’ law and the Hesse Corollary are good complements. I think the tech side has one advantage over the policy side, however; tech has the advantage of coming up with new ideas to combat old problems, while the compliance side has to deal with the same tired human factors it always has. With this great power comes great responsibility; the tech side has to always try harder and be smarter. Science is fast; evolution isn’t.


Walt    05/24/08 02:56 AM    #