Electronic theft of data is on the rise. Robert Israel, MIS, MHCH, vice president and CIO of John C. Lincoln Health Network in Phoenix, addressed the issues of physical and electronic theft and how to keep equipment and patient data protected in a Monday session at HIMSS 2007, “Keeping Data Safe and Secure.”
The challenge begins with understanding users and devices, Israel said. He urged IT professionals to determine which users need which rights, to be consistent in communicating security policies, and to scan for all devices and applications to determine whether each is actually necessary: “when we did this, we were shocked at the number of modems on [older] PCs that were hooked up to live phone lines that we didn’t know about and put us at risk,” Israel said. Of particular concern were CD burners, USB devices and even iPods, all of which allow unauthorized copying of healthcare data.
Israel stressed the need to identify every device that will be approved for use, for example specifying a single model of encrypted thumb drive as the only permitted one. Policies should go beyond read-only permission: automate encryption and authentication, and set transfer size limits. For example, nothing over 2 MB should be put on a thumb drive without approval. All hard drives on the network should be encrypted to guard against PC or data theft, and password protection must always be maintained.
Securing management buy-in to new policies is key, as is the widespread communication of those policies in regular (weekly or monthly) “did you know” email updates to users. “Communicate policies and reasoning to end-users early,” he said. “An unenforceable policy is worse than no policy at all because of the legal risk.”
Security should not be a hurdle to anyone’s job, so IT needs to learn how people actually work and make sure new controls do not impede them.
Data being downloaded or transferred needs to be tracked as it is read from or written to devices, and policies adjusted in light of what the tracking shows so that productivity is not sacrificed. When suspicious behavior appears, drill down to find the cause and the parties involved.
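The device allow-list, size limit and approval exceptions described above, together with the tracking and drill-down, can be expressed as a small policy check run over device read/write records. The following is an added example written for this page, not code from the session or from John C. Lincoln Health Network. The log format, the approved device’s vendor:product id, the per-user hourly ceiling and the approvals table are all assumptions for illustration; the sample log lines are constructed.

```python
"""Removable-media transfer policy check over constructed device read/write records.

Added example for this page; the log format, device ids, thresholds and approvals
below are assumptions, not a description of any real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: one encrypted thumb-drive model is the only approved device,
# identified by its USB vendor:product id (hypothetical value).
APPROVED_DEVICE_IDS = {"0951:1666"}
SIZE_LIMIT_BYTES = 2 * 1024 * 1024          # "nothing over 2 MB without approval"
# Assumption: approvals granted out of band, keyed by (user, filename).
APPROVED_TRANSFERS = {("rjones", "quarterly_census.xlsx")}
HOURLY_VOLUME_LIMIT = 20 * 1024 * 1024      # hypothetical per-user hourly ceiling

# Constructed sample records: ts|user|host|direction|device_id|serial|filename|bytes
SAMPLE_LOG = """\
2007-02-26T09:12:03|rjones|WS-1422|write|0951:1666|A1B2C3|quarterly_census.xlsx|3145728
2007-02-26T09:15:41|rjones|WS-1422|write|0951:1666|A1B2C3|memo.docx|51200
2007-02-26T09:20:10|tsmith|WS-0917|write|0781:5567|ZZ9901|patient_list.csv|819200
2007-02-26T09:21:55|tsmith|WS-0917|write|0781:5567|ZZ9901|images.zip|1048576
2007-02-26T09:25:00|mlee|WS-0331|read|0951:1666|F9E8D7|labresults.pdf|409600
2007-02-26T09:40:22|mlee|WS-0331|write|0951:1666|F9E8D7|export1.csv|10485760
2007-02-26T09:41:05|mlee|WS-0331|write|0951:1666|F9E8D7|export2.csv|10485760
2007-02-26T09:42:30|mlee|WS-0331|write|0951:1666|F9E8D7|export3.csv|1048576
"""


@dataclass
class Event:
    ts: str
    user: str
    host: str
    direction: str   # "read" or "write"
    device_id: str   # USB vendor:product id
    serial: str
    filename: str
    size: int


def parse_log(text):
    """Parse the pipe-separated records; a malformed line is an error, not skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 8:
            raise ValueError(f"malformed log line: {line!r}")
        ts, user, host, direction, device_id, serial, filename, size = fields
        events.append(Event(ts, user, host, direction, device_id, serial, filename, int(size)))
    return events


def decide(event):
    """Apply the policy to one event: allow-listed device first, then the size limit."""
    if event.device_id not in APPROVED_DEVICE_IDS:
        return "deny", "unapproved_device"
    if (event.direction == "write" and event.size > SIZE_LIMIT_BYTES
            and (event.user, event.filename) not in APPROVED_TRANSFERS):
        return "deny", "size_limit"
    return "allow", "policy_ok"


def evaluate(events):
    """Return per-event decisions plus alerts for denials and for unusual hourly volume.

    Volume is counted on attempted writes, denied ones included: a user who keeps
    trying large exports is exactly the case the session says to drill into.
    """
    decisions, alerts = [], []
    attempted = defaultdict(int)        # (user, hour) -> bytes the user tried to write
    flagged_hours = set()
    for ev in events:
        verdict, reason = decide(ev)
        decisions.append((ev, verdict, reason))
        if verdict == "deny":
            alerts.append({"user": ev.user, "kind": reason, "host": ev.host,
                           "detail": f"{ev.filename} ({ev.size} B) to {ev.device_id}/{ev.serial}"})
        if ev.direction == "write":
            key = (ev.user, ev.ts[:13])     # bucket by calendar hour
            attempted[key] += ev.size
            if attempted[key] > HOURLY_VOLUME_LIMIT and key not in flagged_hours:
                flagged_hours.add(key)
                alerts.append({"user": ev.user, "kind": "volume", "host": ev.host,
                               "detail": f"{attempted[key]} B attempted in hour {key[1]}"})
    return decisions, alerts


def drill_down(events, user):
    """Everything one user did with removable media, for the follow-up investigation."""
    return [ev for ev in events if ev.user == user]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    _, found = evaluate(evs)
    for a in found:
        print(f"ALERT {a['kind']:<18} user={a['user']} host={a['host']} {a['detail']}")
```

On the constructed records the approved user’s 3 MB census file is allowed because it is in the approvals table, every write to the non-approved device is denied, the two 10 MB exports are denied on size, and the third export tips that user over the hourly ceiling and raises a volume alert even though it was individually within limits. The alert records are what a supervisor or the CIO would receive under the proactive-alerting recommendation; `drill_down` returns the full activity of one user for the investigation that follows.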
Beware of USB devices, of which Israel showed examples that resembled pieces of sushi, a watch and a hamster on a wheel. In 2006, 110 million thumb drives were shipped, and they now come in capacities up to 64 GB. Each one is a potential channel for improper data transfer, and as the devices get cheaper their use spreads.
Israel’s overall recommendations include:
- Keep data where it belongs – on the server;
- Prevent unauthorized data transfers;
- Reduce hardware and software conflicts;
- Talk to end-users, communicate policies and procedures regularly and explain the need for them;
- Document exceptions and communicate the reasons for them;
- Limit peripheral capabilities such as CD-ROMs, floppy drives, extra hard drives, modems, thumb drives and memory sticks;
- If transporting data on removable media, make sure the data are encrypted;
- Encrypt all data on the network, and coming off the network – including desktops, wireless, PDAs and peripherals;
- Track data – and who is uploading and downloading what;
- Implement proactive alerts for unauthorized access – send emails to supervisors, the CIO and others;
- “Lo-Jack” your laptops;
- Beware of endpoints – that is where enterprises are most vulnerable; and
- Bring real examples of security breaches to your board of directors to prove the continued need for vigilance, policies and procedures and continued investment in security.