Reports from Canada about the theft of a hospital hard drive containing photos and videos of patients show how easy it is for data drives to go missing in public areas.
And the drive theft incident at Misericordia Hospital in Edmonton, Alberta, shows that – no matter what security policies an organisation has in place surrounding data security – hard-pressed staff will often take the easy option and ignore procedure.
So what is the solution? Clearly security policies surrounding the security of patient data were in place at this hospital, but they just weren’t followed, so the answer has to be to introduce multiple layers of security which staff simply cannot circumvent, even if they want to.
A PIN-protected portable hard drive is a good example of a multi-layered security system. Users can still have the benefit of AES encryption on the drive for security, but as an added measure, users must also know the passphrase of the security unit, without which they cannot access the data.
Had the Edmonton hospital used such a device, then even if the thief walked off with the drive, the unit would have locked automatically, meaning that access to the data would have been prevented.
Using this approach to data security is an ideal way of bolstering the existing data security defences in an organisation, in situations where existing IT security policies cannot be fully applied.
Data needs protecting whether it is at rest or in transit and, whilst encryption offers an excellent form of protection, adding extra layers of security in portable or back-up situations makes a lot of sense.
Had this incident happened in the UK, the Information Commissioner’s Office would have been on to the health body concerned very quickly indeed, and at the very least, publicly secured a written guarantee from managers that a change of security procedures – to prevent a recurrence – would take place.
That means that management heads will roll if an infringement of the Data Protection Act occurs again. This sort of incident – and the consequential publicity plus investigations that result – has a curious habit of significantly grabbing managerial attention.
Using multi-layered technology can not only avoid a data loss for whatever reason, it can also avoid dragging your organisation’s reputation through the mud, as has clearly happened with this hospital.