
Southern New Hampshire University Data Breach at Strand Memorial Hospital Discussion


In a normal business day, you will be required to think about the organizational needs for data protection versus privacy protection. Understanding the data (whole records and pieces of records) and the categorization of data is important when evaluating these needs.

Consider your case study from the previous week. This week, the story takes a twist: “Headline! Data Breach at Strand Memorial Hospital!” Information on the breach has been published in an article detailing that the stolen USB drive contained sensitive patient data, including social security numbers and insurance information in plain text.

For your initial post, answer the following question:

As a practitioner, would you approach this issue from a security perspective (protect the data through encryption) or a privacy perspective (protect the data by not moving it outside of the network in the first place)? Justify your response.

POST 1

Approaching this issue should be done from a security standpoint. This is a clear breach of security in the hospital, where information got outside of the facility that was not supposed to. Handling an issue like this needs to be addressed at the most basic levels first. According to the book, there are three main ways to safeguard the organization’s information (1):

  • Deciding which users can get into a system—HR employees may be the only employees who are allowed to reach sensitive information stored on an HR server.
  • Monitoring what the user does on that system—Certain HR employees might be allowed to view documents, but other HR employees might be able to actually edit those documents.
  • Restraining or influencing the user’s behavior on that system—An HR staffer who repeatedly tries to view restricted information might be denied access to the entire system.

The use of USBs in the hospital setting should not be allowed. The sensitive nature of the information, mixed with the HIPAA laws, makes USBs a recipe for disaster. “Attackers may also use their USB drives to steal information directly from a computer. If an attacker can physically access a computer, he or she can download sensitive information directly onto a USB drive” (2). This sums up the exact scenario described above, and the mitigation recommendations are as follows (2):

  • Do not plug an unknown USB drive into your computer. If you find a USB drive, give it to the appropriate authorities (a location’s security personnel, your organization’s information technology [IT] department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.
  • Take advantage of security features. Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
  • Keep personal and business USB drives separate. Do not use personal USB drives on computers owned by your organization, and do not plug USB drives containing corporate information into your personal computer.
  • Disable Autorun. The Autorun feature causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
  • Use and maintain security software, and keep all software up to date. Use a firewall, antivirus software, and anti-spyware software to make your computer less vulnerable to attacks, and keep the virus definitions current (see Understanding Firewalls for Home and Small Office Use and Recognizing and Avoiding Spyware for more information). Also, keep the software on your computer up to date by applying any necessary patches (see Understanding Patches and Software Updates for more information).

Note that encryption and password protection are recommended in the second bullet point.
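The discussion prompt turns on a concrete question: what was on the drive, and in what form. The following is an added example, not code from either post or from the course material, showing the two halves of that decision in working code. The security half is a classification pass that finds plaintext Social Security numbers in records (applying the SSA issuance rules so that not every nine-digit number is flagged); the privacy half is an export gate that will not let a restricted record onto removable media until the SSN has been replaced with a keyed HMAC token, so the raw identifier never leaves the network. The record layout, field names, sample values and the export key are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Formatted SSN: area-group-serial (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample records (not real patient data) in an assumed key=value
# layout; the field names are an assumption made for this example.
SAMPLE_RECORDS = [
    "id=1001 name=J. Doe ssn=123-45-6789 plan=ACME-PPO member=A1B2C3",
    "id=1002 name=R. Roe dob=1980-02-14 note=follow-up in 3 weeks",
    "id=1003 name=K. Poe ssn=000-12-3456 plan=ACME-HMO",
    "id=1004 name=M. Moe ssn=219-09-9999 plan=ACME-HMO",
]


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: the area is never 000, 666 or 900-999, the group is
    never 00 and the serial is never 0000. Anything else shaped NNN-NN-NNNN is
    treated as an SSN, which errs on the side of flagging."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Every plausibly valid SSN in text, in order of appearance."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_valid_ssn(*m.groups())]


def classify(text: str) -> str:
    """Data categorisation for one record: 'restricted' if it carries a
    plaintext SSN, otherwise 'internal'."""
    return "restricted" if find_ssns(text) else "internal"


def pseudonymise_ssns(text: str, key: bytes) -> str:
    """Replace each valid SSN with a keyed HMAC-SHA256 token. The same key and
    SSN always give the same token, so records still link within an export,
    but the SSN cannot be recovered from the token without the key, and the
    key stays inside the network."""
    def repl(m):
        if not is_valid_ssn(*m.groups()):
            return m.group(0)
        tag = hmac.new(key, m.group(0).encode(), hashlib.sha256).hexdigest()[:16]
        return f"SSN-TOKEN-{tag}"
    return SSN_RE.sub(repl, text)


def prepare_export(records: list[str], key: bytes) -> tuple[list[str], int]:
    """Gate for data bound for removable media. Restricted records are
    pseudonymised before they are allowed out; the count of records touched is
    returned so the operator can see how much PHI the export involved."""
    exported, restricted = [], 0
    for record in records:
        if classify(record) == "restricted":
            restricted += 1
            record = pseudonymise_ssns(record, key)
        exported.append(record)
    return exported, restricted


if __name__ == "__main__":
    # The key value is an assumption: in practice it is a managed secret kept
    # on the hospital network, never stored beside the exported file.
    out, touched = prepare_export(SAMPLE_RECORDS, b"export-key-kept-on-network")
    print(f"{touched} restricted record(s) pseudonymised before export")
    for line in out:
        print(line)
```

Run as a script, the gate reports that two of the four constructed records were restricted and shows the tokenised output; the record with area 000 is left alone because it is not an issuable SSN. Tokenising rather than encrypting the export is a deliberate choice for this scenario: an encrypted drive protects the data only as long as the key is not lost with it, whereas a tokenised export carries nothing a thief can decrypt, and the linkage key never needs to leave the network.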

POST 2

In the above scenario I would approach this from a security perspective. Privacy is a major concern, especially when dealing with HIPAA requirements, but my belief is that if the data is encrypted as soon as it is created, the issue of where the data resides is less of a concern. In this case, if the data on the lost or stolen thumb drive had been encrypted, then the data would have been protected, and thus the privacy concerns addressed. Privacy breaches can be mitigated through robust security practices.

Cheers,

Ryan
