Although the Durham Health Region was ordered by Ontario’s Privacy Commissioner to encrypt its data after an employee misplaced a USB key containing tens of thousands of patients’ medical records, a security expert thinks encryption alone still won’t be enough.
In January, the Durham health authority said it had lost the medical records of 83,000 patients when a nurse misplaced a USB key at its Whitby, Ont., headquarters. The unencrypted data had been amassed from H1N1 flu vaccine clinics between Oct. 23 and Dec. 15, 2009.
Fiaaz Walji, Canadian country manager for security vendor Websense Inc., said Ontario privacy commissioner Ann Cavoukian’s order that the Durham Health Region “strongly encrypt” its data when stored on a portable device like a USB stick or laptop is one good step among many others.
“She’s absolutely right that it should be encrypted, but I think encryption is one piece of it,” said Walji.
The report from Cavoukian stated several requirements, including that “each of the 36 health units in Ontario conduct a review of its practices and procedures with regard to the encryption of mobile devices in order to ensure that any personal health information on those devices is strongly encrypted.”
There must be an overarching data loss prevention strategy that includes both technology and policy, said Walji. It may very well have been the case that the nurse was following a policy that allowed the data to be saved onto a memory stick, but that turned out to be the wrong policy, he said.
Policy should govern who may move what data where, and how, said Walji. Policies should also differ by department and data type. For instance, customer information should only be accessible by sales, customer service reps and maybe marketing. “Having said that,” said Walji, “should the customer service reps be able to cut and paste onto their computer? Is that an acceptable use policy?”
But while many enterprises focus on restricting certain types of endpoints, Walji said Websense suggests the opposite approach, which is to restrict access to the content itself regardless of device. “It doesn’t matter whether you’re plugging in a Lexar (memory stick) or an iPod or a CD, as long as that information, like social insurance information, can’t leave the organization, you’re set,” said Walji.
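The content-centric approach Walji describes amounts to inspecting what is being written out rather than which device it goes to. As an added illustration (not code from the article, Websense or the Durham Health Region), the following Python implements such a check for one data type he names, Canadian Social Insurance Numbers: it finds nine-digit candidates, discards the ones that fail the Luhn checksum that real SINs carry (so phone fragments and patient IDs do not trigger it), and returns a block/allow decision that is the same for a memory stick, a CD burner or a cloud upload. The gate function, the threshold and the sample roster text are all constructed assumptions for the example.

```python
import re

# A SIN is nine digits, usually written as three groups of three. The
# lookarounds stop us matching a nine-digit run inside a longer number.
SIN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; real SINs satisfy it, so failing it rules out
    most nine-digit strings that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list:
    """Return the Luhn-valid SIN candidates found in text, digits only."""
    hits = []
    for m in SIN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(sin: str) -> str:
    """Mask all but the last three digits so the DLP log itself does not
    become a second copy of the sensitive data."""
    return "*" * (len(sin) - 3) + sin[-3:]


def transfer_decision(text: str, destination: str, threshold: int = 1) -> dict:
    """Device-agnostic gate: the destination is recorded for the audit trail
    but plays no part in the decision, which rests only on the content.
    'threshold' (assumed policy setting) is how many SINs trip a block."""
    hits = find_sins(text)
    action = "block" if len(hits) >= threshold else "allow"
    return {
        "action": action,
        "destination": destination,
        "sin_count": len(hits),
        "redacted": [redact(h) for h in hits],
    }


# Constructed sample: a clinic roster with two Luhn-valid SINs and one
# nine-digit string (123456789) that fails Luhn and must not be flagged.
SAMPLE_ROSTER = """\
Clinic: Whitby, 2009-11-02
Jane Doe, SIN 046-454-286, lot H1N1-0442
John Roe, SIN 123 456 782, lot H1N1-0442
Patient ID 123456789 (not a SIN), phone 905 555 0199
"""

if __name__ == "__main__":
    for dest in ("E:\\ (removable)", "cd-burner", "https://files.example.invalid"):
        print(transfer_decision(SAMPLE_ROSTER, dest))
```

Because the decision depends only on the content, the same policy blocks the roster whether it is headed for a USB key, a CD or a web upload; a device blacklist would need a separate rule for each. Rather than the SIN itself, the log carries only a masked form, since DLP systems that write out what they caught are a common source of secondary leaks.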
On the technology side, Walji said encryption is one item among others that include proxies, secured information management, digital rights management and access controls.
Walji advises that organizations take advantage of the out-of-the-box functionality in security tools, such as their PCI compliance features.
Misplaced USB keys aside, organizations ought to safeguard against sensitive data potentially going missing at the hands of disgruntled employees or the many contract developers who work with software companies, said Walji.
Cavoukian’s order to encrypt personal health information stored on mobile devices applies to all health units in Ontario. Walji said that although public and private sector organizations must improve their data safekeeping strategies, the government must also provide a stronger incentive for them to do so.
“It has been an honour system for a long time, the legislation has no bite,” said Walji, referring to the fact that retailers that lose customer data are not obliged to publicly reveal the loss.