Although the Durham Health Region was ordered by Ontario’s Privacy Commissioner to encrypt its data after an employee misplaced a USB key containing the medical data of thousands of patients, a security expert thinks that still won’t be enough.
In January, Durham Health authority said it lost the medical records belonging to 83,000 patients when a nurse misplaced a USB key at its Whitby, Ont., headquarters. The unencrypted data was amassed from the H1N1 flu vaccine clinics between Oct. 23 and Dec. 15 of 2009.
Fiaaz Walji, Canadian country manager for security vendor Websense Inc., said Ontario privacy commissioner Ann Cavoukian’s order that the Durham Health Region “strongly encrypt” its data when stored on a portable device like a USB stick or laptop is one good step among many others.
“She’s absolutely right that it should be encrypted, but I think encryption is one piece of it,” said Walji.
The report from Cavoukian stated several requirements, including that “each of the 36 health units in Ontario conduct a review of its practices and procedures with regard to the encryption of mobile devices in order to ensure that any personal health information on those devices is strongly encrypted.”
There must be an overarching data loss prevention strategy that includes both technology and policy, said Walji. It may very well have been the case that the nurse was following a policy that allowed the data to be saved onto a memory stick, but that turned out to be the wrong policy, he said.
Policy should define who can access which data, where it may go and how, said Walji. Policies should also differ by department and data type. For instance, customer information should only be accessible by sales, customer service reps and maybe marketing. “Having said that,” says Walji, “should the customer service reps be able to cut and paste onto their computer? Is that an acceptable use policy?”