How many times have you heard the story? Hard disk goes missing, USB thumb drive goes missing, laptop goes missing...
Not a week goes by that we don't hear about our data going missing... Healthcare data is a big one, but we hear about credit card data, pricing info, corporate intellectual property...
When I have spoken at Security and IT conferences, part of my message is "Why do you give your users data to lose in the first place?" I don't suggest they can't have access to it... in fact I work for the company that provides the premier data security and desktop solutions that DO provide access. Access isn't the issue. 'Keeping the data' is the issue.
We are all human - we all make mistakes... I fault no one for having their car stolen or that they dropped a USB thumb drive. (well, except the thieves - I can certainly find some fault there) Where I find fault is in policy (or lack thereof sometimes) that allows users to carry around private, and important, data with them. Mr. Director of IT - It is your fault, not theirs. Ms. CSO - Look in the mirror.
It isn't like one can't find a network to access the data from. You are on a network right now. How many Wireless ones (wifi, mifi, cellular...) are there around you, right now? Allowing employees to remove data from the confines of (wait for it... ) THE DATA CENTER is just plain indefensible when it isn't required. The argument that the laptop had a password and the hard disk was encrypted is ridiculous. An encrypted drive tells thieves that before they sell the stolen unit for $75, they should crack the encryption and ascertain what the REAL value of the laptop is... credit card info, Identity info, pricing lists, banking transactions... a veritable treasure trove of info people give away on an 'encrypted disk'.
What started this latest rant on lack of data control was an article in Government Health IT that was forwarded to me by Denny Olson, an Oracle Principal Sales Consultant in Minnesota. The full article is here, but the point was that a couple laptops went missing in a couple different cases, and... well... no one knows where the data is, and yes - they were loaded with patient info. What were you thinking?
Obviously you can't steal data from a Sun Ray appliance... since it has no data, nor any storage to keep the data on, and Secure Global Desktop allows access from Macs, Linux and Windows client devices... but in all cases, there is no keeping the data unless you explicitly allow for it in your policy. Since you can get at the data securely from any network, why would you want to take personal responsibility for it? Both Sun Rays and Secure Global Desktop are widely used in Healthcare... but clearly not widely enough.
We need to do a better job of getting the message out - Healthcare (or insert your business type here) and distributed data don't mix. Then add Hot Desking and 'follow me printing' and you have something that Clinicians (and CSOs) love.
Thanks for putting up my blood pressure, Denny.