January 28, 2010
Privacy Concerns Plague Corporate America
Thousands of personal records were exposed last week after a break-in at a Government of Ontario ministry. Hundreds of thousands of personal records dating back to the Clinton years went missing after the White House IT staff lost three hard drives two years ago. An unknown amount of data was illegally accessed in December when a number of US corporations and defense contractors, including Google, were hacked by a group believed to be based in China. Each week, it seems, a new story emerges about data loss and personal privacy. As more and more of our personal information and critical business data is stored online or on accessible servers, protecting that information becomes more and more important.

I am sitting in a two-day conference in Toronto addressing Health Information Privacy, Safety and Security. Aside from myself, the three dozen attendees are either lawyers or public health administrators. Many of the major health care centers and hospitals in the city are represented, and each has an enormous responsibility over an enormous amount of extremely sensitive information. From a technician's perspective, these folks have their work cut out for them. The need to communicate between health care providers is obvious: specialists need to know what a person's general physician knows, and general practitioners need to know if various specialists have prescribed medicines or other forms of care. At the same time, the need to take extraordinary safeguards to guarantee that patient information is secure is equally obvious. There are no easy answers. For every system, there's a malicious person who thinks it should be broken, and for every malicious person who thinks a system should be broken, there are two or three who think the information found within is there to be exploited. Speakers have addressed the types of attempted attacks they have faced, the most successful having been ones resembling uber-hacker Kevin Mitnick's social engineering exploits.
So what is a beleaguered network administrator to do? According to many of the speakers who've addressed the conference, there's not a lot an admin can do, with the exception of pushing for proactive processes designed to protect sensitive data. One large Canadian government ministry, for instance, has a 28-page list of rules governing how workers behave and how data is stored: no outside data storage devices, computers that time out after being left alone for more than five minutes, and stringent sign-in and sign-out procedures when logging onto a server. Another large organization present at the conference assigns unique IDs to each piece of information and to each employee. It comes down to discipline on the part of the company, the organization and the workers. Protecting sensitive information isn't just good business; in most jurisdictions, it is the law. From what I'm hearing at this conference, data security is one of the most pressing problems in both the public and private sectors. It's 11 o'clock.... Do you know where your data is? More on privacy tomorrow.