RE “HOSPITAL reports a possible data loss: Doctor misplaced drive that had held patient records” (Metro, Aug. 6): Alas, we learn of another situation wherein a hospital has lost personal information that it was entrusted, and legally required, to protect. In response to this unfortunate incident, the organization states that it will be “reviewing and augmenting our policies and procedures, and enhancing our training.”
Throughout the past several decades, data security has been addressed mainly through technology, at the expense of critical non-technical measures. While firewalls, virus protection, and encryption are necessary, they must be complemented by acceptable-use policies, employee training, and ongoing risk assessments. Security technologies are rendered meaningless by the irresponsible keystroke of an untrained, or unwitting, employee.
I have remediated dozens of data security incidents that were caused by an employee, contractor, or vendor who worked within the victimized organization. By opening infected e-mail links, using compromised USB drives, and storing sensitive information on portable storage devices, employees of our most renowned institutions expose our data to unauthorized access daily.
Data breaches will continue to occur unless and until there is widespread recognition that technology alone is insufficient to protect personal information.
The writer is president of an information security consultancy.