The loss of a CD (or its larger-capacity counterpart, the DVD) need not turn into a data breach if the correct security measures are in place. What are those security measures? There are several of them (don’t lose the CD to begin with, is one), but the use of CD encryption software is of importance if one’s dealing with sensitive information (and can’t avoid losing the disk to begin with).
A case from a couple of months ago shows how to do it correctly. The Dr Foster Unit (DFU) is, according to computerweekly.com, “an academic unit within the Division of Epidemiology Public Health and Primary Care at Imperial College, London.” There is some controversy regarding DFU because it’s involved in receiving patient-identifiable records from pretty much all UK medical patients.
I’m not going to debate this controversy. What I will point out is that the Dr Foster Unit has the correct practices in place when it comes to dealing with sensitive information on CDs and DVDs.
Disks Are Sent Encrypted
DFU holds 10 years’ worth of inpatient records, with more added each month. The medical records are used to improve the quality of patient care. This information is considered private and sensitive, naturally, since it’s medical information.
In order to guarantee that a data breach does not transpire, the information is sent by medical services on a monthly basis to DFU on DVDs by secure courier. (The use of a secure connection has its ups and downs when it comes to security–think Trojan horses and keystroke loggers, to begin with–so I’m guessing DFU intentionally receives the data on DVDs, but your guess is as good as mine on why they actually do it this way).
The use of a secure courier, of course, does not guarantee that the disks will arrive safely at their final destination. The NHS had a number of breaches in the past couple of years due to couriers losing packages. That is why the DVDs are encrypted using 256-bit AES encryption. This way, if CDs or DVDs are indeed lost in transit, the chances of a data breach occurring are virtually nil.
The use of disk encryption is not the end of it, though. Only select, named individuals are able to sign for the package, further ensuring that CDs and DVDs don’t go missing once the courier drops off the package. Just because data is protected via encryption doesn’t mean one should be cavalier on where it ends up.
Passwords to Decrypt the Protected Contents are Given to the Unit Separately
DFU further ensures the security of the data by storing it in a secure server room. Anyone who needs to access the data does so from dumb terminals that can reach the server. The dumb terminals are also in a secure room. The dumb terminals are not linked to the internet, no doubt to prevent those idiotic breaches that occur because P2P software was downloaded and installed, or because records were e-mailed or uploaded somewhere by mistake.
There are other things that DFU could be doing to secure data, but they’ve got the basics right:
Ensure only trusted people can access the data
Ensure those trusted people are able to access the data from restricted venues only. (No matter how much you trust people, they will at some point take the easy way out and, say, connect to a secure database from home)
Ensure that data is encrypted if being released from those restricted venues (the courier transports the data, so the DVD encryption was put in place)
Never, ever put an encrypted disk like a CD or DVD and their passwords in the same place