As the following story shows, physical security has its limits when it comes to data security. If one is securing data on paper (like medical forms), there is very little that can be done other than physical security. But when it comes to digital data, it always pays to secure it in some other way, in addition to physical security. If the HIPAA Breach Notification Rule is of concern, you couldn’t do better than use medical data encryption tools like AlertBoot FDE.
Popped Off Lanyard, 2000 Affected
According to journalstar.com, a doctor in Lincoln, Nebraska notified more than 2,000 patients that their PHI (protected health information) had gone missing when a USB thumbdrive disappeared. The last time it was seen, it was hanging from the doctor’s neck.
Patients’ names, dates of birth, addresses, and phone numbers were lost. In addition, some patients had their family members’ names breached (listed as next of kin, no doubt). Social Security numbers and financial information were not listed.
A news release by the doctor’s office had this to say:
“Although we believe that it is highly unlikely that this computer chip has or will be found by someone who can extract the information from it, we cannot be 100 percent sure, thus we need to timely notify our patients of this event”
Without mentioning what kind of security was used to protect the data (assuming some form of it was used), it’s quite misleading to say that it’s unlikely the thing will be found by someone “who can extract the information from it.” After all, if there was no protection on it – and their being forced to notify patients implies there wasn’t – then popping the thing into a computer’s USB port is all it takes, really.
Encrypt, Encrypt, Encrypt
Data security is like oral hygiene: you can’t just rely on one prevention method and call it quits. If you want to ensure that your visit to the dentist won’t involve drills or a pointy, metallic tool, brushing and flossing daily are required. Brushing only won’t do. It goes without saying that flossing alone won’t do, either.
Likewise, with data security, it’s not enough that you’re cognizant of always keeping data on your body, as the doctor did. (You can’t really get much closer than a lanyard around your neck. That’s skin-to-USB device contact.) There’s always the danger of it being stolen (literally snatched off your body, for example).