Posts Tagged ‘policy’

Evolution of Policy Management

Posted in Business and Security on June 2nd, 2010 by Paul

Policies, procedures, guidelines, standards.  Most organizations have these in some form or another but how the organization manages these important “documents” is quite telling.

The Story Teller

These organizations rely on word of mouth.  People just “know” what the procedure is or what they are “supposed” to do.  Just like nomadic tribes passing down their history from generation to generation through the use of stories, these organizations pass down standards from new hire to new hire through the proverbial grapevine.  Policies, procedures, and standards are only as good and consistent as the story.

The Stone Tablet

These organizations go through the process of creating and documenting policy, procedure and standards but once written, these documents are never visited again.  They sit on the shelf gathering dust and if they are ever reviewed, they tend to be years or even decades out of date.  These documents lose their relevance and efforts to update them become a monumental task with little payback.

The File Clerk

These organizations keep their documents filed either physically or electronically on a file server.  They may even have a numbering system and a process to review and renew the documents.  These documents are sometimes difficult to find due to multiple storage locations, and the review process is sometimes overlooked because there is relatively little control or ownership.

The Document Management System

These organizations use a system that manages review cycles, has an approval workflow, keeps version control, and supports multiple file types.  Policies, procedures, and standards are kept current as the process becomes part of the organizational culture.  Documents have owners and clear responsibility.  Standards for systems are documented and current, as the single system provides a central repository and process for updating.

Where does your organization sit in the evolution of policy & procedure management?

Learning From Someone Else’s Breach

Posted in Business and Security, Should Have Known Better on November 20th, 2009 by Paul

A subsidiary of managed health care provider Health Net Inc. just reported the loss of personal information for 1.5 million customers, a loss that occurred six months ago, according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and the thinking of the Health Net leadership during this incident, so take that into account.  Hopefully there are some lessons learned for other organizations, both in the management of sensitive information and in the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated, yet you are putting seven years’ worth of personally identifiable information on a portable hard drive, unencrypted.  They may need to reconsider the processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach, but the delayed timing suggests, in the best case, that there was no incident response plan in place.  In the worst case, one has to ask if their leadership was dragging its feet, hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former, that they simply did not have a plan for dealing with this type of disclosure, which is really not acceptable.  If your business maintains sensitive information about customers, then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years, and they were put there to prevent this type of “keep it quiet” behavior that had been commonplace in business.  The AG is attacking Health Net on this very issue, and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time... that is, until you experience a breach.

Ex-Lover Busted, But Not Totally to Blame

Posted in Business and Security, Should Have Known Better, Workstation Security on September 21st, 2009 by Paul

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.  (Misdirected spyware infects Ohio hospital.  McMillan, Robert.  17 September 2009.  ComputerWorld.)

Graham certainly gets what is coming to him.  Sending spyware to your ex is more than a little creepy.  However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices.  The hospital has an obligation to protect this information, yet they allow an employee not only to access personal e-mail but also to download and install an application.  In this case it turned out to be spyware.

Unfortunately, this is a common occurrence.  Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC.  I’m not talking about pictures of Grandma Edith and the new puppy, but rather peer-to-peer file sharing and communication applications, games, and other programs of amusement.  This places companies at risk for the accidental release of personal information or the compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to decide whether they are running a business or a playpen.  It may be safer (and less expensive) to put in a foosball table and a pinball machine than to suffer the consequences of a breach.