Firewalls, intrusion detection systems, filtering solutions, etc. were put into place. In the meantime, users with access to all of that information could easily walk out the door with paper reports full of critical information and I never would have known it unless a problem occurred. But I had the toys to protect my technology!
Security must be looked at holistically. Information is in all forms, not just on the systems. Information Security must assess the risks to information in all forms and in how it is transmitted from one party to another. Ignoring that principal results in many breaches that occur.
3. Ineffective Awareness Programs - Another lesson that I learned is that users care about security, but only if it does not interfere with what they have to get done. The key in that statement is that they DO care about security. The users’ main concern, whether it is the person entering information in the waiting room, nurses, lab workers, or physicians and administrators, is that information and systems are available to do their jobs.
Very few people want to disclose private information to the wrong parties, or intentionally enter inaccurate information about patients into a system. They recognize that security is important. However, ineffective awareness programs do not create the culture needed to protect information at the human level.
Information security awareness is about teaching people to be part of a team to protect information. There are ineffective and effective ways to accomplish this. Effective programs will result in users being alert to parties trying to get information or access they are not entitled to. These programs are not viewed as a nuisance, but as a persistent tool that can help users effectively perform their job.
Without an effective program, accidental security breaches are likely to occur.
4. Failure to Control Access to Information – One of the trickiest parts of managing security is one of its most basic principals. Users should have access to sensitive information on a “need to know” basis.
The two main inhibitors of applying this principal is (1) failure to define what sensitive information is; and (2) failure to remove or modify access when employees leave their job and either take another position or no longer work for the organization.
Without defining what information and systems are sensitive, we tend to over-protect or under-protect information. This either results in wasted money or breaches. Neither is a desired result. The first step in protecting information is to classify what should be protected.
We also fall to the demands of “give me the access I need to do my job NOW!” We react to the demand, and don’t remove the access the user had that they no longer need.