DOCUMENT Magazine - Winter 2012 - (Page 12)

COLUMN

Look After Your Own: Information Security Is Your Job Too

by Bob Larrivee

I like to watch what is going on in relation to information management—who doesn’t, right? The healthcare industry is on the move to go digital with patient records, supported by mandates and guidelines to enable this by 2014, or so goes the plan. In particular, one of the things I like to watch out for is the element of security, or lack thereof, for information resources.

I recently read an article about how the South Carolina taxpayer server had been hacked. An estimated 3.6 million social security numbers were accessed, along with 387,000 credit card numbers. To make the situation worse, all of the social security numbers and 16,000 of the credit card numbers were unencrypted.

The US Department of Health and Human Services (HHS) tracks reported incidents of security breaches of patient information by healthcare facilities and those who manage patient information. You see, in the same way the finance industry must notify you if they feel a breach has occurred related to your financial information, HHS mandates the healthcare industry do the same, and HHS lists those breaches affecting more than 500 people. This is all done in accordance with section 13402(e)(4) of the HITECH Act.

At the time of this writing, there were more than 400 incidents listed. The breaches range in nature from unauthorized access to theft, not only in paper form but in digital as well. Theft of paper, laptops and even network servers is cited as the cause of the breach. There are even incidents citing improper disposal of paper documents and x-rays, unauthorized access by email and some that are unknown; though I am not sure how they know something is missing from a computer but do not know the type of breach.

Many of the thefts or losses cited involve a PC or another electronic device that is not identified but could be assumed to be a thumb drive or perhaps a mobile device, such as a tablet or smartphone. The number of people impacted ranges from 500, the minimum required to be posted, to nearly one million in one of the instances cited.

In my view, this is a prime example of how organizations must move more aggressively to protect and secure their information. Analysis is required from all angles, not just a single perspective. Questions need to be asked, like: Should information be stored on laptops, tablets, thumb drives and smartphones? If so, what method of security or encryption will be used to protect the device? Are there capabilities to destroy the information through remote access if stolen? Is this an opportunity to leverage thin client applications and the cloud? Do we have adequate audit capabilities to monitor our environment? What about the human factor? Have we considered that in the mix?

While I do not have all of the answers, as each of these situations is unique in some way, I do have a lot of questions and so should you. Take time to step back and look at the whole picture. Locking down a server is one thing. Protecting your information is a whole other game. You should have a security strategy and identify the actual security requirements ranging from public to top secret. You should investigate options available like encryption, auditing and alert tools. You should build in a periodic assessment of your security practices and evaluate if what you are doing now will provide what you need for the future. You cannot start soon enough, and you should never end the quest to become better at information protection. Information security is everyone’s responsibility and is not dependent upon technology alone.

BOB LARRIVEE is an internationally recognized thought leader with over 30 years of experience in document imaging, content management, records management, the application of advanced technologies and process improvement. He is director of the AIIM Learning Center where he works to identify, develop and deliver specialized training in best practices, technology and methodologies. Mr. Larrivee can be reached at
