Data is a highly valuable commodity nowadays, and a security breach can be immensely profitable for data thieves. So when you neglect to secure customer, subject, employee and partner data, you’re putting your entire business or organization at risk. All the personally identifiable information (PII), intellectual property, and unique data you capture to fuel your business or organization is your treasure trove, and it should be treated as such. HIPAA’s Privacy Rule lists 18 identifiers (names, Social Security numbers, medical record numbers, and so on) that must be stripped from a record before it counts as de-identified. But you don’t need to be in the healthcare field to know these types of personal information need to be protected. ANY information containing details about an individual must be protected, and EVERY system that stores, processes, or transmits this information has the responsibility to keep it secure. When your company, project, or organization houses PII, it means people are putting their trust in you. Therefore, you have not only a potential legal responsibility, but also a moral obligation to protect that data.
Difficult Lessons Learned
I recently attended a seminar at the Medical College of Wisconsin presented by Daniel Nelson (Director, Office of Human Research Ethics at UNC-Chapel Hill) titled Protecting Research Subjects in the Digital Age: Lessons Learned the Hard Way. He discussed a particularly nasty incident his research institution experienced when sensitive personal data from a healthcare study was compromised. In this case, the security hole existed for over a year, and nobody at the institution was even aware of the vulnerability until the data had already been exposed.
Since there were hundreds of study participants and thousands of records in jeopardy, the backlash was particularly painful. Proper research study protocol required sending notification of the breach to every test subject, along with alerting a media outlet: a PR disaster and an immensely time-consuming process.
The State of Wisconsin Department of Corrections has twice had information compromised, in one case by printing Social Security numbers on mailed letters. Another highly publicized occurrence is the theft of FBI laptops containing classified information. So if you’re a government office or an organization that receives funding from the federal government, be aware that this kind of mistake carries a higher risk of public exposure. And if the collected, then stolen, personal information is related to any sort of research or social work, or if the data contains any type of medical information, under-protected data means you’re also risking a lawsuit.
Unfortunately, identity theft is now commonplace. Millions of Americans are victims of identity theft every year, and the numbers continue to grow.
Protecting the Treasure
Pretend you’re protecting a more tangible treasure. Your protection system would work much like a bank vault: valuables are locked away in a safe with little external access. To protect data, you need a safe too, but a much higher-caliber model. You need a safe that cannot be opened without its key in any practical amount of time. Even if someone steals the safe itself, it stays shut; the thief would need a lifetime to force it, or would have to destroy the entire safe to get in, which in doing so would render the treasure useless.
How is this possible? With data encryption. Properly encrypted data is only as readable as its key is reachable: an attacker who copies your database files or walks off with a backup tape or laptop gets ciphertext, and without the key that ciphertext is worthless. The caveat a practitioner would add is that the key is now the treasure. If the key sits on the same disk as the data, or if attackers compromise a system while it holds the decrypted data in memory, encryption does not stop them. Keep keys in a separate, access-controlled store, limit which systems and people can use them, and log every use.
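The following is an added example, not code from the original SmartWave post, showing the "stolen safe" idea in working code. It encrypts a constructed sample participant record with AES-256-GCM from the Go standard library, then checks three things: the right key recovers the record, a stolen ciphertext contains none of the plaintext fields and cannot be opened with the wrong key, and any modified byte is detected. Key generation is done in-process only to keep the example self-contained; it assumes a real deployment would fetch the key from a KMS or HSM rather than store it beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for one row of study-participant PII.
const sampleRecord = `{"subject_id":"S-0042","name":"Jane Doe","ssn":"123-45-6789","diagnosis":"example"}`

// newKey returns a random 256-bit AES key. Assumption: in production the key
// comes from a separate key store (KMS/HSM), never from the same disk as the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per record is what makes reuse of the key safe.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. It fails on a wrong key and on any altered byte, because
// GCM authenticates the ciphertext before returning plaintext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksPlaintext reports whether the sealed blob still contains the SSN field
// in the clear, i.e. whether a thief could read it straight out of the "safe".
func leaksPlaintext(sealed []byte) bool {
	return bytes.Contains(sealed, []byte("123-45-6789"))
}

// demo runs the scenarios from the text. It returns, in order: the right key
// recovers the record; a thief with the ciphertext but the wrong key fails;
// a tampered ciphertext is rejected.
func demo() (rightKeyWorks, wrongKeyFails, tamperFails bool, err error) {
	key, err := newKey()
	if err != nil {
		return
	}
	sealed, err := seal(key, []byte(sampleRecord))
	if err != nil {
		return
	}
	pt, openErr := open(key, sealed)
	rightKeyWorks = openErr == nil && string(pt) == sampleRecord && !leaksPlaintext(sealed)

	thiefKey, err := newKey() // the thief has the safe but not the key
	if err != nil {
		return
	}
	_, openErr = open(thiefKey, sealed)
	wrongKeyFails = openErr != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, openErr = open(key, tampered)
	tamperFails = openErr != nil
	return
}

func main() {
	ok, wrong, tamper, err := demo()
	fmt.Println("right key recovers record:", ok)
	fmt.Println("wrong key rejected:", wrong)
	fmt.Println("tampering rejected:", tamper)
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

The point the example makes is the one the safe analogy glosses over: `open` succeeds only when the caller has `key`, so the security of the record reduces entirely to who can reach that key. The same code with the key stored next to `sealed` on disk would be a safe with the combination taped to the door.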
You can read all about data encryption and additional security measures in this SmartWave blog post—Data Encryption: Critical to the Security of Your Organization.
The Personnel Component of Personal Data
So if your physical treasure is kept under lock and key at the bank, WHO is your first line of defense? The bank teller, of course. Without the proper security measures in place, that teller might provide unauthorized access to your riches. In this way, data security also comes down to the implementation of proper and comprehensive policies and procedures.
When each individual within your organization is aware of the role they play in that promise to your clientele of proper data security, you ensure data security success. Having a vendor or an IT person suggest your systems are compliant simply isn’t enough anymore. Each cog in your wheel must understand the importance of the rules in place that keep your business in business and keep that personal data secure at each step in every process.
So data security isn’t just about systems—it’s about people, too.
That’s why, at SmartWave, we approach data security challenges from a comprehensive view. It’s important to understand both the digital component and the human component of your organization’s data security. That means all your policy and procedural documentation needs to be complete and up-to-date, AND each of your team members must understand their well-defined role within both your organization as a whole, and within each process.
So each person knows where to find the information needed to answer specific questions about their job, and the first question on each of their minds is always: are we respecting the privacy of our customer, client, or patient? Each person understands they will be held accountable for mistakes that result from not following a specific procedure. Each person knows exactly how to use the systems. And the systems themselves are built, configured, and maintained to be secure.
It’s true: often people are ultimately the drivers of data security issues. SmartWave can help your business or organization build the policies, the procedures, and the systems you need to ensure all that personally identifiable information you collect and store remains secure.