I’m not sure what happened when a doctor from Sick Kids left his hard drive in the middle of Pearson International Airport, but I’m willing to bet he didn’t go running to the hospital’s IT manager.
The report on Friday of a second privacy breach at the Hospital for Sick Children in less than a year raises a number of questions, including what kind of policies and guidelines staff are given when they are transporting sensitive material, and why it took months before the breach was revealed. It also highlights the fact that privacy, at least in terms of personal information lost or exposed through user error, is not really an IT department responsibility. It’s a line-of-business issue, and many departmental executives may be ill-prepared for their responsibilities.
Taking the latest Sick Kids incident as an example, there’s little the IT department could do to protect the drive that went missing, which reportedly contained information on those who had gone through eye exams of some kind. It’s possible the data could have been better encrypted, and there are a couple of technologies (like CompuTrace) that could probably have assisted those trying to track the device down, but this was a human screwup. Someone was probably just careless, absent-minded or simply distracted while moving through the busiest airport in the country. Better IT would not have kept that data any more private, or less prone to exposure.
Line of business managers could easily fall prey to the same kind of accident. What makes it even more challenging is that in many cases, the devices storing the data are not IT department-issued at all but personal equipment that managers have brought into the enterprise. Some companies are already prohibiting users from downloading certain information to mobile computers they don’t own or control, but it’s an area of vulnerability that is only going to get worse.
We’re probably fortunate, in fact, that medical records are still relatively difficult to download and read on anything other than a laptop. Once mobile phone makers create better user interfaces, expect the privacy snafus to escalate considerably, because if it’s easy to misplace a laptop in an airport, imagine how much simpler it would be to do the same thing with a smart phone, or perhaps a memory stick.
Departmental executives need to do a couple of things. First, they need to perform an inventory on the devices they personally own but which may be used for work. What level of security is already in place and what might need to be upgraded? Are there technologies that could be added to help easily recover a device if it goes missing for some reason? Are there organization-wide guidelines or procedures with which personal devices need to comply before they can be used for work purposes? This is where a dialogue with IT should probably begin, and it may lead some IT managers to reject requests that such devices be able to access a corporate network.
A potentially bigger challenge will be for line of business executives to think in “big picture” terms of what kind of data they are managing, and what kind of responsibilities they have towards protecting the privacy of that information. We usually tackle these cases by looking at what kind of safeguards IT departments or senior management could have put in place from the beginning. As time goes on, the focus will be much more on what individual employees are doing to bolster those safeguards. No one is merely a VP of marketing, finance or HR anymore. If you touch customer or employee data in any way, shape or form, you’re a chief privacy officer, too.