With the recently updated HIPAA rules being approved and HITECH data breach notification laws starting to be enforced, information security is going to be in the news more than ever. And not in a good way. I'd put good money down that in the next few years, as these new laws really come into effect, we'll see an explosion of data breach disclosures. But more than that, they're going to be of this variety:
That's because, with all the talk over "policy" and "best practices", we still don't have a culture of security that lends itself to keeping data where it belongs and out of the hands of those that shouldn't have it. Just take a look at these recent data breaches. What do I mean by a culture of security? It's twofold, and invloves:
- Having a clear understanding of what it means to have secure data. Not just knowing that encryption is "good" but how it actually helps secure data and in what ways it differs from other techniques like passwords, limited access, etc.
- Making data security a habit and a default mode of thinking, rather than reactive or secondary. The question of data security should never be along the lines of "should I do more to secure this?" but rather "is it ok to do less?" Presume a level of highest defense, and then learn where you can relax standards.
It should go without saying that you need #1 before you can really get to #2, but unfortunately I think it's a common practice for businesses to try and skip right to #2, providing little or no training for the individuals they are entrusting and expecting to follow through with the procedures in place. You can build the most impenetrable castle in all the land, but if you don't properly tell your soldiers when and why to open the drawbridge, sooner or later you're going to have a trojan horse on your hands.
Do I expect everyone in an organization to know the difference between TLS and AES, what asymmetric key cryptography is, or how to forge email headers? No, of course not. For any organization dealing with sensitive data, creating a culture of security isn't about technical knowledge as much as it is an attitude. You don't have to know how encrypted email works, but you should know how, when, and why to send and receive it, and never miss an opportunity where it's called for.
Part of the problem for many organizations is that they will need to create this culture from scratch. Dealing with the security of digital information is not something that the health industry (or finance, or government, or really anyone for that matter) has had to deal with in the past. It's a different beast, and requires education and commitment. Fortunately, we finally have some good tools for the job. For example, Greenview Data's hosted email encryption service makes it incredibly easy to send encrypted email. Besides the smart content filters that automatically catch and encrypt emails containing sensitive data, a user can send an encrypted email by simply including a key word in the subject line such as "SecureIt". But without a culture of security, these tools will go to waste. Again, it will probably take a few years and a lot more missteps before we get there, but everyone's got to start somewhere.
Interested in developing a culture of security? Please share your thoughts and experiences in the comments below! Or give us a call at 800-458-3348 to talk to a Greenview Data encryption expert about how you can improve the culture of security at your organization.