August 23, 2008 -- There's a story in the Times today about the loss of private information about 84,000 prisoners serving time in Great Britain, including names, addresses, and expected release dates (http://www.nytimes.com/2008/08/23/world/europe/23britain.html?_r=1&ref=europe&oref=slogin). This follows an incident less than a year ago in which private child benefit information on about a third of Britain's population was lost when two disks disappeared. For a social service or healthcare-related agency, such a loss can be worse than just embarrassing.
The use of flash drives -- otherwise known as thumb drives, pen drives, or jumpdrives -- has become ubiquitous and we can easily take them for granted. This can become a real problem for any organization where confidential information is stored on the drives. This problem can be very serious for social service and health agencies when staff keep client notes, chart information, and other personnel information on flash drives. The staff attitude may be that they are just doing this for convenience and that it's no big deal. However, the loss of a flash drive can actually result in a breach that causes the agency to violate its obligations under HIPAA regulations and exposes the agency to penalties.
Most commonly, the use of flash drives results from faulty computer systems that do not provide adequate access for users. For example, staff may work at different locations that have isolated systems, so that they cannot always open or save data to a single data store. When that happens, staff will resort to flash drives so that they can access the data they need. Or staff members may share computers but not have their own login identities, so to keep the data they are working on separate from other staff data, they resort to flash drives.
Moreover, senior management may not be aware of the practice or of its potential threats to their organization's reputation or compliance with regulatory requirements. As a result, no articulated policy exists and staff are left to their own devices (literally).
This is a case where technology has once again stolen a march on our policies and oversight. Technology always makes old organizational, management, and legal policies obsolete -- look what the Internet is doing to copyright in music and film distribution -- and my sympathy goes out to managers who have to deal with these issues. A flash drive lost by a staff member, whether because there is no policy or because the policy is unknown to, or ignored by, that staff member, can not only embarrass the organization but also open it up to regulatory sanctions. So, tough as it is, managers have to track how technology may affect their policies.