Neil Chesanow just published a very informative article for Medscape titled “Why Your Patients’ Data May Not Be Safe: 5 Steps to Protect It.”
I had the pleasure of talking with Neil as he was writing the article and I must say that I’m impressed with the 5-step approach he outlines to prevent privacy breaches.
Although written from a medical/healthcare point of view, the steps can be applied to help any business or organization think through some of the issues surrounding the protection of sensitive and confidential files and data.
One of the more critical points that I believe Neil highlighted is how important it is to control access to confidential information. Access to sensitive files and data should only be granted to people who are required to use it as part of their job. Not every employee or external partner should have access to all company information. And it’s easy enough to control and enforce access by applying simple rules and policies.
Monitoring, reporting and auditing file and data activity is another critical point raised by Neil. Who accessed sensitive information, when and how many times they accessed it, whether they moved or sent it to another location or person, and whether and how the transmission and the file itself were secured and encrypted are all important pieces of information from both an internal security policy and a compliance perspective. Believe me, you don’t ever want to have to turn down an eDiscovery judge’s request for an audit trail for a particular file or communication because you are not able to provide it.