That means physical and IT security staff need to know exactly who is handling the sensitive data once it arrives at the storage facility. "The notion that [third-party] employees are above suspicion is kind of silly," says Gary Swindon, chief information security officer at Orlando Regional Healthcare, which has 10,000-plus employees. Companies should perform due diligence on their storage facility to ensure it's doing background checks on its own people, he says.
Alongside physical security, companies should also require third-party storage providers to sign a business associate agreement obligating them to maintain the same level of security over the data as the customer, in this case the business hiring the provider to store it. For health-care institutions, HIPAA requires such an agreement with any third party that handles protected health information on their behalf.
When it comes to internal departments, Swindon carries out what he calls routine "courtesy audits," a polite way of checking up on employees to make sure they are not violating security policies and know proper data-safety procedures. To cover those employees whose jobs require access to sensitive information, Swindon has deputized about 30 privacy and security liaisons at all levels of the organization, from unit nurses to food services employees, who monitor how private information is handled on a daily basis. "We give them a checklist of 10 questions" to ask the employees, Swindon says. Do they know who the security officer is and how to reach him? Are PC passwords posted on sticky notes on workers' monitors? Are papers with sensitive data in the trash? They shouldn't be.
With these controls, Swindon doesn't get overly concerned when he hears about high-profile breaches. "We've done some things to minimize the damage that something like that can cause."
This article was published in CSO Magazine under the title "Precious Cargo".