You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting stuff in the cloud is dangerous.
When I mentioned to a client of mine that some of their users were using consumer file sharing services there were noddings of heads, murmurs of assent, and an “OMG how does he know?” Less than five hours after I mentioned it in a meeting, an exec from one of the stakeholder groups got a call from security stating that her team was violating policy by using Dropbox. This client had deployed an Enterprise Content Management platform. One of the key drivers for the platform is sharing of content among collaborators. One of the key inhibitors is Citrix. So, what do the users do? They email documents to each other. They store stuff on local drives. They get laptops with intellectual property and personal information stolen, and can’t wipe the laptops or recover the content. They use cloud services to store sensitive information. And security struts around proudly thinking they’ve done something. They have; they’ve created a security hole bigger than the one they tried to plug. Hell, even the frickin’ President was storing company confidential documents in his personal Dropbox account.
So I mention to the client that they may want to use an Enterprise File Syncing and Sharing (EFSS – I really don’t like this term) service like, I dunno, BOX! (Yeah, I like Box. So what?) Their Director of IT Infrastructure tells me that the execs are scared of any service that stores data in the U.S. because of the PATRIOT Act. Really? Do they not know that Canada has an equally odious piece of legislation? Do they not realize that if the U.S. government wants to get at stuff in Canadian data centres they will? And dig this … Box is working on something that would let the customer (that’s you, btw) maintain control of, and access to, encryption keys. No more sneak attacks by those pesky gubbmint people. Hey, they can still come to you and ask, but at least you’ll know, no? Can you imagine!?!
Every time I have these types of conversations with people I usually end up wanting to lay a choke hold on someone. Whether it’s for spreading FUD (Fear, Uncertainty, Doubt) or for believing it … I’m not sure which irritates me more.
Blocking access to file sharing services doesn’t work. People will find other ways to connect (e.g., phones make great Wi-Fi access points) or email documents around. Instead of blocking access to consumer services, IT and security ought to: 1) find out why staff are using the services in the first place; 2) identify and provision SECURE enterprise grade services; 3) develop appropriate policies for using EFSS services, including remedial action for violating the policies. If staff are using consumer services to share business content it’s a pretty safe bet something is wrong with the corporately provided tools. Fix them.
Part of the fix may actually be to provision EFSS to staff. Think about it before you have a freakin’ hissy fit. EFSS providers make money by providing a secure way for people to share content and collaborate. How do you make money? What’s your core strength? Hell, you can’t even stop your staff from sharing content unsecurely (is that even a word?).
Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.
Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.
The following links are to the stories on the CTV News site.
I’ll update this post if I hear anything from anyone involved.
Note to Medicentres – Please direct this to Dr. Arif Bhimji
I’m writing to you in regard to the theft of a laptop containing health information of approximately 620,000 Albertans.
My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above-mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.
First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.
To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.
To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.
The complete lack of mention about the breach on your (Medicentres) website does not provide me with the sense that Medicentres is giving this matter the due it requires. That’s just my opinion as an Albertan, one of your patients, and as someone that makes a living by advising organizations about the proper management and handling of information.
That you’ve made some policy adjustments is great; however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone that doesn’t absolutely need it to do their job. If you need some help sorting this out let me know; I’d be happy to help.
To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.
Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.
To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.
To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.
As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.
Update January 29, 2014 …
Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres’ home page.
“I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them. The Commissioner approved the form and wording of the notification.
The website is updated regularly and the information is found under the patient tab and has been present there since the announcement. I have asked the operations people to consider putting some information on the main landing page.
Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy. This information is available on our website and also by calling our call centre if you wish more detailed information.”
Update January 31, 2014
Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.
Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, your details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.
After reading about Conservative MP Joy Smith’s pornography filter idea on the CTV News site, I decided to respond to her and David Cameron (he’s the British PM, you know). You can read about Smith’s plan here. You should also watch the video and read the comments; very entertaining.
Dear Joy and David
I think it’s great that you’re trying to protect the children, but back off, will you? It’s not your job; it’s my job as a parent.
I don’t have any problem with using legislation to keep illegal content off of the internet. I do, however, have a huge issue with government trying to keep objectionable content off the internet. You see, only I can determine for myself and my children what is objectionable. You can’t, my neighbours can’t, my community can’t, … only I can make that determination. You are heading into territory that smacks of censorship. You are advocating that government make moral decisions for citizens. You have no mandate nor right to do this.
Personally, I have no objection to pornography, as long as it depicts one or more consenting adults. I do object to any content that depicts or promotes racism, intolerance, Brussels sprouts, animal abuse, child abuse, elder abuse, Michael Jackson, Justin Bieber, spousal abuse, honour killings, violence against women, anti-gay sentiment, anti-pro-choice sentiment, … there’s a long list of things that I find objectionable. However, as long as it’s not illegal, leave it out there and let those of us with a couple of functioning brain cells decide for ourselves whether or not to check it out.
You mention that you’re proposing this to protect the children from pornography (among other things). Are you really certain that it will work? One of the issues is that parents aren’t actively filtering what their children can see when connected to the internet. What makes you think that applying a filter, which can be turned off, will change this? If Mummy or Daddy want to see naughty-naughty on the computer, they will turn the filter off and chances are that any kids using the computer will be able to view naughty-naughty because Mummy and Daddy haven’t set up the appropriate controls at the DEVICE and USER levels.
If Mummy and Daddy were smart or pro-active enough to set up the controls in the first place, the filter you propose would not be necessary. If they’re not smart or pro-active enough, the filter you propose won’t be effective because they’ll turn it off to view naughty-naughty and never control things at the user and device level.
Parents need to be more actively involved in what their children are doing online and offline. I have three children, two of whom are old enough to be computer users. I have taken the time to set up parental controls for each of them, and to monitor what they are doing online. This doesn’t mean that nothing gets by what I’ve put in place; it means that I am aware of anything getting by and I can adjust settings when I have to. It means that I actually talk to my children about their online activity. It means that I educate myself and my children about spending time online. It means that if my children come across something that disturbs or confuses them, whether or not it’s sexual, we discuss it as a family. It means that my wife and I take the time to have frank, age appropriate discussions about love and sexuality with our children. It also means that my children have more to their lives than just the internet.
Active, informed parental involvement, coupled with managing internet security settings (it’s not that hard and there are plenty of free resources and tools) will do far more to protect children from seeing porn on the internet than instituting a nanny state filter could ever hope to.
Joy and David, thanks for trying, but spend taxpayer money where it makes more sense. Education, healthcare, anti-poverty measures … these and many more initiatives can use all the money they can get. I’m fully supportive of doing whatever can be done to rid the internet of illegal content and bringing the purveyors to justice; but when it comes to censoring content that is legal, stay out of my house and off my internet.
Involved Parent & Internet User