Maintaining Information Security and Privacy

Regular evaluation of training programs and internal procedures related to information security must be undertaken to ensure each employee is completing the necessary steps to safeguard information.

Posted by Joe Gerard in Corporate Security, Ethics & Compliance, Human Resources on August 9th, 2010

Early last week, a USB key containing hundreds of Ontario patient health information files was stolen. According to the CBC, the USB wasn’t encrypted and was stolen from the purse of a University Hospital Network (UHN) employee. The theft of these files has resulted in a call for efforts to increase the security of sensitive information. This is the second instance in under a year where private patient information was compromised in Ontario due to theft. The lesson learned from this story can be applied to any business that maintains client or customer personal information records: make sure sensitive information is encrypted. Controlling access to information can further prevent information security breaches, as the number of people viewing sensitive information is decreased. Regular evaluation of training programs and internal procedures related to information security must be undertaken to ensure each employee is completing the necessary steps to safeguard information.

Preventing Information Security Breaches

Preventing information security breaches needs to become a main priority for any company when handling both customer and company information. In regards to the above-mentioned incident, a CBC article “Hundreds of Ont. Patient Health Files Stolen,” quotes Ontario’s Information and Privacy Commissioner, Ann Cavoukian, stating:

“The ease with which we transfer information now and we engage in online activities, somehow it’s factoring into this and not making people go through the steps they need to.”

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

The ease of accessing and sharing information has significantly increased due to the use of e-mail, Internet, intranets, mobile devices and other portable technologies. These developments make communication easier and faster, but can also compromise data security. Here’s a list of steps companies can take to ensure sensitive information remains protected and prevent future information breaches from occurring:

1. Encryption

Data encryption is one of the easiest ways to ensure sensitive information is kept private.  Data encryption helps keep information secure, prevents companies from losses incurred from security breaches and noncompliance fines. To secure information, there are a number of different data encryption software solutions on the market, as well, it might be wise to invest in encrypted USB keys to avoid situations such at the UHN incident above. There are various levels of encryption strength, therefore, choose the level of encryption appropriate for the type of information on the server. Develop a policy for password strength. Longer passwords that contain a variety of numerical, symbol, upper and lowercase letter characters are more difficult to crack.

2. Access Controls

Restrict access to information based on an individual’s role within a company. This helps reduce the spread of information and the risk of information landing in the wrong hands. If certain projects require access to information for a specific period of time, provide employees with access to the information but restrict immediately after the project is completed.

3. Evaluate Training and Procedures

As with every other program or workplace procedure, train and reinforce data security protocols within the workplace. Effective training includes information on the risks and effects of information security breaches, the importance of following internal procedures to protect the privacy of information, as well as the various ways information security can be compromised. Training programs and procedures must be evaluated and updated on a regular basis to reflect new information related to security threats and laws. As mentioned at the beginning of this post, it’s important to ensure that each employee follows the established procedures and completes all of the steps necessary to ensure private information remains secure. Tailor training programs to different roles within the organization in order to address the different information security challenges throughout the entire organization. Every employee is responsible for ensuring information is kept secure, however, depending on the individual’s role in the company, they may be responsible for a greater number of information security related tasks.

Should an information breach occur, contact the Privacy Commissioner or similar regulatory body depending on the country of operation. In the case of last week’s privacy breach, the  UHN failed to report the incident to the commissioner based on the low numbers of compromised files. In the CBC article “Hundreds of Ont. Patient Health Files Stolen,” UHN president and CEO Dr. Bob Bell stated:

“‘There was a decision made that this wasn’t a significant enough breach to warrant informing the commissioner, and I’ve apologized to the commissioner for that,’ he said. He added that it is the UHN’s policy that medical information on any mobile device needs to be encrypted. ‘The employee had not realized that there was personal health information on that USB key,’ said Bell. The network is looking to make some changes to prevent future breaches, including the automatic encryption of any device that gets used by the network, he said.”


Joe Gerard
Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.

Visit Website