Guest Column | July 15, 2015

When Employees Put Data At Risk: Medical IT Client Horror Tales That Will Convince You To Encrypt (Part 2)

By Delano Collins, Chief Information Officer, EDTS

Read Part 1

Previously, we chilled you with a haunting tale of a medical practice that would not listen to warnings to encrypt, even after an ex-contractor stole a computer holding unprotected private medical information. It caused our IT and security services company to end that relationship rather than risk being party to a damaging HIPAA violation.

Since any good horror movie needs a sequel (well, almost any), the fright continues.

Tale #2: A Salesperson, Scorned

Sometimes, even good clients unknowingly associate with bad people — and individuals in a desperate spot will find they’re capable of crimes you never would’ve guessed they’d commit. Luckily there’s IT security software that’s decidedly un-sentimental when it comes to being ready for anything a person might try.

Our client in this case is a nationwide reseller of medical appliances. Their sales team spans the United States, and sales team members each receive phones, tablets, laptops — all the devices they could ever need to do their jobs. For the business, the most important data on these devices is their list of clients, a lengthy and highly confidential trade secret. They audit who touches the client list and who copies it — and individual salespeople only receive a subset of the massive list. A former employee once managed to steal some of this client data and started a competing business, and the client didn’t want anything like that happening again.

Now, sales can often be feast or famine without reward for anything but results, and occasionally this company had to let people go. Unfortunately, some individuals who know they’re about to be in such a spot start to ponder more nefarious ways to make a living. One such salesperson in California received a fateful call from the company saying that she was being let go, and was instructed to send her laptop back. She replied with an angry “No.”

The company called us right away — fearing the worst — and we fired up our remote monitoring and management (RMM) program and mobile device security management tools to take a look. The first thing we were able to see was that the woman had started to copy client list files to a USB drive! We issued commands to stop that file transfer and delete the critical files, but she immediately disconnected the laptop from the Internet. At that point, there’s not much to be done but call the authorities and hope.

That client learned that loyalty doesn’t last long when an employee gets mad (or laid off). We advised the company that next time, before you tell them, tell us. In situations like this you can’t protect hardware, but there are mechanisms for protecting data if you’ve prepared, and data can be vastly more valuable. For example, Beachhead’s SimplySecure allows a service provider to sever access, delete all data, and enforce encryption and authentication on data that is transferred from a PC to a USB drive, as in this case. Further, we can revoke authentication (prohibiting access) and remotely kill data on either device. We could have also severed access or killed the PC at a specific pre-determined time, such as the moment prior to delivery of their termination notice.

With the proper authentication policy in place, it wouldn’t have mattered what the salesperson was able to put on the USB drive, because those files would have automatically been encrypted and required an authentication call to the company’s server to be accessed, and her credentials would have been revoked. Companies that need to dish out corporate secrets like this in order to do business must have a way to protect proprietary data when the hardware it’s on is at large. Think of all the people out there employed in the medical billing industry, for example, who work from home and are paid a percentage on missing items they find on patient invoices. It’s frightening to think that these records are out there, unmonitored and unsecured. It’s even more frightening if you’re the company involved — as these are HIPAA violations waiting to happen.
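The policy just described, as an added example that is not the product's or the author's code: a small model in which anything copied to removable media is sealed with a key that only the company's key server hands out, and every open requires a fresh call to that server, so revoking the user leaves the copied files unreadable. KeyServer, the user id sales-ca and the HMAC-based cipher are assumptions for illustration; a real agent would use a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

# Constructed model (not the vendor's code): the key server keeps one data key
# per user and the endpoint never stores it. HMAC-SHA256 in counter mode keeps
# this stdlib-only; production code would use AES-GCM or similar instead.
class KeyServer:
    def __init__(self):
        self._keys, self._revoked = {}, set()
    def enroll(self, user):
        self._keys[user] = secrets.token_bytes(32)
    def revoke(self, user):            # one server-side change cuts all access
        self._revoked.add(user)
    def get_key(self, user):           # the "authentication call" from the agent
        if user in self._revoked or user not in self._keys:
            raise PermissionError(f"access revoked for {user}")
        return self._keys[user]

def _keystream(key, nonce, length):
    blocks, i = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("file tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def copy_to_usb(server, user, data):   # policy: removable media only ever gets sealed files
    return seal(server.get_key(user), data)
def read_from_usb(server, user, blob): # every open re-checks with the server
    return unseal(server.get_key(user), blob)

def demo():
    server, user = KeyServer(), "sales-ca"      # hypothetical user id
    server.enroll(user)
    blob = copy_to_usb(server, user, b"client list (constructed sample)")
    before = read_from_usb(server, user, blob)  # still employed: readable
    server.revoke(user)                         # termination notice goes out
    try:
        after = read_from_usb(server, user, blob)
    except PermissionError:
        after = None                            # revoked: same file, no access
    return before, after
```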

Maybe the scariest thing about these tales is how some businesses don’t understand that security solutions like this can be simple to implement, and they don’t have to be cumbersome to end users. In most cases, employees aren’t even aware their devices are encrypted or that you ultimately control user access to the data.

I, for one, can say that we’re fearless about our own data security — these protections are active on all of our devices, in or out of the office.

Delano Collins is Chief Information Officer at EDTS, a full service technology consulting firm specializing in networking, security and managed IT services for business. The firm helps customers increase productivity and reduce cost associated with information technology.