As a systems administrator, it is important to remember that you don’t just need to protect sensitive data stored on production servers from being accessed by unauthorized third parties. You need to also have a plan for the security of backed up data. Just because the data isn’t hosted in the production environment doesn’t make it any less sensitive.
This is a lesson that the IT staff at Santa Rosa Memorial Hospital in California are reminding themselves of after a break in a couple of weeks ago. On June 2, an employee at Santa Rosa Memorial Hospital backed up the data for 34,000 patients onto a USB storage device with the intention of importing the data into a new electronic medical records system.
Unfortunately for the employee, the USB storage device these backed up records were stored on was stolen during an overnight break in. It’s unlikely that the thief was actually interested in the data that was stolen, and probably more interested in fencing the storage device itself, but as the data was sensitive personal medical information, it is subject to HIPAA and the hospital has to notify all patients whose records may have been compromised.
It goes without saying that you should be careful when managing any data that is sensitive. The employee at Santa Rosa Memorial Hospital placed the USB device in an unlocked locker. That I’m writing about it here shows that a simple oversight such as placing backed up data in an unlocked locker can have ramifications that mean that people all around the world learn of that mistake. An unacknowledged truth of data breaches is that the majority of them occur through “unforced errors”, than they do through deliberate targeted attack.
In this scenario, the worker should have:
- Placed the storage device in a truly secure location. In this case, the data most likely wouldn’t have been lost if the locker was properly locked. However if you are dealing with data that, if misplaced, requires public disclosure of the loss, a proper safe would be a better choice.
- Encrypted the data on the storage device. Tools exist to allow you to encrypt data stored on removable storage devices. If the data had been properly encrypted, the sanctions under HIPPA are less serious. It’s also unlikely that properly encrypted data could be recovered.
When you are thinking about your organization’s backed up data, remember that backed up data stored on tape, on the SAN, or on removable disk also needs to be secured. That means not just leaving tapes in a cupboard in the server room, but ensuring that they are physically secured in a manner appropriate to the sensitivity of the information they store.