Have you ever lost a USB thumb drive? I have so many, I am not even sure I would notice if one was missing. I am positive that some have been misplaced over time. Thankfully, none of my USB thumb drives have any private or sensitive information I care about on them. Lost thumb drive? No sweat. The next tech conference or event I go to, I am bound to get three or four new ones.
For many companies, unfortunately, thumb drives also get lost, but theirs contain sensitive data that is not properly protected. For example, an employee of the Henry Ford Health System in Michigan recently lost a USB flash drive containing unencrypted information on nearly 3,000 patients.
Apparently, Henry Ford Health System has a policy in place mandating that such data be encrypted. The article states, “The device is not encrypted as required to protect individual patient information.” It also says, “hospital officials said it’s still unclear how the flash drive was lost.”
I think this brings up two valuable points. First, it is only marginally relevant how the flash drive was lost. Maybe it was stolen. Maybe it got left in a pair of pants and washed with the laundry. Maybe it fell out of the employee’s pocket. The bottom line is that determining how the USB flash drive was lost is unlikely to yield any useful results to prevent a similar occurrence in the future.
Second, it demonstrates that an unenforced policy is about as effective as not having a policy in the first place. Whether the employee intentionally ignored the policy, or made an honest mistake, the fact is the policy wasn’t followed and now personal information on almost 3,000 patients is assumed exposed or compromised as a result.
Establishing a policy is an important step, but it is just a first step, not the end of the journey. IT admins need to have tools in place that can monitor systems and ensure the policy is followed and enforced as well.