By Dick Stark
In the past week, RightStar has been asked by two separate customers to certify our internal IT security policy. Both customers are health care organizations concerned about patient personally identifiable information (PII). As an IT consultancy, it is our job to safeguard our customers' PII by maintaining the appropriate security controls and best practices. RightStar has an IT Security Policy and provides employee training using the security scenarios below.
Scenario #1: Traveling with a RightStar laptop. You take your RightStar laptop with you when you travel, to use at the customer site and at your hotel at night. Although you normally keep your laptop with you at all times, the one time you leave your laptop in your car, you discover in the morning that it has been stolen. Fortunately, you have a current backup of your important data, and all your email is stored on RightStar’s email managed service provider. You’ve also password protected your laptop to make it more difficult for the thief to access any data. Most importantly, you’ve kept no customer or PII data on your laptop. After calling the police and the RightStar IT Security Officer, you return to the customer site.
Scenario #2: Virus infection. While surfing the internet, you pick up a virus that has severely impacted performance, essentially making your laptop unusable. Your only recourse now is a phone call and Webex session with the RightStar Service Desk Team to rebuild your laptop and restore your data. This is a terrific time waster for all parties and could have been prevented by only surfing trusted sites and avoiding unsafe attachments and hyperlinks. Also make sure you keep your antivirus software and operating system up to date with the latest patches.
Scenario #3: Personally Identifiable Information. While working with a customer, you've asked for their database so you can work with the BMC application at your home over the weekend. When you arrive home and start the upgrade, you notice that there is PII data, customer names and social security numbers, in some of the database records. You are surprised, because you asked for cleansed data. You decide to complete the upgrade anyway because it is a fixed price job and you don't want to go over-budget. Good call? No. Immediately notify the customer that you have PII data and permanently delete the data, to ensure that it cannot be recovered. Call the RightStar IT Security Officer and explain what happened and the steps you took to delete the data. It is better to go over-budget than risk a security breach.
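Scenario #3 hinges on noticing PII in records you were told were cleansed. Checking a data extract for social security numbers before it ever leaves the customer site is a quick, mechanical step. The following is an added example written for this post, not RightStar's own tooling or policy; it assumes the extract has been loaded as a list of dictionaries (one per record), uses constructed sample records, and applies the publicly documented SSA structure rules (area 000, 666 and 900-999 never issued; group 00 and serial 0000 never issued) to cut down false positives on other nine-digit numbers. Names are not pattern-detectable this way, so this catches only the SSN half of the scenario.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of exported records (hypothetical; not customer data).
SAMPLE_RECORDS = [
    {"ticket_id": "INC001", "summary": "Printer offline",
     "notes": "Contact: Jane Doe, SSN 123-45-6789"},
    {"ticket_id": "INC002", "summary": "VPN access request",
     "notes": "Approved by manager, no further detail"},
    {"ticket_id": "INC003", "summary": "Account lockout",
     "notes": "verified caller with ssn=234567890"},
    {"ticket_id": "INC004", "summary": "Badge reprint",
     "notes": "ref 000-12-3456 (not a valid SSN area, should not flag)"},
]

# Hyphenated form anywhere in the text, e.g. 123-45-6789.
SSN_FORMATTED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Nine contiguous digits, only when labelled as an SSN nearby (ssn=..., social: ...).
SSN_LABELLED = re.compile(
    r"\b(?:ssn|social)\W{0,5}(\d{3})(\d{2})(\d{4})\b", re.IGNORECASE)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check based on SSA issuance rules (assumption: current rules)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssn_spans(text: str) -> List[Tuple[int, int]]:
    """Return (start, end) character spans of plausible SSNs in one string."""
    spans = []
    for pattern in (SSN_FORMATTED, SSN_LABELLED):
        for m in pattern.finditer(text):
            if plausible_ssn(*m.groups()):
                # Span covers the digits (and hyphens) only, not the label.
                spans.append((m.start(1), m.end(3)))
    return spans


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """List every record/field that contains a plausible SSN."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str) and find_ssn_spans(value):
                findings.append({"ticket_id": rec.get("ticket_id", "?"),
                                 "field": field})
    return findings


def redact(text: str) -> str:
    """Replace each detected SSN with a marker, working right-to-left
    so earlier spans stay valid after substitution."""
    for start, end in sorted(find_ssn_spans(text), reverse=True):
        text = text[:start] + "[REDACTED]" + text[end:]
    return text


def cleanse(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a new record list with SSNs redacted in every string field."""
    return [{k: redact(v) if isinstance(v, str) else v for k, v in rec.items()}
            for rec in records]


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(f"PII found in {hit['ticket_id']} field '{hit['field']}'")
    print("After cleansing:", scan_records(cleanse(SAMPLE_RECORDS)))
```

Run this against an extract before accepting it; a non-empty result from scan_records is the signal to stop, notify the customer and the IT Security Officer, and delete the copy, exactly as the scenario prescribes. Redaction is shown for completeness, but the scenario's answer is still to delete the data rather than to clean it yourself.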
Just like service management best practices, good IT security processes and safeguards are essential. Release of customer PII data, even unintentionally, could have severe consequences for the organization that we were contracted to support. It’s up to us to recognize what is PII data, how to protect that data, and the steps to take to prevent a security breach from occurring in the first place.