Any business that conducts part of its operations online must pay careful attention to IT security issues. This is especially true for companies that deal with any form of personally identifiable information, which encompasses both medical records and financial details relating to a specific individual. As New York's Memorial Sloan-Kettering Cancer Center has recently learned, however, that data can appear in surprising places. When IT security is not robust enough, some of this ‘stealth data’ can end up being inadvertently released to the public.
In Sloan-Kettering's case, the data breaches occurred when personal information was accidentally embedded in presentation charts created with Microsoft's PowerPoint software. These presentations were then posted on two different websites, both of which belonged to professional organizations specializing in medicine. The inadvertent release of information was not immediately apparent to either IT support personnel or the public, because the patient information was hidden behind graphs embedded in the presentations. This meant that the data "was not visible during routine viewing of the presentation, but the graph itself could be manipulated in such a way as to potentially reveal the protected information."
Memorial Sloan-Kettering issued a privacy alert on June 15th. In all, the personal information of hundreds of patients was potentially at risk. The information embedded in the PowerPoint files contained not only patient names and information about their medical histories but also Social Security numbers in some cases. The privacy alert explained the cancer center's response: "Memorial Sloan-Kettering has taken significant measures to strengthen our information and data security systems, has taken corrective action with those involved and has educated staff so that this situation does not occur again."
One important corrective action businesses can take is to install data-loss prevention software. This kind of software is most often associated with the need to inventory data so that full backups can be made for disaster recovery purposes, but this very inventory process can be useful in other contexts. In particular, data-loss prevention programs can scan a networked environment to identify data sources that need to be secured; they are sophisticated enough to find even information embedded in Microsoft Office files.
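To illustrate the kind of check such a scan performs, the following is an added example (not from the original article or from any DLP product) that opens a PowerPoint file as the ZIP package it is, descends into workbooks embedded behind charts, and flags Social Security number-shaped strings. The function names, the sample file names and the fake value are constructed for this illustration.

```python
import io
import re
import zipfile

# SSN-shaped strings (ddd-dd-dddd); a real DLP rule would add validation and context.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TAG_RE = re.compile(r"<[^>]+>")


def scan_ooxml(data, path="", depth=0, max_depth=3):
    """Return sorted (part_path, match) pairs for SSN-shaped text in an OOXML
    package, descending into embedded packages such as chart workbooks."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or info.file_size > 50_000_000:  # skip oversized parts
                continue
            blob = pkg.read(info)
            where = f"{path}{info.filename}"
            if blob[:4] == b"PK\x03\x04" and depth < max_depth:
                # Embedded workbook/document: itself a ZIP, so recurse into it.
                try:
                    hits.update(scan_ooxml(blob, where + "!", depth + 1, max_depth))
                except zipfile.BadZipFile:
                    pass
            elif info.filename.endswith((".xml", ".rels")):
                text = TAG_RE.sub(" ", blob.decode("utf-8", "replace"))
                hits.update((where, m) for m in SSN_RE.findall(text))
    return sorted(hits)


def build_sample_pptx():
    """Constructed sample: a deck whose slide shows nothing sensitive but whose
    chart carries an embedded workbook with a fake SSN-shaped value."""
    book = io.BytesIO()
    with zipfile.ZipFile(book, "w") as z:
        z.writestr("xl/sharedStrings.xml",
                   "<sst><si><t>Jane Doe</t></si><si><t>000-12-3456</t></si></sst>")
    deck = io.BytesIO()
    with zipfile.ZipFile(deck, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld><a:t>Survival by cohort</a:t></p:sld>")
        z.writestr("ppt/embeddings/Microsoft_Excel_Sheet1.xlsx", book.getvalue())
    return deck.getvalue()


if __name__ == "__main__":
    for part, value in scan_ooxml(build_sample_pptx()):
        print(f"{part}: {value[:3]}-XX-XXXX")  # mask the value in reports
```

Run against a directory of outgoing presentations before publication, a check like this reports the embedded part that holds the match, which is the data a viewer of the slides never sees.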
Companies in the Boston, New York and Philadelphia areas should consider working with an IT services company that can provide advice on the adoption of a managed services model for ongoing monitoring and support of DLP programs and other necessary elements of a robust backup and disaster recovery system.