<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; cost</title>
	<atom:link href="http://www.novainfosecportal.com/tag/cost/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>The Importance of Corporate Versus Personal Information</title>
		<link>http://www.novainfosecportal.com/2009/05/22/the-importance-of-corporate-verses-personal-information/</link>
		<comments>http://www.novainfosecportal.com/2009/05/22/the-importance-of-corporate-verses-personal-information/#comments</comments>
		<pubDate>Fri, 22 May 2009 14:08:34 +0000</pubDate>
		<dc:creator>paques</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[compromised]]></category>
		<category><![CDATA[corporate-information]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[medical-information]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[personal-information]]></category>
		<category><![CDATA[stolen]]></category>
		<category><![CDATA[uc-berkeley]]></category>
		<category><![CDATA[virginia-department-health-professionals]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1563</guid>
		<description><![CDATA[Two semi-recent articles about medical data being stolen caught my attention because they seemed out of place next to the headlines that decried PowerPoint and Kylin. The articles outline the massive amounts of medical data and patient records that were stolen from UC Berkeley and the Virginia Department of Health Professions last month. Though both events involved hacking, the 160,000 medical records stolen from UC Berkeley and the health care data of 8.3 million patients stolen from Virginia’s Department of Health Professions indicate a deeper issue—one that is often bypassed as we hurry toward bigger and better security through technological means. I’m referring to the importance of personal versus corporate information. While the thieves hoped to benefit from their antics monetarily (the Virginia records are actually being held for ransom), that doesn’t answer the deeper question of why the thieves chose to steal medical records instead of stealing corporate information that was equally valuable but wouldn’t have harmed people in a personal way. While we could chalk it up to these thieves being particularly evil or conniving, it could also be that the thieves knew that stealing such personal information would elicit more of a response from the media, the [...]]]></description>
			<content:encoded><![CDATA[<p>Two semi-recent articles about medical data being stolen caught my attention because they seemed out of place next to the headlines that decried PowerPoint and Kylin. The articles outline the massive amounts of medical data and patient records that were stolen from <a href="http://www.securityfocus.com/brief/960">UC Berkeley</a> and the <a href="http://www.securityfocus.com/brief/957">Virginia Department of Health Professions</a> last month.</p>
<p>Though both events involved hacking, the 160,000 medical records stolen from UC Berkeley and the health care data of 8.3 million patients stolen from Virginia’s Department of Health Professions indicate a deeper issue—one that is often bypassed as we hurry toward bigger and better security through technological means. I’m referring to the importance of personal versus corporate information. <span id="more-1563"></span></p>
<p>While the thieves hoped to benefit from their antics monetarily (the Virginia records are actually being held for ransom), that doesn’t answer the deeper question of why the thieves chose to steal medical records instead of stealing corporate information that was equally valuable but wouldn’t have harmed people in a personal way.</p>
<p>While we could chalk it up to these thieves being particularly evil or conniving, it could also be that the thieves knew that stealing such personal information would elicit more of a response from the media, the organizations they stole from, and the individuals who had their information stolen than if they had stolen corporate information that was considered valuable, but didn’t involve information that was damaging on a personal level.</p>
<p>Many of us currently base the importance of information on how much money it would cost to retrieve or fix if compromised, or how much time, money, and resources should be put into protecting it in the first place. However, attacks like the ones that recently occurred at UC Berkeley and the Virginia Department of Health Professions should make us step back for a moment and ask ourselves if we’re prioritizing information in the right way.</p>
<p>While information gained from a corporate source can sometimes be damaging to individuals, it is often better protected and further removed than something as personal as medical records. To put it succinctly, which would you rather have stolen: Your credit card numbers, or your medical information? (Remember that medical information includes your SSN, birth date, etc.)</p>
<p>There’s no denying that it’s important to think about how our actions or potential attacks from less-than-stellar individuals would affect ourselves and the corporations we work for. But instead of always seeing things through the lens of the bottom line or the bottom dollar, maybe we should start putting the focus back where it belongs: On how it’s going to affect people, and how damaging that effect would be on them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/22/the-importance-of-corporate-verses-personal-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Outsourcing to Third-Party Security Services No Longer Taboo?</title>
		<link>http://www.novainfosecportal.com/2009/03/26/outsourcing-to-third-party-security-services-no-longer-taboo/</link>
		<comments>http://www.novainfosecportal.com/2009/03/26/outsourcing-to-third-party-security-services-no-longer-taboo/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 01:07:20 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[dark-reader]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[outsourcing]]></category>
		<category><![CDATA[risk-assesment]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[third-party-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1270</guid>
		<description><![CDATA[There was a time, not so very long ago, that outsourcing security services to third-party companies was seen as risky business. But in today’s economy, outsourcing security services has become more norm than exception, with companies asking themselves, “why didn’t we do this before?” Compliance—that’s why. In the past, many companies were so concerned about being compliant or working with compliant companies that cost was a secondary concern. Compliance was an especially big issue for companies that wanted to work with government agencies because if they didn’t meet compliance standards, they would oftentimes lose a potential contract. But is compliance really all it’s cracked up to be? While there needs to be a standard for security, the problem with compliance is that after a while, you have people thinking, “what’s the minimum amount I need to do to be compliant?” When that happens, you don’t have people trying to make themselves secure, you have them trying to meet a set of requirements. Think of it like a test: If you have a study guide of everything that’s going to be on a test, you can study that material for days and be fairly confident about acing the test. But did you [...]]]></description>
			<content:encoded><![CDATA[<p>There was a time, not so very long ago, that outsourcing security services to third-party companies was seen as risky business. But in today’s economy, outsourcing security services has become more norm than exception, with companies asking themselves, “why didn’t we do this before?”</p>
<p>Compliance—that’s why.</p>
<p>In the past, many companies were so concerned about being compliant or working with compliant companies that cost was a secondary concern. Compliance was an especially big issue for companies that wanted to work with government agencies because if they didn’t meet compliance standards, they would oftentimes lose a potential contract.</p>
<p>But is compliance really all it’s cracked up to be? <span id="more-1270"></span></p>
<p>While there needs to be a standard for security, the problem with compliance is that after a while, you have people thinking, “what’s the minimum amount I need to do to be compliant?” When that happens, you don’t have people trying to make themselves secure, you have them trying to meet a set of requirements.</p>
<p>Think of it like a test: If you have a study guide of everything that’s going to be on a test, you can study that material for days and be fairly confident about acing the test. But did you really learn the material? You may have learned parts of it, but it’s unlikely that you have a good understanding of it or you can use it in an applicable way. What use are facts if you can’t use them?</p>
<p>Unfortunately, compliance practices have become very similar—people are eager to meet the requirements and “ace the test,” but they have no clue what the requirements or the “answers” mean. Keeping that in mind, is it really a good idea to be outsourcing security practices, even if compliance is now taking the back seat compared to cost?</p>
<p>Maybe, but it depends on a company’s willingness to assess the potential risks associated with outsourcing sensitive security information.</p>
<p>When outsourcing, there are a lot of risks because you’re taking your company’s data and entrusting it to outside vendors. But the information doesn’t just stop at the vendors: Oftentimes, vendors will also outsource or contract out to other companies to complete large projects. While that doesn’t need to serve as a deterrent, it should serve as a warning.</p>
<p>While outsourcing definitely provides savings in these hard economic times, companies and security professionals need to take it upon themselves to learn about the third-party companies they plan on working with. Be careful about who you choose, and get an understanding of how the data sharing is handled and who the third-party company will be sharing your data with.</p>
<p>Read the fine print, and don’t be afraid to dig a little deeper; if something doesn’t feel right, be sure to scope it out. Because while the monetary savings might seem great, you’re not really saving anything in the end if you have to do damage control later on because the third-party company you chose to work with was untrained or untrustworthy. You can read more about the outsourcing debate on <a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=216200220">DarkReading.com</a>.</p>
<p style="text-align: left;">How do you feel about outsourcing? Do you think it’s worth the money you save, or is it nothing but a headache?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/03/26/outsourcing-to-third-party-security-services-no-longer-taboo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

