Cam Roberson, director of the Reseller Channel at Beachhead Solutions, agrees that encryption provides some protection, but only some. "Encryption protects data if the power is off and the password is unknown or can't be learned or hacked," he said. "However, encryption cannot protect the data if a device is stolen with the power on and the computer is authenticated or if the password is somehow compromised."
While the update does not address it directly, there are also risks from BYOD (Bring Your Own Device) in a world increasingly dominated by smartphones and tablets. Bob Russo, general manager of PCI SSC (Payment Card Industry Security Standards Council), said recently that mobile devices for the consumer market do not meet PCI DSS (Data Security Standard) compliance requirements.
But most experts agree with Fisher, who said attempting to ban them in health care organizations would be "idiotic. Very few things will function as an enabler of improving patient experience and safety than well deployed mobile technologies. It is the way things are going. Fighting that is like fighting a rising tide," he said, adding that it is possible to comply with HIPAA standards through Mobile Device Management (MDM) technologies and applications.
Still, all agree that the human element, both from innocent mistakes and malicious intent, can trump policy and technology.
Lieberman agrees that encryption has some value, but said, "because it's so easy to attack endpoints — think people, default passwords, Windows vulnerabilities and USB — encryption is good for transporting data but as long as you have endpoints you will have data breaches."
And he doesn't believe "security awareness" training is an effective countermeasure. Those who do believe in it, he said, should let employees know they will be held accountable. "Make sure you fire people immediately if they break your data governance policy," he said. "If you don't have one, write one today and work top down from the CEO to line managers making sure everyone knows what data governance means -— the policy should be a half page and should finish with, 'You get fired if you break it.'"
Lieberman said the major risk of a data breach due to loss or theft is not employee carelessness. "It is a behavior issue but it's mostly a criminal issue," he said, "and that is not mitigated by training. When there is a financial incentive to steal data and you have an insider or partner with access, then you have motivation and means and all you need is opportunity to have a crime."
Fisher is also dubious that training employees in security consciousness will curb breaches. "We need to 'build security in,' and make the secure way of doing business the way the business people will use by default. I'm not saying effective awareness training has no value but putting too much reliance on it is not a winning strategy," he said.
Sign up for CIO Asia eNewsletters.