By Salvatore Salamone
April 23, 2008 | OPINION | Last month, I wrote about an NIH laptop theft that exposed the personal information of 2,500 clinical trial patients. The article triggered a flood of email from readers – some offering suggestions, but most looking for help to prevent such an incident of their own.
What was clear from these messages is that the combination of today’s greater mobility and criminals’ increased interest in data theft requires a new approach to protecting data. Specifically, while technology is required, the user must also be taken into account.
On the technology front, most life sciences companies are already protecting intellectual property and clinical trial patient information in transit between mobile devices and corporate servers by encrypting email, file transfers, and database transactions. But now they must also protect data at rest.
Data stored on the hard disk drives and memory cards of mobile devices (including laptops, smart phones, Web-phones, etc.) must be encrypted. An alternative would be to not store any data on the mobile devices themselves. For instance, a company might use a thin client or virtual desktop approach where data resides on secure servers and is accessed via remote terminal protocols.
Fortunately, the technology to protect data is available today. What’s often missing is a way to ensure the technology is used. Essentially, the end-user must be taken out of the equation. That means security mechanisms must be automated and designed so they cannot be bypassed. This is the only way to avoid a data loss incident and to ensure data will not be compromised.