People, as much as anything else, are a critical aspect of information risk management, and businesses and government agencies must monitor employees - and educate them, as well - to thwart a potential threat from within.
The Department of Veterans Affairs' effort to expand use of smart phones and tablets won't pick up speed until after it implements an enterprisewide mobile device management system to monitor the devices, says CIO Roger Baker.
"It's a crime like no other crime," says James Ratley, president of the ACFE, describing fraud. "There was not a gun involved, there was not a knife; there was in many cases a ballpoint pen or a computer."
The Privacy and Security Tiger Team, which advises federal healthcare regulators, likely will not meet again until after a batch of new regulations is released in the first quarter, says co-chair Deven McGraw.
"Accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfill," NIST Computer Scientist Tim Grance says.
One reason why encryption is not more broadly used in healthcare is that so many organizations lack an updated risk assessment that identifies the role the technology can play in improving security, says attorney Amy Leopard.
Bringing Your Own Device raises jitters among employers, who worry about exposing or losing sensitive data, and employees, who fret about their bosses spying on them. Despite these anxieties, the trend will continue because that's what people want.
With the tardy addition of the Sutter Health breach, the federal "wall of shame" tally of major healthcare information breaches now includes 385 incidents affecting more than 19 million individuals since September 2009.