Monday, June 15, 2015

Security is also about Accessibility

This morning's supposedly quick stop at my bank safety deposit box reminded me of this point which sometimes needs clarification.  I left the house early to go to my bank to get my motorcycle title from my safe deposit box (I'm upgrading from a 650 to an 1100 later this week).  After getting into the safe, we couldn't get the safety deposit box keys to work.  There were two challenges:  First, the bank manager didn't know which of his keys he needed to use because there's a separate one for each of the sets of boxes, and they aren't labeled.

Secondly, no matter which of his keys we tried, with his and my key we still couldn't open the box. He called a locksmith, and after they showed up, we were able to get in.  Unfortunately, I didn't get to see the locksmith drill the box, because he was able to find the right key just by looking at them, and then jiggle the key and the door just right to open it.  The problem was that the box just next to mine had recently been reinstalled incorrectly, making it just slightly ever so inaccessible.  That delay cost me several hours of my time.

Security is about protecting assets, but an asset is useless if you cannot use it.  So a key which locks everyone out, including the people who need to use the asset is almost as bad as leaving the asset unsecured.  In fact, given the risk profile I'm dealing with (what I store and what it needs to protect against), a good fireproof safe in my house would probably be a better investment than a safety deposit box.

The same is true about patient records.  The HIPAA Privacy and Security regulation today is very much like my safety deposit box was today.  It does just as much (or more in fact) to keep me away from my health records as it does to secure me against others accessing them inappropriately.  A delay accessing those records could cost a lot more than time.

   Keith

P.S. As a reminder, today is the last day to comment on MU Stage 2.  See Regina Holliday's blog for her comments on NoMUwoME.

0 comments:

Post a Comment