It seems that the details of the eighteen people in New Zealand with positive COVID-19 tests have been disclosed, and officials are speculating that it may have been due to human error:
“I have been advised by the Ministry of Health that at this stage it cannot be confirmed beyond doubt whether a deliberate leak was involved or if this was simply human error,” Chris Hipkins, who is also States Services Minister, said. (Stuff.co.nz)
(For foreign readers, Chris Hipkins is our freshly minted Minister of Health; he’s the elected official in charge of the New Zealand Health system. I’m also aware that we’re in an enviable position here in New Zealand, with a total of just 18 active COVID-19 cases.)
This isn’t the first privacy breach, and it likely will not be the last.
What strikes me, however, is the constant in all of these discussions: The error is attributed to human error, and the solution is always for humans to improve.
But here’s the thing.
Humans make mistakes.
This is so universal that it’s practically part of the definition of what it means to be human.
Instead of blaming one specific person, let’s take a step back and look at the whole system.
After all, our solution to injury rates in car crashes isn’t just to tell drivers to be more careful (though we do do that). Cars have seat-belts, airbags, crumple zones, anti-lock braking, blind-spot and lane departure warnings. Recent models have autonomous emergency braking.
We don’t rely on drivers avoiding mistakes, we improve the system around them so that fewer mistakes are made, and those mistakes have reduced consequences.
Reading between the lines on this case, and on many similar ones that have featured in the media over the last several years, I’ve noticed a common theme:
Sensitive information stored in a file.
I think this is a critical error that’s being made over and over again, every day.
As soon as you put sensitive information into a file, you’re just one action, one mistake, one human error away from a breach. It doesn’t matter whether the file is a spreadsheet, a word processor document, a PDF file, or something else.
Here’s an illustration. Some years ago, I worked on a system that managed a whole lot of data, including some that was extremely commercially sensitive. One of the key features of the system was an export to Excel feature that allowed for some pretty advanced data analysis. I added a feature to tag those Excel files as sensitive if any of the information exported had restricted disclosure rules. One of my colleagues protested that this wasn’t needed because the analysts wouldn’t make that kind of mistake … I did it anyway, and then (some months later) I got to see the logs showing how many disclosures had been blocked. Turns out they did make that kind of mistake after all.
Here are some ideas on ways to do better …
Provide an online way to view sensitive information instead of dumping it into a file in the first place, provide a way for the right people to see the information online. There are secure ways to do this that can often be set up in a day or less, depending on the nature of the information and your security needs. Not only does this ensure that legitimate users are seeing up to date information (the information in a file can go stale), it means that incompetent or malicious users have to work harder to breach your system.
Flag files as sensitive if they contain sensitive information. If you have a document management system, it should tag appropriate documents as sensitive automatically. If you have a system that allows exporting of information to a file, it should tag that file if needed. For example, there’s a standard way (and simple) to do this for Excel documents.
Never distribute sensitive information by email. Once you commit the information into a file and send it to someone else, the information is no longer under your control. If you send it to the wrong person, you have a breach. If you send it to the right person, but they make a mistake, you have a breach. If you send it to the right person, but someone else has access to their email, you have a breach.
Block sensitive files from being emailed by configuring your organizations’ email gateway to block emails with sensitive files attached. This can be as simple as checking for document metadata, or as complicated as only allowing a file to be sent to someone if their email address is present in the file (this can help prevent files from being sent to the wrong person).
Above all, we all need to do better as an industry. We can’t blame people for making mistakes if the only way they can do their jobs is by taking risks. If we want to avoid breaches caused by the distribution of sensitive information in files, we need to give people a better way to do their jobs.