TABLE 3—Risks to Public Health Departments, by Type of Intruders and Security Threats Posed
Risk | Risk Description | Prevention |
External intruders | | |
Physical intruders (i.e., burglars) | Physical theft of health department property such as files and computers. | Lock buildings. Employ security guards and require identification for access. Centralize and enforce access management. Encrypt sensitive computers so that data are unavailable if computers are stolen or otherwise accessed. |
Electronic intruders (e.g., hackers) | Unlawful access to equipment (desktop or laptop computers) or network (intra- and internet). May create hole for subsequent hacking (e.g., by sending viruses to Web-based e-mail). | Enhance both intrusion detection and intrusion protection systems. Contract with “ethical hacking” firms to identify and fix vulnerabilities. |
Internal intruders | | |
Current employees | Internal access with malicious intent. | Background checks of all personnel handling sensitive data. Video surveillance of areas where highly sensitive data are stored. Monitor Web-browsing activity of personnel. |
Former employees | Continued physical and electronic access despite termination of employment with the agency. | Immediately and automatically revoke access, both physical (i.e., keys, identification card) and electronic (i.e., network access, remote access token), upon termination. |