Is Your Janitor Cleaning Out Your Sensitive Information?

Thursday, September 30, 2010

Katie Weaver-Johnson


One of my last blogs discussed the risks of third-party contractors and their responsibilities for protecting information.  This blog will address yet another third-party risk – your janitors.   

A janitor was recently arrested for removing boxes of records from a Southern California health care clinic. 

Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40. 

This janitor was not interested for identity theft, but the next one might be…

In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring that affected more than 250 patients.

  1. Is your organization addressing risks with the cleaning crew?
  2. Do you know your cleaning crew? 
  3. Do they have a good reputation? 
  4. Have all janitors and other crew members signed off on your organization’s policies for protecting information? 
  5. Are you monitoring their activity on an ongoing basis? 
  6. Are you limiting access to secured systems?
  7. Do they understand the consequences for mishandling sensitive information?
  8. Are suspicious incidents (missing papers, back-up devices, etc.) reported to the appropriate personnel?

Organizations should also ensure employees are protecting sensitive information with simple best practices for the office:

  1. Don’t leave sensitive files/information on your desk.
  2. Properly dispose of/shred sensitive information. Don’t just toss documents in garbage cans or recycling bins.
  3. Lock and secure file cabinets containing patient information.

How is your organization addressing risks with third-party contractors?

Possibly Related Articles:
Enterprise Security
Security Awareness
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.