This is the problem in front of you:
You have been informed that a laptop was stolen. The laptop was in a secure building, in a locked room, with a security cable attached. The researcher who was using the laptop had several thousand patients on the registry and was authorized by the IRB to use this data for research. The PC had a password on the file. Your team concluded that it was an inside job.
There were numerous devices in the room. The person broke into the room, cut the cable, and stole a lot of equipment. They then passed it on to someone else. Once the hospital knew it was stolen, they knew what was on the PC because they had an IRB for the researcher. It still took two weeks to figure out how to notify everyone affected.
One of the recipients realized he had a stolen device, which he then gave to his attorney, who returned it to the hospital. Using an outside security firm, they verified that the laptop had never been turned on. No data was accessed. They notified the affected people that the data had not been accessed and therefore their privacy was not compromised.
The cost was estimated at $100,000.
Your job is to develop a new security protocol. What are your first steps, and what solutions will you propose?