The leading cause of data breaches in the past twelve months, according to Forrester in its “Understand the State of Data Security and Privacy” report, might surprise you. Neither hacking nor fraud emerges here as the primary culprit; rather, internal threats wear the crown. Naturally, every breach comes in a different garb, from the faux pas to the deliberate thefts and exposures. Indeed, Forrester’s examination revealed that 36 percent of breaches came from an organization’s own employees accidentally misusing data, while 25 percent of respondents - from SMB and enterprise companies in the US, Canada, France, Germany, and the UK - attributed the most common cause in the last year to malicious insider abuse.
Incidents of the former cause are understandable, especially in light of the survey’s numbers, which show that only 42 percent of the North American and European company employees surveyed actually received training in their company’s security policies, and only 57 percent were even cognizant of them. When laboring without full knowledge, it is no surprise that there will be the occasional accident, like what occurred in August at the Hospice of the Chesapeake in Pasadena, Maryland, where an employee, in order to work from home, emailed spreadsheets with confidential patient information to a personal account. That information included the names, ages, dates of service, diagnoses, and medical record numbers of over 500 patients, putting them all at risk. The breach was discovered August 8 and was initially suspected to have been caused by a computer intrusion; it was only this October that the breach was publicly announced, “because we didn’t want to jump to conclusions,” says Hospice president Michael McHale. It is unclear if the employee was terminated.
Then there are the intentional, malicious insider attacks, the people who launch eggs and toilet paper at their own homes. An indictment has been brought against four women on charges of “stealing more than $750,000 in merchandise using personal information obtained from patients in medical offices where two women worked,” reports the Associated Press. Those two women, Michelle Jernell Cole of Baltimore, and her sister, Chanell Cole of Owings Mills, both worked in healthcare practices in Maryland from 2010 through 2013, including at Lynn Billingsley, M.D. (at Good Samaritan Hospital), MedStar Health Inc., Padder Health Services, LLC, and BW Arthritis and Rheumatology. During these stints, they had access to patient information databases, from which they have been accused of stealing the Social Security numbers used to make purchases from Macy’s, which itself requires customers who call to place orders to give their name, address and SSNs to place the order on a credit account. In all, around 100 customers, about 60 of whom had been patients at these medical offices, contacted Macy’s regarding misuse of their accounts.
Unguarded, healthcare databases can be a gold mine for unfettered access by employees looking to do some early holiday shopping; if an organization collects sensitive patient information, it has the duty to keep it safe and inaccessible. As for the mishaps, proper knowledge of and instruction in an organization’s security policies can help reduce their frequency. After all, “people don’t know what they don’t know,” says Heidi Shey, Forrester analyst and author of the aforementioned report. “You’ve got to give them some kind of guidance and guard rails to work with.”
Written by Jonathan Weicher