As an information security professional the majority of your time and focused is on the technology used to secure the environment. The other side is creating policy frameworks, procedures, training and communicating to the users on best practices when it comes to security. I am a firm believer that in today’s world a corporation’s biggest threat to data leakage is not from an external breach but from the internal people that were given the access for business purposes. If you look at the latest breaches this has held true. Target was taken down through a legitimate account that had too much access that was used by a vendor. Anthem was penetrated from system administrator accounts getting phished out. Social engineering, psychology of user’s behaviors, are the easiest ways to getting at what you want. The Hollywood scenario of cracking through firewalls and forced penetrations are wasted efforts when tricking people or exploiting pre-existing vulnerabilities is so much simpler.
Although technology to protect and defend critical systems get more advanced each year all your millions of dollars and time to build an impenetrable fortress can be brought down from the inside with little or no effort. This was shown recently by a breach notice that came out from Prima CARE. No accounts were compromised, no systems were hacked, no laptops were lost. Prima CARE had an employee that cared about their personal performance and use paper print outs to track his/her work. Somehow this collection of sensitive information was kept by employee and ended up in the bushes in another town. Tossed aside.
On June 4, 2015, Prima CARE was notified that two binders containing miscellaneous information related to patients treated by our health care providers between 2007 and 2012 were found on May 25, 2015 in the bushes near a parking lot at Dave’s Beach on Jefferson Street in Fall River. The following categories of information were included in the recovered documents: names, addresses, phone numbers, dates of birth, medical record numbers, hospital account numbers, insurance numbers, treatment date(s) and certain clinical information. One individual’s full social security number was included. There were various types of documents included in the binders and, therefore, no affected individual had every category of information identified. The binders were promptly returned after being discovered and are now safely in Prima CARE’s possession. An investigation determined that the binders were created by a former Prima CARE employee who used the information to track work performance, but had failed to appropriately file or discard the documents following their use. This was done without Prima CARE’s knowledge or consent, and in violation of our practices.
We take the privacy and security of our patients’ information seriously and have taken steps to mitigate the potential for any harm to result from this incident and to prevent a similar event from occurring in the future. We sent notification letters by first class mail to all affected individuals for whom Prima CARE has up-to-date contact information, offered complimentary credit monitoring services where appropriate, and notified prominent media outlets that are likely to reach our patients. We are also reviewing our policies and procedures and employee training programs and will make any changes that are appropriate in order to prevent a similar incident from occurring in the future.
If you did not receive a notification letter from Prima CARE and would like to determine whether your information was involved, please contact us toll free at (855) 804-4399 or email email@example.com. http://www.databreaches.net/prima-care-notifying-patients-after-binders-with-protected-health-information-found-in-bushes/
Prima CARE had policies, procedures, technology to control access and training how to handle HIPAA data and it was all rendered useless by a seemingly innocent act. On the surface this situation appears to not be malicious but rather falls under the umbrella of naive or negligent employee actions. When employees have the legitimate access to the data you are trying to protect the implied trust to do the right thing with that access isn’t enough. In this case the employee printed out the information that probably should have remained digital, not to be printed, and there may have been a policy that forbid printing HIPAA data. Who knows?
The point is that a policy is only as good as your ability to measure is effectiveness. If there’s a policy to not print or email HIPAA data and you don’t sample print jobs or monitor the corporate emails then why do you have a policy? No technology without a hard focused governance program will prevent those with the access mis-handling or taking the information 100% of the time. The old argument is that you can have all the technology to prevent copying, moving, printing, emailing, recording everything… until someone takes out a camera and takes a picture of the screen.
Implementing technology solutions to secure is your best way to prevent unauthorized access but focusing on the physical use, employee behavior and looking at the ways the data could be moved out of your controlled environment by those that have the access cannot ignored. I personally am finding more and more use studying psychology of social engineers and varying types of employees (executive vs. hourly) to help define a more robust policy structure.
100% is unattainable, no such thing. You can get closer to it if you don’t only rely on technology controls to help you secure an enterprise.
Humans make mistakes, don’t make the mistake by ignoring that fact. Intentional or inadvertent a breach is a breach and you are accountable either way.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.