Last year, a Montefiore Medical Center employee in New York stole names, addresses, dates of birth, Social Security numbers, next of kin information and health insurance details of more than 12,000 patients and used those identities to purchase clothing and other merchandise from some of New York’s finest department stores. The employee printed thousands of patients’ records every day and sold them for $3 per copy to outside accomplices. The hospital had no way of preventing or controlling this activity.
The same year, an employee of the Children’s Medical Clinics of East Texas, acting on a retaliatory agenda to damage the clinic’s reputation, stole and improperly disclosed the confidential data of 16,000 patients by taking paper records from the facility and sending screenshots of electronic patient records to a former clinic employee.
Today, increasing regulations and standards for managing sensitive or confidential information keep raising the stakes. This in turn forces many organizations to look for ways to implement data security to comply with various mandates. Most organizations secure sensitive information at rest and in motion, but not while in use.
Often missed is the threat gap that exists when sensitive data is used by authorized users, which leaves organizations wide open to data theft and compliance violations. Paper printouts in particular present a very specific challenge in addressing this type of threat in many organizations. A 2015 Incident Response Report by BakerHostetler shows, for example, that one in five breaches involved paper records.
Employees access sensitive and confidential patient information daily so they can do their jobs. Without a persistent data security measure in place, they can devise creative ways to defeat the traditional perimeter-based solutions most companies rely on. They can change the name of a sensitive file before printing it to avoid detection by security systems, or make screen captures of sensitive information.
There are technologies to help organizations control print activity and prevent data breaches. Organizations can easily block printing, or require approval prior to printing, if a document contains sensitive information. Each printout can be forced to carry a visible watermark showing who printed it, including company logo, user name, IP address, time, date and other identifying information. This type of measure lets organizations know the source of a potential data breach and deters people from inappropriate behavior when handling sensitive patient information. Organizations can control any physical or virtual printer, eliminating the problems of using different printers or printer drivers. When a full audit trail of all print activities, including the text or image of the actual printed content, is added to the control measures, organizations can have complete control of their printing environment. Organizations can go even further by preventing screen captures, reducing the risk of exposing sensitive information.
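An added example, not from the original article or any vendor product: a print-job policy check that classifies by content rather than file name, so renaming a file changes nothing, and that produces the watermark text and audit record described above. The SSN pattern, the approval threshold, and all names and sample data are assumptions constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed detector: US Social Security numbers written as NNN-NN-NNNN.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
APPROVAL_LIMIT = 5  # hypothetical threshold: more matches than this blocks the job


def evaluate_print_job(user, ip, filename, text, now=None):
    """Return (decision, watermark, audit_record) for one print job."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    hits = len(SSN_RE.findall(text))  # the content decides, not the file name
    if hits == 0:
        decision = "allow"
    elif hits <= APPROVAL_LIMIT:
        decision = "needs_approval"
    else:
        decision = "block"
    stamp = now.strftime("%Y-%m-%d %H:%M:%SZ")
    # Blocked jobs never reach paper, so they get no watermark.
    watermark = None if decision == "block" else f"Printed by {user} from {ip} at {stamp}"
    # A hash ties the audit record to the exact content; a real audit trail
    # could store the printed text or image itself, as the article describes.
    audit = {
        "time": stamp, "user": user, "ip": ip, "filename": filename,
        "decision": decision, "ssn_matches": hits,
        "content_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }
    return decision, watermark, audit


# Constructed sample data (not real patient records).
RECORD = "Patient: Jane Example\nDOB: 1970-01-01\nSSN: 123-45-6789\n"
BULK = "".join(f"SSN: 123-45-{6000 + i}\n" for i in range(12))
MENU = "Cafeteria menu: soup, salad, call 555-0100 to order\n"

if __name__ == "__main__":
    jobs = [("patient_chart.pdf", RECORD), ("lunch_menu.docx", RECORD),
            ("export.csv", BULK), ("menu.txt", MENU)]
    for name, body in jobs:
        decision, mark, audit = evaluate_print_job("jdoe", "10.0.0.15", name, body)
        print(name, decision, mark, audit["content_sha256"][:12])
```

The first two jobs carry the same content under different file names and receive the same decision and content hash, which is the property a file-name-based filter lacks.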
The technology to prevent employee theft and data breaches via paper printouts exists today. It is up to each organization to seek out these solutions and put them in place to protect sensitive and confidential information such as PII, PHI, and customer- or company-specific data.
Photo credit Marcin Wichary