Recently ProMedica Bixby and Herrick Hospitals contacted 3,472 patients to inform them that their private medical records had been improperly accessed by seven employees. As is standard practice with the breach of patient information, patients received letters from ProMedica explaining the situation, describing the hospital’s action plan to prevent additional breaches, and offering a full year of free credit protection monitoring. The hospital also reported this insider threat incident to the U.S. Department of Health and Human Services.
The breach was discovered on April 7, 2016. An internal investigation revealed that seven employees accessed patient medical records for patients they were not treating, without a valid business or clinical reason between May 1, 2014 and April 26, 2016. The information accessed included the patient’s full name, address, phone number, date of birth, insurance, diagnosis, medications and other clinical information. ProMedica commented that it did not appear that the employees intended to retain or use the information accessed, but could not verify it. Not being able to verify intent or access is a major problem with sensitive information.
On May 12, 2016, during a congressional hearing, FDIC CIO Lawrence Gross Jr. was questioned by Congresswoman Lofgren about 7 recent data breaches by employees and whether the FDIC had any technology in place to ensure that information that was inappropriately accessed and returned had not been further copied or reproduced. Gross commented that the FDIC did not have the technology in place.
These examples illustrate the challenges security officers and other executives face when trying to protect sensitive information. What was once considered sufficient to guard an organization’s IT perimeter is no longer effective by itself against the most damaging problem – insider threats.
Today, the right solution is to add data-centric security to traditional perimeter security. Data-centric security includes methods to protect data as it travels both within the organizational perimeter and beyond, by limiting access to sensitive data according to policies that cover both users and activities. With this approach, an organization can locate sensitive data and monitor the ways users copy, move, and access it over time. Since data-centric security incorporates identity management systems to correlate specific users with activity on sensitive data, security officers can not only prevent unauthorized activity automatically but also detect suspicious behavior patterns and take action before it’s too late. When necessary, they can even render sensitive data useless with a simple click of a mouse.
A particular set of data-centric security techniques focuses on unstructured data – files stored on PCs, file servers, other repositories and the mobile devices that more people are using to access enterprise networks – as it is stored, accessed, moved, and used over time.
Data-centric security should also allow users to work without undue interruptions as they pass information among multiple devices. A people-centric policy allows for flexibility and dynamic enforceability based on the contexts of content, users, devices, time of day, location, and so on. It acknowledges the need for exceptions to predefined policies, given the unpredictable nature of legitimate data creation and usage, while relying on advanced analytics to catch excessive deviations from the norm.
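The following is an added example, not code from the original article or from any product: it correlates record-access events with treatment relationships and approved exceptions, the kind of user-to-activity check described above, and flags accesses with no clinical or business justification. The log format, user names, patient IDs, assignment table and exception list are all constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample data for illustration; not from any real system.
# Treatment relationships: (employee, patient) -> (first day, last day).
ASSIGNMENTS = {
    ("nurse_a", "P100"): (date(2016, 3, 1), date(2016, 3, 10)),
    ("dr_b", "P200"): (date(2016, 3, 5), date(2016, 3, 20)),
}
# Approved non-clinical business reasons (hypothetical exception list).
EXCEPTIONS = {("billing_c", "P100")}

# Constructed access log: timestamp, employee, patient record, action.
ACCESS_LOG = """\
2016-03-02T09:15:00 nurse_a P100 view
2016-03-02T09:20:00 nurse_a P200 view
2016-03-15T14:00:00 nurse_a P100 view
2016-03-06T11:00:00 dr_b P200 view
2016-03-07T08:30:00 billing_c P100 export
2016-03-07T08:45:00 billing_c P200 export
"""

def check(when, user, patient):
    """Return None if the access is justified, else a reason string."""
    if (user, patient) in EXCEPTIONS:
        return None
    window = ASSIGNMENTS.get((user, patient))
    if window is None:
        return "no treatment relationship"
    if not window[0] <= when.date() <= window[1]:
        return "outside treatment window"
    return None

def flag_unjustified(log_text):
    """Parse the log and return every access lacking a valid reason."""
    flags = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        reason = check(datetime.fromisoformat(ts), user, patient)
        if reason:
            flags.append((ts, user, patient, action, reason))
    return flags

def per_user(flags):
    """Count flagged accesses per employee to surface repeat patterns."""
    return Counter(user for _, user, _, _, _ in flags)
```

Running this check continuously over audit logs, rather than during an after-the-fact investigation, shortens the window in which unjustified access goes unnoticed.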
If the hospitals and the FDIC had used these approaches, no sensitive data would have been breached or misused, since only authorized users could have accessed the information. Are you looking for a better way to protect your data from insider threats?