Recently ProMedica Bixby and Herrick Hospitals contacted 3,472 patients to inform them that their private medical records had been improperly accessed by seven employees. As is standard practice after a breach of patient information, patients received letters from ProMedica explaining the situation and the hospital’s action plan to prevent additional breaches, and offering a full year of free credit protection monitoring. The hospital also reported this insider-threat incident to the U.S. Department of Health and Human Services.
The breach was discovered on April 7, 2016. An internal investigation revealed that, between May 1, 2014 and April 26, 2016, seven employees accessed the medical records of patients they were not treating, without a valid business or clinical reason. The information accessed included the patient’s full name, address, phone number, date of birth, insurance, diagnosis, medications and other clinical information. ProMedica commented that the employees did not appear to have intended to retain or use the information accessed, but it could not verify this. Being unable to verify either the intent behind an access or what was done with the data afterwards is a major problem wherever sensitive information is involved.
The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information. This is in reaction to security incidents in which departing employees accidentally took sensitive files with them on portable media. According to numerous studies, trusted insiders pose a greater risk to sensitive information than hackers and cybercriminals.
I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information. DRM will help prevent unauthorized access to and distribution of sensitive files regardless of their location or the device on which they are opened. It can limit a user’s ability to view, edit and print a file, and can even limit how long the file remains accessible. These controls apply to both internal and external users.
There is a lot happening lately in the financial sector to help stem the tide of constant data breaches. This week a financial industry coalition in the US is promoting a campaign called “Stop The Data Breaches” to encourage people to urge their members of Congress to pass The Data Security Act of 2015 (H.R. 2205 and S. 961).
The effort is backed by seven trade groups, including the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association and the National Association of Federal Credit Unions (NAFCU). By running online and print ads, they are trying to get Congress to enact this important legislation, which would protect consumer data.
A few weeks ago, on May 12, 2016, the Federal Deposit Insurance Corporation (FDIC) appeared before a Congressional subcommittee to answer whether Americans can trust the FDIC to protect their private banking information. One of the interesting outcomes was the FDIC announcing a new cyber security initiative after 5 more breaches. Part of this initiative is the implementation of Digital Rights Management technology to locate, recall and/or render data useless when appropriate. This development should have a major impact on the financial sector, whose members will follow suit if they have not already implemented this kind of data-centric and people-centric security approach.
On Thursday May 12, 2016, the Congressional Subcommittee on Science, Space and Technology held a special hearing in Room 2318 of the Rayburn House Office Building. The hearing addressed whether Americans can trust the Federal Deposit Insurance Corporation (FDIC) to keep their private banking information secure.
During the session, lawmakers stated that the FDIC has a long history of cyber-security incidents and that it is failing to safeguard private banking information of millions of Americans who rely on the FDIC.
In the last seven months alone, seven departing employees at the FDIC have left with personal banking information on thumb drives and other removable media.
While Lawrence Gross Jr., the FDIC’s CIO, told lawmakers that the FDIC considered the data breaches “inadvertent” copying of personal banking information that happened when departing employees were copying their own personal information to removable media, some lawmakers called taking something that does not belong to an employee “theft”.