I have sat on the Health System's Information Security Workgroup for a couple of years now, and have gained a lot of insights into the kinds of threats that actually put patient data at risk. The teenage hacker and the identity thief from some country in the former Soviet bloc get a lot of traction in the press as villains.
However, what I have come to understand gradually is expressed in the title of this article from last November on SearchSecurity.com: Insider security threats come in many forms. The most likely candidates for committing identity theft in your organization are the people working alongside you.
Per the article:
Whatever the insider's tactics or motives may be, Anderson said there are some common warning signs to look for, such as someone who isn't getting along with managers or co-workers and may be preparing to leave the company. If someone is leaving under unhappy circumstances, there's always the chance they could sabotage network data on the way out the door, she said.
Companies must also keep an eye on people who may start working hours when nobody else is around. Anyone who suddenly changes their normal work routine bears watching, Anderson said.
Companies must also be prepared to deal with people who create security risks without necessarily meaning to. If the network suffers a security breach because an employee was visiting seedy Web sites on company machinery, for example, there must be a plan for punishment.
"People need to understand that their computers are for business only and that they can be disciplined or even fired for using them for anything that isn't business related," Anderson said.
IT security professionals also need to watch for personal technology that could put the company at risk, she said. Cell phones with embedded cameras, for example, could be used to photograph and transmit sensitive data.
This last paragraph bears further examination. Many cell phones now attach directly to your computer, either via USB or Bluetooth, and have many megabytes of space available for file transfers. Files may need to be renamed to look like MP3s or some other format the phone recognizes, but out the door they go in perhaps the most innocuous and ubiquitous of all electronic gadgets.
Another source of worry for me: my daughter has a year-old iPod with a 60-gig hard drive. Not only is it small enough to fit in my pants pocket (as if she'd let me have it to try), but iPod ownership is so prevalent that the devices are invisible to the people around the wearer. And corporations are actually in effect encouraging their use by producing employee-targeted podcasts, as described in an eWeek article entitled Podcasting: An Enterprise Hit.
The advantages of podcasts—produced audio delivered to a digital music player—are obvious: They are easy to create and are portable, and users can download them and listen at their leisure without office distractions. A message from the boss? Facts about a new product? Procedures for a new business process? Technology support tips? Download and listen.
Bottom line: determined and resourceful insiders will steal data. Identity theft is going to have to be handled post- rather than pre-breach, and we're going to need to find ways as a global society to make that efficient and cost-effective.
That's a gargantuan task with respect to financial data alone, but patient data often contain information that is potentially more damaging to the individual than a blemish on his or her credit record. Public knowledge that you are genetically susceptible to a debilitating disease could make you uninsurable; being "outed" as a homosexual could bring you ignominy or in certain subcultures leave you vulnerable to physical violence.
What You Can Do
Not every threat can be headed off, nor can every threat be mitigated after the fact. We live in an increasingly dangerous world. Then again, determined insiders have long been able to do damage to their employer or their employer's clientele through misappropriation of property to which the insider had access for legitimate purposes. Embezzlement is a good example. If an employee had legitimate access to the employer's funds, misappropriating those funds was not a crime at common law; statutes had to be written to make it one. At the federal level it is a felony codified at 18 U.S.C. § 656 (bank embezzlement), in Chapter 31 of Title 18 as enacted in 1948. At common law, the only remedy for embezzlement was a civil lawsuit.
Laws against identity theft at the Federal level began with the Identity Theft and Assumption Deterrence Act of 1998, and many states have now enacted similar laws with stricter definitions and stronger penalties, and to make it a crime for organizational leadership to fail to notify victims of a security breach occurring in their organization. Michigan's governor signed such a bill only yesterday.
As with embezzlement and most other crimes, after-the-fact legal remedies are cold comfort to the victims. We can learn by analogy from the banking industry's best practices for preventing embezzlement. This list is adapted from the International Encyclopedia of Judicial Studies:
Put procedures in writing. Develop standard operating procedures for handling sensitive information and put them in writing. Develop a handbook and include the procedure and make sure employees have acknowledged it. The more uniformity your systems and routines demand, the more routine your employees' actions will become, and the easier it will be to spot irregularities and other problems.
Establish individual access accounts, and provide "need-to-know" granularity in access controls. All access to sensitive information should be attributable to the individual accessing it, so every access must follow successful authentication and authorization; shared or generic accounts defeat this. Make sure that terminals obscure their displays and lock when an authorized person is not in the immediate vicinity (see http://www.ensuretech.com for a way to do that). Maintain audit trails for all access to sensitive information, recording who accessed which record, when, and from where.
Monitor access records. Employers should ensure, and employees should know, that audit trails are not "write-only memory": somebody actually reads them, looking for the warning signs quoted above, such as access at hours when nobody else is around or a sudden change in someone's routine.
Plant bait. This is a variation on the "trust, but verify" principle. In a records system the usual form is a decoy record that no legitimate workflow ever touches, so any access to it is worth investigating. How you do this beyond that will be very situation-dependent.
Don't rely on your IT staff alone. Hire security experts to perform regular reviews and audits, as well as to undertake "black hat" activities such as the bait planting described above. Certification of the information security professionals you retain should be a requirement.
Set the tone at the top. Employees who view their leaders as honest people are more inclined to copy that behavior. The opposite is also true. Do not give employees an excuse to be dishonest or lax.
Finally, keep in mind that many if not most leaks of sensitive information are the result of negligence or ignorance rather than malfeasance. Diligently educate your staff on the many ways information security can be breached without intent. Make sure your policies and procedures are designed to prevent such losses, and make sure your employees know and follow them.
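To make the audit-trail, monitoring and bait items above concrete (together with the after-hours and change-of-routine warning signs quoted from the article), here is a small review script. It is an added example, not code from this post or from any product or organization mentioned in it. The log line format, the business-hours window, the threshold, and the bait patient ID are assumptions chosen for the illustration, and the log entries themselves are constructed.

```python
"""Review a constructed EHR access audit trail for insider warning signs:
accesses to a bait (decoy) record, and users whose accesses cluster
outside business hours. Example code; the format is an assumption."""
from collections import Counter
from datetime import datetime

# Constructed sample audit lines. Format (an assumption):
#   <ISO timestamp> user=<id> action=<verb> patient=<record id> src=<workstation>
SAMPLE_LOG = """\
2007-01-03T09:12:04 user=agreen action=view patient=P-000101 src=ws04
2007-01-03T09:40:19 user=agreen action=view patient=P-000102 src=ws04
2007-01-03T14:05:51 user=bwhite action=update patient=P-000230 src=ws11
2007-01-03T23:48:02 user=bwhite action=view patient=P-000231 src=ws11
2007-01-04T02:13:55 user=bwhite action=view patient=P-000232 src=ws11
2007-01-04T02:15:30 user=bwhite action=view patient=P-000778 src=ws11
2007-01-04T02:16:10 user=bwhite action=export patient=P-000233 src=ws11
2007-01-04T10:02:47 user=agreen action=view patient=P-000103 src=ws04
"""

# Bait records: patient IDs that exist only so that touching them is a signal.
# Hypothetical ID; no legitimate workflow should ever reference it.
BAIT_PATIENTS = {"P-000778"}

# Hours considered normal for this department (assumption: 07:00 to 18:59).
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Turn audit lines into dicts with a parsed timestamp and key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def bait_accesses(events, bait=BAIT_PATIENTS):
    """Every event that touched a decoy record, whatever the action."""
    return [e for e in events if e["patient"] in bait]


def off_hours_accesses(events, hours=BUSINESS_HOURS):
    """Every event whose hour of day falls outside the business window."""
    return [e for e in events if e["ts"].hour not in hours]


def off_hours_share(events):
    """Fraction of each user's accesses that fell outside business hours.
    A user whose share jumps is the 'changed routine' the article warns of."""
    total = Counter(e["user"] for e in events)
    off = Counter(e["user"] for e in off_hours_accesses(events))
    return {user: off[user] / total[user] for user in total}


def review(events, threshold=0.5):
    """Produce alert tuples: bait-record touches first, then users whose
    off-hours share meets the threshold (0.5 is an assumed starting point)."""
    alerts = []
    for e in bait_accesses(events):
        alerts.append(("bait", e["user"], e["patient"], e["ts"].isoformat()))
    for user, share in off_hours_share(events).items():
        if share >= threshold:
            alerts.append(("off_hours", user, round(share, 2)))
    return alerts


if __name__ == "__main__":
    for alert in review(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, bwhite trips both checks: four of five accesses fall between 23:00 and 03:00 and one of them is the decoy record. The point of the bait check is that it needs no baseline at all, which is why it is the cheapest of these signals to deploy; the off-hours share needs a threshold tuned to the department (night-shift staff will legitimately score high), and in practice you would compare each user against their own prior weeks rather than a fixed window.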
That about covers it. The rest is execution...
Whilst I acknowledge the risk I don't agree with your bleak assessment. Just imagine what people would have made of the Caxton printing press if that were the case. It's just a minor, manageable downside of some extremely beneficial technology. Powerful technologies need to be managed. 'Twas always thus.
Posted by: ClickRich | January 04, 2007 at 03:07 PM
Point taken. I was having a bad morning. I was actually in the midst of updating the post to make it less bleak when you posted this comment. See if it sounds more balanced to you and let me know.
Posted by: Hunscher | January 04, 2007 at 03:29 PM
Bravo :)
Posted by: ClickRich | January 05, 2007 at 01:17 PM
Hi, there are a number of ways to prevent identity theft, and everyone should know how to protect themselves from this crime. Know the tips to prevent...
http://www.identitysafetytips.com/prevent-identity-theft/ways-to-prevent-identity-theft.html
Posted by: Jim | April 23, 2007 at 01:00 PM