Here's a brazen bit of breachery from the Miami Herald. It's a neat little proposition: for a flat monthly fee, a data broker (of sorts) acquires medical records from a hospital employee and passes them through to a personal injury lawyer for a fee, plus a percentage of his lawsuit earnings.
Apparently the scheme went on for two years before the hospital employee blabbed about it. Luckily for Miami-area residents, someone with a clearer moral compass recognized the crime and told authorities.
This isn't all that different from the revelation that UCLA Medical Center employees were abusing their access privileges to snoop in the files of celebrity patients, either for their own amusement or to pass info along to the tabloids.
While both stories are a reminder of the serious threat posed by malicious insiders, the Jackson Memorial case offers another lesson: don't overlook the importance of personal ethics in your security strategy.
We have no information about the security and ID/access management technologies in place at Jackson Memorial, and we don't know if the person who tipped the police was a co-worker.
But we do know that someone who knew right from wrong had the moral courage to do the right thing when confronted with information related to misconduct.
Good, consistent training and an ongoing awareness campaign -- along with a visible example set from the top down -- can have a positive effect on your company's overall security program (and at a very reasonable cost).
We cannot emphasize enough the importance of creating a security-conscious culture within every organization.
Mike Spinney, CIPP, is a senior privacy analyst with the Ponemon Institute, a research organization dedicated to advancing responsible information and privacy management practices in business and government.