Thursday, December 30, 2010

Terminated Employees Retaining Access to Sensitive Data?
Why it is so Prevalent and How to Really Fix it.

The media is full of stories about ex-employees who accessed their former company’s computers after they had been terminated.

Some former employees steal patient or customer data to commit identity theft. Others steal customer lists or intellectual property. A few attempt to blackmail or publicly embarrass their former employer.

Customers are Angry
The comments posted in response to these reports are sobering. Members of the general public are livid when the data theft involves customer/patient data and they feel they could have been victimized.

Many incorrectly demand action against the company’s IT security management. A common mistaken analogy is “I had to turn in my office key when I left my last company; how hard can it be to revoke an employee’s access?”

Knowing is the Hardest Part
Unfortunately, knowing that an employee’s access should be revoked is the hard part. Every IT Security organization I have known can quickly revoke employee access, but they are at the mercy of the managers who must request that the access be revoked. It is the human element that is repeatedly the weakest link in the chain.

Terminated but Still on Payroll
I was told about an employee who was escorted to the door with no advance notice of their termination. But IT was not notified until 6 months later. Why? Because the ex-employee’s severance agreement included 6 months of salary, so he remained on the payroll and in the HR systems as an active employee until his severance agreement ended. (And no, I won’t tell you what this angry employee did during those 6 months.)

Manager Mistakes – “I Forgot”
I have been told many variations on the story “the manager did not report the terminated employee to HR for weeks after the last day”. Often managers were busy and knew they had given the employee 2 or more weeks of severance, so the manager did not worry about informing HR until it was time for the paychecks to stop.

Other times the manager wanted continued access to the ex-employee’s accounts to help with a transition. A few times the manager had the malicious intent of misusing the ex-employee’s access. (See this blog posting)

Employee ID Baked into Critical Application
There have been other instances where turning off the access of an ex-employee would break an important application because the employee had baked his or her user ID into the code that did the data retrieval or update. (And this is not just IT staff; other departments had hacked together their own data access the same way.)

IAM and SSO are Important but Do Not Solve the Problem
Implementing a provisioning system (IAM/IdM), single sign-on (SSO), or cracking down on managers who do not follow policy is not a comprehensive solution. All such preventive systems can be subverted for innocent or malicious reasons. The key is to have an automated detective control that can find terminated users and their unrevoked rights, so IT is NOT wholly dependent on people and process.

Automatically Discover Unrevoked Access of Terminated Users
Veriphyr is an analytics service that discovers unrevoked access of terminated users on mainframe, midrange, Linux/Unix, and Windows systems.

Every user has an activity profile based on their unique pattern of usage. Veriphyr can differentiate between the activity patterns of current employees versus terminated employees, even terminated employees who continue to access sensitive systems. Veriphyr can even differentiate between full-time employees and those on vacation, or contractor accounts between projects.
Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft, even "snooping" by terminated employees.


Wednesday, December 15, 2010

Terminated Nurse Breaches Privacy Rule by Accessing Electronic Health Records (EHR) of Former Patients

Yet another terminated employee was caught accessing their former employer's sensitive data.

"Macon police are investigating a former employee of Coliseum Hospital accused of entering a secure area and accessing patient information" (a)

Investigators believe the former employee was at the hospital for a nurse’s birthday party when she logged into the hospital’s computers.

Privacy Software Does Not Know "Terminated"

Unfortunately, traditional patient privacy audit ("snooping") software cannot recognize a terminated employee's activity as inappropriate if the employee still has his or her access codes. This is because traditional "snooping" products have no ability to differentiate between a terminated employee and a regular employee.

Traditional privacy surveillance solutions would see access by a terminated employee as normal if the terminated employee was accessing patient records similar to those he or she dealt with while employed.

It is not sufficient for privacy breach detection products to audit for inappropriate patient record activity. Protecting patient privacy requires solutions that understand both activity and identity.

Fortunately there is a new breed of identity and access intelligence services that can identify terminated employees based on their on-line behavior, even if the employee's access rights were not completely turned off when they were terminated.
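A minimal version of the detective control both posts argue for, written here as an added example (it is not Veriphyr's product or code): it reconciles a constructed HR roster, a constructed directory export and constructed authentication events, keyed on the person's last working day rather than payroll status so that the "terminated but still on payroll" severance case above is caught, and flags accounts that are still enabled, accounts still being used after the last day, and enabled accounts with no HR owner at all. The log format, field names, account names and dates are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster (not real data). `last_day` is the last day the
# person was to be on site; `payroll_end` can be months later because of
# severance, which is why payroll status must not drive deprovisioning.
HR_ROSTER = [
    {"user": "jsmith",  "status": "active",     "last_day": None,               "payroll_end": None},
    {"user": "mgarcia", "status": "terminated", "last_day": date(2010, 11, 5),  "payroll_end": date(2010, 11, 5)},
    {"user": "rlee",    "status": "active",     "last_day": date(2010, 6, 1),   "payroll_end": date(2010, 12, 1)},
    {"user": "akhan",   "status": "terminated", "last_day": date(2010, 10, 15), "payroll_end": date(2010, 10, 15)},
]

# Constructed directory export: is the login still enabled?
DIRECTORY = {
    "jsmith":      {"enabled": True},
    "mgarcia":     {"enabled": True},    # manager never told IT
    "rlee":        {"enabled": True},    # HR still says "active" during severance
    "akhan":       {"enabled": False},   # revoked as it should be
    "svc_reports": {"enabled": True},    # no HR owner at all
}

# Constructed authentication events in an assumed key=value format.
AUTH_LOG = """\
2010-11-18T09:02:11 host=ehr01 user=jsmith result=success src=10.1.4.22
2010-11-20T19:41:03 host=ehr01 user=mgarcia result=success src=10.1.9.140
2010-11-20T19:42:30 host=ehr01 user=mgarcia result=success src=10.1.9.140
2010-10-20T08:00:00 host=ehr01 user=akhan result=failure src=10.1.9.77
2010-09-03T23:00:00 host=db02 user=rlee result=success src=10.1.2.5
2010-09-04T23:00:00 host=db02 user=rlee result=success src=10.1.2.5
"""


def parse_auth_log(text):
    """Parse the key=value log lines into dicts with a datetime `ts`."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts_str)
        events.append(rec)
    return events


def find_unrevoked_access(roster, directory, events, as_of):
    """Return findings for people whose last working day has passed (as of
    `as_of`) but whose account is still enabled or still being used."""
    departed = {e["user"]: e for e in roster
                if e["last_day"] is not None and e["last_day"] <= as_of}
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, emp in departed.items():
        # Check 1: account still enabled after the last working day.
        acct = directory.get(user)
        if acct and acct["enabled"]:
            findings.append({"user": user, "type": "account_still_enabled",
                             "detail": f"last day {emp['last_day']}, HR status {emp['status']}"})
        # Check 2: authentication activity after the last working day.
        post = [ev for ev in by_user.get(user, []) if ev["ts"].date() > emp["last_day"]]
        ok = [ev for ev in post if ev["result"] == "success"]
        failed = [ev for ev in post if ev["result"] != "success"]
        if ok:
            latest = max(ev["ts"] for ev in ok).isoformat()
            findings.append({"user": user, "type": "post_departure_login",
                             "detail": f"{len(ok)} successful logins after last day, latest {latest}"})
        elif failed:
            findings.append({"user": user, "type": "post_departure_failed_attempts",
                             "detail": f"{len(failed)} failed attempts after last day"})
    # Check 3: enabled accounts with no owner in HR (orphaned or shared logins).
    known = {e["user"] for e in roster}
    for user, acct in directory.items():
        if acct["enabled"] and user not in known:
            findings.append({"user": user, "type": "orphan_account",
                             "detail": "enabled but not linked to any HR record"})
    return findings


def run_example(as_of=date(2010, 12, 15)):
    return find_unrevoked_access(HR_ROSTER, DIRECTORY, parse_auth_log(AUTH_LOG), as_of)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['type']:32} {f['user']:12} {f['detail']}")
```

Run against the sample data, the report names mgarcia and rlee twice each (still enabled, still logging in), akhan once for failed attempts against a correctly disabled account, and svc_reports as an orphan. The point of keying on last working day is visible in the rlee row: HR status alone would never have flagged that account. Check 3 is a generalization beyond the post: an enabled login that no HR record owns is the shape a "baked-in user ID" or shared account usually takes once the person behind it has left.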

"the former employee, who still had her access code, entered a secured area and logged into the hospital’s computer records, allegedly accessing patient information." - Macon.com, November 20, 2010 (a)

Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft, even "snooping" by terminated employees.

Sources:
(a) "Ex-Macon hospital worker accused of accessing patient information" macon.com

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.