Tuesday, March 27, 2012

Police Officer Fined for Data Privacy Breach on Police Computers

A police officer was fined more than £2,000 and lost his job after being caught using police systems to access information about "individuals known to him socially".

The fine and resignation followed an investigation by anti-corruption officers, launched after complaints within the force about the officer's actions.
"We have to ensure the information we hold as a police service is managed appropriately and responsibly and we will take action against anyone who takes advantage of their position to access inappropriate information." - Jon Green, of the force's professional standards
The officer admitted four counts of breaching the Data Protection Act. The court fined him £250 for each of the four offences and ordered him to pay £1,000 in court costs and £15 towards victims of crime.
Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Ex-Hertfordshire constable Adrian Moir fined over data breach - BBC, March 23, 2012

Saturday, March 24, 2012

Ponemon Report - Malicious Insiders are the Real Danger

The Ponemon annual report on the cost of a data breach states that "Companies who are not able to manage your data are viewed as less trustworthy."

This would explain why heavily regulated organizations, such as financial services and healthcare organizations, are reported to have higher than average breach costs.
"It’s really the malicious insider – someone who’s nefarious or angry at the organization – that presents the real danger to the company." - Larry Ponemon, chairman and founder of the Ponemon Institute
The seventh annual U.S. Cost of a Data Breach report from Ponemon Institute examined the 2011 data breach experiences of 49 U.S.-based organizations and interviewed a total of 400 people with direct knowledge of the IT, information security, and data breach cleanup efforts at those organizations.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Ponemon Annual U.S. Cost of a Data Breach - Ponemon, March 20, 2012

Tuesday, March 20, 2012

CERT 2012 - Top 10 Ways to Stop Insider Threats

Dawn Cappelli, technical manager at Carnegie Mellon University's CERT Insider Threat Center, spoke at the RSA conference in San Francisco on the best ways to stop insider data breaches.
Create clear security policies such as: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."
Here are two of Cappelli's top 10 ways to stop insider breaches.
  • Protect crown jewels first
    To put an effective insider-threat program in place, first ask: What's the single most important piece of information in your company? Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

  • Train employees to resist recruiters
    Many employees who commit fraud are recruited from outside, and insiders often say that they are not committing a crime but merely giving data to someone else, who then commits the crime. Alter such thinking by creating clear, related security policies such as: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) 10 Best Ways To Stop Insider Attacks - InformationWeek, March 13, 2012

Tuesday, March 13, 2012

Insurer Fined $1.5 Million for Patient Privacy Violations

A Tennessee insurer has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced on March 13, 2012.

"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program" - Leon Rodriguez, director of the HHS Office for Civil Rights (OCR)

Under the settlement, the insurer agrees to monitor its employees to ensure that HIPAA requirements are met and to review and revise its privacy and security policies.

The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.

Monday, March 12, 2012

Moving "at the Speed of Trust" - Kaiser Health News on the National Coordinator for Health Information Technology

Patient privacy protection is a top priority for Dr. Farzad Mostashari, the National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services.

Mostashari says the program will only move forward “at the speed of trust,” as physicians implement data-sharing systems in increments, with special attention to encryption and rules on access, password protection and audit trails.

Breaches, however, may be something over which he has less control. Every week, it seems, another hospital reports a breach of hundreds or thousands of patient records.

Source - http://www.kaiserhealthnews.org/Stories/2012/March/09/Farzad-Mostashari-health-information-technology.aspx

Sunday, March 11, 2012

HHS/OCR - Expect Penalties for "Abject Failure of Due Diligence" on Patient Privacy

OCR plans to hand out more penalties in cases where it finds “an abject failure of due diligence,” said Leon Rodriguez, head of HHS’ Office for Civil Rights (OCR).

Speaking at the International Association of Privacy Professionals’ Global Privacy Summit he warned that OCR is seeing organizational failures to assess and manage risk at many HIPAA-covered entities.
"The big issue for me is what's going on inside the entity that makes those things happen." - Leon Rodriguez, Director of the HHS Office for Civil Rights
Download a white paper on user activity monitoring. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) HHS to Step Up HIPAA Privacy Enforcement in ‘Abject Failure’ Cases - Smart HR Manager Blog, March 9, 2012

Monday, March 5, 2012

Kaiser Director of Medical Informatics on Patient Privacy Breach Detection

Eric Liederman, Director of Medical Informatics at Kaiser Permanente, gave a great talk on best practices for protecting patient data privacy at the HIMSS (Healthcare Information and Management Systems Society) conference in Las Vegas.

Here is his advice for monitoring healthcare staff access to protected health information on computers:
  • Monitor logs of employee access to patient data to proactively find violations; don’t just investigate allegations.

  • Use analytics with high specificity so that few false positives occur. Doing so makes enforcement easier, because each flagged case is much more likely to be a genuine offender.

  • Run the monitoring before announcing a surveillance policy, in order to find the existing frequent offenders.

  • Announce the plan to monitor access to all employees. This can deter those tempted to inappropriately access patient data.

  • Monitor all employees and apply consequences consistently to be equitable and avoid lawsuits.
"The goal is deterrence, an effort to prevent normal, fallible people from giving in to momentary temptation." - Eric Liederman, Dir. Medical Informatics, Kaiser Permanente
Detecting patient privacy breaches in this manner fosters accountability, protects privacy, and helps the organization remain compliant with the Health Insurance Portability and Accountability Act.
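As an added illustration of the kind of log monitoring Liederman describes (this is example code written for this page, not Kaiser Permanente's tooling or the Veriphyr product), the script below runs two high-specificity rules over a constructed access log: an employee touching a record that belongs to them personally (the pattern in the utility-bill posts on this page) and an employee outside an authorized department touching a co-worker's record (the pattern in the police posts). It then tallies hits per user so that existing repeat offenders surface before a monitoring policy is announced. The employee directory, the authorized-department list, the log format and every log line are constructed assumptions for the example.

```python
import csv
import io
from collections import Counter

# Constructed employee directory (hypothetical). Maps each user ID to the
# department they work in and the record IDs that belong to them personally
# (their own patient chart or utility account).
EMPLOYEES = {
    "jsmith": {"dept": "Billing", "own_records": {"P-4471"}},
    "mlee":   {"dept": "Dispatch", "own_records": {"P-8812"}},
    "rdoe":   {"dept": "Dispatch", "own_records": set()},
    "tbrown": {"dept": "HR", "own_records": set()},
}

# Departments whose staff legitimately open other employees' records.
# Hypothetical policy exception chosen for this example; tune to your org.
ROLES_MAY_VIEW_STAFF_RECORDS = {"HR", "Occupational Health"}

# Constructed access-log sample in CSV form: timestamp,user,action,record_id.
SAMPLE_LOG = """\
timestamp,user,action,record_id
2012-02-01T09:12:03,jsmith,VIEW,P-4471
2012-02-01T09:15:44,jsmith,ADJUST,P-4471
2012-02-02T10:01:10,mlee,VIEW,P-9920
2012-02-03T11:30:00,tbrown,VIEW,P-4471
2012-02-03T14:02:21,rdoe,VIEW,P-8812
2012-02-04T08:45:00,jsmith,ADJUST,P-4471
2012-02-04T16:20:09,mlee,VIEW,P-9920
"""


def parse_log(text):
    """Parse CSV access-log text into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def record_owner(record_id, employees=EMPLOYEES):
    """Return the user ID of the employee a record belongs to, or None."""
    for user, info in employees.items():
        if record_id in info["own_records"]:
            return user
    return None


def detect_violations(events, employees=EMPLOYEES):
    """Apply two narrow rules to each event and return the findings.

    SELF_ACCESS: the user touched a record that belongs to them.
    COWORKER_ACCESS: the user touched a record that belongs to another
    employee, and the user's department is not one that may do so.
    Every other access is ignored, so a hit requires a concrete identity
    match rather than a statistical anomaly (few false positives).
    """
    findings = []
    for ev in events:
        user, rec = ev["user"], ev["record_id"]
        owner = record_owner(rec, employees)
        if owner is None:
            continue  # ordinary patient/customer record: no rule applies
        if owner == user:
            rule = "SELF_ACCESS"
        elif employees.get(user, {}).get("dept") in ROLES_MAY_VIEW_STAFF_RECORDS:
            continue  # authorized department, e.g. HR viewing staff records
        else:
            rule = "COWORKER_ACCESS"
        findings.append({"timestamp": ev["timestamp"], "user": user,
                         "action": ev["action"], "record_id": rec,
                         "rule": rule, "owner": owner})
    return findings


def frequent_offenders(findings):
    """Count findings per user, most frequent first."""
    return Counter(f["user"] for f in findings).most_common()


if __name__ == "__main__":
    hits = detect_violations(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["timestamp"]} {h["user"]:8} {h["action"]:7} '
              f'{h["record_id"]} {h["rule"]} (owner {h["owner"]})')
    print("Repeat offenders:", frequent_offenders(hits))
```

Run against the whole log for every employee, not just against the subject of a complaint, so that enforcement is consistent; the unknown-user branch deliberately falls through to COWORKER_ACCESS so that an account missing from the directory is surfaced rather than silently skipped.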
Learn how patient privacy breach detection proactively identifies unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Spying on staff: The solution to patient privacy, HIPAA - Modern Medicine, 2/29/2012
(b) Accountability, Fueled by Surveillance, Reduces HIPAA Violations - HIT Community, 2/22/2012

HIMSS on Patient Data Privacy Breaches

Data breaches are among the most common reasons that electronically stored information lands doctors in court, according to Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society, which advocates health information technology.

Source - http://www.ama-assn.org/amednews/2012/03/05/prsa0305.htm

Sunday, March 4, 2012

Utility Engineer Commits $1 Million Insider Theft

A civil engineer at a Pacific Northwest utility initially committed the crime of accessing his own residential account, and that of a rental property, to record payments that had never actually been made.

He did this by abusing the legitimate computer access required for his job of researching and issuing water-availability certifications to property owners and developers.

He then moved on to a $1 million insider theft that only came to light when a developer contacted the engineer's manager to ask about the crediting of an earlier deposit and provided a copy of the check. The manager could find no record of the check ever having been deposited with the city.

Police determined that all the checks had been deposited in his own account rather than the utility's bank account. Like many other insider thieves, the engineer began with an initial abuse of user access rights that went undetected; emboldened by getting away with it, he went on to commit larger crimes.
Learn how to catch user access rights abuse by authorized users - with no hardware and no on-site software.
Sources:
(a) Former city employee arrested in $1 million theft from Seattle Public Utilities - The Seattle Times, 3/1/2012

Utility Employees Abused Access Rights to Adjust Own Bills

Five call-center workers at a Pacific Northwest utility company have been fired for accessing their own accounts. One of the fired employees was a supervisor and a sixth employee was disciplined.

One of the utility's employees, with 29 years on the job, repeatedly adjusted her own utility bill. Between 2002 and 2010 she made 71 adjustments to her account, including many that deferred payment and avoided credit and shut-off action.
"I worked almost 30 years. I was a good employee. I messed up without knowing it was that serious." - Employee who abused access
The employees acknowledged knowing they shouldn't be fixing their own utility bills, but thought they would not be caught. The utility is examining data going back 10 years and said it would discipline all employees who inappropriately accessed accounts or adjusted their own bills.
Learn how privacy breach detection proactively identifies inappropriate access by authorized users - with no hardware and no on-site software.
Sources:
(a) Ex-city worker fined $1,500 for adjusting her utility bills 71 times - The Seattle Times, 3/1/2012

Saturday, March 3, 2012

Police Officer Violates Co-worker's Data Privacy by Abusing Computer Access

A police officer has been charged with violations of the Data Protection Act. He allegedly abused his access to police computer systems to look up a female colleague who was expected to testify at his misconduct investigation.

The charges state that "knowingly or recklessly without the consent of the data controller (the Chief Constable) he accessed information relating to Constable [name withheld] and other persons contained within the records of incidents of Northern Constabulary’s electronic Information and Management of Police Applications incident recording system, knowing or believing that she was likely to be a witness against him in a misconduct investigation."
Learn how data privacy breach detection can proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) North cop faces data protection breach charges - Highland News, 3/2/2012

Friday, March 2, 2012

Hospital Employee Steals Data from 445 Patients

An employee stole information on 445 patients from a university medical center. The clerk stole patient names, addresses, dates of birth, social security numbers, driver’s license numbers, and insurance information.

Hospital officials learned about the theft from law enforcement officials on Sept. 26 but were asked not to inform patients or the public until now to avoid compromising the investigation.
"This was one person who had legitimate access to information as part of their job in a secure area who chose to take that information, circumvent policy and sell it for personal gain." - hospital chief compliance officer
In response, the hospital conducted a time-consuming audit of its electronic records system, and it is offering affected patients one year of free credit monitoring and identity theft protection.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of electronic patient data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Information stolen from records of 445 Hackensack University Medical patients - NorthJersey.com, 3/2/2012


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.