January 17/11/2011 Following the news that a former NHS care assistant has been convicted of obtaining the medical records of five members of her ex-husband’s family in order to obtain their new phone numbers, Varonis Systems says this rogue employee incident shows why the automation of IT security enforcement is critical to organisations with large amounts of sensitive data.
According to the data governance specialist – whilst the case initially appears to be one of a rogue employee with access to the medical records of the patients concerned – the Information Commissioner’s Office (ICO) has reported that the patients whose details had been compromised were not under the worker’s direct care.
“Put simply, this means that she was accessing the medical records without express or implied permission from her employer – and was clearly committing an offence under section 55 of the Data Protection Act. This is why she was fined £500 for the offence, which was also a breach of her employer’s trust,” said David Gibson, Varonis’ director of strategy. And, he notes, who knows what other data was made available to the staff member concerned?
“This isn’t terribly surprising – managing authorisation to fluid data sets is a very difficult challenge for organisations that haven’t automated permissions management with data governance technology. Smart card logs were used as evidence that strong authentication was in place – pretty much eliminating the possibility that the account was compromised. The problem is that when users are authenticated, you then need to make sure that those users only have access to the data that’s relevant to them, and nothing more – especially sensitive data. Automation is the only real way to adhere to the principle of least privilege with present-day digital collaboration,” he said.
Healthcare data, he explained, is some of the most dynamic in the IT industry, with new patients coming in every day for lots of reasons, then being treated and moving on, and with some returning for further treatment. The end result is that there are numerous digital files for every patient treated, he says, adding that health records contain the most personal of information, with phone numbers certainly being private, as well as the medical issues those family members were treated for.
It would be interesting to discover, Gibson says, to what extent other NHS bodies use data governance technology when securing the medical records and other data of patients. Data governance technology can be used not only to optimise authorisation, but also to monitor what those authorised users are doing with their access, and to alert on potential abuse.
“In a large hospital or health trust environment, even an army of people couldn’t keep up with the pace of authorisation changes. Automation is clearly the only way to effectively optimise authorisation and monitor the use of the data concerned, but the good news is that this technology is available in the marketplace, without resorting to untested leading edge systems,” he added.
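The monitoring described above – checking whether an authenticated user has a legitimate treating relationship with the patient whose record they open, and alerting on abuse – can be illustrated with a small detection pass over access logs. The following is an added example written for this page; it is not Varonis code, not an NHS system, and not any real EHR audit format. The log lines, the care-team table, the staff and patient identifiers, and the pipe-delimited layout are all constructed for illustration. It flags two things: any access where the user is not on the patient’s care team, and any user who touches several unrelated patients in a short window, which is the pattern in the case discussed (five records of one family).

```python
"""Added example (not from the original article): detecting record access
outside a treating relationship, over a constructed audit log."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str


# Constructed care-team table: patient -> staff with a treating relationship.
# A real system would derive this from admissions, ward and clinician assignments.
CARE_TEAM: dict[str, set[str]] = {
    "P1001": {"nurse.a", "dr.b"},
    "P1002": {"nurse.a"},
    "P2001": {"dr.c"},
    "P2002": {"dr.c"},
    "P2003": {"dr.c"},
    "P2004": {"dr.c"},
    "P2005": {"dr.c"},
}

# Constructed audit log, one event per line: ISO-8601 timestamp|user|patient|action.
# The assumed format is illustrative only.
RAW_LOG = """\
2011-11-17T09:02:11|nurse.a|P1001|view_demographics
2011-11-17T09:05:40|dr.b|P1001|view_notes
2011-11-17T09:10:03|nurse.a|P1002|view_notes
2011-11-17T12:30:05|nurse.a|P2001|view_demographics
2011-11-17T12:31:17|nurse.a|P2002|view_demographics
2011-11-17T12:31:58|nurse.a|P2003|view_demographics
2011-11-17T12:33:20|nurse.a|P2004|view_demographics
2011-11-17T12:34:41|nurse.a|P2005|view_demographics
2011-11-17T15:00:00|dr.c|P1001|view_notes
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the pipe-delimited log, skipping blank lines."""
    events: list[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def find_unauthorised(events: list[AccessEvent],
                      care_team: dict[str, set[str]]) -> list[AccessEvent]:
    """Events where the user has no treating relationship with the patient.
    A patient with no care-team entry at all is treated as off-limits to everyone."""
    return [e for e in events if e.user not in care_team.get(e.patient_id, set())]


def find_bursts(events: list[AccessEvent],
                window: timedelta = timedelta(minutes=10),
                threshold: int = 3) -> dict[str, int]:
    """Users who opened >= `threshold` distinct patients within any `window`.
    Returns user -> largest number of distinct patients seen in one window."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged: dict[str, int] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for i, e in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while e.ts - evs[start].ts > window:
                start += 1
            best = max(best, len({x.patient_id for x in evs[start:i + 1]}))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    outside = find_unauthorised(evs, CARE_TEAM)
    for e in outside:
        print(f"OUTSIDE CARE RELATIONSHIP: {e.ts} {e.user} -> {e.patient_id} ({e.action})")
    for user, n in find_bursts(outside).items():
        print(f"BURST: {user} accessed {n} unrelated patients within 10 minutes")
```

Run as-is it reports six accesses outside a care relationship and one burst (nurse.a, five unrelated patients in under five minutes). The single out-of-team access by dr.c is listed but not escalated as a burst, which is the useful distinction in practice: one stray lookup may be a legitimate consult or a typo, while a run of unrelated records by one account is what warrants an alert. The care-team table is the piece that has to be kept current automatically; as the article notes, in a large trust it changes faster than any manual process can track.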
For more on Varonis: http://www.varonis.com
For more on the NHS care worker prosecution (ICO release): http://www.ico.gov.uk/news/latest_news/2012/health-worker-convicted-of-obtaining-patient-details-unlawfully-12012012.aspx
Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. The company was named "Cool Vendor" in Risk Management and Compliance by Gartner, and voted one of the "Fast 50 Reader Favorites" on FastCompany.com. Varonis has over 4,000 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis' solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, with regional offices in Europe, Asia and Latin America, and research and development offices in Hertzliya, Israel.
Varonis, the Varonis logo, DatAdvantage and DataPrivilege are registered trademarks of Varonis Systems in the United States and/or other countries and Data Classification Framework and Metadata Framework are under a registration process in the United States and/or other countries. All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.