Patients in Manitoba are receiving notification from their healthcare providers that their personal and sensitive information has been lost or inappropriately accessed. As all who have responsibility for the security of information know, the insider threat is very real. Oftentimes we associate the insider threat with the actions of a nefarious individual. As you’ll read below, these breaches involved an employee wanting to update their contact list and a hard-copy file walking out of a locked and access-controlled office.
In both instances, the health authorities have an excellent opportunity to heighten the awareness of all employees as to the sensitivity of individual patient records. Security and privacy awareness training should include special admonishment on the requirement to follow the principle of least-privilege access. That is to say, access only that which you must in order to do your assigned duties, and then return the information to its secure, at-rest location. Carelessness and curiosity are two very real insider threats which all entities need to address to ensure the protection of the sensitive and private information of the individual.
Inappropriate Access
In mid-November 2016, the Winnipeg Free Press reported that a former worker of Manitoba Health, Seniors and Active Living (MHSAL) broke the trust between the MHSAL and its constituency when the individual took a peek into the confidential protected health information (PHI) records of approximately 197 individuals. The reason? The employee wanted to update her address book. Manitoba Health Minister Kelvin Goertzen said Monday his department has wrapped up an internal investigation and the employee has moved on to other opportunities outside of the MHSAL.
Read the full article: Private data breach ‘not nefarious’; former Health worker wanted to update contacts
A file goes for a walk
Separately, the CBC reports that the Winnipeg Regional Health Authority (WRHA) is dealing with a data breach involving the PHI and personal identifying information (PII) of over 1,000 people, after an administrative file was taken from a “locked” office inside Winnipeg Health Sciences Centre on Oct. 7. Réal Cloutier, the WRHA’s vice-president and chief operating officer, said, “We take our responsibility as a trustee of health information seriously and we expect that we protect that information, and unfortunately in this case we have a situation where information was taken.”
Read the full article: File with 1,000 patients’ personal details taken from Winnipeg hospital