Comments
Colleagues In Cuffs: When Employees Steal Patient Records
David F. Carr,
User Rank: Author
4/7/2014 | 9:57:52 AM
Identifying unhappy employees
Is there any science to identifying the unhappy/disengaged employees who might be the source of patient data theft problems? Is unhappiness really the key? I'd think some sort of psychological screening for ethical thinking would be more important. But I don't know how you measure either happiness or ethics on an ongoing basis, other than to pay attention to those individuals who are openly grumbling.
Alison_Diana,
User Rank: Author
4/7/2014 | 10:52:55 AM
Re: Identifying unhappy employees
I am not sure, but that's a great question. Just because employees are unhappy, it doesn't automatically mean they'll go on to do something unethical, either. Most unhappy workers will either stay where they are or start looking for new employment. It's only a certain percentage that will proactively sabotage their organization. 

In reading and writing about this in the past, a lot comes back to strong, good managers who know their teams and can sense when something is amiss. It also involves implementing the right technology tools to ensure individuals are accessing only the data they need, as often as they need to, and that alarms go off when someone appears to be doing something odd -- copying info, sharing data, accessing info they don't need, etc. It's more difficult when IT is the one doing the misdeeds, of course, but the combo of savvy managers, well-trained employees who are alert to oddities (like a $12/hour colleague who drives a 2014 Porsche and wears Armani), and strong tech will help. 
Gary_EL,
User Rank: Ninja
4/7/2014 | 3:01:17 PM
Re: Identifying unhappy employees
Well, anyone trying to get by on $12 an hour is bound to be unsatisfied and unhappy, so that means that almost everyone is a "suspect". There's a lesson to be had here, and that is, you can and should tighten up computer system security, but you can't control the human heart.
Shane M. O'Neill,
User Rank: Author
4/7/2014 | 5:00:11 PM
Re: Identifying unhappy employees
"Installing firewalls and locking down databases doesn't work if thieves have the keys or designed the infrastructure." 

Another reason to keep IT staff happy!

But seriously, worker unhappiness is often a hard thing for even the most conscientious managers to detect. An employee could be unhappy but also quite competent and good at concealing his or her emotions. Displays of "active disengagement" and undermining others' work are the real red flags and that's where a smart, observant manager is the company's best ally. At the same time, IT must fortify the hospital's systems and only allow employees access to the data they need for their jobs. And also monitor suspicious activity regularly. As Alison mentioned in her comment, savvy managers and strong tech are the best medicine.
IW Pick
Alison_Diana,
User Rank: Author
4/11/2014 | 10:22:22 AM
Re: Identifying unhappy employees
While at Internet Evolution I wrote a horrifying story about employee bullying that centered on a top network pro who bullied a junior network administrator. As an IT manager looked into the bullying, he discovered the bully was also reading executives' mail, stealing documents and sharing data with union reps, and doing all sorts of other nefarious deeds that damaged the corporation. Although there had been a suspicion that someone had been reading email, this guy was never a suspect because he'd seemed so dedicated to the job, had been there a long time, etc. So yes, it's very difficult to figure out who really is unhappy if they want to hide the fact from management and colleagues. 
Alison_Diana,
User Rank: Author
4/11/2014 | 10:19:31 AM
Re: Identifying unhappy employees
Studies have shown money isn't always the most important part of keeping employees happy and engaged. That said, people should (IMHO) earn a livable wage, especially when they're in a career that's involved training and education. 
gosmartyjones,
User Rank: Apprentice
4/16/2014 | 3:26:25 PM
Re: Identifying unhappy employees
Once again, it's internal threats that are outweighing the external threats and causing monumental problems for companies. Doing the basic due diligence - background checks, credit checks, employment references, drug testing - all help, no question about it. But what's really imperative is creating the notion of accountability within a company. More specifically, a sanctions policy and supporting procedures that clearly outline and detail the legal and criminal penalties faced by employees and other workforce members who undertake such malicious activities. You would be surprised at the number of employees who would NOT undertake such actions if they knew that jail time, fines, and other significant legal troubles lay ahead.
Alison_Diana,
User Rank: Author
4/17/2014 | 9:22:20 AM
Re: Identifying unhappy employees
That's very interesting, @GoSmartyJones. To be honest, that's an aspect I had not considered -- educating employees about the penalties they will face if they do leak or steal data. It's definitely a natural fit with other best practices: Teaching new and existing employees how to safeguard information, both technologically and from social engineering, and the importance of maintaining secure patient records, emails, images, etc. I wonder, do you have any examples you can please share that demonstrate how merely taking that extra step and telling healthcare workers about the fines and jail time involved led to decreased breaches? 

This step is something healthcare organizations can do almost immediately. Sadly, there's a ton of data freely available on fines and jail sentences healthcare employees have incurred because they've stolen or leaked patient data. And no doubt government organizations will be glad to share other info to encourage medical pros to be more proactive in their security efforts. Love this idea!
gosmartyjones,
User Rank: Apprentice
4/21/2014 | 10:23:39 AM
Re: Identifying unhappy employees
As part of security awareness and training that I conduct for organizations - such as for PCI DSS, HIPAA, and other regulatory compliance frameworks - I always emphasize the criminal and legal aspect of stealing data. It seems to make people sit up in their chair and pay attention. The accountability aspect of this is so important, because if employees know the true ramifications of their actions, they probably will not undertake such malicious tactics. I use myinformationsecuritypolicy.com for security awareness materials, if you are curious.
BobH088,
User Rank: Moderator
4/9/2014 | 8:12:08 PM
security solution

One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
Alison_Diana,
User Rank: Author
4/11/2014 | 10:23:23 AM
Re: security solution
Sounds like a good option. Thanks! Will have to look into it.
Gary Scott,
User Rank: Moderator
4/10/2014 | 1:38:10 PM
Employee Data Theft
Employees don't need to be unhappy, greedy or unethical to cause a data breach – information that is lost, stolen or compromised – just misinformed.    

The amount of information stolen by employees is a fraction of the information lost during the computer recycling process.  Why?  Companies usually rely on low-level employees to dispose of old IT equipment.  In turn, those employees rely on the local electronic recycling company to remove equipment and, only as a secondary part of the process, erase or destroy hard drives. 

One of the most common causes of data getting in the wrong hands is NOT the loss of mobile devices.  Research has shown that up to 30% of computer equipment purchased in the secondary market – think eBay – contains confidential information.  There are currently 115,000 used hard drives listed on eBay, which does not include whole PCs, laptops, servers and storage equipment.  The math does not look good for secure data.
Alison_Diana,
User Rank: Author
4/11/2014 | 10:26:55 AM
Re: Employee Data Theft
That is a great point, @Gary. I believe I mentioned errors in the article; it's very easy to make a mistake, one that ends up being extremely costly to your organization, with absolutely NO malice intended. For one thing, orgs should make sure people removing data or destroying drives understand why it's so important to do it correctly. Knowledge brings power; understanding why each step is important is more likely to ensure the vast majority of employees follow procedures. If they don't know, then they may be more likely to skip a step or two. QA is also critical. Someone with some degree of authority should check to make certain the job is done right.
anon5450533792,
User Rank: Apprentice
4/18/2014 | 8:17:44 AM
The threat from within rife in the healthcare sector
Our findings show organisations in the healthcare sector are experiencing double the average amount of internal security breaches, in comparison to all industries. The findings are based on research revealed in our recent report 'The Insider Threat Security Manifesto'.

The report also highlighted how the vast majority of IT professionals consider insider threats to be a purely cultural issue, and are not aware that technology can help them address internal security issues,
Alison_Diana,
User Rank: Author
4/18/2014 | 9:37:38 AM
Re: The threat from within rife in the healthcare sector
Thanks for sharing this IS Decisions report, @anon. Wish I'd run across it during the course of my research! Why, do you think, healthcare experiences this high rate of internal security breaches? I was also surprised to read the report's findings regarding culture vs. technology. A combination of the two -- hiring, ongoing training and education, plus technology tools -- is needed in order to combat internal threats. It's always amazing, for example, to discover how many organizations (across industries) don't deactivate a former employee's log-on rights as soon as they leave, whether voluntarily or involuntarily. That's one small example.
chrisbunn,
User Rank: Apprentice
5/12/2014 | 5:16:30 AM
Re: The threat from within rife in the healthcare sector
Glad you found the IS Decisions Report useful. The research suggests many organizations are complacent about the issue of internal security - a prime example as you point out with regards to former employee's log-on rights. Why healthcare suffers double the average amount of internal security breaches? The reason may be connected to the proliferation of password sharing in healthcare. The good news is that there is a lot that IT departments can do to mitigate the risks - including password sharing. It's a technology issue as well as a cultural one, and can be addressed from both of these angles.

