This breach outlines the dire consequences that can result when critical and extremely private personal data can be accessed by the wrong people.  In this case, employees who had open access to not only confidential patient data, but also billing information, were able to steal account info and rob elderly and vulnerable victims.

The hospital contends that this was the result of a crime and not due to hospital procedures and this may be the case.  But health care organizations are going to have to change policies quick to restrict access to this type of information, or these type of stories will only increase with dire results for patients and the hospital alike.

I contend that organizations should perform a review of their current identity management and protection policies to see how easy and how many employees could potentially compromise data, such as happened here at the University of Maryland Medical Center. I believe that an identity management solution that is well planned and implemented can allow health care organizations to restrict and monitor access to critical systems containing confidential information. In my own consulting work, I have heard from many security officers admissions of improper access; that too many people can easily access patient data.  An organization without an identity management policy is giving a huge advantage to these criminals.

The story below is from the Baltimore Sun, July 14. http://www.baltimoresun.com/health/bs-md-identity-theft-20110714,0,3173292.story

For information on Tools4ever identity management solutions and how they can benefit any health care organization, please click here.

This article recently published in the Worcester Telegram & Gazette highlights the dangers of shared user accounts, open kiosks and weak authentication protocols.

Computer access breach exposed UMass Memorial pay stub data

By Lee Hammel TELEGRAM & GAZETTE STAFF

WORCESTER —  Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months. 

The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.

The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization's HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.

The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.

Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct, 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.

UMass Memorial has no reason to believe that any of the personal information on HRConnect has been misused, according to Mr. Brogna. Nevertheless, UMass Memorial is notifying all potentially affected employees of the incident.

The organization is offering potentially affected employees reimbursement of the costs to institute a security freeze with the three national credit reporting agencies, Mr. Brogna said, and is also offering one year of free credit monitoring through TransUnion Interactive.

“UMass Memorial deeply regrets this incident,” Mr. Brogna said, and “is continually evaluating and modifying its practices to enhance the security and privacy of all confidential and sensitive information entrusted to it.” 

http://www.telegram.com/article/20110412/NEWS/110419891/1116

As of late, Tools4ever has been implementing more solutions on the healthcare market and I wanted to take a look at our clients and ascertain if there are common issues that this market sector needs to address.  Not surprisingly, the issue above was a common themes with a number of these accounts.

Shared User Accounts

One of the top reasons for implementing Identity Management in healthcare is the need to eliminate the “shared” accounts.  Quite frequently, all the nurses on a floor will have one or more shared computers. Everyone utilizes the machine utilizing a common, generic account.  The issue becomes security and privacy.  It is impossible to restrict access or determine who is doing what and when.

Identity management solves this issue typically by linking an HR application to the Active Directory and creating individual logon accounts. Fast user switching, available in Vista and 7 makes this a quick process for busy healthcare professionals.  Further, the Tools4ever Single Sign On product allows for credentials of users to be provided automatically fro authorized applications when utilizing fast user switching.

For more information, please visit: http://www.tools4ever.com/products/user-management-resource-administrator/