Information Security procedure * UPDATED

Rilescat

Senior member
Jan 11, 2002
815
0
0
Good day all,

I am a CISSP, trained in HIPAA, and familiar with security methods.

I have an interesting situation at my workplace. This situation is nothing new, but the response of the organization I am working for is very odd to me.

Situation:
A nurse shared her LAN ID and password with some patients. She claims this is in an attempt to increase patient satisfaction. The medical institution does not have a network system available for patients. Her sharing her ID has allowed the patients access to internal systems and confidential information. She has shared her ID with several patients.

Conditions:
Her actions do not seem to be malicious. She does seem genuinely interested in patient care and the fact she was doing something wrong did not occur to her. She has been on staff since 1989.

She has completed annual HIPAA training that stresses confidentiality and security. The entire organization is continually briefed on network security and patient confidentiality. A complete organization wide campaign on password security was completed in 2006.


Please give me some recommendations as to what actions, if any, you would take against this person for this infraction. Once some people have replied, I will share what my organization did.

Thank you.

 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
I'll bite.

Does your company have a code of ethics? If so, does the code address sharing passwords? (i.e., does the COE address the employee's responsibility to maintain the confidentiality of passwords/user account information?)

Does your company have an information security policy/procedure that addresses this?

What are the reprimands described in these policies/code of ethics for providing a password/system to someone other than the intended user of the password/account?

There should be a "tone set at the top" regarding this for the entire organization that should be formalized in a document that is signed periodically. I'm assuming that the organization's password security campaign addressed this. If management does not stick to what is formalized, they are not supporting policy as created; this could lead to future problems with further employee incidents and possible legal problems involving any inconsistent action taken against employees for similar infractions. In addition, this negates the preventive control.

Important to note about the individual employee is: why did they think they were not doing anything wrong? There is an apparent disconnect with this employee. They do not understand the risk they put the organization in; why does the employee see nothing wrong with what she did? This needs to be addressed to ensure other employees do not feel similarly; this could be a symptom of a larger problem (one would hope not, but you never know...).

This can all be said without addressing the regulatory concern, which is another thing in itself, I'm sure. I work for a financial institution, so we don't have the pleasure of dealing with HIPAA compliance at the depth that your employer is required to (sounds like your employer is a healthcare provider).

If this had happened at my work, I would be shocked to hear of any reprimand short of termination.


 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Come on, now. Is the woman daft? How many people here would "share" their ID and password on their home computer?

HIPAA is a VERY strict statute. Given that she's had training and is on notice about patient confidentiality, I would terminate her and hold another mandatory staff conference - and wait for the investigation and pray that nobody sued.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Immediate termination with notice to any patients whose records may have been accessed.
 

vital

Platinum Member
Sep 28, 2000
2,537
1
81
I don't know what I would do but I'd like to know what they did now.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
At my work (corporate)...suspension and probably dismissal.

At the hospital where I used to work? Probably nothing, and pray they didn't get sued.

IMHO, immediate suspension, followed by termination after review of the events. Then the union would fight it, and she'd probably get her job back. In the meantime, the message would get around.
 

MadAmos

Senior member
Sep 13, 2006
818
0
76
In the place I work it would mean immediate loss of site access and, without a doubt, loss of employment, plus probable federal prosecution on multiple charges. Yes, it has happened just as I have outlined for much less of an infraction.... ahh, the joys of working in Nuclear Power in a post-9/11 world.

Amos
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Immediate termination. There is no excuse for sharing your user ID and password.

In my organization, it would be a minimum suspension if shared with another employee. Probably would be immediate termination if shared with a non-employee. We've never had anyone actually share a password with someone outside the company though. This is unbelievable, especially considering the amount of training health care organizations do these days.
 

FLegman

Member
Jul 26, 2007
98
0
0
The actions to be taken against such a person, if I were you:
Make it as painful as painful could get to give out her ID and password to patients by implementing a mandatory daily password change policy for her, so she knows how serious data control is in such an environment.
By doing so, she will quickly find herself with a long list of passwords to manage and hopefully she will start understanding the security-related issues that she's causing.
You will just be doing your job by taking and implementing such drastic measures for the benefit of all (you in the first place, since in case of any breach you would be held responsible for not tightening up the security on whatever level).

Make sure her passwords are complex and long enough so she will spend 10 min typing one in. Only make things easy for her when she fully understands and complies with the regulations (yours above all).

Hope this is not too extreme as a solution.
My 2$

Good Luck
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: FLegman
The actions to be taken against such a person, if I were you:
Make it as painful as painful could get to give out her ID and password to patients by implementing a mandatory daily password change policy for her, so she knows how serious data control is in such an environment.
By doing so, she will quickly find herself with a long list of passwords to manage and hopefully she will start understanding the security-related issues that she's causing.
You will just be doing your job by taking and implementing such drastic measures for the benefit of all (you in the first place, since in case of any breach you would be held responsible for not tightening up the security on whatever level).

Make sure her passwords are complex and long enough so she will spend 10 min typing one in. Only make things easy for her when she fully understands and complies with the regulations (yours above all).

Hope this is not too extreme as a solution.
My 2$

Good Luck

I'm gonna venture a guess and say that you don't work in the security field.


 

FLegman

Member
Jul 26, 2007
98
0
0
Originally posted by: bsobel

I'm gonna venture a guess and say that you don't work in the security field.

Oops, it seems I inadvertently said something that makes no sense...
Good guess bsobel, my professional activities are far away from IT security.

However, I thought the little I know about home computer user account security implementation could somehow be transposed to the corporate environment. Wrong.

Now I will step back and follow this thread closely in the hope of learning a little more about security in big enterprise networks.

 

SSSnail

Lifer
Nov 29, 2006
17,461
82
86
She violated not just company policy (you have one, right?), but also put your organization at risk of noncompliance with HIPAA. Has she been doing something that she's trying to cover her tracks on, or planning for plausible deniability? At any rate, I think termination is appropriate; someone that has been with an organization that long cannot be that ignorant about information security.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Zugzwang152
Have we been Syringered? Where is the update on what you did.

Maybe he was the employee? :laugh:

I jest I jest!
Yes I believe we have been Syringered.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: Oakenfold
Originally posted by: Zugzwang152
Have we been Syringered? Where is the update on what you did.

Maybe he was the employee? :laugh:

I jest I jest!
Yes I believe we have been Syringered.

Maybe he's the union rep looking for 'inspiration' in representing the person.

I personally have no respect for the nurse or whomever it was. About a year ago, a local hospital had a laptop stolen. It had been anchored to something with a cable and, of course, someone came along, cut the cable and took off with the laptop.

People's sensitive info, i.e., name/address/SSN/DOB/phone no., etc., was on that laptop. I had gone to the ER once, so my info was on it. I had to go through all of the necessary steps in my power to report the incident to the appropriate authorities, as did the hospital. I heard the laptop was recovered eventually, but I now have absolutely no sense of comfort when it comes to my personal info with any entity.

I now term myself as having 'intelligent paranoia'...

 

Rilescat

Senior member
Jan 11, 2002
815
0
0
My apologies for the long delay in returning to this thread.

I was whisked away to a project in NEW ZEALAND....if you have ever been there you would know it is a pain of a flight (from the Midwest States), and really screws with the sleeping.

Anyway.

What did we do to the nurse in question?

NOTHING.

In fact, the Vice President of Inpatient nursing put up a major fight and whine and decided that it must be the IT department's fault because we failed to stop her from giving away her own password to a patient.

In fact, we are now being charged with "finding a solution" to this issue and providing stop gap measures of PCs and internet access to the patients.

--so.... now I have to consider my future with this organization.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Rilescat
--so.... now I have to consider my future with this organization.

When I first read the thread, that was my preferred solution. There's a point at which you simply get into the lifeboat and let the Titanic go on without you.

Anyhow... two-factor authentication, perhaps?

 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
I agree about your considering a change of jobs in the future. If they're blaming the IT Dept. for this, imagine if it should happen again (or something similar to it). Guess who'd get blamed again..?

Technically, the nurse's actions were a breach of confidentiality. Under HIPAA, the employer was supposed to notify state authorities and ALL patients whose confidential information could've been accessed by the nurse's 'chosen few'.

Well, this thread made me feel all warm and fuzzy inside about how careful health care providers are with patient confidentiality. :frown:
 

Rilescat

Senior member
Jan 11, 2002
815
0
0
Originally posted by: mechBgon
Originally posted by: Rilescat
--so.... now I have to consider my future with this organization.

When I first read the thread, that was my preferred solution. There's a point at which you simply get into the lifeboat and let the Titanic go on without you.

Anyhow... two-factor authentication, perhaps?


...I hate to tell you, but we already use multi-factor systems. We have biometrics or password with a companion RFID Xyloc login system. The nurses use their fingerprints most of the time (because passwords are 'too hard') and have to have their RFID card present to stay logged in. Otherwise the system auto-locks when they walk away. SOOOOO.....of course, she left her card on the cart.

What then??? Seriously....the only thing I can do with a staff member that WANTS to give away their password and ID is to staple the damn RFID card to her face so she can't get it off.

Seriously....I am really thinking about it being time to head for a transfer.....
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Rilescat
Originally posted by: mechBgon
Originally posted by: Rilescat
--so.... now I have to consider my future with this organization.

When I first read the thread, that was my preferred solution. There's a point at which you simply get into the lifeboat and let the Titanic go on without you.

Anyhow... two-factor authentication, perhaps?


...I hate to tell you, but we already use multi-factor systems. We have biometrics or password with a companion RFID Xyloc login system. The nurses use their fingerprints most of the time (because passwords are 'too hard') and have to have their RFID card present to stay logged in. Otherwise the system auto-locks when they walk away. SOOOOO.....of course, she left her card on the cart.

What then??? Seriously....the only thing I can do with a staff member that WANTS to give away their password and ID is to staple the damn RFID card to her face so she can't get it off.

Seriously....I am really thinking about it being time to head for a transfer.....

I really don't know what to say, that's pretty wild. If you have someone that is willing to circumvent controls and give someone access, I really don't know what you could do; I don't think you can stop that. Alternatively, I do have a stapler that I'm willing to FedEx to New Zealand...

Got a compliance officer or an internal audit department? Would dropping them a hint do any good?




 

Rilescat

Senior member
Jan 11, 2002
815
0
0
Originally posted by: Oakenfold
Originally posted by: Rilescat
Originally posted by: mechBgon
Originally posted by: Rilescat
--so.... now I have to consider my future with this organization.

When I first read the thread, that was my preferred solution. There's a point at which you simply get into the lifeboat and let the Titanic go on without you.

Anyhow... two-factor authentication, perhaps?


...I hate to tell you, but we already use multi-factor systems. We have biometrics or password with a companion RFID Xyloc login system. The nurses use their fingerprints most of the time (because passwords are 'too hard') and have to have their RFID card present to stay logged in. Otherwise the system auto-locks when they walk away. SOOOOO.....of course, she left her card on the cart.

What then??? Seriously....the only thing I can do with a staff member that WANTS to give away their password and ID is to staple the damn RFID card to her face so she can't get it off.

Seriously....I am really thinking about it being time to head for a transfer.....

I really don't know what to say, that's pretty wild. If you have someone that is willing to circumvent controls and give someone access, I really don't know what you could do; I don't think you can stop that. Alternatively, I do have a stapler that I'm willing to FedEx to New Zealand...

Got a compliance officer or an internal audit department? Would dropping them a hint do any good?

Guess which VP I report to? ....Corporate Compliance.

I asked our Foundation Information Security group to come down and they basically said they are unable to make the Health System decisions......so I wonder why we have them....

Anyways...I am just going to have to accept this one.

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Rilescat
Originally posted by: Oakenfold
Originally posted by: Rilescat
Originally posted by: mechBgon
Originally posted by: Rilescat
--so.... now I have to consider my future with this organization.

When I first read the thread, that was my preferred solution. There's a point at which you simply get into the lifeboat and let the Titanic go on without you.

Anyhow... two-factor authentication, perhaps?


...I hate to tell you, but we already use multi-factor systems. We have biometrics or password with a companion RFID Xyloc login system. The nurses use their fingerprints most of the time (because passwords are 'too hard') and have to have their RFID card present to stay logged in. Otherwise the system auto-locks when they walk away. SOOOOO.....of course, she left her card on the cart.

What then??? Seriously....the only thing I can do with a staff member that WANTS to give away their password and ID is to staple the damn RFID card to her face so she can't get it off.

Seriously....I am really thinking about it being time to head for a transfer.....

I really don't know what to say, that's pretty wild. If you have someone that is willing to circumvent controls and give someone access, I really don't know what you could do; I don't think you can stop that. Alternatively, I do have a stapler that I'm willing to FedEx to New Zealand...

Got a compliance officer or an internal audit department? Would dropping them a hint do any good?

Guess which VP I report to? ....Corporate Compliance.

I asked our Foundation Information Security group to come down and they basically said they are unable to make the Health System decisions......so I wonder why we have them....

Anyways...I am just going to have to accept this one.

You should ask those monkeys (your infosec group) just exactly what they do here.
 