Northern Canadian hospital confirms staff wrongly accessed patient records

Howard Solomon @HowardITWC
Published: May 10th, 2016

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see.

That appears to have failed at a health authority in Canada’s far north, which confirmed Monday that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping.

CBC News reported that some staff at the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories, including the Inuvik Regional Hospital, have been disciplined for wrongly accessing records of 67 patients.

The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying.

The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority.

The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach.

Last month the federal privacy commissioner warned that “employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization.”

Some staffers snoop out of curiosity; others, like those at a Toronto-area hospital, used data from its electronic patient system to sell Registered Education Savings Plans to new mothers, or sold data on new mothers to a firm that sold RESPs.

In case you didn’t get the privacy commissioner’s report, here’s a link. He suggested 10 ways organizations can eliminate employee snooping, including:

– Fostering a culture of privacy;
– Having periodic and/or “just-in-time” training and reminders of policies around snooping;
– Ensuring employees know that consequences will be enforced. That includes having employees sign (upon hiring and at regular intervals) confidentiality agreements;
– Ensuring access is restricted to information required to perform the job.