Peepers, Terrorists, Doctors and Data Threats - Oh My!
Have database breaches and leaks of sensitive data become a finger-in-the-dike scenario? The threats are persistent not only because of black hat hackers and criminals seeking data to sell, but also because of people abusing their privileges. And we cannot ignore other nefarious types.With apologies to the Wizard of Oz, we can imagine a scene such as this:
Dorothy: Do you suppose we'll meet any scoundrels? Scarecrow: Mm, we might. Scarecrow: Scoundrels that want to sell our ... identity? Tin Woodsman: Some, but also peepers, and terrorists, and doctors. Dorothy: Peepers? Scarecrow: And terrorists? Tin Woodsman: And doctors.
There are multiple reasons for concern about protecting sensitive data, such as electronic health records and U.S. government databases being transferred to data centers run by cloud service providers. Not the least of reasons is the scoundrels who will exploit inadequate safeguards. Recently there's been more evidence of employees disregarding privacy rights because of curiosity, opportunities to sell information, and assisting criminals or terrorists.
Following the shooting of Congresswoman Gabrielle Giffords and 18 others, the victims were brought to the University Medical Center in Tucson, Arizona. It wasn't long before we were reminded of the not infrequent problem of medical staff members invading patient privacy. Three staff members at University Medical Center were fired for improperly accessing medical records of shooting victims.
Industry consortia and standards bodies have put a lot of energy into ensuring protected data access. They've developing standards for data authorization, authentication, encryption, and secure data exchanges, including X.509 certificates, SAML, XACML, XML-Encryption, and Transport Layer Security (TLS). But despite encrypted data, secure sockets and authenticated sessions, we find that insiders remain a serious threat to databases and sensitive data. In some instances the intrusions happen by impersonating someone whose password gives them greater access. Sometimes organizations are simply inept. They inadequately review responsibilities and 'need to know' when they rely on role-based security. The worst-case scenario is the trusted insider who abuses administrator privileges.
Peepers with low regard for privacy, acting without proper approvals, have been successful at bypassing safeguards for various types of sensitive data. Incidents involving misuse or unauthorized access of medical records are pervasive. But unfortunately medical personnel are not the only database snoopers. Previous blog postings here have already discussed criminal conspiracies that were successful in stealing personal identifying information for identity theft. There have also been data leaks due to incompetence and to individuals with other motives besides identity theft.
Terrorists and Criminals
Terrorist organizations and criminal gangs often surprise by their level of technical sophistication. When the Department of Justice prosecuted members of a gang involved in the drug trade, Eastside Riva (ESR), they learned the 500-member gang knew how to exploit cyberspace.
ESR members use MySpace.com to communicate about gang business, and they use rap music videos and recordings to deliver messages of violence and intimidation;
Like criminals, terrorists understand that computers, databases and access to sensitive information can advance their agenda. Authorities have known terrorist organizations used web sites and chat rooms to communicate and recruit. But now we know they are interested in data access and data theft.
Aaron Hill, a 24 year-old man doing data entry for a police database in Northern Ireland, was jailed for supplying information for terrorists. When given car registration information of Catholics attending political meetings, he used the database to look up names and addresses for an enemies list. He confessed to having used the police computers for snooping for more than two years.
In separate incidents in India, anti-terrorist police arrested software engineers for terrorist activity. Both were employed by multinational companies located in the Bangalore tech corridor. Indian authorities warned in 2005 that Bangalore had made its way onto the terrorists' radar.
In 2006 Indian anti-terrorist police apprehended software engineer Muzammil Sheikh and revealed he was a member of the LeT terrorist cell responsible for the 7/11 train bombings in Mumbai. Following his arrest, authorities in India warned hi-tech employers about the need for thorough background investigations of potential employees.
In 2008 software engineer Mohammed Yahya Kammakutty (aka Yahya Iyash Kamkutty), was arrested after police uncovered his ties to a outlawed terrorist organization and the Hubli terror plot. Indian authorities expressed concern about a terrorist network involving techies and again urged companies in India's Silicon Valley to conduct thorough background investigations.
Besides the Hubli plot, Mohammed Yahya Kammakutty raises a red flag for another reason. The Hindu reported that Kammakutty set up a business in Dubai using software and data he stole from GE Health Systems, where he had been a senior systems specialist.
According to the Hindustan Times, Kammakutty was "the seventh young professional held in Karnataka on similar grounds, marking the emergence of a "new face of terror". The Indian Express reported four of the seven are "tech savvy" medical students.
In the run-up to the 2008 presidential election in the US, there was illegal snooping at the Department of State. Three contractors accessed the database of the Passport Information Electronic Records System to peep at the passport records of candidates Barack Obama, John McCain and Hillary Clinton. An investigation by the State Department's Inspector General revealed there had been other incidents of peeping at records of celebrities and other high-profile individuals. Several State Department employees were prosecuted.
Celebrities were also the victims of staff members of the UCLA Health System who peeped at their medical records. The victims included Britney Spears, Farrah Fawcett, Lindsey Lohan, Michael Jackson and Maria Shriver. An August 2008 report by the California Department of Public Health revealed 127 staff members at UCLA Medical Center had examined the patient data of prominent persons without authorization. One peeper spied on the record of 939 patients, sold the information to the National Enquirer and was prosecuted. She'd used her supervisor's password to gain access.
Staff members at healthcare institutions and medical students have access to patient data that's supposed to be confidential. But violations of patient privacy have escalated with the popularity of blogs and social media such as Twitter and Facebook. A survey of 80 medical-school deans found that 60% had reported incidents of unprofessional postings by medical students. Five nurses at Tri-City Medical Center in Southern California were fired for Facebook postings that violated privacy rules.
Medical records privacy is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Snooping employees at healthcare institutions can be prosecuted for disclosure of patient data, such as the person who sold data to the media.
Acting United States Attorney George S. Cardona has said:
There is a persistent problem with improper and illegal viewing of medical records by individuals who abuse the access they have as a result of their employment. HIPAA's criminal privacy provisions protect not only celebrities, but all of us from curious neighbors, disgruntled co-workers, and other snoopers.Recently there's been more evidence of employees disregarding privacy rights because of curiosity, opportunities to sell information, and assisting criminals and even terrorists.