<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insider Fraud Spotlight &#187; risk</title>
	<atom:link href="http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/tag/risk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.attachmate.com/blogs/insider-fraud-spotlight</link>
	<description>Attachmate Luminet</description>
	<lastBuildDate>Mon, 05 Aug 2013 19:58:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Major security breaches hit healthcare</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/#comments</comments>
		<pubDate>Tue, 01 May 2012 23:28:38 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=143</guid>
		<description><![CDATA[The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost. And it was the work of insiders. According to an article entitled “Healthcare Unable to Keep Up [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost.  </p>
<p>And it was the work of insiders.</p>
<p>According to an article entitled “Healthcare Unable to Keep Up with Insider Threats” by Ericka Chickowski on the Dark Reading website, the three incidents are typical of “the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training.”</p>
<p>These insider threats were and are potentially malicious and at the very least inept. In the case of the UDH, records were exposed due to the misconfiguration of a server containing the files. At Emory, human error accounted for the loss of a significant number of patient records when 10 backup disks went missing. In South Carolina, a DHHS employee (who has since been fired and arrested) sent thousands of Medicaid patient records to himself in an email.</p>
<p>The healthcare industry, by and large, “has been notoriously incapable of pinpointing risks in general, let alone those from insiders,” the article offers. Sourcing the problem is difficult because these security holes include loss or theft of portable devices such as laptops, smartphones, external drives and backup tapes; actual theft by data thieves; and simple staff ignorance in terms of security, protocol and training.</p>
<p>With solutions available today, those institutions could easily tell the difference between intentional and non-intentional privacy violations, achieve full regulatory compliance, and pass any audit with real-time user activity log files. As the “insider threat” continues to grow right along with the healthcare industry, major steps will need to be taken to stanch the flow of lost and misappropriated records that can and will lead to increased fraud and identity theft. The time to act is now. </p>
<p>To learn more about Attachmate’s Luminet enterprise fraud management software please visit http://www.attachmate.com/Products/efm/luminet/luminet.htm.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>4 Kinds of Enterprise Fraud (And How to Prevent Them)</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/5-kinds-of-enterprise-fraud-and-how-to-prevent-them/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/5-kinds-of-enterprise-fraud-and-how-to-prevent-them/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 00:11:09 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Enterprise Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[enterprise fraud]]></category>
		<category><![CDATA[failed audits]]></category>
		<category><![CDATA[insider fraud]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=88</guid>
		<description><![CDATA[Enterprise fraud and workplace policy abuse come in many forms, and every business is at risk.  Unfortunately, it&#8217;s not always obvious when workplace fraud occurs. Perpetrators are often insiders – long-time employees or trusted staff members who have access to sensitive information.  The very idea that these people would cheat you can be hard to [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a title="Enterprise fraud" href="http://www.attachmate.com/Products/efm/efm.htm">Enterprise fraud</a> and workplace policy abuse come in many forms, and every business is at risk.</p>
<p> Unfortunately, it&#8217;s not always obvious when workplace fraud occurs. Perpetrators are often insiders – long-time employees or trusted staff members who have access to sensitive information.</p>
<p> The very idea that these people would cheat you can be hard to accept. It may even be tempting to think, &#8220;It could never happen here.&#8221; But it could. And the less you do to prevent it, the more likely it is to occur.</p>
<p> Workplace fraud could mean failed compliance audits, hefty fines, or irreparable damage to your brand. It could also mean a serious blow to your bottom line.</p>
<p> So don&#8217;t let others profit unethically at your expense – take steps to stop them. Here are four common types of workplace fraud and some suggestions for avoiding an all-out fraud nightmare.</p>
<p>&nbsp;</p>
<p><strong>1. Accounting mischief</strong></p>
<p> If your accounts are vulnerable, employees can use them to their advantage. Think &#8220;skimming&#8221; small amounts of money from the tops of checks or taking unreported cash payments.</p>
<p> When the amounts are small, this type of fraud can be hard to detect. And if you never perform any audits, it could be virtually untraceable. While internal audits are an option, they&#8217;re often difficult to conduct. Slinging together data in an attempt to create a complete audit trail can quickly become a nightmare.</p>
<p> On the other hand, by bringing in external auditors, you&#8217;ll be able to keep your accounts in check. Make external audits routine, and you can prevent accounting fraud before it even starts.</p>
<p>&nbsp;</p>
<p><strong>2. Exchanged credentials</strong></p>
<p> Or falsified ones. With counterfeit documents, records, or licenses, scammers may seek employment at your organization. They may also use someone else&#8217;s credentials to gain access to your office or work facility.</p>
<p> Don&#8217;t forget: In hiring, even one fake reference represents a serious case of fraud.</p>
<p> Always call professional references, verify credentials, and conduct background checks of each new hire. After all, you should be confident in the employees who represent your organization, not suspicious of them.</p>
<p>&nbsp;</p>
<p><strong>3. Unauthorized data access</strong></p>
<p> The use of false credentials can also help employees access data that was never theirs to consume.</p>
<p> When this happens, the privacy of your patients or customers – not to mention confidential business information – could be in jeopardy. And what if employees don&#8217;t even <em>need</em> to use false credentials? What if they&#8217;re accessing sensitive information because it&#8217;s already easy to do so without being caught?</p>
<p> That&#8217;s why you must implement data-handling policies that specify who has access to what. Also establish a system for verification before anyone can access sensitive material. Things like passwords and account numbers should never be shared and, if possible, should be changed often.</p>
<p>&nbsp;</p>
<p><strong>4. The address swap</strong></p>
<p> This is what happens when an employee changes the address to which a check is sent – presumably to his or her own – and then changes it back.</p>
<p> To combat this kind of fraud, conduct regular reviews of all purchases. Consistent audits of accounts and contracts will also help protect you. While you don&#8217;t want to create a culture of surveillance that makes employees feel like Big Brother is lurking behind every corner, audits and reviews should create an atmosphere of accountability.</p>
<p> Because when employees are accountable for their actions, you&#8217;ll enjoy greater security.</p>
<p> For more information about <a href="http://www.attachmate.com/Products/efm/efm.htm">Enterprise Fraud Management</a>, be sure to check back here on Insider Fraud Spotlight!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/5-kinds-of-enterprise-fraud-and-how-to-prevent-them/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Considering Ethics in Security</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/considering-ethics-in-security/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/considering-ethics-in-security/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 10:52:05 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=67</guid>
		<description><![CDATA[Recently, on the heels of the ISSA International Conference, noted authority Michael Angelo raised the question of ethics in security. It is a topic that comes up from time to time and never ceases to fascinate me. In his recent blog posting, Michael writes “Ethics is a particularly interesting topic as the security industry is always [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Recently, on the heels of the <a title="ISSA International Conference" href="http://www.issa.org/conf/?p=105" target="_blank">ISSA International Conference</a>, noted authority Michael Angelo raised the question of ethics in security. It is a topic that comes up from time to time and never ceases to fascinate me. In his recent <a title="blog posting" href="http://community.netiq.com/blogs/security_webb/archive/2011/10/31/reflection-upon-the-issa-awards.aspx" target="_blank">blog posting</a>, Michael writes “Ethics is a particularly interesting topic as the security industry is always concerned about addressing issues in a constantly changing environment. It is easy to follow a set of ethics if the environment is consistent, however if the environment changes will those ethics still apply or do they need to evolve?”</p>
<p>Over the years, we’ve seen huge shifts in the issue of ethics and security. The spectrum of recent dialog ranges from securing end points and the interests of enterprise all the way to hacktivism. The core tenets of privacy, security and personal responsibility are all represented in the current debate. I was heartened to see the diversity of opinion expressed by our community. It shows that we are examining critical issues, considering the implications of choice and the why of new technologies rather than mindlessly favoring the technical possibilities.</p>
<p>Michael concludes <a href="http://community.netiq.com/blogs/security_webb/archive/2011/10/31/reflection-upon-the-issa-awards.aspx">his article</a> by stating, “In the 70’s corporate and professional ethics demanded secrecy around all aspects of security. The corporate and professional ethics from the 70’s have gradually evolved to enable us to disclose information and work together on solutions so that we can not only survive but we can innovate and surpass our individual boundaries. In the end it is important to remember that while our environments are evolving we must re-examine our ethics and see if they also need to evolve.” I, for one, wholeheartedly agree.</p>
<p>Here are some other positions on the issues of ethics in security:</p>
<p>ISACA: Auditors Ethics for Continuous Monitoring and Continuous Auditing: <a href="http://www.isaca.org/Journal/Past-Issues/2008/Volume-3/Pages/Auditor-Ethics-for-Continuous-Auditing-and-Continuous-Monitoring1.aspx">http://www.isaca.org/Journal/Past-Issues/2008/Volume-3/Pages/Auditor-Ethics-for-Continuous-Auditing-and-Continuous-Monitoring1.aspx</a></p>
<p>SANS: The Legal System and Ethics in Information Security: <a href="http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54">http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54</a></p>
<p>Dell SecureWorks: Crossing the Line: Ethics for the Security: <a href="http://www.secureworks.com/research/articles/other%20articles/ethics/">http://www.secureworks.com/research/articles/other%20articles/ethics/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/considering-ethics-in-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>