Nosy NHS Employee Accesses Patient Records 336 Times: When Will The NHS Learn?

An IT manager for the NHS in Yorkshire has been warned he faces jail after admitting illegally spying on medical records of patients. Dale Trever, 22, was working for a primary care trust as a data quality manager when he accessed patient records – all for women and mostly for his family, friends and colleagues. It is thought he looked at records on 431 occasions, even going in on weekends to have an illicit peek. On 336 of those occasions, he was checking out the records of family, friends and colleagues.

Dale Trever had been accessing the information between October 2008 and June last year and worryingly has only been caught now. With such a large system with very sensitive information in it, you would have expected the NHS to have some sort of alert system which monitors access and alerts in real-time when company policy is violated.

Just 6 months ago the NHS were exposed when it was found that as many as 140,000 non-medical staff, including porters and housekeepers, had access to sensitive NHS patient files. When there is a problem, a responsible organization should be able to assess the scope of the damage.

These incidents raise again the fact that the biggest issue related to insider threat is excessive privileges and the abuse of those privileges. This is a very tough issue to resolve without an automated system that can alert when it detects abnormal behaviour. The UK health industry needs to update its access controls. With such a large number of sensitive records, doing this manually is obviously a near-impossible task, so they will have to automate their process of user rights management.

The system should be able to alert on an illogical access to a database by a user who should not be accessing the data. To avoid such incidents happening again in the NHS or for any organisation, they need to invest in a system that will:

1. Automatically update business policies according to normal usage
2. Remove excessive access controls to allow access only on a ‘business need-to-know’ level
3. Detect abnormal behaviour
4. Alert on business policy violations
5. Present a clear picture of what was accessed, by whom and how.
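As an added illustration of what such alerting could look like for the access pattern described above (not code from the original post or from Imperva), the Python below runs three policy checks and one behavioural check over a constructed audit log: a role without clinical need-to-know viewing records, weekend access, access to the records of fellow employees, and daily volume above a per-role baseline. The log rows, staff roster, role list and baseline figures are all constructed assumptions for the example.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit log (not real NHS data): who viewed which record, when.
AUDIT_LOG = """user,role,timestamp,patient_id
dtrever,data_quality_manager,2009-03-14 11:02,P1001
dtrever,data_quality_manager,2009-03-14 11:05,P1002
dtrever,data_quality_manager,2009-03-15 09:40,P2001
dtrever,data_quality_manager,2009-03-16 14:10,P1003
jnurse,nurse,2009-03-16 10:00,P3001
jnurse,nurse,2009-03-16 10:20,P3002
"""
# Constructed roster: patient ids that belong to the trust's own employees.
STAFF_PATIENT_IDS = {"P1001", "P1002", "P1003"}
# Hypothetical policy: only these roles have a clinical need-to-know.
CLINICAL_ROLES = {"nurse", "gp", "consultant"}
# Hypothetical baseline of records viewed per day by role; unlisted roles get 0,
# so any viewing at all by them counts as abnormal volume.
DAILY_BASELINE = {"nurse": 20, "gp": 40, "consultant": 40}


def analyse(log_text, staff_ids=STAFF_PATIENT_IDS,
            clinical_roles=CLINICAL_ROLES, baseline=DAILY_BASELINE):
    """Return (user, reason, detail) alerts for the policy and behaviour checks."""
    alerts = []
    per_day = defaultdict(set)  # (user, role, date) -> distinct patient ids seen
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        user, role, pid = row["user"], row["role"], row["patient_id"]
        per_day[(user, role, ts.date())].add(pid)
        if role not in clinical_roles:
            alerts.append((user, "role_without_need_to_know", pid))
        if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            alerts.append((user, "weekend_access", pid))
        if pid in staff_ids:
            alerts.append((user, "colleague_record_access", pid))
    for (user, role, day), pids in per_day.items():
        if len(pids) > baseline.get(role, 0):
            alerts.append((user, "volume_above_baseline", f"{day}:{len(pids)}"))
    return alerts


def summarise(alerts):
    """Alerts per user, so the scope of an incident can be assessed afterwards."""
    return Counter(user for user, _, _ in alerts)
```

In practice the baseline would be learned from each role's normal usage rather than hard-coded, which is the automation the list above calls for.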


Amichai Shulman is Co-Founder and CTO of Imperva, where he heads Imperva's internationally recognised research organisation focused on security and compliance. Prior to Imperva, Amichai was founder and CTO of Edvice Security Services, a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Amichai served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.