An IT manager for the NHS in Yorkshire has been warned he faces jail after admitting illegally spying on medical records of patients. Dale Trever, 22, was working for a primary care trust as a data quality manager when he accessed patient records – all for women and mostly for his family, friends and colleagues. It is thought he looked at records on 431 occasions, even going in on weekends to have an illicit peek. On 336 of those occasions, he was checking out the records of family, friends and colleagues.
Dale Trever had been accessing the information between October 2008 and June last year and worryingly has only been caught now. With such a large system with very sensitive information in it, you would have expected the NHS to have some sort of alert system which monitors access and alerts in real-time when company policy is violated.
Just 6 months ago the NHS were exposed when it was found that as many as 140,000 non-medical staff, including porters and housekeepers, had access to sensitive NHS patient files. When there is a problem, a responsible organization should be able to assess the scope of the damage.
These incidents raise the fact again that the biggest issue related to insider threat is excessive privileges and the abuse of these privileges. This is a very though issue to resolve without an automated system that can alert when it detects abnormal behaviour. The UK health industry needs to update its access controls. With such a large number of sensitive records, doing this manually is obviously a near-impossible task so they will have to automate their process of user rights management.
The system should be able to alert on an illogical access to a database by a user who should not be accessing the data. To avoid such incidents happening again in the NHS or for any organisation, they need to invest in a system that will:
1. Automatically update business policies according to normal usage
2. Remove excessive access controls to allow access only on a ‘business need-to-know’ level
3. Detect abnormal behaviour
4. Alerts on business policy violations
5. Presents the clear picture of how was it accessed, by whom and how was it accessed.