Another link to the ongoing stories coming from the UCLA Medical Center, where employees improperly accessed the confidential medical information of celebrities and even co-workers. I consider this situation an important illustration that policy does not ultimately work. The article mentions 68 people who snooped on 61 personal records. That means this is not an isolated incident. The article also mentions the sharing of passwords. Whoa.
Human curiosity or even greed (if any info was sold) was beating policy. I believe such an impulse will always beat policy, in fact. These are crimes of opportunity, and technology and process should be limiting that opportunity. Yes, that might impact people's ability to get some things done, but there is always that balance between getting things done any way you can and getting things done in a secure, trustworthy manner that limits unlawful opportunity.
However, in the end, someone has to have access to the information. Usually several someones, so they can make decisions or even perform clerical work. This is where audits, logs, policy, managerial oversight, and hiring practices come into play. Does someone need to be watching the audit logs and reporting possible violations? Maybe, maybe not, but that could certainly be a measure for an organization that really needs to provide a high sense (or real state) of security.
Do you open your neighbor’s mail if it mistakenly comes to your mailbox? What about if it says strictly confidential?
Some of the medical records systems can put flags on sensitive case files for enforcement in cases like this. Database activity monitoring also isn't bad: you can set up real-time alerts, but it doesn't always track back to a specific app due to connection pooling. Depends on how things are coded.
Or you can use honeytokens.
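To show what the flagged-record, activity-monitoring and honeytoken ideas from the two comments above look like when run over an access log, here is an added example; it is not code from the post, the commenters, or any records product. It works on the application's own audit log, which records the end user, because at the database level connection pooling typically hides the end user behind one shared application account. The log lines, user names, record IDs and the five-minute concurrency window are constructed for the illustration; the third check (one account active from two workstations within a short window) is a heuristic for the password sharing the story mentions and will need tuning in a real hospital, where staff legitimately move between terminals.

```python
"""Snooping detection over a constructed EHR application audit log.

Three checks, each producing an alert tuple (kind, user, detail):
  HONEYTOKEN       - access to a fabricated patient record that no real
                     workflow should ever touch
  FLAGGED_RECORD   - access to a sensitive record by someone outside its
                     designated care team
  CONCURRENT_HOSTS - the same account used from two different workstations
                     within a short window (a crude shared-password signal)
"""
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, workstation, patient record id.
SAMPLE_LOG = """\
2008-04-10T09:01:12 jdoe WS-ER-04 P10021
2008-04-10T09:03:40 jdoe WS-ER-04 P10022
2008-04-10T09:04:05 jdoe WS-ER-04 P90001
2008-04-10T09:05:30 jdoe WS-ICU-02 P10030
2008-04-10T09:06:10 asmith WS-ONC-01 P55555
2008-04-10T09:08:00 asmith WS-ONC-01 P10040
2008-04-10T10:15:00 bwong WS-ADM-07 P55555
"""

# Hypothetical sensitive records (celebrity, employee, ...) and the care team
# allowed to open each one.  In a real system this comes from the EHR's flags.
FLAGGED_RECORDS = {"P55555": {"asmith", "dr.lee"}}

# Hypothetical honeytoken records: fake patients seeded into the system.
# Any access at all is suspicious, so these need no allow list.
HONEYTOKENS = {"P90001", "P90002"}

# Two workstations for one account inside this window trips the shared-
# password heuristic.  Assumed value; tune it to the environment.
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, record = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "record": record,
        })
    return events


def detect(events):
    """Run the three checks over events (assumed sorted by time)."""
    alerts = []
    last_seen = {}  # user -> (timestamp, workstation) of the previous event
    for e in events:
        # 1. Honeytoken: nobody has a legitimate reason to open these.
        if e["record"] in HONEYTOKENS:
            alerts.append(("HONEYTOKEN", e["user"], e["record"]))

        # 2. Flagged record opened by someone not on its care team.
        team = FLAGGED_RECORDS.get(e["record"])
        if team is not None and e["user"] not in team:
            alerts.append(("FLAGGED_RECORD", e["user"], e["record"]))

        # 3. Same account, different workstation, within the window.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["host"] and e["ts"] - prev[0] <= CONCURRENCY_WINDOW:
            alerts.append(("CONCURRENT_HOSTS", e["user"],
                           f"{prev[1]}->{e['host']}"))
        last_seen[e["user"]] = (e["ts"], e["host"])
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:16} user={user:8} {detail}")
```

On the sample log this raises three alerts: jdoe opening honeytoken P90001, jdoe appearing on WS-ICU-02 a minute and a half after WS-ER-04, and bwong opening flagged record P55555, while asmith's access to the same record is silent because asmith is on its care team. The honeytoken check is the cheapest of the three to keep quiet in production, since a well-chosen fake patient generates essentially no legitimate hits.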