The Virginia Commonwealth University (VCU) health system suffering a data breach. Information security experts reacted below on what went wrong and how to protect against such breaches.
“The exposure of nearly 4,500 organ donors and transplant recipients’ data is another example of poor identity management processes. Having access to someone else’s medical data is a serious issue, if regular users can exploit these flaws, then cyber criminals can. Proper data classification and controls should have identified that this information was sensitive, and that users should not have access to other peoples’ medical records.
Organisations must define access levels to identity data based upon risk and justifiable need. A strong identification management system would have only presented identity data to those who had the right to access it. In the case of this particular exposure, it is clear that such a program was not in place.
Organisations need an Identity Access Management solution which can unify and streamline their identity data to provide complete and accurate user profiles. With complete visibility over systems, security teams are then able to properly track who should be accessing what, therefore reducing the risk of a serious breach.”
“The exposure of nearly 4,500 organ donors and transplant recipients’ data is another example of poor identity management processes. Having access to someone else’s medical data is a serious issue, if regular users can exploit these flaws, then cyber criminals can. Proper data classification and controls should have identified that this information was sensitive, and that users should not have access to other peoples’ medical records.
Organisations must define access levels to identity data based upon risk and justifiable need. A strong identification management system would have only presented identity data to those who had the right to access it. In the case of this particular exposure, it is clear that such a program was not in place.
Organisations need an Identity Access Management solution which can unify and streamline their identity data to provide complete and accurate user profiles. With complete visibility over systems, security teams are then able to properly track who should be accessing what, therefore reducing the risk of a serious breach.”