Geisinger Health System has notified about 3,000 patients about a breach incident in which a physician inappropriately e-mailed unencrypted health information from his work computer to his home computer.
"The environment that started by supporting whistleblowers ... is essentially morphing into 'Gee, we as an organization need to be completely transparent, whether we want to or not,'" says Cal Slemp, managing director of Protiviti.
"Managing risk with regard to information systems and security sometimes doesn't go to the highest levels and that's why the risk framework is a way to get senior leaders involved early in the process," NIST senior computer scientist Ron Ross says.
The innocent use for three years of a Yahoo calendar application exposed personally identifiable information of 878 patients at the Department of Veterans Affairs' Chicago Healthcare Systems, a violation of VA policy.
Thwarting the insider threat entails more than knowing an individual with access to a computer, but to recognize the synergy between the individual, organization, technology and environment, I3P Research Director Shari Lawrence Pfleeger says.