The problem here stems mainly from improper levels of access control and from lax or nonexistent enforcement policies where data access is concerned. The good news is that there are a number of things you can do about this problem, starting today.
First and foremost, you’ll need to conduct an end-to-end review of your current data access policies and procedures. For example, many doctor’s offices allow all staff to access all patient data, even though in practice most of the staff only need access to a tiny fraction of the total patient data available in order to perform their job function. Here, it comes down to putting new gateways in place and, instead of treating a patient record as a single entity, breaking it into discrete chunks and assigning access to each piece individually.
Hand in hand with that, of course, must be an access log that is audited on a regular basis to check for improper access, along with policies that outline both the new procedures and the consequences for breaking them. Many companies are also finding success with “whistleblower policies” that protect employees who spot and report suspicious data access.
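As an added illustration of the two ideas above (a gateway that grants each role only the record sections its job needs, and a regular audit of the access log for reads outside that policy), here is a small Python example. It is not code from the original article; the roles, sections and the key=value log format are constructed assumptions, and a real deployment would derive the policy from its own job functions.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed example: the patient record is split into discrete sections and
# each role is granted only the sections its job function actually needs.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"demographics", "insurance"}),
    "billing":    frozenset({"demographics", "insurance", "diagnoses"}),
    "nurse":      frozenset({"demographics", "diagnoses", "medications", "lab_results"}),
    "physician":  frozenset({"demographics", "insurance", "diagnoses",
                             "medications", "lab_results"}),
}

def permitted(role: str, section: str) -> bool:
    """Default-deny: unknown roles and unknown sections get nothing."""
    return section in ROLE_POLICY.get(role, frozenset())

def read_record(record: Dict[str, dict], role: str, requested: List[str]) -> Dict[str, dict]:
    """Gateway check: return only the requested sections this role may see."""
    return {s: record[s] for s in requested if s in record and permitted(role, s)}

# Constructed audit-log line format (assumed, not any real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                    r"patient=(?P<patient>\S+) section=(?P<section>\S+)$")

def audit(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Flag every logged read that falls outside the reader's role policy."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production audit would count these too
        if not permitted(m["role"], m["section"]):
            findings.append((m["ts"], m["user"], m["patient"], m["section"]))
    return findings

# Constructed sample log: two of the four reads fall outside the role policy.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z user=ajones role=front_desk patient=P1001 section=insurance",
    "2024-03-01T09:14:41Z user=ajones role=front_desk patient=P1002 section=diagnoses",
    "2024-03-01T09:20:17Z user=bnurse role=nurse patient=P1002 section=medications",
    "2024-03-01T09:25:55Z user=cbill role=billing patient=P1003 section=lab_results",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("improper access:", finding)
```

The gateway function enforces the policy going forward, while the audit function finds the reads a legacy system already allowed, which is the list a regular review should be working from.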
The bottom line is that these issues are real, and potentially just as threatening to the future of your company as the successful breaches that make the headlines. The good news is that you’ve got a much better chance at preventing them, provided you’re willing to invest in the technology and infrastructure to make it happen.