How to Leak Patient Data

Here at the TechnoSecurity 2014 Conference, a security officer at Ernst and Young was reminiscing on a past case he worked on. A large US company contacted him and requested an investigation due to known data loss / discovery. They have no idea how the data was leaked, but they did know that their IT security was phenomenal. This company had a very eager new hire that integrated the most beautiful charts of company progress into a powerpoint that showed increasing profits, positive customer feedback, and general information relevant to investors and potential investors. 

What the CEO did not realize - embedded in his powerpoint, was a trove of private patient data (which powerpoint used to generate the charts and graphs.) 

This CEO would regularly get requests and casually send out this powerpoint to interested investors, and voilà, the data was leaked out to a public source and somehow ended up on the Internet. (Slideshare?)

It's always worthwhile to be sure all your employees know and understand the ramifications of data and its whereabouts - given the data flexibility of the modern organization is expanding in a sometimes uncontrollable fashion. 

How could this have been prevented??

1. One of the systems we deploy contains a feature called DLP - Data Loss Prevention. It works with the IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to detect and sniff out data that fits certain patterns. This could be arranged however the client desires, and will flag data within emails and email attachments containing patterns that look like social security numbers, credit card numbers, etc. and notify the administrator of the IDS/IPS for review.

2. Another way to prevent this leak? Employee training and awareness. Enough said. Employees need to know how data moves around the company and when it needs to be protected. 

Lesson Learned : Hire us before you need us for investigative purposes.

~Ben