Data breaches of different kinds are reported by the media on a daily basis, and it seems there is a certain apathy that can be sensed in the public’s response when the theft of yet another set of credit card details is published.
Incidents at well-known companies such as British Airways, SunTrust or Yahoo! – just to name a few – are still making headlines, but the majority of attacks and their impact remain largely unnoticed. A recent lawsuit in Portugal might be a good reason to take a closer look at the situation and to draw some consequences.
On October 22, 2018 the Portuguese publication “Publico”, and subsequently several IT security portals, reported that the Barreiro hospital in the Portuguese district of Setúbal had been fined 400,000 Euros for GDPR non-compliance. The fine was imposed by the National Data Protection Commission (CNPD) for irregular access to patients’ data, in breach of the GDPR regulation, which took effect Europe-wide on May 25, 2018.
Now it’s real: First GDPR lawsuits
The Barreiro hospital case is, in a number of ways, interesting. It is one of the first examples where GDPR and its penalties have been applied by the data protection authorities – the first time GDPR has been put into practice. Of course, this is not the first case where European national data protection authorities have fined companies. Before GDPR was established, national data protection laws did exist and were applied, with fines being paid. In the German state of Bavaria, for example, data protection authorities worked on 173 data protection violation cases in 2015/16 and fined 52 organizations. But all fines were below 100,000 Euros, in most cases considerably lower. The increase in incidents compared with 2014/15 was almost 50%. A similar pattern can be observed in other EU member states, such as the U.K., where several companies paid five- and six-figure penalties for data breaches based on pre-GDPR legislation. The incidents ranged from unlawfully disclosing lists of Personally Identifiable Information (PII), to illegally collecting and selling personal information, to insufficient data protection in IT systems.
So, what can we expect from GDPR now?
Corporate management across all industries is nervously awaiting the first trials, because fines are potentially more severe than before, and jail sentences can now even be applied. With the added legislation, companies that suffer data breaches also face a higher risk. On the other hand, GDPR (Art. 83.1) makes sure that fines are “appropriate” in relation to the concrete case, based on a set of criteria. As the German data protection officer Michael Ronellenfitsch puts it: “We were toothless and have got teeth now. That doesn’t mean we are snappish.” It is fair to assume that authorities are going to apply a sense of balanced proportion when determining fines, but there is no doubt that we will see a rude awakening for some market actors who do not care at all about IT security.
It can happen to anyone
In the case of the Barreiro hospital the new regulations were applied to an organization that is not one of the large blue-chip firms but a ‘normal’ medium-sized organization in the security-sensitive health care business. It demonstrates that, below the radar of headlines, data breaches can and do happen in any organization, and that data protection authorities are now swift and effective in enforcing the legislation.
It is worth having a look at the reasons for the breach at the Barreiro hospital and drawing some conclusions for improved identity and access governance. From recent publications on this case we know that an inspection by the Portuguese Data Protection Authority (CNPD) discovered three flaws in the hospital’s access management. Firstly, nine persons who were non-medical professionals (social workers) had been granted IT access to patients’ clinical data. Secondly, 985 users with an access role for medical doctors were registered, while only 296 physicians work at the hospital. And thirdly, patient data at the hospital was not properly separated from the archived data of another hospital.
Best practices – just a matter of execution
The Barreiro hospital could have avoided these findings easily, by applying best practice Identity & Access Management (IAM) procedures. These include the following principles:
- The procedures for granting access should be tied to the contexts in which the access is used. Request and approval of permissions should be related to the job function, the project or another context in which the user needs the requested information or IT service. This allows a clear purpose-based granting of access. It also facilitates the review and withdrawal of access and therefore supports the least-privilege principle.
- When someone takes on a new job in the organization, moves to another cost center or changes other contexts, recertification and removal of access should be triggered automatically, to avoid the accumulation of rights.
- Data quality matters! – If for example HR information is not up-to-date, access provisioning policies which rely on this information might lead to granting the wrong access.
- Revocation of accounts should be done in a timely fashion.
- It is key to synchronize the HR employment status and IT accounts on a permanent basis, to avoid situations where people who have left the organization still have accounts. For automation, many companies have just deployed some scripts which trigger the creation of accounts for new employees. But secure account management also requires the handling of temporary absences and leavers. In addition to provisioning actions, a comparison of the actual accounts with the desired accounts (“reconciliation”) is strongly recommended.
- Multi-tenancy capabilities of IT systems enable the secure separation of data. But the separation can only be enforced by access management systems which support this principle as well and allow the granting of access on a tenant-related basis. In the IAM system, users and resources need to be classified accordingly, and constraint policies must be applied to make sure that the separation of access is implemented.
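The reconciliation step recommended above (comparing the accounts that actually exist with the accounts that should exist, derived from HR data and a role policy) is what would have surfaced all three of the hospital's findings. The following is an added example, not code from the original article or from any IAM product: it reconciles a constructed HR extract against a constructed account list and reports leavers with enabled accounts, orphan accounts without an HR record, roles granted to job functions that the policy does not allow, and cross-tenant access. The role policy, job-function names and tenant names are assumptions for the sake of the example.

```python
"""Reconciliation of desired state (HR + role policy) against actual IT accounts.

Added example with constructed data; not the article's or any vendor's code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    job_function: str   # e.g. "physician", "social_worker" (assumed vocabulary)
    tenant: str         # organisational unit whose data the person works with
    status: str         # "active" or "left"


@dataclass(frozen=True)
class Account:
    user_id: str
    roles: FrozenSet[str]          # roles granted in the IT system
    tenant_access: FrozenSet[str]  # tenants whose data the account can reach
    enabled: bool


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str


# Assumed policy: which job functions may hold which role (constructed).
ROLE_POLICY: Dict[str, Set[str]] = {
    "clinical_read": {"physician", "nurse"},
    "clinical_write": {"physician"},
    "admin": {"it_admin"},
}


def reconcile(hr: List[HrRecord], accounts: List[Account]) -> List[Finding]:
    """Compare every actual account with the HR record that should justify it."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acc in accounts:
        rec = hr_by_id.get(acc.user_id)
        if rec is None:
            # Account exists but nobody in HR owns it: disable and investigate.
            findings.append(Finding(acc.user_id, "orphan_account", "no HR record"))
            continue
        if rec.status != "active" and acc.enabled:
            # Leaver whose account was never revoked.
            findings.append(Finding(acc.user_id, "leaver_still_enabled", rec.status))
        for role in sorted(acc.roles):
            allowed = ROLE_POLICY.get(role)
            if allowed is None:
                findings.append(Finding(acc.user_id, "unknown_role", role))
            elif rec.job_function not in allowed:
                # The social-worker-with-clinical-access case.
                findings.append(Finding(acc.user_id, "role_not_allowed_for_function",
                                        f"{role} held by {rec.job_function}"))
        extra = acc.tenant_access - {rec.tenant}
        if extra:
            # Tenant separation violated: access to data of another tenant.
            findings.append(Finding(acc.user_id, "cross_tenant_access",
                                    ",".join(sorted(extra))))
    return findings


def role_headcount(hr: List[HrRecord], accounts: List[Account],
                   role: str, job_function: str) -> Tuple[int, int]:
    """Return (enabled accounts holding `role`, active staff with `job_function`).

    A large gap between the two numbers is the "985 doctor roles for 296
    physicians" pattern and is worth a recertification campaign.
    """
    holders = sum(1 for a in accounts if a.enabled and role in a.roles)
    staff = sum(1 for r in hr if r.status == "active" and r.job_function == job_function)
    return holders, staff


# Constructed sample data (not real persons or systems).
SAMPLE_HR = [
    HrRecord("u1", "physician", "hospital_a", "active"),
    HrRecord("u2", "physician", "hospital_a", "active"),
    HrRecord("u3", "social_worker", "hospital_a", "active"),
    HrRecord("u4", "physician", "hospital_a", "left"),
]
SAMPLE_ACCOUNTS = [
    Account("u1", frozenset({"clinical_read", "clinical_write"}), frozenset({"hospital_a"}), True),
    Account("u2", frozenset({"clinical_read"}), frozenset({"hospital_a", "hospital_b"}), True),
    Account("u3", frozenset({"clinical_read"}), frozenset({"hospital_a"}), True),
    Account("u4", frozenset({"clinical_write"}), frozenset({"hospital_a"}), True),
    Account("u5", frozenset({"admin"}), frozenset({"hospital_a"}), True),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{f.user_id}: {f.kind} ({f.detail})")
    print("clinical_read holders vs active physicians:",
          role_headcount(SAMPLE_HR, SAMPLE_ACCOUNTS, "clinical_read", "physician"))
```

In a real deployment the HR extract and account list would come from the HR system and the directory or application exports, and the role policy from the IAM system's role model; the point of the example is that the desired state is derived from HR and policy, and every deviation in the actual state becomes a ticket rather than a surprise during an inspection.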
For Barreiro hospital, an IAM solution would have been a very cost-effective investment. While the implementation of an IAM solution can be done with a relatively low effort, the current case with its cost of management attention, legal expenses, fines to be paid, and the immense reputational damage adds up to a considerable amount. On top of this, the automation of IAM processes could have made end users happier, saving a lot of administrative work.