human nature 1, security controls 0

More than a couple of hospital workers have been fired or punished for accessing private information on singer Britney Spears at the UCLA Medical Center. This brings up two quick points.

First, considering how many people checked out the information, I’d have to say access controls are pretty lenient. I think I’d be safe in saying that if this many people accessed her records even though they had no need to know, it indicates this has been done before, maybe up to a point where some didn’t think this was a bad thing. That hot girl in bed 312? Let’s check her records out! Lenient controls may help everyone do their jobs, granted. But at least it sounds like they had good auditing to track the access.

Second, give your management a new test, something that can be called the “Celebrity” test. Assume you have some high-profile celebrity using your services. How many of your own authorized employees would let curiosity pull them to access information about the celebrity? Or perhaps a hot new movie you have access to. Or a hot new game. Or important information that could lead to recommendations to trade or not trade for your parents’ stock portfolio. And so on. Imagine the normal run-of-the-mill corporate data you hold replaced with something very enticing to ordinary employees. Do your controls rely on people beating the curiosity beast? Or at least on being able to audit those breakdowns? Good employees who’ve resisted accessing data 34,212 times previously may think differently in the Celebrity test: “Just this one time…” Guess which makes the presses?

Sure, that may over-value the data you really do have, but it is a good exercise to mentally test your own controls and security posture. Besides…do you know for sure that tomorrow won’t see Britney Spears as a new customer of yours?
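One way to turn the auditing the post credits UCLA with into a routine check, as an added example that is not from the original post: flag any access to a high-profile record by a user who is not on that record's care team, and count how many distinct users touched each record. The audit line format, the roster, and the record ids are constructed assumptions, not a real system's format.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in a hypothetical "key=value" format (not from any real system).
AUDIT_LOG = """\
2008-03-14T09:01:12 user=nurse_a action=view record=P-1001
2008-03-14T09:03:44 user=clerk_b action=view record=P-7777
2008-03-14T09:05:09 user=dr_c action=view record=P-7777
2008-03-14T09:07:31 user=tech_d action=view record=P-7777
2008-03-14T09:08:02 user=nurse_a action=view record=P-7777
2008-03-14T09:09:50 user=clerk_e action=view record=P-7777
2008-03-14T09:12:15 user=dr_c action=view record=P-1001
"""

# Constructed roster: users with a documented need to know for each record.
CARE_TEAM = {"P-7777": {"dr_c", "nurse_a"}, "P-1001": {"dr_c", "nurse_a"}}

# Records placed under heightened review (the high-profile "celebrity" case).
FLAGGED = {"P-7777"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_audit(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def need_to_know_violations(events, care_team, flagged):
    """Accesses to a flagged record by a user who is not on that record's care team."""
    return [
        e for e in events
        if e["record"] in flagged and e["user"] not in care_team.get(e["record"], set())
    ]


def distinct_users_per_record(events):
    """How many different users touched each record; a spike is the curiosity signal."""
    users = defaultdict(set)
    for e in events:
        users[e["record"]].add(e["user"])
    return {rec: len(u) for rec, u in users.items()}


if __name__ == "__main__":
    events = parse_audit(AUDIT_LOG)
    for v in need_to_know_violations(events, CARE_TEAM, FLAGGED):
        print(f"REVIEW {v['ts']} {v['user']} viewed {v['record']} without need-to-know")
    print(distinct_users_per_record(events))
```

The roster check is the control itself; the distinct-user count is the after-the-fact signal that would have shown up in the UCLA case regardless of who was on the roster.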