Later investigations revealed that it was an insider incident, that it involved the theft and subsequent selling of patients' credit card numbers, and that the activities emanated from the Call Centre. Having provided you with a general overview of the situation, I will now explain its potential and actual consequences, summarize the results of the post-mortem and clarify both lessons learnt and future action.
In regulating conduct related to the use of computers, the United States government currently defines a computer as "an electronic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such a device" (United States Computer Fraud and Abuse Act (e)(1), 1984, cited in Kipper, 2007, p. 194). This definition accounts for the way in which IT has fused data storage, computing and telecommunications technologies and, in so doing, touches upon the potential of both the computing and telecommunications technologies to violate the integrity and confidentiality of the stored data. The United States Department of Commerce (2000) highlighted this threat in its report on the proliferation of computer use and internet access, not just in the United States but across the world. As the great majority of corporations, both in the United States and worldwide, are relying on IT for data storage and processing, increased popular access to IT renders corporate systems vulnerable to unauthorized penetration and the associated accessing of private and confidential data (U.S. Department of Commerce, 2000). While it is the responsibility of corporate entities to ensure the security of their networks, absolute inviolability is practically impossible to achieve. It is, thus, that recent years have witnessed the ever-increasing adoption of computers in the commission of crimes of fraud and theft (Power, 2000). Our company has recently fallen victim to one such incident.
3 Incident Overview
On January 16th, 2008, a periodic review of our IT activity logs evidenced a string of unusual activities. Almost 10,000 patient files had been accessed and the data they contained had been transferred to an external medium, possibly an external hard drive. The IT department had no record of authorizing this level of access for any individual and, indeed, there was no legitimate justification for the access of 10,000 patient files. The incident was terribly worrisome as these files contain sensitive data such as patients' social security, insurance and credit card numbers, not to mention home and place of employment addresses and contact information. The IT department immediately contacted the Legal Department and apprised its Director of the situation who, in turn, contacted law enforcement and did the same.
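The kind of log review described above can be automated so that bulk access surfaces without waiting for a periodic check. The following is an added example, not part of the original report or the company's tooling: it counts the distinct patient records each account touches per day and flags accounts above a threshold that have no recorded authorization. The log format, account names and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption, not the company's real schema):
#   <ISO timestamp> user=<id> action=<READ|EXPORT> record=<patient id>

def parse_line(line):
    """Return (day, user, action, record), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        day = datetime.fromisoformat(parts[0]).date()
        fields = dict(p.split("=", 1) for p in parts[1:])
        return day, fields["user"], fields["action"], fields["record"]
    except (ValueError, KeyError):
        return None

def bulk_access_alerts(lines, threshold, authorized=frozenset()):
    """Flag (day, user) pairs touching more than `threshold` distinct records."""
    seen = defaultdict(set)      # (day, user) -> distinct records touched
    exported = defaultdict(set)  # (day, user) -> distinct records exported
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted
        day, user, action, record = parsed
        seen[(day, user)].add(record)
        if action == "EXPORT":
            exported[(day, user)].add(record)
    alerts = []
    for (day, user), records in sorted(seen.items()):
        if len(records) > threshold and user not in authorized:
            alerts.append({"day": day.isoformat(), "user": user,
                           "records": len(records),
                           "exported": len(exported[(day, user)])})
    return alerts

def sample_log():
    """Constructed sample: one ordinary account and one bulk exporter."""
    lines = [f"2008-01-15T09:{m:02d}:00 user=agent_a action=READ record=P{m:05d}"
             for m in range(12)]
    lines += [f"2008-01-15T22:00:{n % 60:02d} user=agent_b action=EXPORT record=P{n:05d}"
              for n in range(300)]
    lines.append("corrupted line without fields")
    return lines

if __name__ == "__main__":
    for alert in bulk_access_alerts(sample_log(), threshold=100):
        print(alert)
```

The `authorized` set stands in for the IT department's record of approved bulk access; an account listed there is not flagged.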
4 Post Mortem
After reporting the incident to the Legal Department and law enforcement officials, the IT department launched an intensive post mortem investigation. The investigation, which followed standard procedures that will be described shortly, had several objectives. These were the identification of the source, as in whether it was an insider or outsider incident;