Critical Infrastructure Case Study
A report in March 2010 indicated that the Veterans Affairs (VA) department had a security breach. The breach involved a physician assistant who was accused of copying two sets of recorded patient data onto a personal laptop. The assistant was doing research. One set included three years of patient data and another held 18 years of medical information.
There was an earlier incident with the VA in 2006, in which 26.5 million patient records were downloaded to an unsecured computer. Later, that computer was stolen. Because of the incident in 2006, the VA instituted new policies requiring that all patient data stored on department computers be encrypted.
The assistant was discovered and stopped by a nurse-scientist visiting the medical center. The nurse-scientist discovered that the physician assistant was part of an unapproved project. On February 8, 2010, the nurse-scientist reported the incident to the compliance officer. On February 26, the physician assistant resigned.
This case study is an example of effective enforcement of security policies. Although there was an original violation of policy by the physician assistant, the breach was quickly stopped by a coworker. It’s a clear indication that security awareness was at the top of the nurse-scientist’s mind. The quick action of that person prevented data loss. In this case, all the data was recovered.