Preventing Insider Breaches: Tips for How to Detect and Deter Snoops and Fraudsters
With promises of ramped up HIPAA enforcement by federal regulators, and changes in the breach notification rule under HIPAA Omnibus Rule, it's time for healthcare organizations to get serious about insider risks.
Remember, it's not just large data breaches that need to be reported to the Department of Health and Human Services; it's all breaches. And under the HIPAA Omnibus breach notification rule - which ditches the subjective "harm" standard in favor of a more objective standard to assess data compromises - it's likely your evaluation of incidents will result in more reportable breaches. And if your organization reports a string of smaller breaches, there's also a good chance you could end up on HHS' radar screen for an investigation or a HIPAA audit (see: HIPAA Audits: The Next Round).
The bottom line: It's time to pay more attention to what employees are doing with patient data.
"Incidents involving insiders are a significant problem, but they're not all the same," says Kirk Nahra, a privacy and security attorney I recently interviewed. Those incidents often range from insiders gawking at celebrity records, to snooping on family, neighbors and co-workers. At the other end of the spectrum, you see serious abuse, such as inappropriate access and misuse of data to commit ID theft and fraud.
Just this week, the University of Florida notified more than 5,600 patients and families about potential ID theft. A former employee has suspected ties to an ID theft ring that's being investigated by law enforcement. That news comes on the heels of two earlier incidents at the university involving other insiders arrested for stealing patient IDs (see: Insiders Arrested In 2 ID Theft Cases).
So, what can be done to prevent insider breaches? Nahra offers some tips:
- Restrict Staff Access - "Healthcare organizations must realize ... there are lots of workers at their companies that have access to lots of information in order to do their jobs," Nahra says. And it's often hard to cut off front-end access. For instance, a customer service worker of a health insurer "needs access" to records because you never know what questions might arise. But is that chance worth the risk?
- Block Data Access - You can take steps to protect certain information, such as blocking access to particularly sensitive data, he says. "Social Security numbers are very high risk ... there're very limited reasons why people need access to that."
- Enforce Your Policies - Increasingly, healthcare organizations are taking steps to protect data by policing, Nahra says. "In the best practices area, that's a mixture of audits, training, investigations, responding to complaints and sanction policies - making sure employees know this will not be tolerated, even if it's for an innocuous reason like checking on [the records of] Aunt Sally."
I've recently encountered healthcare providers that are actively working to stem insider breaches. Among them: Partners Healthcare in Boston and Caromont Regional Medical Center in Gastonia, N.C.
Partners, which operates several hospitals, is rolling out a new automated monitoring and fraud prevention system co-developed with Oracle that promises to have "a chilling effect" on employee health record snooping, says Partners CISO Jennings Aske.
The system alerts Partners' privacy team to patterns of suspicious patient record access by workers, based on a number of "snooping variables." For instance, there are different suspicious patterns associated with snooping on VIP patients versus inappropriately accessing the records of family or colleagues.
Aske described the effort at a recent HIPAA security conference jointly hosted by OCR and the National Institute of Standards and Technology. "We are doing this because it's right for patients. There are bad actors out there."
Meanwhile, at 435-bed Caromont Regional Medical Center, a monitoring system from FairWarning is crucial to protecting the privacy of patients, says Shallie Bryant, assistant manager of HIPAA privacy and security. Caromont employees aren't even allowed to access their own records. "If an employee goes into their own record, that's a potential breach," she says.
When Caromont rolled out monitoring last year, staff got educated about how the move is meant to protect patient data. "E-mails went out ... 'we will watch you,'" Bryant says. As a result, incidents are now sporadic. "If you have no culture of confidentiality, you have everyone doing their own thing," she says.
While monitoring can help transform cultures and protect patient data, it isn't a perfect solution. Organizations need staff to investigate alerts of unusual record access activity. Yet many lack such resources.
And even when incidents are investigated, they can turn out to be "false positives." Say a nurse forgets to document giving a patient a flu shot after accessing the electronic health record - that omission might make the viewing appear unnecessary.
But these speed bumps shouldn't derail your efforts to crack down on insider breaches. Nahra offers great perspective:
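One way to encode the "snooping variables" described above (own-record access, VIP patients, possible family, no treatment relationship) together with the documented-action caveat from the flu-shot example, as an added Python example; this is not code from the article, Partners, Oracle or FairWarning, and the log fields, weights, threshold and sample rows are constructed assumptions:

```python
import csv
from io import StringIO

# Constructed sample EHR access log; the column layout is an assumption, not a vendor format.
# vip=1 marks a flagged patient; documented=1 means a chart note/order was written in the same session.
SAMPLE_LOG = """user,user_last,user_unit,mrn,patient_last,patient_unit,vip,documented
e101,Garcia,oncology,MRN-001,Garcia,oncology,0,0
e102,Lee,ed,MRN-777,Famous,cardiology,1,0
e103,Patel,med-surg,MRN-204,Patel,ortho,0,0
e104,Nguyen,med-surg,MRN-305,Brown,med-surg,0,0
e105,Kim,icu,MRN-406,Smith,ed,0,1
"""

# Constructed lookup: which MRN is the employee's own record (the Caromont rule).
EMPLOYEE_MRN = {"e101": "MRN-001"}


def score_access(row, employee_mrn=EMPLOYEE_MRN):
    """Return (score, reasons): higher means the access looks more like snooping than care."""
    if employee_mrn.get(row["user"]) == row["mrn"]:
        return 5, ["employee opened own record"]  # always an alert, no mitigation
    score, reasons = 0, []
    if row["vip"] == "1":
        score += 3; reasons.append("VIP patient")
    if row["user_last"].casefold() == row["patient_last"].casefold():
        score += 2; reasons.append("shared surname (possible family)")
    if row["user_unit"] != row["patient_unit"]:
        score += 2; reasons.append("patient not on user's unit")
    # A documented clinical action lowers the score; an undocumented one (the nurse who
    # forgot to chart the flu shot) is what makes a legitimate view look unnecessary.
    if row["documented"] == "1" and score > 0:
        score -= 2; reasons.append("documented clinical action (mitigating)")
    return score, reasons


def review(log_text, threshold=2):
    """Run every log row through score_access and return the rows that reach the alert threshold."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        score, reasons = score_access(row)
        if score >= threshold:
            alerts.append((row["user"], row["mrn"], score, reasons))
    return alerts


if __name__ == "__main__":
    for user, mrn, score, reasons in review(SAMPLE_LOG):
        print(f"ALERT {user} -> {mrn} (score {score}): {'; '.join(reasons)}")
```

Each alert still needs a human reviewer; the score only decides what reaches the privacy team's queue.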
"Recognize it's a real documented concern in healthcare," he says. "Make sure you've developed a plan to restrict access on the front end as much as you can, but also build a back-end policing and enforcement process to keep an eye on what's going on with your employees."
Be vigilant now so that you don't have to explain later to patients, lawyers and HHS why your employees are prying into records.