Hospitals’ biggest threat to patient data is hiding in plain sight
The Dark Overlord made headlines earlier this year by advertising the availability of 9.2 million US hospital records on the Dark Web and selling them for 730 bitcoin, which is more than $450,000. Just a few weeks ago, Fancy Bear, a Russian cyber espionage group, exposed medical records of top olympians, revealing that they had received exemptions to use doping medications. Hackers receive a great deal of media attention because their tactics are deeply mysterious to the average person and frequently result in the exposure of thousands of records. However, one group’s activity potentially represents the biggest threat to patient data: insider snooping. These snoops are hospital employees who have access to the EHR and misuse this privileged access. They look at the medical records of colleagues, family and friends out of curiosity, for potential blackmail purposes, or a host of other reasons.
Insider threats to electronic health information can cost affected healthcare organizations millions of dollars when breached. Download our Cost of a Breach white paper to better understand how much insider snooping can cost your organization.
Insider Snooping Can Result in Life-altering Damages
A ProPublica story from 2015 documented the effects a data breach caused by insider snooping had on a single family. A nurse living in Tampa, Florida looked at the medical records of her nephew’s partner, whose records she was not authorized to see. From these, she learned that the partner had delivered a baby and had put the child up for adoption. The nurse printed out these records and showed them to another family member, and the secret came out during a family funeral in 2013. The nephew’s partner complained to the hospital; the hospital fired the nurse, and she relinquished her Florida nursing license. When OCR Director Jocelyn Samuels was asked about the role that small-scale breaches play in the larger data breach landscape, she described them as “heartbreaking stories”, an accurate description of the story just told.
It’s human nature to be curious about what’s going on in the lives of friends and family, and hospital records are a prime place to snoop. HIPAA regulations and employee education on the rules are intended to teach what is and is not proper access to medical records. Employee snooping in records without authorization is one example of inappropriate access covered in every HIPAA training conducted throughout the nation’s hospitals. While hacks might expose snippets of personal information about hundreds or thousands of patients, the Tampa nurse’s story shows that the personal nature of insider snooping can lead to damages that alter the course of an individual’s life. Training for employees is a necessary first step, but it falls short of preventing people from pushing the boundaries of the rules to the detriment of many individuals’ lives.
Hospitals Recognize Insider Snooping as a Top Threat
Healthcare institutions across the country recognize insider threats as enormous barriers to keeping their institution’s data safe. In 2014, Ed Marx, CIO of Texas Health Resources, which recently earned Level 7 EMR revalidation, said, “The biggest risk, as much as we talk about hackers and the people trying to get in and steal healthcare data…is still the individual employee who maybe forgot what the policy was and does something they shouldn’t do.”
In addition to statements made by healthcare leaders like Samuels and Marx, insights gleaned from large studies on the threats of data breaches further highlight the challenge insider snooping presents. A HIMSS security survey revealed that 80% of healthcare IT security professionals identify insider snooping as the top threat motivator for breaches. OCR cites a recent HfS and Accenture survey showing that 69% of organizations have experienced a data breach or attempted data breach by an insider. Of this 69%, 35% involved snooping into medical records of fellow employees, and 27% involved snooping into medical records of friends and family.
Dwelling on the challenges that hospital insiders present is only worthwhile if solutions to the problem are considered at the same time, which forces the question: how can hospitals reduce the likelihood of data breaches stemming from insider snooping, and the damages that follow?
How to Reduce the Risk of Insider Snooping
Comprehensive employee education is a baseline activity that all healthcare institutions must perform. In addition to solid policies and procedures, a technical layer of protection can be added to greatly enhance efficiency and effectiveness in reducing snooping. Proactive patient privacy monitoring solutions draw on advances in big data and artificial intelligence, and involve four key components made possible by machine learning techniques.
- Detect inappropriate access quickly. When a hospital employee snoops in records, it’s likely that they’ll do it again in the near future, making quick detection essential. With proactive patient privacy platforms, the hospital compliance team is notified quickly and violations are confirmed within minutes. This access to quick, accurate case information ensures the offending employee is properly sanctioned.
- Avoid false positives. In time-sensitive situations, false positives become a compliance officer’s worst enemy. Implementing systems that support compliance officers by analyzing thousands of dimensions that define the boundaries of appropriate user-patient access at any given moment will reduce false positives and elevate true threats.
- Identify relationships between people. Understanding the links between employees and patients helps answer the question of why they are viewing certain records. Systems that recognize familial and neighborly relationships between employees and patients help build networks of relationships, giving compliance teams a much clearer picture of threats.
- Integrate clinical context. Clinical care changes with practice updates, new employees, and quality improvement work. Platforms that can automatically adapt to these changes without employee intervention are essential.
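As an added illustration (not code from this page or from any product it describes), the following Python sketches how the four components above combine in a simple rule-based form: flagging access outside the patient’s care team, recognizing colleague and possible-relative relationships, suppressing documented emergency (break-glass) access to cut false positives, and grouping hits per user so repeat offenders surface first. All employee, patient and access-log data is constructed for the example.

```python
from collections import namedtuple

# One EHR access event: who opened which chart, and the declared context.
Access = namedtuple("Access", "user patient context")

# Constructed employee directory: id -> (department, surname)
EMPLOYEES = {
    "u100": ("cardiology", "Lopez"),
    "u200": ("oncology", "Lopez"),
    "u300": ("radiology", "Chen"),
}

# Constructed patient index: id -> (care-team departments, surname,
# employee id if the patient is also a staff member, else None)
PATIENTS = {
    "p1": ({"cardiology"}, "Nguyen", None),
    "p2": ({"oncology"}, "Lopez", None),          # shares surname with u100/u200
    "p3": ({"radiology", "oncology"}, "Chen", "u300"),  # patient is employee u300
}

def flag_access(a):
    """Return the list of reasons an access looks like snooping ([] = clean)."""
    dept, surname = EMPLOYEES[a.user]
    care_team, p_surname, p_emp = PATIENTS[a.patient]
    if a.context == "emergency":   # documented break-glass access: clinical context, not snooping
        return []
    flags = []
    if dept not in care_team:
        flags.append("outside care team")
    if p_emp and p_emp != a.user:
        flags.append("record belongs to a colleague")
    if surname == p_surname:       # crude relationship signal; a real system would use far more
        flags.append("possible relative (shared surname)")
    return flags

def triage(log):
    """Map user -> [(patient, flags)] for flagged accesses, most-flagged users first."""
    hits = {}
    for a in log:
        f = flag_access(a)
        if f:
            hits.setdefault(a.user, []).append((a.patient, f))
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

# Constructed access log for the demo.
LOG = [
    Access("u100", "p1", "treatment"),   # cardiologist views own cardiology patient: clean
    Access("u100", "p2", "treatment"),   # outside care team and shared surname: flagged
    Access("u200", "p3", "treatment"),   # on the care team, but the patient is a colleague
    Access("u100", "p3", "emergency"),   # break-glass: suppressed
    Access("u100", "p3", "treatment"),   # repeat by u100: outside care team and colleague
]

if __name__ == "__main__":
    for user, cases in triage(LOG).items():
        print(user, cases)
```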