Your organization can have the most well-crafted privacy and security policies in the world. But if those policies are accompanied by lukewarm emphasis and no accountability, or your staff just downright ignores them, you have a big security problem – just like the folks at one Ohio-based health system did last week.
Cleveland-based University Hospitals on Friday notified nearly 700 patients of a HIPAA privacy breach after one of its employees was caught snooping on confidential medical records. What's more, the employee was able to inappropriately access patient medical and financial records for nearly three and a half years without UH knowing.
UH had received a complaint over the employee's inappropriate access to the health system's electronic medical record system, and only after the allegation did UH audit the user's EMR access, according to a UH spokesperson. On Oct. 2, health system officials discovered the staff member had been snooping into the EMRs of 692 patients from January 2011 through June 2014.
The staff member, whose employment has since been terminated, was able to gain unfettered access to patient names, medical diagnoses, health insurance numbers, dates of birth, home addresses and additional treatment data. Other patients had their Social Security numbers, financial data, credit card numbers and driver's license numbers viewed.
"UH takes the protection of patient health information very seriously," wrote UH officials in a Nov. 28 press release. "UH continually evaluates and modifies its practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters."
The best way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News this spring regarding Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," said Widup. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."
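To make the auditing advice concrete, here is an added example (not code from the article, from University Hospitals or from Verizon) of the simplest review that would have surfaced the UH pattern: comparing each EMR access against a care-team table and flagging users who open records of patients they have no treatment relationship with. The log format, user names, patient ids and care-team assignments are all constructed for the example; a real EMR audit trail would be exported from the system's own access log.

```python
"""Minimal EMR access-log review for insider snooping (added example).

Everything below is constructed: the audit-trail format, the users, the
patient ids and the care-team table. The point is the check itself:
an access is suspicious when the user is not on that patient's care team,
and a user who does that across several patients is a review lead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str          # hypothetical EMR login name
    patient_id: str    # hypothetical patient identifier
    record_type: str   # "clinical" or "billing"
    day: str           # ISO date of the access (constructed)


# Constructed care-team assignments: staff who legitimately treat each patient.
CARE_TEAM = {
    "p100": {"dr_lee", "rn_ahmed"},
    "p101": {"dr_lee"},
    "p102": {"rn_ahmed", "billing_kim"},
}

# Constructed audit-trail export, one event per access.
ACCESS_LOG = [
    AccessEvent("dr_lee", "p100", "clinical", "2014-06-02"),
    AccessEvent("rn_ahmed", "p100", "clinical", "2014-06-02"),
    AccessEvent("clerk_x", "p100", "clinical", "2014-06-02"),
    AccessEvent("clerk_x", "p101", "billing", "2014-06-02"),
    AccessEvent("clerk_x", "p102", "clinical", "2014-06-03"),
    AccessEvent("billing_kim", "p102", "billing", "2014-06-03"),
]


def accesses_without_relationship(log, care_team):
    """Events where the user is not on the accessed patient's care team."""
    return [e for e in log if e.user not in care_team.get(e.patient_id, set())]


def distinct_patients_per_user(log):
    """How many different patients each user opened; a volume baseline."""
    seen = defaultdict(set)
    for e in log:
        seen[e.user].add(e.patient_id)
    return {user: len(patients) for user, patients in seen.items()}


def flag_users(log, care_team, max_unrelated=1):
    """Users who opened more than max_unrelated patients they do not treat."""
    unrelated = defaultdict(set)
    for e in accesses_without_relationship(log, care_team):
        unrelated[e.user].add(e.patient_id)
    return sorted(u for u, p in unrelated.items() if len(p) > max_unrelated)


if __name__ == "__main__":
    for e in accesses_without_relationship(ACCESS_LOG, CARE_TEAM):
        print(f"no care relationship: {e.user} -> {e.patient_id} ({e.record_type}, {e.day})")
    print("users to review:", flag_users(ACCESS_LOG, CARE_TEAM))
```

Flagged accesses are leads for a privacy officer, not verdicts: consults, emergency ("break-the-glass") access and float staff all produce legitimate accesses outside a static care-team table, so a production version needs those exceptions recorded and reviewed rather than silently excluded. What matters is that the check runs routinely, not only after a complaint arrives.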
It's cases like what transpired at UH, where the action comes down to an individual employee, that have many healthcare security officials on edge.
"The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do," said Texas Health Resources Chief Information Officer Ed Marx, in an interview with Healthcare IT News this summer.
Indeed, Marx is in good company. According to a HIMSS security survey released earlier this year, a whopping 80 percent of healthcare IT security professionals identified snooping on personal patient information by employees to be the top threat motivator for breaches.
More than 41.4 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.