Snooping staff still top security issue
Former health plan employee slated to get jail time for accessing member records
When it comes to data breaches, hacking and loss or theft of unencrypted devices are far from healthcare security professionals' only concerns. Employee snooping and insider misuse also prove to be among the biggest privacy threats in the healthcare sector today.
Just last week, a former Tufts Health Plan employee was convicted of disclosing patient information in a fraudulent tax refund scheme after stealing the personal data of more than 8,700 members. The former employee, Emeline Lubin, started working at Tufts Health Plan in Watertown, Mass., back in 2010. For that time, Lubin sent lists of member data to a Florida man in efforts to file false income tax returns. Lubin could face up to five years in prison and a $250,000 fine.
[See also: 4-year long HIPAA breach uncovered.]
It's cases like this that have many healthcare security officials on edge.
"The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do," said Texas Health Resources Chief Information Officer Ed Marx, in an interview with Healthcare IT News, this month.
Marx isn't alone in thinking this. A whopping 80 percent of healthcare IT security professionals identified snooping on personal patient information by employees to be the top threat motivator for breaches, according to a 2013 HIMSS security survey released earlier this year.
[See also: Healthcare security stuck in Stone Age.]
Verizon's 2014 Data Breach Investigations spring report released also highlighted numbers pertaining to unauthorized access. Officials found that the healthcare sector saw its second highest numbers in the insider misuse category (second only to loss/ theft), with 15 percent of healthcare's security incidences due to insider misuse. That's higher than 13 other industries outlined in the report. Only the administrative, mining, public sector, real estate and transportation industries saw bigger numbers.
Speaking to Healthcare IT News in April, Suzanne Widup, senior analyst on the Verizon RISK team, said they see insider misuse "quite a bit," especially affiliated with organized crime groups where they either have someone recruited as an insider, or they are specifically sent to get a job in healthcare where they will eventually facilitate access to sensitive information that's easily monetized, like Social Security numbers associated with patient records, for instance.
There's also the employee snooping problem, which Widup said is actually underreported.
The biggest way to avoid this is auditing your users and the data, said Widup. "You need to know who has the data, who has access the data, and you need to monitor it," she said. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."
Indeed, unauthorized access/disclosures are involved in nearly 20 percent of all HIPAA breaches reported by the Office for Civil Rights, the HHS division responsible for investigating HIPAA violations.
[See also: Breach alert: Hackers swipe data of 4.5M.]
Several breaches involving employee snooping have already been reported in recent months.
In December, for instance, the five-hospital Riverside Health System in southeast Virginia notified close to 1,000 of its patients that their protected health information had been compromised after a former RHS employee inappropriately accessed patients' Social Security numbers and electronic medical records. The breach was ongoing for four years before health system officials discovered the employee had been inappropriately accessing data after conducting a random audit.
In October 2013, a similar incident transpired at the Iowa-based UnityPoint Health after they notified nearly 2,000 patients of a HIPAA breach after officials discovered an employee of the health system's third party contractor gained unauthorized access to patients records. The individual was able to access the records for nearly six months before being discovered.