By Tim Critchley, CEO, Semafone.
In the more than 20 years since the landmark passage of the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations have come a long way in protecting the security and privacy of patient data. Organizations now use sophisticated tools in the form of electronic health records (EHRs), online patient portals and virtual clinics that have elevated modern medicine to a new level of care. As a result, patients have come to expect a seamless interaction – whether digitally or in-person – with their healthcare provider, and trust that their personal information is safeguarded throughout.
But just as these new digital records and online portals make it easier to access and manage patient care and medical history, there still looms a security threat that organizations may not be as well-equipped to prevent. Despite the regulations put in place to guard against privacy violations and data theft, healthcare data breaches now occur at a rate of more than one per day, with nearly 60 percent of these breaches coming from insiders. You read that right. Unfortunately, the greatest threat to a healthcare organization may not always be from outside cybercriminals hacking into an organization’s network and stealing patient medical records. While the vast majority of healthcare workers are good and honest people, it only takes one employee succumbing to curiosity and taking a peek at a patient’s EHR without a valid reason, to violate HIPAA compliance laws and potentially cause a massive data breach.
Why are insider threats on the rise?
The healthcare sector employs tens of millions of people across the country, and organizations go to great lengths to hire quality employees. But the fact remains that access to sensitive information, coupled with large organizations that employ people with varying levels of commitment – whether full-time, part-time or as contractors – can present opportunities for unethical and unlawful actions.
For instance, I recently spoke with Phil Fasano, CEO and co-founder of Bay Advisors, LLC, and former executive at Kaiser Permanente, and he noted that the size of many large healthcare providers is more like a city than a business, and they often employ temporary staff and contractors. When he was executive vice president and chief information officer at Kaiser in the early 2000s, the organization employed more than 300,000 people, with some 60,000 to 80,000 being temporary, such as contact center workers, custodians and administrative staff. In high turnover roles and with temporary staff, not only may there be a lower familiarization with compliance regulations and data security protocols, there may also be a greater willingness to skirt the rules for short-term gain. Thus it becomes even more imperative for businesses to have the right tools, technology and training in place in order to ensure data security and privacy – not only to comply with the law, but to protect patients and the long-term viability of their business.
This issue is not hypothetical. There have been many high-profile examples in the news of healthcare insiders stealing patient data to use for fraudulent purposes, or simply viewing it out of sheer curiosity, which is still a major violation. In a recent case of identity fraud, UMass Memorial Healthcare had to pay $230,000 to settle a lawsuit that resulted from two employees stealing patient information to open credit card and cellular phone accounts. In a truly egregious example from several years ago, an employee of the UCLA Medical Center leaked the late actress Farrah Fawcett’s cancer diagnosis to the National Enquirer before she even had the opportunity to break the news to family and friends herself. These cases are unfortunately not isolated incidents. Shockingly, a recent survey of healthcare workers found that one in five would be willing to sell confidential patient data if given the opportunity.
How to mitigate insider threats
First and foremost, healthcare organizations should institute mandatory background checks on all full-time, part-time and temporary hires – no exceptions. They should also aim to improve employee awareness and understanding of the laws by conducting annual training sessions and refreshers on all relevant data security and privacy regulations, including HIPAA, the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standards (PCI DSS) – this last one being especially important for patient billing and contact centers that handle payment card data. There are also several advanced technologies and strategies that an organization can implement to improve its defenses from insider threats, namely:
Establish staff guidelines for patient record access
The best way to avoid an internal compromise of sensitive information is to establish and enforce the principle of least privilege user access (LUA) on all computer systems, which states that an employee should only have the minimum level of access necessary to do their job. For example, an agent in the health system’s contact center may need access to some patient data such as payment or scheduling information, but they may not need to see information about medical history. Creating LUA controls limits unnecessary access and adds a strong, first level of security.
Monitor and flag staff access to patient data
Systems can include various levels of protection, from asking employees to enter password information twice before accessing confidential patient information, to red-flagging abnormal activity. Red-flagging provides an alert to senior staff of suspicious behaviors in the cases where an employee may be accessing large amounts of patient information or performing irregular activities within the network.
Segment networks, minimize the data you hold
Segmented networks can strengthen data security and make regulatory compliance easier to navigate. With a segmented network, the healthcare provider can reduce the scope of compliance for PCI DSS, for example, to only the portions of the network where payments are processed and transmitted. I also recommend, wherever possible, that healthcare organizations reduce the amount of sensitive data they process and hold. For example, they can keep patients’ sensitive payment card data out of the contact center completely through the use of dual-tone multi-frequency (DTMF) masking solutions.
This technology enables callers to enter numerical information, such as payment card data, directly into their telephone keypad, while being able to stay in full communication with the agent throughout the process. The usual keypad tones are masked by flat tones, rendering the digits indecipherable to the patient service representatives on the line, as well as call recordings. The sensitive data is encrypted and routed directly to the appropriate third party – such as a payment processor – so the data is never stored or processed in the contact center’s computer network and staff do not have access to this private information.
The Hippocratic Oath requires a high bar of responsibility from healthcare providers to respect the privacy of patients – and protecting the privacy and security of their sensitive information should be an extension of this promise. Hospitals, clinics and treatment centers everywhere have worked hard to earn patient trust, and the risk of a data breach caused by an insider’s unethical behavior threatens that integrity. The best practices and technologies described above will go far in fortifying an organization’s infrastructure to prevent curiosity from sinking the business.