In its recent "2015 Data Breach Investigations Report," Verizon put healthcare security under the microscope and found that insider snooping (think employee snooping and organized crime groups) jumped from 15% in 2014 to 20% in 2015. The analysts observed a surge in organized crime groups that position themselves as people in healthcare so they can swipe data for tax fraud.
Combine that report with the "HIMSS Analytics Report: Security of Patient Data," which reveals that healthcare organizations have not been allocating the resources or specific focus required to ensure all patient health information remains protected and secure. The most surprising figures show that while 91% of organizations review audit logs, 84% do it manually.
So why have healthcare organizations not fully implemented preventive measures to defend against a data breach and protect patient privacy? Why are organizations performing manual random audits, and not seeking technology to reduce the cost of the manual effort, stop insider snooping, and find that needle in the haystack?
The primary problem stems from a lack of understanding about privacy violations and their potential consequences. Another contributor is the "but I can trust my team" mentality. What this mentality doesn't take into account is human nature: looking into a neighbor's records just to be helpful, looking at VIP records out of curiosity, or, in the worst case, employees looking to make a profit.
If healthcare leaders really understood how frequently Protected Health Information (PHI) is being accessed in their facilities, understood their patients' privacy expectations, and fully understood the ramifications, they would make this a higher priority.
Our customers tell us effective auditing can’t be done without using technology to automate patient privacy monitoring. There are literally hundreds of thousands to millions of audit events being generated every day in healthcare from all the systems that are being used. Technology is used in all other aspects of our healthcare business, so why isn't it used for auditing?
It’s not all gloom and doom. Mark Combs, a customer of ours at West Virginia United Health System (WVU), was able to stop insider snooping by implementing policies, procedures, and technology with a strong culture of trust.
Mark now feels confident that they are doing everything possible to mitigate risk and protect patient privacy. The technology they have implemented:
- Stopped insider snooping by finding VIP accesses and accesses to friends, family and neighbors
- Provides behavioral reports that analyze changes in activity/volumes from normal, established (baseline) levels
- Includes medical identity theft detection that flags changes in patient records
- Facilitates the entire lifecycle of a privacy breach investigation
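
The relationship checks (VIP, family, neighbor) and the baseline-volume report named in the list above can both be run automatically over audit events. The following is an added example, not code from the vendor or from WVU; the log layout, directory fields, names, and thresholds are all assumptions, and the sample data is constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data; every name and field here is hypothetical.
EMPLOYEES = {
    "jdoe":   {"surname": "Doe",   "street": "12 Elm St"},
    "asmith": {"surname": "Smith", "street": "80 Oak Ave"},
}
PATIENTS = {
    "P1": {"surname": "Doe",   "street": "12 Elm St", "vip": False},
    "P2": {"surname": "Lee",   "street": "14 Elm St", "vip": False},
    "P3": {"surname": "Stone", "street": "5 Main St", "vip": True},
    "P4": {"surname": "Park",  "street": "9 Pine Rd", "vip": False},
}
# (user, patient_id, day) tuples as they might be exported from an audit log
EVENTS = [("asmith", "P4", d) for d in range(1, 6) for _ in range(4)]
EVENTS += [("asmith", "P4", 6)] * 30   # sudden volume spike on day 6
EVENTS += [("jdoe", "P1", 6), ("jdoe", "P2", 6), ("jdoe", "P3", 6)]

def street_name(addr):
    return addr.split(" ", 1)[1]       # drop the house number

def relationship_flags(events):
    """Flag VIP, possible-family and possible-neighbor accesses.
    Surname and street matches are leads for an investigator, not findings."""
    flags = set()
    for user, pid, _day in events:
        emp, pat = EMPLOYEES[user], PATIENTS[pid]
        if pat["vip"]:
            flags.add((user, pid, "vip"))
        if emp["surname"] == pat["surname"]:
            flags.add((user, pid, "family"))
        elif street_name(emp["street"]) == street_name(pat["street"]):
            flags.add((user, pid, "neighbor"))
    return flags

def volume_flags(events, today, k=3.0, floor=10):
    """Flag users whose access count today exceeds baseline mean + k*stdev."""
    daily = Counter((u, d) for u, _, d in events)
    flagged = []
    for user in sorted({u for u, _, _ in events}):
        base = [daily[(user, d)] for d in range(1, today)]
        limit = mean(base) + k * pstdev(base)
        # floor keeps normally idle accounts from alerting on a handful of lookups
        if daily[(user, today)] > max(limit, floor):
            flagged.append(user)
    return flagged
```
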
Review these articles, reports, and case studies to learn the steps you can take to end insider snooping at your healthcare organization.