This scenario was brought front and center last week by the data breach incident at UMass Memorial Medical Center (UMMMC) in Worcester, MA. UMMMC reported this data breach:
“On March 6, 2014, we learned that an employee may have accessed information of certain patients outside of the employee’s normal job duties. The information may have been used to open commercial accounts, such as credit card and cell phone accounts. Upon receiving this information, UMMMC immediately began an internal investigation. We continue to investigate and cooperate with law enforcement. Our investigation has determined that the employee had access to patient information such as name, date of birth, Social Security number, and address at some point between May 6, 2002 and March 4, 2014. We are not aware of the misuse of any medical information. The employee no longer works at UMMMC.”
Preventing insider data theft is extremely challenging. I am sure in the UMass case their internal investigation must have sought answers to a number of questions such as:
- How did the employee get access to the patients’ records outside normal job responsibilities?
- Where did this individual get the access authorization credentials from?
- Was the system login password shared among employees in the department?
- Was access to electronic protected health information (ePHI) restricted to only the minimum number of employees that needed it as part of their job responsibilities?
- How often were the system access/audit logs reviewed? Who reviewed them?
- Did the audit logs show any suspicious activity, such as access during non-working hours or access to a large number of patient records at one time?
So how does a healthcare organization, or any business for that matter, prevent insider fraud? This is an extremely difficult task, especially if the employee has access to confidential information as part of their normal job routine. That being said, the organization can still implement appropriate technology, policies and procedures to minimize the risk, namely:
- When granting employees access to confidential information, follow the “Minimum Necessary” Rule, i.e. restrict ePHI access only to those people who need it to perform their jobs AND restrict the ePHI data they can see to the minimum necessary for them to do their jobs. Be STINGY in giving ePHI privileges.
- Have a well written access policy and procedure in place that clearly communicates the approval procedure for granting ePHI access to an individual.
- Implement audit software that generates the list of individuals with ePHI access, provides a log of recent access activity and alerts management to any attempts to gain unauthorized access to ePHI.
- Implement a policy that mandates periodic audits of the ePHI access procedure. Revoke or grant access privileges as needed.
- Regularly train employees on their ePHI security and compliance responsibilities.
- Encourage employees to report any suspicious behavior within the organization.
- Implement a strict sanction policy that holds employees accountable for their actions. Remind them that non-compliance will result in termination.
- Get management buy-in to commit to a culture of data security in the organization.
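The audit-log review raised in the questions above (access during non-working hours, many patient records pulled at once) and the alerting called for in the audit-software recommendation, as an added example that is not from the original post: a small Python script run over constructed audit lines. The log format, field names, working-hours window and bulk threshold are all assumptions, not anything UMMMC's systems actually use.

```python
# Added example (not from the original post): a minimal ePHI audit-log review that
# flags the two patterns the post names: access outside working hours and one
# employee touching an unusually large number of distinct patient records at once.
# Log format, field names, thresholds and the sample lines below are constructed.
from collections import defaultdict
from datetime import datetime

WORK_HOURS = range(7, 19)    # 07:00-18:59 counts as working hours (assumption)
BULK_THRESHOLD = 20          # distinct patient records per clock hour before alerting
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample lines: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2014-03-03T09:12:41,jsmith,P1001,VIEW
2014-03-03T09:15:02,jsmith,P1002,VIEW
2014-03-03T23:40:10,rdoe,P2001,VIEW
2014-03-03T23:41:55,rdoe,P2002,VIEW
""" + "".join(f"2014-03-04T10:{i:02d}:00,rdoe,P3{i:03d},VIEW\n" for i in range(25))

def parse_log(text):
    """Parse CSV-style audit lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        events.append({"ts": datetime.strptime(ts, LOG_FORMAT),
                       "user": user, "patient": patient, "action": action})
    return events

def find_off_hours_access(events):
    """Return (user, timestamp) for every access whose hour is outside WORK_HOURS."""
    return [(e["user"], e["ts"]) for e in events if e["ts"].hour not in WORK_HOURS]

def find_bulk_access(events, threshold=BULK_THRESHOLD):
    """Return {(user, hour_bucket): count} for users who viewed more than
    `threshold` distinct patient records within a single clock hour."""
    seen = defaultdict(set)
    for e in events:
        bucket = e["ts"].replace(minute=0, second=0)
        seen[(e["user"], bucket)].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}

def review(text):
    """Run both checks and return the findings for a reviewer to act on."""
    events = parse_log(text)
    return {"off_hours": find_off_hours_access(events),
            "bulk": find_bulk_access(events)}
```

On the constructed sample, `review(SAMPLE_LOG)` reports two off-hours views by `rdoe` and one bulk alert for `rdoe` pulling 25 distinct records in the 10:00 hour.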