Who can blame you for being worried about patient privacy violations? They have been all over the news lately:
- Kaiser Permanente Bellflower Hospital in Los Angeles County fined $250,000 after 23 employees improperly accessed the records of the mother who grabbed national headlines by giving birth to octuplets
- Hackers hijacked 8 million patient records from the Virginia Prescription Monitoring Program Web site
- Hackers stole approximately 160,000 records of personal information of students and alumni of the University of California-Berkeley
In addition, HHS promises more enforcement through the Health Information Technology for Economic and Clinical Health (HITECH) Act, so hospitals must prepare.
How does the healthcare industry quell the curiosity of staff members who are peeking into patient records?
Some industry leaders say to give them what they want, full access to medical records, and see whether they take it. In other words, bait them, then catch them in the act.
Monitoring staff members and tracking their access to medical records will only get you so far, because in an ordinary audit log a legitimate chart lookup and a curious one look the same. Some facilities therefore plant fictitious medical records that IT monitors; since no real patient is behind such a record, any access to it has no clinical justification and can be flagged immediately.
"This is frosting on the security cupcake," says Gary Nichols, CISM, chief information security officer (CISO) at Blue Cross Blue Shield of Arizona. "You put something so sweet out there that they can't resist."
Nichols does not use these so-called "honeypots," but he's hearing an awful lot about them across the industry.
"It has spectacular results," he says. "If you have 500 users who have access to a system, and you are aware of patient information system access requirements, you know something is wrong when people start searching for and accessing records for Barack Obama."
Not every organization will adopt the technique, says John R. Christiansen, founder of Christiansen IT Law in Seattle.
"I tend to doubt it's being done in smaller hospitals at all," Christiansen says. "It does require a certain sophistication and commitment of resources, and it isn't clear to me that the costs are necessarily worth the benefits compared to other commitments of compliance resources."
A couple of quick tips to get started:
- Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," Christiansen says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
- Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
- Less is more. The fewer people involved, the better your plan will work. One healthcare company that Nichols has spoken with uses a honeypot with only 15 people involved in establishing and monitoring it.
- Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility. "You also want to be careful that you don't establish them in a way that might affect actuarial research," Nichols says. "Create the records, but do it in a way that leaves a secure way to remove them as well."
- Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access, says Christiansen.
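The monitoring side of this approach, as an added example that is not code from the article or from any of the organizations quoted in it: the decoy record numbers, user names, pipe-delimited audit log format (timestamp|user|patient_id|action|reason) and log lines below are all constructed for illustration. It encodes three of the points above in code: only a small named maintenance group may touch decoys, and only to create, verify or remove them (the "less is more" and "secure way to remove them" points); every other touch of a decoy is an alert, because a record with no patient behind it has no clinical reason to be opened; and decoys are filtered out of any research or actuarial extract.

```python
"""Detect access to decoy ("honeypot") patient records in an EHR audit log.

Added example; it is not code from the article or from any organization
quoted in it. Assumptions: the audit log is pipe-delimited as
timestamp|user|patient_id|action|reason; the decoy MRNs, user names and
log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Hypothetical medical record numbers assigned to the planted decoy records.
DECOY_MRNS = frozenset({"MRN-2048771", "MRN-2048772", "MRN-2048773"})

# The small group that provisions, verifies and removes decoys (hypothetical names).
DECOY_MAINTAINERS = frozenset({"svc_honeytoken", "ciso_jdoe"})

# The only actions a maintainer may take on a decoy without raising an alert.
# Viewing or printing the chart is never maintenance, even for a maintainer.
MAINTENANCE_ACTIONS = frozenset({"CREATE", "VERIFY", "DELETE"})

# Actions that move the record out of the system are treated as more serious.
EXFIL_ACTIONS = frozenset({"PRINT", "EXPORT"})


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str
    reason: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    patient_id: str
    action: str
    severity: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit line; return None for a malformed line instead of
    raising, so one bad line cannot blind the detector to the lines after it."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts_raw, user, patient_id, action, reason = (p.strip() for p in parts)
    try:
        ts = datetime.fromisoformat(ts_raw)
    except ValueError:
        return None
    return AuditEvent(ts, user, patient_id, action.upper(), reason)


def detect_decoy_access(lines: Iterable[str]) -> List[Alert]:
    """Every touch of a decoy record is an alert unless it is a known
    maintainer performing a maintenance action. A decoy has no real patient,
    so nobody else has a clinical reason to open it."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev.patient_id not in DECOY_MRNS:
            continue
        if ev.user in DECOY_MAINTAINERS and ev.action in MAINTENANCE_ACTIONS:
            continue
        severity = "high" if ev.action in EXFIL_ACTIONS else "medium"
        alerts.append(Alert(ev.ts, ev.user, ev.patient_id, ev.action, severity))
    return alerts


def per_user_summary(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per user so HR and counsel get one case per person, not per click."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


def exclude_decoys(patient_ids: Iterable[str]) -> List[str]:
    """Keep decoys out of research or actuarial extracts so they cannot skew them."""
    return [pid for pid in patient_ids if pid not in DECOY_MRNS]


# Constructed audit log: one provisioning event, normal care, a clerk viewing
# and printing a decoy, a maintainer verifying one decoy and snooping another,
# a decommission, and a malformed line.
SAMPLE_AUDIT_LOG = """\
2009-06-01T08:02:11|svc_honeytoken|MRN-2048771|CREATE|decoy provisioning
2009-06-01T09:15:40|nurse_r_smith|MRN-1093344|VIEW|assigned patient
2009-06-01T12:47:03|clerk_t_lee|MRN-2048771|VIEW|none
2009-06-01T12:48:19|clerk_t_lee|MRN-2048771|PRINT|none
2009-06-01T13:05:55|ciso_jdoe|MRN-2048772|VERIFY|quarterly check
2009-06-01T13:30:00|ciso_jdoe|MRN-2048773|VIEW|none
2009-06-02T07:00:00|svc_honeytoken|MRN-2048773|DELETE|decommission
this line is malformed and must not stop processing
"""

if __name__ == "__main__":
    found = detect_decoy_access(SAMPLE_AUDIT_LOG.splitlines())
    for a in found:
        print(f"{a.ts.isoformat()} {a.severity:6} {a.user} {a.action} {a.patient_id}")
    print(per_user_summary(found))
```

Run against the constructed log, the detector raises three alerts: two for the clerk (the PRINT rated high) and one for the maintainer who verified one decoy legitimately but then viewed another, which is the reason the exemption is keyed on user and action together rather than on the user alone. Real deployments would feed the alerts to a case queue rather than stdout and would read the decoy set from wherever the maintenance group provisions it.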
Ultimately, do we want to operate in a healthcare industry where a setup is the only way to catch inappropriate snooping of patient records? No. But because of recent violations, the message is clear: Some just do not respect HIPAA privacy laws enough.
"We are still trying to change the norms in the industry," Christiansen says. "Paradoxically, maybe once we have shifted the balance so that the norm is a robust respect for the privacy and security of personal information, we can deal more leniently with offenders."