HIPAA requires healthcare organizations and their business associates to protect the confidentiality, integrity, and availability of all protected health information (PHI). This is increasingly challenging: the evolving threat landscape creates new risks for patient privacy and increases the chance that a healthcare organization overlooks a critical vulnerability.
Best practices like system-level risk analysis, proper education and training, and adequate access monitoring are just a few ways that organizations can reduce the risk to patient data and adopt a proactive posture toward cybersecurity, privacy, and compliance.
Without visibility into who can access your systems, what and how much data they can access, and how they’re using it, there is an increased likelihood of attackers taking advantage of your security weaknesses and putting patient privacy at risk.
Patient Privacy Threats
When looking at patient privacy and protected data risk, focus on identifying three key areas: improper access, improper use, and impermissible disclosure.
Improper Access. Ask:
- Who has access to what?
- Who is monitoring that access?
- Examples: intruders, and individuals who do not need access to do their job
Improper Use. Ask:
- How is health information used, shared, or discussed within the organization?
- Examples: marketing, research, and curious employee snooping
Impermissible Disclosure. Ask:
- Am I sharing protected information with third parties only in permitted ways?
- Have I ensured proper oversight of those third parties?
If these areas are not properly addressed through policies, processes, and training, your organization has increased opportunities for patient privacy risk.
Real World Context
Since 2019, more than 50% of all Office for Civil Rights (OCR) resolution agreements found potential violations of requirements directly related to user access monitoring.
Interestingly, it’s not that half of all OCR resolution agreements were specifically focused on monitoring or auditing. The reality is that they were likely focused on other security or privacy incidents, but the OCR found user access monitoring and audit violations during the investigation.
When team members aren’t properly trained on patient privacy policies and procedures, and when they don’t have a clear understanding of what they can access and how, the risk to your organization and your patients increases.
But there is good news. We can learn a lot from organizations that are managing privacy risk correctly.
Just one example: an academic medical center experienced a nearly 40% increase in user numbers during a two-year period, but its alerts decreased by half during that same time. How? This workforce had the right training and education about patient privacy, and when this happens, risk decreases.
Access monitoring is not just about watching for external threat actors or potential risks from third parties. It’s also about monitoring who has access to that information within your organization.
While proper education and training can reduce risk, as demonstrated in the academic medical center example, the reality is that humans are curious by nature. Even if they know what they’re supposed to do and what they can’t, curiosity could be one of the many overlooked risks to patient privacy that hides in plain sight.
For example, employees might be curious about what’s going on with a coworker receiving care or get excited about a celebrity or famous person in your facility. A close eye should be kept on these potential issues, and your policies, procedures, training, and education should be routine and updated as needed.
Ultimately, health information is valuable, and that curiosity could come at great cost, especially if you haven’t implemented proper monitoring. Here’s an example:
In 2020, the City of New Haven, Connecticut, faced a more than $200,000 OCR penalty after failing to terminate a former employee’s PHI access. The city filed a breach report with OCR in early 2017 for an incident that occurred in mid-2016.
After the employee was terminated, she returned eight days later to the health department where she had worked, logged into her old computer with the same username and password she had used as an employee, and downloaded PHI for nearly 500 patients.
That employee had also shared her credentials with an intern, who could therefore still access PHI after the employee no longer worked for the health department.
According to OCR, the organization failed to conduct an enterprise-wide risk analysis and hadn’t implemented termination procedures that included access control.
In addition to the penalty, the organization agreed to a corrective action plan that included two years of monitoring and 180 days to complete a risk analysis, inventory, and submit findings to the Department of Health and Human Services (HHS).
In addition to the penalties and corrective action plan, this incident likely cost the organization much more. For example, there were likely operational costs, costs associated with patient notification, potential litigation, system and processes improvements, and more.
Had the organization implemented proper access monitoring and other controls, it may have prevented this PHI breach or, at the very least, could have caught it much earlier. This could have enabled the city to respond proactively instead of reactively.
Here’s another example with a much bigger financial impact.
In 2021, Lifetime Healthcare Companies, a large insurer, agreed to a more than $5 million OCR penalty after cyber-attackers gained access to its systems sometime between the end of 2013 and mid-2015.
Attackers successfully installed malware on the company’s systems and conducted surveillance that ultimately led to the impermissible disclosure of PHI of more than 9 million people.
As in the City of New Haven case, OCR found that Lifetime had failed to conduct an enterprise-wide risk analysis and had not implemented risk management, information system activity review, or access controls.
Like the city, the company agreed to a corrective action plan that included two years of monitoring. It also required the company to implement regular reviews of audit logs and access reports in order to detect and respond to suspicious events, and to define the frequency of those reviews and the procedures for documenting and reporting their results.
Addressing Threats That Hide in Plain Sight
In both of these examples, threats were hiding in plain sight. That’s why it’s so important to implement policies and procedures that ensure your organization always knows who’s accessing your PHI, where it’s going, and what’s being done with it.
With that in mind, you can take a deeper dive into additional questions and may discover other unknown issues that need resolution.
Ask these questions:
- What assumptions has your organization made about access monitoring and insider threats?
- How often are you providing training? Is it frequent enough to address some of these hidden risks?
- Have you implemented access monitoring?
  - How are you monitoring?
  - Are you monitoring manually?
  - Are you monitoring regularly, and is it proactive or reactive monitoring?
  - Remember, had these two organizations conducted the required enterprise-wide risk analysis and taken a proactive approach to access monitoring, they both may have been able to identify PHI access issues much earlier than they did.
- Who is responsible?
  - This should go beyond just looking at who accesses your systems and data; it should also ensure you have the right people in place across your organization to manage education about patient privacy policies and procedures, and that proper disciplinary procedures exist and are followed.
- Which alerts are you reviewing?
  - Most organizations juggle many alerts. Is your team reviewing the right ones? Have you ensured no one has turned off necessary alerts? How does your team effectively manage these notifications?
  - Why do you have these specific alerts in place, and what review cadence can best help your teams address organizational and patient risk?
Who’s helping you manage patient privacy and HIPAA compliance? If you need a partner you can trust to help you stay proactive and ready to tackle the challenges of protecting patient data, we can help. Let’s schedule a call.