Is curiosity killing patient privacy?
The digitization of healthcare is changing the face of fraud. With the growth of electronic health records (EHRs), online patient portals and virtual clinics, a wealth of sensitive medical information is available across multiple digital channels and while hackers and cybercriminals pose a massive risk to this information, it’s not just “outside” fraudsters that are raising concerns.
Increasingly, insider threats are putting patient data at risk – employees within a healthcare organization can often access a patient’s protected healthcare information (PHI) such as medical histories or personally identifiable information (PII) such as social security numbers and payment card data – without a valid reason.
Despite the numerous laws and industry standards designed to protect patient data – from the Health Insurance Portability and Accountability Act (HIPAA) to the Payment Card Industry’s Data Security Standard (PCI DSS), to the new EU General Data Protection Regulation (GDPR) – data breaches in the healthcare industry continue to occur at a rate of more than one per day in the U.S.
Though employees can lose their jobs, their professional licenses, or even face prison time for inappropriately accessing or sharing a patient’s data, the temptation to snoop often proves too great. In fact, almost 60 percent of healthcare data breaches originate from insiders.
Sometimes the temptation for an unsolicited peek at medical records arises because the patient is a celebrity. For example, late actress Farrah Fawcett’s cancer diagnosis was leaked to the National Enquirer by an employee of the UCLA Medical Center – before Fawcett had a chance to personally tell her family or even process the devastating news herself.
Similarly when Michael Jackson passed away, unauthorized staff, including contractors and medical students, accessed his death certificate more than 300 times. More recently, NFL player Jason Pierre-Paul suffered a hand injury that necessitated the amputation of one of his fingers. While he was in the hospital, two employees leaked his medical information to ESPN – a potentially career-altering blow right when he was negotiating a $60 million contract with the New York Giants.
It’s not only celebrities who must worry about the privacy of their PHI, though. Private citizens also fall victim to healthcare data breaches. Cases can be as innocent as a concerned friend or neighbor curious to know why their acquaintance has checked into the hospital, or more nefarious in nature, such as a disgruntled former friend or ex-lover seeking revenge. In other cases, the patient’s healthcare data is used for identity theft or fraud. For example, UMass Memorial Healthcare recently agreed to pay $230,000 to resolve a lawsuit when two employees inappropriately accessed patients’ data and used the information to open credit card and cell phone accounts. In fact, one in five healthcare provider employees admit they would be willing to sell confidential patient data – a truly shocking statistic when you really think about it.
Now, all this is not to say that employees in the healthcare industry are bad. In fact, most are loyal and honest. However, many large healthcare systems are the size of a small city, and there are numerous factors that can contribute to cases of insider fraud or compound the risks of a potential data breach.
I recently spoke with Phil Fasano, CEO and co-founder of Bay Advisors, and former executive at Kaiser Permanente and AIG. He mentioned that when he worked at Kaiser in the early 2000s the organizations had more than 300,000 employees, including some 60,000 to 80,000 temporary staff – such as contact center workers, custodians and administrative staff – working on any given day. With that many people, there will unfortunately be somebody with ill intentions at some point. Individuals employed in temporary roles or those where turnover is high, such as in the contact center, may not be as familiar with compliance regulations, or may be more tempted to violate the rules because they figure they will be long gone before they get caught.
Cost of a data breach
The fallout from a data breach can be disastrous for a healthcare organization. HIPAA violations can incur fines that range anywhere between $100 and $50,000 per violation or per record. And breaches in PCI DSS compliance – for example, failure to adequately secure patients’ payment card information in the healthcare contact center or billing and collections department – can range from $5,000 to $500,000 per month. For repeated offences, the payment card brands can even revoke the rights of the healthcare organization to process transactions using their cards. And these costs don’t even begin to consider the damage done to a healthcare organization’s brand reputation when a data breach occurs and patients no longer believe their provider or insurer is adequately protecting their personal information.
Though human curiosity will never go away, the right training, tools and technology can help healthcare organizations mitigate the risks posed by insiders and better-protect their patients’ personal information. Here are a few best practices you can implement today.
Best practices for securing patient data from your curious employees
Background checks – I cannot stress enough the importance of conducting thorough background checks on all employees, even temporary staff and contractors. Many organizations skip this step, but there should be no exceptions and no excuses. Background checks can be critically important in identifying individuals who should not be allowed to work in roles that have access to PHI, payment card information or any other type of sensitive data.
Compliance training – All employees with access to any type of sensitive data – whether patient medical histories or billing and payment information – should undergo thorough data security and privacy compliance training. At a minimum, they should be trained on the relevant requirements for HIPAA, GDPR and PCI DSS. Employees should have their training refreshed at least annually.
Limit access to sensitive data – Healthcare organizations should enforce the principal of least privilege user access (LUA) on all computer systems. LUA states that an employee should only have the minimum level of access necessary to do their jobs. For example, an agent in the health system’s contact center needs access to some patient information in order to accept payments or schedule appointments; but they should not be able to access the patient’s private medical history or pull up their information when they are not on the line with the patient.
Segment networks – Healthcare providers should segment their networks not only to strengthen data security, but also to ease regulatory compliance. For example, with a segmented network, the healthcare provider need only worry about PCI DSS compliance on the portions of the network where payments are processed and transmitted. By accepting payments on dedicated terminals that are separate from ordinary business activities like email, the healthcare provider can limit the scope of compliance for PCI DSS and HIPAA alike, potentially saving tens of thousands of dollars and many man hours in compliance program costs.
Break the glass – Healthcare organizations should adopt “Break the Glass” solutions that alert appropriate staff if an employee views sensitive patient data unnecessarily or asks the employee to re-enter their password when accessing confidential information or the records of a high-profile patient. Some even use sophisticated pattern recognition to automatically flag suspicious activity, such as when an employee who views tens of thousands of patient records a month, when his peers typically only view a few thousand. The growth of technologies like machine learning are making these solutions more sophisticated and available to healthcare providers of all sizes.
Don’t hold data you don’t need – No one can hack data you don’t hold. So in addition to segmenting their networks, healthcare organizations should, when possible, keep sensitive data out of their IT and computer systems in the first place. For example, healthcare providers can minimize the risk of a data breach and ease compliance in their contact centers through dual-tone multi-frequency (DTMF) masking solutions. Such solutions enable the contact center to capture numerical data over the phone, while keeping the sensitive information out of the contact center’s computer network. Patients simply enter their payment card numbers, birth dates, social security numbers or other sensitive numerical data directly into their telephone’s keypad. The keypad tones are replaced with flat tones, making them indecipherable to the patient service representative (PSR) on the line and call recording systems. Once captured, the data is encrypted and routed directly to the appropriate third party, such as a payment processor. This ensures that the sensitive data such as the payment card information is not handled or stored within the contact center’s network.
Ultimately, protecting the confidentiality of PHI, PII and sensitive payment card data is part of the responsibility of healthcare providers, as an extension of the Hippocratic Oath to respect the privacy of patients. That includes securing patients’ medical records and cardholder data from both inside and outside threats, whether they are of malicious intent or simply the result of over-curious human nature.
By adopting best practices and technologies – from background checks and training, to DTMF masking solutions and Break the Glass technologies – healthcare providers can ensure their patients’ privacy, and trust, remains intact.