Employees Suspended for Alleged Record Snooping
Tragic Case Spotlights Challenges in Detecting Insider Incidents
A health system's decision to reportedly suspend about a dozen employees for apparently snooping at health records related to the tragic death of a co-worker spotlights the many challenges involved with preventing and detecting insider breaches.
Washington Health System, based in Washington, Pennsylvania, has suspended the workers while it conducts an investigation into possible inappropriate access to patient records, according to a June 18 report from the local news outlet the Observer-Reporter.
The Observer-Reporter reports that the suspensions are believed to be related to the June 6 death of an employee of WHS' Neighbor Health Center, who was killed when an out-of-control car rammed into the building where she was working at the reception desk. The driver and another person were reportedly admitted to two area hospitals with injuries following the crash. WHS operates Washington Hospital, although the local news report did not name the hospitals where the driver and the other injured person were taken.
Larry Pantuso, WHS vice president of strategy and clinical services, confirmed the employee suspensions to the Observer-Reporter, adding that the disciplinary action was "related to a high-profile case," although he would not confirm if the case was related to the tragic death of the WHS worker.
WHS did not immediately respond to an Information Security Media Group request for comment.
Insider Snooping Snafus
The case highlights the various challenges involved in preventing and detecting insider incidents related to record snooping, whether it pertains to fellow employees, VIPs, or "ordinary" patients.
"Insider snooping is not easy to detect since the snoopers are generally users with authorized access to the protected health information systems," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Electronic health records include audit logs, and all organizations with such systems should have been using the logs for proactive snooping detection for many years now," she says.
"Determining when someone misuses her/his access permission is usually a multistep process. It begins with proprietary or in-house software that scans logs and attempts to identify outliers. Then humans must review the suspicious accesses to determine if the user had a work-related reason to access the PHI."
Joe Gillespie, senior privacy and security consultant at tw-Security, notes that the auditing tools of many electronic records systems are burdensome and time-consuming to use.
"Most EMR vendor-supplied tools are just seemingly endless transaction logs of record access," he says. "These require the healthcare entity to establish various scenarios to research in the logs. For example: Records of patients being seen in a cancer clinic are being reviewed by someone working on another unit. Or someone looking at EMR records of someone with the same last name. These scenarios can be endless and take a great deal of time to find that one needle in a haystack, in a field of haystacks."
Borten notes that some organizations attempt to flag records of "VIP" patients, but says the designation can be broad and arbitrary - and may not cover all employees as VIPs. "That's why a privacy or compliance officer needs to work with the information security officer to audit access on a case-by-case basis - as presumably happened in this [WHS] case," she notes.
Mac McMillan, CEO of security consultancy CynergisTek, says the healthcare industry is making progress in discovering and addressing insider snooping incidents with the help of patient privacy monitoring tools.
Particularly helpful are those monitoring products that incorporate behavioral analytics tools "that can look at many different attributes of access and provide more accurate determinations of activity that is not normal or sanctioned with the fewest false positives," he says.
"Many hospitals now have the tools that enable them to recognize very quickly inappropriate employee access to another employee's information, an all too common scenario for snooping," he says. "All of the privacy monitor [tools] on the market today will see employee-on-employee snooping, and the more advanced ones will weed out the false positives quickly to remove doubts as to whether the other employee was part of the care team or not."
So, did WHS act appropriately in suspending the employees suspected of inappropriate access violations?
"Immediate suspension is a good practice," Borten notes. "Hopefully, as each case is reviewed, those who accessed the PHI for a non-work-related purpose will be terminated or, at minimum, suspended without pay for a significant time."
Some provider organizations adopted a zero-tolerance policy on snooping many years ago, and it appears to have radically reduced this misbehavior in those organizations, Borten says. "Of course, the policy must be accompanied by workforce training and awareness so that the message is clear."
Susan Lucci, privacy and security consultant at tw-Security, offers a similar assessment, especially in cases where employees are tempted to snoop at the health information of a fellow worker. "Regardless of an employee's care and concern for their co-worker, they must not forget the right to privacy and the education they participated in which explains why their organization has a policy against unauthorized access," she says.
"In many cases, we have seen situations where snooping is met with zero-tolerance and terminations follow. However, [WHS] has shown great compassion in this case because of the sensitive circumstances by choosing suspension over termination."
While many record-snooping incidents are driven by curiosity, healthcare entities also need to use their monitoring tools to help prevent and detect inappropriate insider access that is potentially more malicious, McMillan notes.
"I'd say overall, those organizations that are making a commitment to the right technology for discovery and the right resources ... are getting better at ... shortening the time that bad actors can go undetected," he says.
"The problem is there is no foolproof solution for detecting all bad actions, especially an insider who knows the rules and is actively working to get around them. Generally though, if the right controls are in place, the chances of them going undetected for long drop," he says.
Gillespie notes that monitoring tools are helping to red-flag incidents that need to be investigated, regardless of motive.
"Many organizations now use software that can be programmed to spot unauthorized access based on a number of different elements. The frequency of a single employee accessing records can be programmed, which would alert the privacy officer to this type of unusual activity and begin to investigate."
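As an added illustration (not code from the article, WHS, or any vendor product), the following Python sketches the first, automated pass that the experts quoted above describe: simple rules run over a constructed EHR audit trail and flag the scenarios they name (a record from another unit viewed by someone not on the care team, a user and patient sharing a last name, employee-on-employee access outside the care team, and one user viewing an unusual number of records) so a privacy officer can review each hit. Field names, the threshold, and the sample records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str              # accessing workforce member
    user_last: str         # user's last name
    user_unit: str         # unit the user works on
    patient: str           # patient record id
    patient_last: str      # patient's last name
    patient_unit: str      # unit where the patient is being seen
    patient_is_employee: bool
    care_team: frozenset   # users with a treatment-related reason to view the record

# Constructed sample audit trail (not real data): one shift of record views.
LOG = [
    Access("u1", "Diaz", "oncology", "p100", "Reed", "oncology", False, frozenset({"u1"})),
    Access("u2", "Khan", "radiology", "p100", "Reed", "oncology", False, frozenset({"u1"})),
    Access("u3", "Reed", "billing", "p100", "Reed", "oncology", False, frozenset({"u1"})),
    Access("u4", "Lee", "emergency", "p200", "Cole", "emergency", True, frozenset({"u4", "u5"})),
    Access("u6", "Park", "pharmacy", "p200", "Cole", "emergency", True, frozenset({"u4", "u5"})),
] + [Access("u7", "Ng", "clinic", f"p{n}", "X", "clinic", False, frozenset()) for n in range(300, 312)]

def flag_accesses(log, max_records_per_user=10):
    """First step of the multistep review: rules pick outliers, humans judge intent."""
    reasons = defaultdict(list)    # (user, patient) -> why the access was flagged
    distinct = defaultdict(set)    # user -> distinct records viewed this shift
    for a in log:
        key = (a.user, a.patient)
        distinct[a.user].add(a.patient)
        on_team = a.user in a.care_team
        if a.patient_is_employee and not on_team:
            reasons[key].append("employee-on-employee access outside care team")
        if a.patient_unit != a.user_unit and not on_team:
            reasons[key].append(f"{a.patient_unit} record viewed from {a.user_unit}")
        if a.user_last == a.patient_last:
            reasons[key].append("user and patient share a last name")
    # Frequency rule: one user touching many distinct records in a single shift.
    for user, records in distinct.items():
        if len(records) > max_records_per_user:
            reasons[(user, "*")].append(f"{len(records)} distinct records in one shift")
    return dict(reasons)

if __name__ == "__main__":
    for key, why in flag_accesses(LOG).items():
        print(key, why)
```

Every hit is only a candidate: as Borten says, a human still has to check whether the user had a work-related reason, and the care-team check is what removes the obvious false positives first.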