Healthcare Insider Crime Cases Spotlight ChallengesThree Incidents Show How Threats Vary
Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats.
"Sometimes, staff betray the trust that the provider and patients put in them," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "The risk of staff violations can be reduced through background checks, training, regular auditing of system activity and consistent use of discipline. But problems like these can never be eliminated entirely, so it is important that prosecutors pick up the baton and bring criminal prosecution for the more egregious incidents."
Here's a look at the three recent criminal cases involving insiders at healthcare organizations.
Kyle Steed, a former worker at New York City-based Lenox Hill Hospital, was convicted of crimes related to stealing patient information. Those included the theft of identity information from recently deceased patients, which he allegedly passed on to his wife, Krystle Steed.
On Sept. 19, she pleaded guilty to charges related to using the stolen ID information of 80 emergency room patients to take over victims' credit card accounts and place fraudulent phone orders for designer merchandise valued at hundreds of thousands of dollars. She faces sentencing on Oct. 16 on several charges, including grand larceny, ID theft, and criminal possession of stolen property.
In a statement provided to Information Security Media Group, Lenox Hill Hospital says individuals affected by the Steed incidents were offered free credit monitoring. "The hospital continues to take aggressive steps to strengthen the security protocols we have in place to protect patient information," it adds.
In another recent case, Tariq Mahmood, M.D., the former owner of several Texas hospitals who lost an appeal, was resentenced to 135 months in federal prison for conspiracy to commit healthcare fraud, healthcare fraud and aggravated identity theft.
Federal prosecutors say that for more than three years, Mahmood and others carried out a scheme to defraud Medicare and Medicaid through the submission of false claims. Prosecutors say Mahmood and co-conspirators added, changed and incorrectly sequenced diagnostic codes in a way that did not reflect the actual diagnoses and conditions of the patients. In addition to submitting the false claims to Medicare and Medicaid for payment, Mahmood and others also unlawfully used Medicare beneficiaries' names and Medicare numbers in order to commit healthcare fraud, prosecutors say.
The third case involves allegations of egregious privacy violations. New York prosecutors say four nursing home aides were recently charged with felonies and misdemeanors related to their alleged use of a smartphone to take "degrading" still and video images of residents at two facilities in Oswego, N.Y. The defendants were arrested on Sept. 15 and released on their own recognizance. They're are slated for court appearances on Oct. 19.
Prosecutors note in a statement that both nursing homes say they have "strict policies" forbidding the use of cell phones by staffers and the creation of either still or video images of nursing home residents.
These three criminal cases highlight common security and privacy challenges.
"The insider threat is of great concern because they may have authorized access to a lot of confidential information," notes Tom Walsh, founder of security consulting firm tw-Security. That includes patients' protected health information, credit card data, financial records, as well as personally identifiable information of employees, including Social Security numbers, and bank accounts for direct deposits.
"The expression, 'the more time you spend in the hiring and screening process, the less time you'll spend on firing process,' seems relevant to the three news stories," Walsh says. "There is an addressable implementation specification within the HIPAA Security Rule - the 'workforce clearance procedure'. [However], the rule does not provide a lot of guidance on what the 'clearance' process may look like."
Many HR departments conduct one-time screenings of new hires and fail to take follow-up action, Walsh argues. "While a new employee's background may be good at the time they were hired, over time people change and that could influence behaviors," he says.
Mac McMillan, CEO of security consulting firm CynergisTek, notes: "What makes these incidents tough to detect is that you have insiders who know the rules/controls and how to skirt them."
Insiders incidents, such as the recent criminal cases in Texas and New York, also spotlight a number mistakes made by covered entities and even business associates that handle patient data, McMillan says.
Those include: inadequate prescreening of employees; deficient training; ineffective security controls; a lack of proactive monitoring or audits; and weak leadership from senior executives, McMillan says.
Insiders who commit crimes involving patient data often "count on organizations operating in an environment of apathy," he adds.
Privacy and security incidents involving the use of healthcare worker smartphones are particularly tricky to prevent and detect, Walsh says.
"Hospitals have had nursing policies on photography for a long time," he says. "Back when these policies were created, photo and video technology involved some type of camera that was easily identified as such. With the integration of the camera into mobile phones, it becomes less obvious when someone is taking a photo, recording a conversation or creating a video clip."
Requiring workers to "check their phones at the door" is a step most healthcare organizations aren't willing to take, Walsh adds.
Sometimes workers bypass security and privacy controls that are put place by covered entities, says Kerry McConnell, partner and principal consultant at tw-Security.
"Any authorized user/insider has been granted enough access/power to do their jobs, and if they decide to become greedy or have moral character flaws, even repeated vetting of employees will only reveal repeat offenders," McConnell says. "When one commits to doing bad things, the ability to carry out such acts is only limited by the fear of getting caught. Access to information that can be used for bad intent is made available by employers with the best of intentions."