Hospitals and physician practices conducting computer security risk analyses for HIPAA compliance and for meaningful use (per HIPAA Security Rule 45 CFR 164.308(a)(1)) must assess the threats and their likelihood of occurrence. Because most breaches are never reported, accurate information on likelihood of occurrence is difficult to come by. Another study on breach likelihood was recently published by Veriphyr, an identity and access intelligence vendor. While this is a small study, the results are instructive.

The study design was an 18-question survey. Half of the respondents were employed by organizations with over 1000 employees, the other half by organizations with fewer than 1000. 52% were employed by hospitals or integrated delivery systems, and 63% indicated that “compliance” was their functional role.

The results indicated the following breach prevalence for 2011:

  • Medical Records Snooping – Employee – 35%
  • No Breaches Occurred – 28%
  • Medical Records Snooping – Friend/Relative – 28%
  • Loss/Theft of Physical Records – 25%
  • Loss/Theft of Equipment Holding PHI – 20%
  • Other – 20%
  • Unauthorized System/Application Access – by Insider – 9%
  • Medical Records Snooping – 9%
  • Medical Records Snooping – 6%

With any survey instrument, the results are influenced by the survey design. This survey provides high granularity on insider threats, particularly medical records snooping. The technical control that prevents snooping is the access control mechanism in medical record software. In actual practice, however, large organizations run into problems when they attempt to limit employee access too tightly, because of job rotations, the need for interdisciplinary consultations, and the nature of certain functions. As a result, employees frequently retain the technical ability to view the records of patients in whose care they are not involved.

As a result, additional controls should include:

  • Unique user IDs, strong passwords, and a computer usage policy that instructs employees not to share user IDs or passwords, with consistent enforcement of that policy
  • Employee and physician training, educating them about HIPAA allowed uses and disclosures, and that employees will be held accountable for all activity conducted using their user ID
  • A robust auditing program to detect inappropriate accesses by employees
  • A meaningful sanction program that sanctions employees (including non-employee physicians!) for inappropriate use and disclosure, with sanctions commensurate with the severity of the violation
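The auditing control above in working form, as an added example that is not from the post or from Veriphyr: the audit-log format, the care-team roster and the user and patient directories are all constructed for illustration. It flags chart views by users with no documented treatment relationship to the patient, and notes a shared surname as an indicator for the friend/relative snooping category the survey breaks out.

```python
from collections import Counter

# Constructed sample data (not from the post or the survey).
# Care-team roster: users with a documented treatment relationship per patient.
CARE_TEAM = {
    "P100": {"dr_lee", "rn_ortiz"},
    "P200": {"dr_chen", "rn_patel"},
}
# Patient and user directories, used for the friend/relative heuristic.
PATIENT_SURNAME = {"P100": "Brown", "P200": "Kim"}
USER_SURNAME = {"dr_lee": "Lee", "rn_ortiz": "Ortiz", "dr_chen": "Chen",
                "rn_patel": "Patel", "clerk_kim": "Kim"}

# Constructed EHR audit trail: timestamp, user ID, patient ID, action.
AUDIT_LOG = """\
2011-03-01T08:02:11 dr_lee P100 view_chart
2011-03-01T08:15:40 rn_ortiz P100 view_chart
2011-03-01T09:03:02 dr_chen P200 view_chart
2011-03-01T12:47:19 rn_ortiz P200 view_chart
2011-03-01T13:10:55 clerk_kim P200 view_chart
2011-03-01T13:11:30 clerk_kim P100 view_chart
"""

def parse_log(text):
    """Return (timestamp, user, patient, action) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, patient, action = line.split()
            rows.append((ts, user, patient, action))
    return rows

def find_snooping(rows):
    """Flag accesses with no treatment relationship; a shared surname is
    added as a second reason because it suggests a friend or relative."""
    findings = []
    for ts, user, patient, action in rows:
        if user in CARE_TEAM.get(patient, set()):
            continue  # documented care-team member: legitimate access
        reasons = ["no treatment relationship"]
        if USER_SURNAME.get(user) == PATIENT_SURNAME.get(patient):
            reasons.append("shares surname with patient")
        findings.append((ts, user, patient, ", ".join(reasons)))
    return findings

def flagged_per_user(findings):
    """Count flagged accesses per user ID, the figure a sanction review needs."""
    return Counter(user for _, user, _, _ in findings)

if __name__ == "__main__":
    for finding in find_snooping(parse_log(AUDIT_LOG)):
        print(*finding)
```

In a real deployment the care-team roster would come from the EHR's encounter or order data and the review would be run on a schedule, with every flagged access traced back to the unique user ID that the policy above holds accountable.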

For readers interested in reviewing the complete study, a copy of the study, 2011 Survey of Patient Privacy Breaches, may be downloaded from the study author. Registration is required. Extrapolation to environments different from those of the respondents may be done, but with caution.
