Under the HIPAA Radar: Small-Scale Violations of Medical Privacy

A recent ProPublica article highlighted how small-scale medical data privacy breaches are causing harm across the nation. The impact of small-scale breaches is immense, but they garner comparatively little coverage, as most breach headlines focus on large-scale breaches involving hundreds if not thousands of medical records. Often the result of lost laptops, network intrusion, or theft, these large-scale breaches must be reported to the Health and Human Services Office for Civil Rights. While they must be reported, such breaches are arguably easier to detect (e.g., where did your laptop go?). In contrast, small-scale breaches, in which an employee may snoop on a single record out of curiosity, can cause just as much harm, but often go undetected.

The most well-known small-scale breaches involve celebrities and dignitaries. Congresswoman Gabrielle Giffords, Britney Spears and Jason Pierre-Paul all had their data compromised. Curious employees, eager to see why a celebrity is in the hospital, can search Electronic Medical Records Systems to quickly retrieve patient data. While some hospitals may dedicate a privacy officer to review accesses to a VIP’s record, this does not happen for the general public. However, inappropriate access to any individual’s patient data, VIP or not, can have equally disastrous consequences for both the organization and the person whose medical record has been inappropriately accessed.

This situation raises many questions about small-scale breaches:

  1.   What are some common small-scale privacy breaches?
  2.   Why are small-scale breaches hard to detect?
  3.   What can be done to catch small-scale breaches?
  4.   Why should healthcare providers increase their effort to detect small-scale breaches?

What are some common small-scale privacy breaches?

Small-scale breaches have been known to involve family members snooping on other family members, nosy neighbors or curious co-workers. These high-risk cases are some of the basic things hospitals should be checking for. However, many additional small-scale breaches are likely occurring daily that are much more difficult to detect, such as snooping on an ex-boyfriend’s or ex-girlfriend’s record, looking at a business associate’s patient data, or hospital employees being paid to extract data for non-employees.

While the aforementioned scenarios might seem common, and even might cause some to think twice about their healthcare friends, it is important to realize that NONE of these scenarios are currently monitored for, and most healthcare providers have NO WAY of effectively detecting them.

Why are small-scale breaches hard to detect?

There are several reasons why small breaches are harder to find, but most notably: there are not enough privacy officers working to find these breaches, and currently deployed technologies are not effectively able to detect a range of threats.

First, a patient treated at a medium to large hospital in a metropolitan area is one of thousands, if not millions, of medical records accessed daily. A team of privacy analysts manually looking for inappropriate activity has a better chance of winning the lottery than of finding a single breach.

Second, the technology used today relies on very basic sets of rules to try to catch breaches. If a healthcare employee inappropriately accessing a record does not have the same last name as the patient, does not live on the same street, and is not a co-worker of the patient, then there is an extremely small chance they will be caught.

To put this into context, imagine that the greater New York City area had 10 police officers whose only job was to look for criminals that fit the general criteria: black coat and carrying an iPhone. Moreover, the criteria are set before crimes occur. These broad search criteria would result in many unnecessary stops (a high false positive rate) and wasted effort. If a criminal didn’t meet these criteria, or was intrinsically able to avoid them (e.g., never wears a black coat), there is no chance of getting caught.

What can be done to catch these small breaches?

It may seem that there is nothing that can be reasonably done to limit, detect or deter small-scale breaches. However, new technology is beginning to address these challenges.

Imagine trying to list all the ways people may behave inappropriately; it is impossible. There will always be different reasons breaches occur. Therefore, a key to identifying inappropriate access is to flip the problem and attempt to better understand appropriate access. Newer technologies such as User Behavior Analytics (UBA) offer a next step in small-scale breach detection. Beyond simply identifying outliers, the technology learns why an employee accesses a patient’s record (i.e., its clinical or operational reasons) using clinical context, and filters away these appropriate accesses, leaving a much smaller number for manual review.
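The contrast between the static rules described earlier (same last name, same street, co-worker) and the context-based approach described in this section can be made concrete with a small audit script. The following is an added example, not code from the original post or from any vendor’s product; the staff directory, patient directory, encounters and access log are all constructed for the demonstration, and the specific rules (a care-team assignment, a same-department encounter, or a billing review within 30 days of discharge counts as an explained access) are assumptions chosen to illustrate the idea.

```python
"""Constructed example: two ways of auditing EMR access logs.

rule_based_flags()    reproduces the basic static rules the post describes
                      (same last name, same street, patient is a co-worker).
context_based_flags() keeps only accesses that no treatment or operational
                      relationship active at access time can explain.
Every person, encounter and log entry below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Person:
    id: str
    last_name: str
    street: str
    department: str = ""          # non-empty only for hospital staff


@dataclass(frozen=True)
class Encounter:
    patient: str
    department: str
    care_team: frozenset          # staff ids assigned to this encounter
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Access:
    staff: str
    patient: str
    at: datetime


T0 = datetime(2016, 3, 1, 8, 0)
H = timedelta(hours=1)
D = timedelta(days=1)
BILLING_WINDOW = 30 * D           # assumed post-discharge billing review period

# Constructed directories (no real people or records).
STAFF = {p.id: p for p in [
    Person("n01", "Rivera", "12 Elm St", "Cardiology"),
    Person("n02", "Chen", "40 Oak Ave", "Emergency"),
    Person("n03", "Okafor", "9 Pine Rd", "Billing"),
]}
PATIENTS = {p.id: p for p in [
    Person("p100", "Smith", "3 Maple Ct"),
    Person("p101", "Diaz", "55 Cedar Dr"),      # no link to any staff member
    Person("p102", "Chen", "40 Oak Ave"),       # n02's relative, treated in the ED
    STAFF["n02"],                               # staff are patients too (co-worker case)
]}
ENCOUNTERS = [
    Encounter("p100", "Cardiology", frozenset({"n01"}), T0, T0 + 2 * D),
    Encounter("p102", "Emergency", frozenset({"n02"}), T0 + 3 * D, T0 + 3 * D + 6 * H),
]

# Constructed access log: one line per record view.
ACCESS_LOG = [
    Access("n01", "p100", T0 + 5 * H),          # treating nurse during encounter
    Access("n01", "p101", T0 + 6 * H),          # no relationship at all (snooping)
    Access("n02", "p102", T0 + 3 * D + 1 * H),  # relative, but on the ED care team
    Access("n03", "p100", T0 + 10 * D),         # billing review after discharge
    Access("n03", "n02", T0 + 12 * D),          # co-worker's record, no encounter
]


def rule_based_flags(log):
    """Static rules: flag when staff and patient share a last name or street,
    or when the patient is a hospital employee."""
    flagged = []
    for a in log:
        s, p = STAFF[a.staff], PATIENTS[a.patient]
        if s.last_name == p.last_name or s.street == p.street or a.patient in STAFF:
            flagged.append(a)
    return flagged


def explained_by_context(a):
    """True when an active clinical or operational relationship accounts
    for the access; such accesses are filtered out of the review queue."""
    s = STAFF[a.staff]
    for e in ENCOUNTERS:
        if e.patient != a.patient:
            continue
        active = e.start <= a.at <= e.end
        if active and (a.staff in e.care_team or s.department == e.department):
            return True
        if s.department == "Billing" and e.end <= a.at <= e.end + BILLING_WINDOW:
            return True
    return False


def context_based_flags(log):
    """Everything the clinical context cannot explain goes to manual review."""
    return [a for a in log if not explained_by_context(a)]


if __name__ == "__main__":
    for name, fn in (("rule-based", rule_based_flags), ("context-based", context_based_flags)):
        print(name, [(a.staff, a.patient) for a in fn(ACCESS_LOG)])
```

Run on the constructed log, the static rules flag the nurse treating her own relative and the co-worker lookup but never see the access to p101, which matches no rule at all; the context filter clears the three accesses that have a clinical or billing explanation and leaves exactly the two unexplained ones for a privacy officer to review.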

Why should healthcare providers increase their effort to detect small-scale breaches?

Current auditing methods review less than 1% of accesses to an Electronic Medical Record System. Even worse, most small-scale threats are likely never to be detected. Unfortunately, investing in security and privacy tools often does not provide immediate financial incentives – the initial capital expense is only valued later, when problems are detected – so executives may not be willing to commit limited funds.

However, many are starting to see the value of investing in technologies to detect and deter small-scale breaches today. Deploying these technologies allows hospitals to mitigate the risk of government fines and maintain their privacy brand. These tools also allow privacy officers to more efficiently review suspicious accesses given the new technology’s low false positive rates.

Based on market interviews, it appears that less than half of hospitals have tools to proactively audit for small-scale breaches, and many more are still doing audits manually. In the next one to three years, the industry will see a transformation to more automated methods, making manual approaches insufficient when government inspectors come knocking.