In June, an insider (an employee) accessed PHI records of patients of Orlando Health, a multi-hospital healthcare system in central Florida. This is the same hospital system that treated victims of the Orlando Pulse nightclub shootings at its Orlando Regional Medical Center. Local TV station WFTV confirmed that the affected records belong to victims of the nightclub attack.
The hospital system has stated that there is no evidence the patient information left the hospital. Still, it is not beyond the realm of possibility that criminal actors could use insider access to PHI as part of a plan to prey on patients, their identities, and their finances.
Hospitals should always limit PHI access, instruct employees about inappropriate access, and discipline insiders who are responsible for breaches.
According to the Data Breach Today story, Orlando Health discovered in July that an employee had committed a health records privacy violation in June, and sanctioned the person. In a letter published by WFTV, Jamal Hakim, M.D., chief operating officer of Orlando Health, stated that he believes the employee viewed the medical records to satisfy personal curiosity about the high-profile nightclub tragedy, even though such access was outside the employee's job duties.
According to a news report from local TV station WFTV, there is some confusion as to whether one or many employees viewed the patient records as part of the unauthorized access. While the hospital’s letter to patients and families said one employee was to blame, a hospital email said there was more than one guilty party.
The hospital confirmed that the exposed records did not contain any Social Security numbers or financial information belonging to the patients.
Preventing insider breaches
Due to the potential for harm, hospitals should always limit PHI access to the minimum an employee needs to fulfill the duties of their job. An employee with no clinical or business reason to see a record should have no way to open it. Hospitals should trial identity and access management (IAM) tools that enforce access controls at the granular level the institution needs, for example by role and by which patients a staff member is actually assigned to. Other tools provide additional privacy protection, including some that mask (obfuscate) PHI fields so that even staff who need access see no more than is necessary.
Hospitals should log every actual PHI record access event, so that they can verify that no one has circumvented access controls and that no access occurs outside policy or the privileges the institution has granted to staff. Medical facilities should also log and monitor failed attempts at unsanctioned access, to identify questionable employee behavior before it escalates.
Orlando Health did not discover the breach for a month. Hospitals that monitor access should consider tools that analyze access logs in real time and immediately alert IT security to unauthorized access; any tool that surfaces suspicious activity around PHI records as it happens, rather than weeks later, is worth evaluating.
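As an added example (not Orlando Health's tooling, nor code from the article), the following Python script shows the two checks described above run over a constructed EHR audit log: first, a least-privilege policy (permitted record sections per role, plus a requirement that clinical staff be assigned to the unit the patient is on) is re-evaluated against every granted access to catch anyone who circumvented the controls; second, a sliding window over denied attempts flags a user probing for records they cannot open. The log format, role table, unit assignments and user IDs are all assumptions made up for the example.

```python
"""Re-check PHI access events against policy and flag bursts of denials.

Added example, not from the article. The pipe-delimited audit format,
the role permission table, the per-shift unit assignments and all user
and patient identifiers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed least-privilege table: which record sections each role may open.
ROLE_PERMISSIONS = {
    "attending": {"demographics", "clinical_notes", "labs", "imaging"},
    "nurse": {"demographics", "clinical_notes", "labs"},
    "billing": {"demographics", "billing"},
    "scheduler": {"demographics"},
}
# Assumed assignments: clinical staff may only open records of patients
# on a unit they are assigned to (a stand-in for a treatment relationship).
USER_UNITS = {
    "u100": {"trauma_icu"},
    "u200": {"trauma_icu", "ortho"},
    "u300": set(),              # billing clerk, no clinical unit
    "u400": {"outpatient"},
}
CLINICAL_ROLES = {"attending", "nurse"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    unit: str        # unit the patient is admitted to
    section: str     # record section that was opened
    granted: bool    # what the EHR actually decided


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed audit line: ts|user|role|patient|unit|section|outcome."""
    ts, user, role, patient, unit, section, outcome = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient,
                       unit, section, outcome == "granted")


def authorized(ev: AccessEvent) -> bool:
    """Policy the EHR should have enforced; re-evaluated here independently."""
    if ev.section not in ROLE_PERMISSIONS.get(ev.role, set()):
        return False
    if ev.role in CLINICAL_ROLES and ev.unit not in USER_UNITS.get(ev.user, set()):
        return False
    return True


def analyze(lines, burst_window=timedelta(minutes=10), burst_threshold=3):
    """Return findings in log order.

    policy_bypass: access was granted but policy says it should not have been.
    denied_burst:  a user accumulated `burst_threshold` denials inside `burst_window`.
    """
    findings = []
    denials = defaultdict(list)          # user -> timestamps of recent denials
    for line in lines:
        ev = parse_line(line)
        if ev.granted and not authorized(ev):
            findings.append({"type": "policy_bypass", "user": ev.user,
                             "patient": ev.patient, "section": ev.section,
                             "ts": ev.ts.isoformat()})
        elif not ev.granted:
            recent = [t for t in denials[ev.user] if ev.ts - t <= burst_window]
            recent.append(ev.ts)
            if len(recent) >= burst_threshold:
                findings.append({"type": "denied_burst", "user": ev.user,
                                 "count": len(recent), "ts": ev.ts.isoformat()})
                recent = []              # report once, then start a new window
            denials[ev.user] = recent
    return findings


# Constructed sample log (dates and IDs are illustrative only).
SAMPLE_LOG = [
    "2016-06-15T08:12:03|u100|attending|P001|trauma_icu|clinical_notes|granted",
    "2016-06-15T08:13:40|u200|nurse|P001|trauma_icu|labs|granted",
    "2016-06-15T08:15:00|u400|nurse|P002|trauma_icu|clinical_notes|granted",  # off-unit
    "2016-06-15T08:20:00|u300|billing|P001|trauma_icu|clinical_notes|denied",
    "2016-06-15T08:22:10|u300|billing|P002|trauma_icu|clinical_notes|denied",
    "2016-06-15T08:25:30|u300|billing|P003|trauma_icu|labs|denied",           # 3rd denial
    "2016-06-15T08:26:00|u300|billing|P001|trauma_icu|billing|granted",
    "2016-06-15T08:40:00|u400|nurse|P003|trauma_icu|demographics|granted",     # off-unit
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run as a script, it prints two policy_bypass findings for u400 and one denied_burst for u300. Two caveats a practitioner would apply: real EHRs have a break-the-glass path for emergencies, so a granted-but-unauthorized finding should be routed to a privacy officer for review rather than trigger an automatic lockout, and the same sliding window can be pointed at granted accesses to catch a clinician opening far more distinct charts than their caseload explains.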
Educate employees about inappropriate access and fully explain access policies. Demonstrate appropriate access-related procedures. Test and confirm employee education to verify that knowledge of what counts as unwarranted access, and of the penalties for infractions, has been communicated and is understood by the employee. Hospitals should reeducate employees regularly and retest them as well.
By setting specific sanctions in published policies for each type of mishandling of PHI, including these sanctions in employee education, and enforcing them to the letter, hospital systems can mitigate the potential for these types of privacy violations and security breaches.