Inappropriate Access to Records Continued for 8 YearsBreach Reported by Kaiser Permanente Spotlights Insider Threat Challenges
A radiology technician allegedly inappropriately accessed thousands of patient records for more than eight years, according to a newly filed breach report from Kaiser Permanente Health Plan of the Mid-Atlantic States. The incident is yet another example of the challenges healthcare organizations face in dealing with insider threats.
The technician inappropriately accessed electronic medical records of more than 2,700 individuals, according to a posting on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the HHS Office for Civil Rights website lists health data breaches affecting 500 or more individuals.
The breach illustrates the persistent challenges healthcare organizations face in providing clinical employees with appropriate, limited access to patients' information.
"Detection and identification of unauthorized access of electronic health records by internal staff has long been problematic," says Rich Curtiss, director of healthcare and life sciences at the security consultancy Coalfire.
"Many factors contribute to this, but the primary one is a lack of real-time monitoring," he notes. "Auditing of EHR access is often done in a random fashion every quarter, which is unable to detect when records are being viewed by unauthorized staff. This can be compounded by having multiple, practice-specific EHR systems - for example, radiology, oncology, etc. - which have a different set of users and access mechanisms."
In a statement provided to Information Security Media Group, Kaiser Permanente says it recently learned that a former employee accessed radiology records "without business justification."
"Based on an investigation, we determined that the former employee's access was outside the scope of her job functions. To date, there is no evidence that the accessed information has been used or shared to commit fraud or any other criminal activities. The radiology records were inappropriately accessed between 2012 and 2020," the statement says.
"When we learned about the inappropriate access in late March, the former employee, a radiology department imaging technician, was immediately placed on administrative leave while an investigation was conducted," Kaiser Permanente says. "The employee has now been terminated. We began notifying potentially impacted members on May 22."
The managed care organization adds that it is "taking steps to ensure that this situation does not occur again. ... That includes employee education on the importance of properly safeguarding members' health information."
Kaiser Permanente did not immediately respond to ISMG's request for additional details about the incident.
Unfortunately, other incidents involving employees inappropriately accessing patient information for an extended period have been reported to HHS.
For instance, in 2014, UMass Memorial, the 781-bed flagship medical center of UMass Memorial Health Care, revealed that it learned a former employee may have inappropriately accessed patient information during her 12-year employment at the hospital. The hospital said information on at least four patients may have been misused, including for opening credit card and cell phone accounts.
A number of factors can contribute to the failure to detect long-term inappropriate access to patient information.
In situations like the Kaiser Permanent incident, "if the patients in question had any kind of imaging done, at first glance, seeing someone from radiology access a chart doesn't appear out of the ordinary," says Charles Ragland, a security engineer at vendor Digital Shadows.
Many charting systems rely on role-based access management at the departmental level because many employees within a department may be involved in patient care over time, he adds.
Access rules can be difficult to implement if they are not centrally managed and can add friction to providing critical care, notes Terence Jackson, CISO at Thycotic, a provider of privileged access management technology. "Granular access controls are even more difficult to manage. In this particular instance, it appears that the radiology tech had been granted improper access from the start," he says.
"Regular access reviews should be conducted to verify who has access to what. Anyone who does not have a need to know should have their access removed. At minimum these reviews should be performed semi-annually, but quarterly is more of a best practice."
Lots of Breaches
The HHS breach reporting website is littered with dozens of unauthorized access/disclosure incidents.
Such incidents have recently been reported by Detroit-based occupational therapy practice PsyGenics, Wilkes-Barre, Pennsylvania-based Geisinger Wyoming Valley Medical Center and the Phoenix-based practice Arizona Endocrinology Center (see Insider Threat: Lessons From 3 Incidents).
Also, while many insider breaches are committed by "nosy" workers who have access to patient information, malicious incidents involving criminal activities conducted by employees are also a risk.
For instance, a former administrative employee of a Florida medical marijuana clinic and several other clinics was recently sentenced to serve time in federal prison after pleading guilty to identity theft and wire fraud. (see Inside Job at Clinic: Mobile Phone Used for Fraud).
Prosecutors in that case alleged that the former employee used her personal cell phone's camera to take photos of dozens of patients' information that she then used to make fraudulent purchases and also sold to others for $100 per image.
Organizations should make sure their employees are aware that privacy and security violations can have serious consequences, says HIPAA attorney Helen Oscislawski of the law firm Attorneys at Oscislawski.
HIPAA enables the Department of Justice or state attorneys general to prosecute individuals for knowingly using, obtaining or disclosing individually identifiable health information, she notes.
"Many people do not realize that numerous individuals, including nurses, doctors and other employees of hospitals and healthcare organizations, have been criminally charged under these provisions," she adds.
In 2012, a physician at UCLA Health System was one of the first individuals to be prosecuted for accessing patients' medical information without a legitimate purpose, she notes.
"After an unsuccessful appeal ... he was sentenced to four months in prison, with one year supervised released and assessed a $2,000 fine," she says.
Healthcare entities need to be proactive in preventing unauthorized access to patient records, Curtiss says.
"Limiting access to PHI to the 'minimum necessary' is a hallmark of the HIPAA Privacy Rule," he notes.
"When access to patient information is not audited in an efficient and timely manner, it encourages 'bad actors.' If a robust auditing and surveillance program is known to exist with appropriate sanctions, it will discourage internal staff from even thinking about 'casually' viewing a patient record for which they don't have authorization," he says.
Healthcare organizations that are only conducting random, manual audits should consider implementing improved "detective" controls within the EHR to "alert and alarm" of unauthorized viewing of patient information, Curtiss adds.
"If the EHR does not have this capability or it requires substantive investment to reconfigure the EHR, consider real-time EHR auditing software and/or managed services," he suggests.
"These systems will detect when a record is viewed by someone who has not been authorized and will alert the compliance staff to the violation for further investigation. However, they must be uniformly applied to all EHR systems within the organization."