Healthcare Insider Crime Cases Spotlight Challenges
Three recent criminal cases involving hospital insiders who allegedly committed a variety of fraud, identity theft or egregious privacy violations that victimized patients highlight just how difficult it is to mitigate insider threats.
“The insider threat is of great concern because they may have authorized access to a lot of confidential information,” notes Tom Walsh, founder of security consulting firm tw-Security. That includes patients’ protected health information, credit card data, financial records, as well as personally identifiable information of employees, including Social Security numbers, and bank accounts for direct deposits.
“The expression, ‘the more time you spend in the hiring and screening process, the less time you’ll spend on the firing process,’ seems relevant to the three news stories,” Walsh says. “There is an addressable implementation specification within the HIPAA Security Rule – the ‘workforce clearance procedure’. [However], the rule does not provide a lot of guidance on what the ‘clearance’ process may look like.”
Many HR departments conduct one-time screenings of new hires and fail to take follow-up action, Walsh argues. “While a new employee’s background may be good at the time they were hired, over time people change and that could influence behaviors,” he says.
Privacy and security incidents involving the use of healthcare worker smartphones are particularly tricky to prevent and detect, Walsh says.
“Hospitals have had nursing policies on photography for a long time,” he says. “Back when these policies were created, photo and video technology involved some type of camera that was easily identified as such. With the integration of the camera into mobile phones, it becomes less obvious when someone is taking a photo, recording a conversation or creating a video clip.”
Requiring workers to “check their phones at the door” is a step most healthcare organizations aren’t willing to take, Walsh adds.
Sometimes workers bypass security and privacy controls that are put in place by covered entities, says Kerry McConnell, partner and principal consultant at tw-Security.
“Any authorized user/insider has been granted enough access/power to do their jobs, and if they decide to become greedy or have moral character flaws, even repeated vetting of employees will only reveal repeat offenders,” McConnell says. “When one commits to doing bad things, the ability to carry out such acts is only limited by the fear of getting caught. Access to information that can be used for bad intent is made available by employers with the best of intentions.”