Healthcare professionals and their staff must have access to health information of patients to provide medical care and perform healthcare operations.
However, these privileges become a threat when employees abuse them to gain unauthorized access to data they do not need to use or see. It is vital, and good practice, to put controls in place that raise an alert rapidly when improper access occurs: the faster you can respond to improper access, the less harm it causes.
Typically, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months, sometimes even years. This is why it is so important to have the proper controls in place to continually monitor activity on your network and systems that contain ePHI.
Sometimes these breaches occur out of simple human curiosity; other times the data is viewed (and even copied and stolen) with malicious intent. Healthcare data is a big-profit business on the black market. Employees with access to ePHI can gather information that would otherwise be unavailable and use it for their own benefit, which can put your whole business at risk.
Insider threats are a major concern for healthcare security and HIPAA security compliance. A recent Dimensional Research/Preempt survey showed that almost half of IT security professionals are more concerned about internal threats than external attacks and breaches. The network perimeter can be secured, but monitoring for improper access by employees can be more of a challenge.
HIPAA Rules require covered entities to maintain access logs and conduct periodic reviews of those logs to monitor for improper access; however, they do not state how often this should occur. Still, it would be hard to argue that regular, complete checks had been conducted if an employee was able to avoid detection for a prolonged period of time. If an employee managed to evade detection of unauthorized access for years, it would most certainly attract the attention of investigators from the Office for Civil Rights, which could result in hefty fines that would be detrimental to your practice's business health.
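The continual log review the two paragraphs above call for can be automated rather than left to an annual audit. The following is an added example, not code from the original article or from any EHR vendor: it runs three reviewer checks over constructed audit-log lines (access with no documented treatment relationship, an employee viewing their own record, and a user touching an unusually large number of distinct patients in one day). The CSV format, the `CARE_RELATIONSHIPS` roster, the `STAFF_PATIENT_IDS` mapping and the `max_distinct_per_day` threshold are all assumptions for illustration.

```python
"""Added example: flag improper ePHI access from EHR audit-log lines.

Checks implemented (all thresholds and data formats are assumptions):
  1. access to a patient record with no documented treatment relationship
  2. an employee viewing their own patient record (self-lookup)
  3. a user touching more distinct patients in one day than a set threshold
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed audit log (assumed format): timestamp, user, patient id, action.
SAMPLE_LOG = """\
timestamp,user,patient,action
2024-03-04T08:02:11,nurse_01,P1001,view_chart
2024-03-04T08:15:40,nurse_01,P1002,view_chart
2024-03-04T09:30:05,clerk_07,P1001,view_demographics
2024-03-04T09:31:12,clerk_07,P2042,view_chart
2024-03-04T11:05:00,dr_lee,P3003,view_chart
2024-03-04T12:10:44,clerk_07,P2043,view_chart
2024-03-04T12:11:02,clerk_07,P2044,view_chart
2024-03-04T12:11:30,clerk_07,P2045,view_chart
2024-03-05T07:50:00,nurse_01,P1001,update_chart
"""

# Constructed treatment-relationship roster: patients each user is assigned
# to on a given date (assumed to be exported from scheduling/rostering).
CARE_RELATIONSHIPS = {
    ("nurse_01", "2024-03-04"): {"P1001", "P1002"},
    ("nurse_01", "2024-03-05"): {"P1001"},
    ("clerk_07", "2024-03-04"): {"P1001", "P2042"},
}

# Constructed mapping of employees who are also patients, for the
# self-lookup check.
STAFF_PATIENT_IDS = {"dr_lee": "P3003"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse CSV audit lines into dicts and add a 'date' field (YYYY-MM-DD)."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["date"] = row["timestamp"][:10]
    return rows


def find_improper_access(log_text, relationships, staff_patients,
                         max_distinct_per_day=3):
    """Return a list of Alert objects for accesses a reviewer should examine."""
    alerts = []
    distinct_per_user_day = defaultdict(set)
    for row in parse_log(log_text):
        key = (row["user"], row["date"])
        distinct_per_user_day[key].add(row["patient"])
        detail = f"{row['timestamp']} {row['action']} {row['patient']}"
        # Rule 1: no documented relationship between user and patient that day
        if row["patient"] not in relationships.get(key, set()):
            alerts.append(Alert("no_treatment_relationship", row["user"], detail))
        # Rule 2: employee viewing their own record
        if staff_patients.get(row["user"]) == row["patient"]:
            alerts.append(Alert("self_lookup", row["user"], detail))
    # Rule 3: volume anomaly, evaluated per user and day
    for (user, date), patients in distinct_per_user_day.items():
        if len(patients) > max_distinct_per_day:
            alerts.append(Alert("excessive_distinct_patients", user,
                                f"{date}: {len(patients)} distinct patients"))
    return alerts


if __name__ == "__main__":
    for alert in find_improper_access(SAMPLE_LOG, CARE_RELATIONSHIPS,
                                      STAFF_PATIENT_IDS):
        print(f"[{alert.rule}] {alert.user}: {alert.detail}")
```

Run daily against the previous day's export, the same checks turn a once-a-year audit into a standing control; the roster join is the part that does the real work, because a relationship table is what distinguishes "clerk looked up a patient on today's schedule" from "clerk browsed four unrelated charts in a minute".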