On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access
Defenses need to be put in place to detect and block attempts by cybercriminals to access healthcare networks, but not all threats are external. Each year, many data breaches are reported by hospitals and medical practices that involve unauthorized access to medical records by employees. These data breaches include non-malicious snooping on the medical records of colleagues, friends, family members, and high-profile patients, and insider wrongdoing incidents where patient data is stolen for identity theft and fraud or to take to a new employer. The healthcare industry has historically had a far bigger problem with insider data breaches than other industry sectors.
The study, recently published in the JAMA Open Network, was conducted at a large academic medical center and explored the effectiveness of email warnings in preventing repeated unauthorized access to protected health information (PHI) by employees. Over a 7-month period in July 2018, the medical center’s PHI access monitoring system flagged 444 instances where employees accessed the medical records of patients they were not authorized to view. 49% of those employees (219) were randomly selected and sent an email warning on the night the unauthorized access was detected; the remaining employees received no warning and served as the control group.
The emails explained that the automated system had detected unauthorized medical record access and advised the employees that this was a privacy violation, as the medical center has a strict policy in place that prohibits accessing the medical records of individuals such as friends, family members, colleagues, and acquaintances unless they have written authorization to do so. No disciplinary action was taken against the employees for the duration of the study, but all employees were later disciplined per the medical center’s sanctions policy.
The study found that only 4 of the 219 employees (2%) who received an email warning repeated the offense, compared to 90 employees in the control group (40%). In the email warning group, the 4 repeat offenses occurred between 20 and 70 days after the initial unauthorized access. 88% of repeat violations by the control group occurred within 10 days of the initial offense, and 17% occurred after 90 days. On-the-spot intervention was found to be 95% effective at preventing further unauthorized access, and email warnings continue to be used by the medical center as a critical access control measure.
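As an added example, not code from the study or the article, the detection and follow-up measurement the study relies on can be sketched in Python: a care-team table stands in for the medical center's authorization logic, constructed EHR audit-log lines are flagged when the accessing employee has no treatment relationship with the patient, and repeat offenses are bucketed by days since the first flag and summarized per warning/control group. The care-team table, log lines, and group assignment are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed care-team table: employees with a legitimate treatment relationship
# to each patient. Any access by someone not listed is flagged as unauthorized.
CARE_TEAM = {"P100": {"E1", "E2"}, "P200": {"E3"}, "P300": {"E1"}}

# Constructed EHR audit-log lines: timestamp, employee id, patient id, action.
AUDIT_LOG = """\
2018-07-02T09:15:00 E1 P100 chart_view
2018-07-02T09:20:00 E2 P300 chart_view
2018-07-02T21:05:00 E3 P100 chart_view
2018-07-09T08:00:00 E2 P300 chart_view
2018-08-15T10:30:00 E3 P100 chart_view
2018-10-20T11:00:00 E2 P300 chart_view
2018-07-03T12:00:00 E4 P200 chart_view
"""

# Constructed group assignment mirroring the study design: some flagged
# employees receive a same-night email warning, the rest are controls.
GROUP = {"E2": "control", "E3": "warning", "E4": "warning"}

def parse_log(text):
    """Parse audit-log lines into (timestamp, employee, patient, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, emp, pat, action = line.split()
        events.append((datetime.fromisoformat(ts), emp, pat, action))
    return sorted(events)

def flag_unauthorized(events, care_team):
    """Keep only accesses by employees outside the patient's care team."""
    return [e for e in events if e[1] not in care_team.get(e[2], set())]

def repeat_offenses(flagged):
    """Map employee -> days elapsed between the first flagged access and each later one."""
    first, repeats = {}, defaultdict(list)
    for ts, emp, _pat, _action in flagged:
        if emp not in first:
            first[emp] = ts
        else:
            repeats[emp].append((ts - first[emp]).days)
    return {emp: repeats[emp] for emp in first}

def repeat_rate_by_group(offenses, group):
    """Per group: fraction of flagged employees who re-offended, and the sorted repeat delays."""
    counts, repeaters, delays = defaultdict(int), defaultdict(int), defaultdict(list)
    for emp, days in offenses.items():
        g = group[emp]
        counts[g] += 1
        if days:
            repeaters[g] += 1
            delays[g].extend(days)
    return {g: (repeaters[g] / counts[g], sorted(delays[g])) for g in counts}
```

The same-night warning in the study corresponds to acting on each flagged event as soon as `flag_unauthorized` produces it, and the repeat-delay buckets let a privacy office compare the 10-day and 90-day windows the study reports.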
The study – Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information – was co-authored by Nick Culbertson, CEO and Co-Founder of Protenus; John Xuefeng Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University; and Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School.