Probably the biggest threat to an organization -- and one that keeps CIOs awake at night -- is damage caused by unethical and disgruntled employees. The biggest security risk, causing the greatest potential damage, is people with legitimate access credentials who either unintentionally leak data or willfully damage the company by accessing or disclosing sensitive information.
Today, with the enormous amount of extremely sensitive, private, and confidential information stored in electronic health records (EHRs), this threat is now the biggest issue for healthcare providers, IT professionals, and government regulators.
This is creating some serious concerns in Europe, and in the UK, there's a campaign called "The Big Opt Out" that's asking the government to stop collecting private information on electronic health records without patients' consent.
The problem is not really about staff having a peek at some records of family and/or friends, or being curious about a celebrity that they saw at the hospital. It's the potential damage of sharing this information with others, casually or deliberately, for financial gain.
To access a patient file in a hospital, it used to be necessary to go to a physical archive, usually locked and visible, in a place where people needed to show IDs. People could be questioned if they were looking at the wrong file, but even then, that did not stop some from trying. Today, accessing the information from inside can be done in total privacy, with the click of a mouse.
A new report from FairWarning, a provider of turn-key privacy auditing solutions, claims that “The greatest threat is not from lost or stolen laptops and mobile devices, but from staff abusing their legitimate access rights to read electronic records they have no right to see.”
The biggest problem for IT professionals in implementing security measures is that many healthcare professionals need to access the protected health information (PHI) of a patient. Generally, access to patient records is granted to all clinical personnel who may need it, increasing the potential danger of misuse. Limitation of access should not jeopardize the rendering of any care the patient needs.
However, because of the ease of accessing the information, improper access is increasing worldwide. The same report claims that, “On any given day a typical large hospital can expect inappropriate accessing of patient records by staff three to five times,” acts that, if discovered, could potentially destroy the institution’s reputation.
Perhaps the biggest deterrent for illegal access is an audit trail, which is now required by the UK government on all deployed EHR software. If there is suspicion of confidential information being released, the trail could identify by whom, when, and where the patient's record was accessed. However, according to "The Big Opt Out," software vendors such as EMIS and INPS do not implement the audit trail yet.
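As an added example (not code from the article, and not the audit implementation of FairWarning, EMIS or INPS), the Python script below shows the kind of retrospective audit-trail review the two paragraphs above describe: every record access is allowed at the time, so care is never blocked, but each access is logged with who, when and from where, and the log is then checked against the patient's documented care team so that staff reading records they have no care relationship with are surfaced for follow-up. The log line format, the staff identifiers, the patient identifiers and the care-team roster are all constructed for illustration.

```python
"""Retrospective audit-trail review for EHR record access (added example).

Constructed log line format (assumed, not any vendor's real format):
    <ISO timestamp> user=<staff id> patient=<record id> action=<view|update> ws=<workstation>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    when: str          # when the record was accessed
    user: str          # by whom (staff credential used)
    patient: str       # which patient record
    action: str        # view or update
    workstation: str   # from where


def parse_line(line: str) -> Access:
    """Parse one constructed audit line into an Access record."""
    timestamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Access(timestamp, kv["user"], kv["patient"], kv["action"], kv["ws"])


# Constructed care-team roster: patient record -> staff with a documented care relationship.
CARE_TEAM: dict[str, set[str]] = {
    "P1001": {"nurse07", "dr_khan"},
    "P1002": {"dr_khan"},
    "P1003": {"nurse07", "dr_ortiz"},
}

# Constructed audit-trail sample: six accesses during one day.
SAMPLE_LOG = """\
2024-03-04T09:15:22 user=nurse07 patient=P1001 action=view ws=ward3-pc2
2024-03-04T09:16:05 user=dr_khan patient=P1002 action=update ws=clinic-pc1
2024-03-04T09:40:11 user=nurse07 patient=P1002 action=view ws=ward3-pc2
2024-03-04T12:02:48 user=admin_jo patient=P1003 action=view ws=reception-pc4
2024-03-04T12:03:10 user=admin_jo patient=P1001 action=view ws=reception-pc4
2024-03-04T13:30:00 user=dr_ortiz patient=P1003 action=view ws=clinic-pc2
"""


def find_improper_access(log_text: str, care_team: dict[str, set[str]]) -> list[Access]:
    """Return every access by a user who is not on the patient's care team.

    Unknown patients have an empty care team, so any access to them is flagged.
    """
    flagged: list[Access] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        access = parse_line(line)
        if access.user not in care_team.get(access.patient, set()):
            flagged.append(access)
    return flagged


def summarize_by_user(flagged: list[Access]) -> dict[str, int]:
    """Count flagged accesses per staff credential, for prioritising follow-up."""
    counts: dict[str, int] = defaultdict(int)
    for access in flagged:
        counts[access.user] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_improper_access(SAMPLE_LOG, CARE_TEAM)
    for a in hits:
        print(f"{a.when} {a.user} {a.action} {a.patient} from {a.workstation}: no care relationship")
    print("flagged accesses per user:", summarize_by_user(hits))
```

On the constructed sample, three of the six accesses are flagged: the nurse reading a patient who is only under dr_khan's care, and the receptionist credential reading two records it has no care relationship with. The check runs after the fact, which is the point of an audit trail as the article presents it: access is not refused at the moment of care, but every access leaves a record that can be questioned later, much as a person pulling the wrong file from a locked physical archive could be questioned.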
Education is the most important step, explains Debbie Terry, NHS Information Governance Lead in the FairWarning report. She goes on to say:
In order to be fully transparent and trusted, providers must make sure that staff are properly trained in privacy policies and practice. Providers also need to make sure their patient record systems are fully secure. In this way they can protect trust and work in partnership with patients to deliver the best possible care.
Healthcare professionals should learn not to let anyone use their devices and/or credentials at any time. Using someone else's credentials is the easiest way for a data thief to access the information and leave no trail behind.