Phishing in the Healthcare ‘Pond’: Going Beyond the Baseline of Social Engineering -By Sara Heath on August 21, 2015Coalfire/HealthIT Security
August 08, 2015
Employees are often your weakest link in your security risk management and it is important to have those Security protocols to manage employees to assure you are securing your client data and thus protecting their privacy! You can't have privacy laws without proper security in place!HealthIT Security By Sara Heath on August 21, 2015
No matter the many safeguards against hacking and cyberattacks are put into place in hospital records, sometimes hospitals need to protect against their own employees’ nosiness as well.
Such was the case for the Carilion Clinic, a not-for-profit clinic located in Roanoke, VA. According to a Roanoke Times report, Carilion has disciplined or fired 14 employees for looking at a high-profile patient file that they had not been given access to.
Although Chris Turnbull, a clinic spokesperson, did not identify the employees or the patient whose information was breached, he did explain that patient files tend to be handled by many people in the clinic and that the clinic has compliance officers who monitor the file activity. Whenever an employee accesses the file, the filing system documents the activity and tracks whether the employee had viable cause to access the file. Compliance officers are in charge of tracking privacy concerns by accepting complaints or monitoring high-profile patients.
Carilion Clinic is a HIPAA-covered entity and adhered to appropriate disciplinary standards in properly punishing employees or terminating their employment. The Roanoke Times report did not disclose which, or how many, employees were fired. Under HIPAA, these employees may also face criminal prosecution, a $50,000 fine, or a one-year prison sentence.
Also in accordance with HIPAA, Carilion prohibits employees from accessing information for patients with whom they are not directly working. Clinic employees are also required to receive annual security training.
“Carilion takes its obligation to protect patient privacy very seriously,” said Vicki Clevenger, Chief Compliance Officer at Carilion. “When Carilion discovers potential issues, an immediate investigation is launched. Aspects of an investigation vary, but may include a review of the electronic medical record(s) in question and interviews with individuals involved.”
This is not the first time a high-profile patient has had his/her information breached in a healthcare facility. As reported by HealthITSecurity.com, reality television star Kim Kardashian fell victim to an internal data breach at Cedars-Sinai Medical Center in Los Angeles after giving birth to her child in June 2013. Although it was suspected that Kardashian’s information was the target, a total of 14 patient files were accessed in the breach. A total of six employees were fired for the breach, including four community physicians, one researcher, and one volunteer.
Other California hospitals have faced these challenges, as well. UCLA Health System reached an $865,500 settlement in 2011 for the internal breaches of high-profile patient files, according to the Los Angeles Times. These files reportedly belonged to Britney Spears, Maria Shriver, and Farrah Fawcett, and the internal breaches resulted in the job termination of all employees involved. UCLA Health System was put under investigation for not responding to the breaches properly or retraining its employees in patient privacy.