When they can't sneak a few photos of unsuspecting celebrities in compromising positions, today's paparazzi are busy trying to get the next best thing: their medical records. The public's perpetual interest in entertainment news, paired with increasingly well-funded paparazzi, has produced a dramatic spike in the number of medical record privacy invasions. The going rate for such information is said to be a few thousand dollars per record.[1]
Financial gain appears to have proved too tempting for employees at UCLA Medical Center, where more than 60 employees have been accused of illegally viewing and/or leaking the electronic medical records of celebrities.[2] The publicity surrounding these cases has many people questioning just how secure their own records within health care organizations really are.
In security terms this is, at its base, an access control problem. There are many approaches to it, some technical, some process-related and some in the domain of human resources, but any viable solution involves authenticating the people who request access, authorizing only those with a legitimate need, and implementing controls that monitor and audit what is actually occurring. People will always be curious, and some will exhibit nefarious behavior of one form or another in the workplace. Those who deliberately take records do so primarily because they don't believe they'll be caught; they never consider that a single incident could cost them their job. Many others download or copy files unaware that they are not authorized to possess them. The key in both cases is to use technology wisely and to educate employees so that policies are understood and their perception of the likelihood of getting caught changes for the better.
Health care organizations can start by establishing a chain of custody for their privacy-protected records. A chain of custody tracks every access to critical content throughout its lifecycle in order to establish control and accountability. This is essential to a strong security implementation because employees know that all of their actions are recorded and that improper use of content will not go without consequence. The same record also helps ferret out unauthorized access after the fact and demonstrates that privacy protections are actually being enforced.
It goes without saying that an organization must have a complete and accurate inventory of all privacy-protected information, both paper and digital, along with the office systems and processing facilities that touch such content. It must have role-based access control policies in place so that only employees with a legitimate purpose can reach a given record, and control processes set up to monitor and audit each system that holds records.
Health care facilities should take a second look at the multifunction devices sitting on each floor of their buildings. Aside from aiding employees with basic functions like scanning, copying, printing and faxing, these machines can act as a first line of defense against medical record mishandling. They can be configured to work with a card-based user identification system, requiring employees to swipe a valid ID badge and enter a PIN before gaining access to the machine. A device with an archival system can then attribute each scan, fax, copy and print to the authenticated employee, and that record can be retrieved should the employee's actions ever come into question in connection with a medical records breach.
With digital and hard copy patient information routinely flowing through a health care organization's operations, the activity that goes beyond the multifunction devices must also be carefully monitored. The solution? Enterprise content management (ECM). A facility with an ECM system that turns hard copy records into digital files and then tracks every view, change and deletion of each document within the enterprise will be able to trace back the missteps taken in the lead-up to a security breach. Such a system not only helps the organization identify how a breach occurred, it also deters future intentional incidents, since employees know that their every action can be traced. This audit trail and content repository is also crucial for compliance with regulatory requirements such as HIPAA.
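The role-based access control, chain of custody and audit trail described above can be sketched in code. The following is an added example written for this page, not software from the original article or from any vendor it mentions. It assumes a small constructed set of roles, users, patients and a "care roster" of treatment and billing relationships; every access attempt is written to a hash-chained, append-only audit log (so removing or altering an entry breaks the chain), and a separate check runs over that log to flag the case role-based control alone cannot catch: a user whose role entitles them to a record section, but who has no relationship with that particular patient.

```python
"""Added example (not from the original article): a minimal medical-record
access gateway with role-based access control, a hash-chained audit trail,
and a snooping check run over that trail. All names and data are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Which record sections each role may read. Constructed for the example.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "demographics", "billing"},
    "nurse": {"clinical", "demographics"},
    "billing_clerk": {"demographics", "billing"},
    "receptionist": {"demographics"},
}

# Constructed users and their roles.
USERS = {
    "dr_lee": "physician",
    "nurse_kim": "nurse",
    "clerk_ortiz": "billing_clerk",
    "front_desk_1": "receptionist",
}

# Assumed care roster: (user, patient) pairs with a treatment or billing
# relationship. In a real system this would come from scheduling/admissions.
CARE_ROSTER = {
    ("dr_lee", "P-1001"), ("dr_lee", "P-1002"),
    ("nurse_kim", "P-1001"),
    ("clerk_ortiz", "P-1002"),
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log. Each entry stores the SHA-256 of the previous entry,
    so deleting or editing any entry breaks verification of the chain."""

    def __init__(self):
        self.entries = []

    def _digest(self, entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **fields}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry's hash matches its body and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_record(log, user, patient_id, section, reason=""):
    """Role-based check. Returns True if the read is permitted; every attempt,
    allowed or denied, is written to the audit log first."""
    role = USERS.get(user)
    allowed = role is not None and section in ROLE_PERMISSIONS.get(role, set())
    log.append(user=user, role=role, patient=patient_id, section=section,
               reason=reason, allowed=allowed)
    return allowed


def flag_snooping(log, roster=CARE_ROSTER):
    """Successful reads by users with no care relationship to the patient.
    RBAC permits these (the role is entitled to the section), so only the
    audit trail plus the roster can surface them for review."""
    return [e for e in log.entries
            if e["allowed"] and (e["user"], e["patient"]) not in roster]


def run_demo():
    """Constructed sequence of accesses: one legitimate, one denied by role,
    one allowed by role but with no care relationship, one legitimate."""
    log = AuditLog()
    access_record(log, "dr_lee", "P-1001", "clinical", "rounds")
    access_record(log, "front_desk_1", "P-1001", "clinical", "curious")
    access_record(log, "nurse_kim", "P-1002", "clinical", "")
    access_record(log, "dr_lee", "P-1002", "billing", "coding query")
    return log


if __name__ == "__main__":
    log = run_demo()
    print("chain intact:", log.verify())
    for e in flag_snooping(log):
        print("review:", e["user"], "read", e["section"], "of", e["patient"])
```

Two design points matter here. First, denied attempts are logged as well as successful ones, because a pattern of denials against a high-profile patient is itself a signal. Second, the care roster check is deliberately separate from the access decision: blocking every access outside the roster would break emergency care, so the realistic control is to allow it, log it, and review the exceptions promptly.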
Establishing a chain of custody by using the security functions on multifunction devices and deploying ECM solutions is the logical approach in enterprise environments where security is a mandate. Good employee awareness training combined with the right technologies will improve workflow and yield greater efficiency alongside more secure operations. Good security is good business. The time to act is now.
References
1. Los Angeles Times, "Digging into Celebrity Medical Records Has a Long History," May 20, 2008.
2. Ibid.
David F. Drab, principal and security thought leader for Xerox Global Services, is a security consultant providing services and solutions for a wide range of customers. He is a Certified Information Systems Security Professional (CISSP). Prior to joining Xerox in 2002, Drab was a 32-year law enforcement veteran, including 27 years with the Federal Bureau of Investigation.