Over the past year, I’ve had the opportunity to talk to a number of people in different organizations who are concerned with insider breaches in the health care sector. One of those people is Kurt Long, CEO and Founder of FairWarning, a firm that provides patient privacy monitoring (privacy breach detection) systems.
So, here’s a little pop quiz to start this post:
- What percent of insider breaches can be reduced by employee training on HIPAA and review of access policies?
- What percent of insider breaches can be reduced by installing monitoring software?
- What percent of insider breaches can be reduced if you actually enforce policies and discipline employees?
Ready for his answers?
According to data compiled by FairWarning using before-and-after data on their clients:
- Employee training can reduce insider breaches by 58%
- Monitoring the network for improper access is crucial, but may not significantly change the culture until it is combined with disciplining or sanctioning employees, which effectively communicates that employee access is being monitored and that inappropriate access will have serious consequences.
- Monitoring and enforcement together can reduce insider breaches by another 40%.
Overall, within a 6-month period, FairWarning’s clients experience an 85-98% reduction in insider breaches, Long says.
That’s good advertising for them, and I’m sure readers will point out that their statistics, based on a non-random sample, may be somewhat self-serving. But their findings should also be food for thought for your practice or organization.
This past year, I blogged a lot about insider breaches in the healthcare sector. While strengthening firewalls against external threats is critical, as is training employees not to fall for phishing schemes and not to leave PII on unencrypted devices in unattended vehicles, some of the standard security precautions – like encrypting PHI – really do nothing to reduce breaches by those who are authorized to access patient data. FairWarning’s data suggest that a strong employee training program combined with monitoring access and making a point of enforcing discipline so that everyone gets the message might reduce the vast majority of insider privacy breaches.
But while creating a culture in which employees understand that they might or will lose their jobs for inappropriate access is important, I think it’s also crucial that those in the health care sector see more examples of employees being criminally prosecuted for snooping or other inappropriate access. California has been in the forefront of pursuing cases of snooping, while the federal government has been in the forefront of prosecuting cases involving patient data used for Medicare fraud and tax refund fraud. Unfortunately, many prosecutions for fraud do not name the hospital or health care provider whose employee(s) engaged in illegal conduct. Perhaps if they did, organizations of all sizes would be more concerned about potential reputation harm and would take more aggressive steps to prevent insider breaches. Even if an entity is not named, however, such breaches can incur significant breach costs and affect patients’ confidence or trust in the entity to protect their sensitive information.
So what will your organization be doing in 2013 to reduce insider breaches? And if your organization has implemented some effective strategies to reduce insider breaches, what are those strategies?