One dissatisfied or dishonest employee within your healthcare facility can cause serious problems. An unhappy staff member may intentionally hinder the work of other employees or even compromise sensitive patient information in order to pad their own bank accounts or simply to make things harder for your hospital.
Since patient data is worth up to $150 per person, this information is more susceptible to theft. The financial and reputational impact to your hospital is not something to scoff at. A hospital’s success depends on the goodwill of the surrounding community. Plus, HIPAA violations could cost your hospital thousands of dollars in fines.
In one such case of patient data theft, two employees in Queens, NY, stole patient data and then sold it to other individuals who used it to solicit outpatient care, legal advisory services and even transportation assistance—sometimes while the patient (whose information they were using) was still in the hospital. “These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records. Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records,” said DA Richard Brown, in a statement.
This stolen patient identity information can be used not only to obtain fraudulent medical assistance but also to file and claim tax returns illegally. This happened recently in Miami and Tallahassee, when employees deliberately stole patient information and sold it to individuals who used it to claim the money from false tax returns. In addition to the monetary lawsuit damages, the Tallahassee hospital had to provide identity protection services to more than 100 patients.
None of these examples are meant to disparage the affected hospitals. After all, they were victims too. However, the stories should be used to remind hospital administration that they must take every precaution to protect sensitive patient data, not only from outside hackers and criminals, but also from unscrupulous employees.
Healthcare facilities must pay special attention to their unhappy employees, and everyone must be involved, not just direct managers. Human resources, colleagues and the IT department must all be on high alert for the telltale signs of employees looking to steal data. Organizations must also work hard to keep their employees actively engaged. According to the Gallup Global Workplace Report 2013, engaged employees “work with passion and feel a profound connection to their company. They drive innovation and move the organization forward.” However, employees who are actively disengaged are unhappy with their jobs and “are more or less out to damage their company,” including stealing from the organization.
IT Safeguards
Healthcare IT departments have carefully designed their infrastructure to keep outside attackers from accessing information. But what happens when the person stealing information was given access to the system, or worse, designed it? To effectively secure patient data, IT departments must only allow the minimum patient data access needed to complete current tasks, then revoke that access when each task is complete. Additionally, IT departments must be sure that each employee only has access to the patient data he or she needs to complete their duties—not to the patient data from the department across the hall.
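The access model described above (grant only what the current task needs, keep it within the employee's department, revoke it when the task is done) can be expressed as the following Python example, which is added here for illustration and is not code from the original article or any product it mentions. The names `AccessBroker` and `Grant`, the 8-hour default lifetime and the sample users and patients are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    user: str
    patient_id: str
    task: str
    expires: datetime
    revoked: bool = False

class AccessBroker:
    """Hypothetical broker. Audit rows: (time, user, patient, decision, reason)."""
    def __init__(self, user_dept, patient_dept):
        self.user_dept, self.patient_dept = user_dept, patient_dept
        self.grants, self.audit = [], []
    def grant(self, user, patient_id, task, now, ttl=timedelta(hours=8)):
        # Refuse any grant that crosses department lines, and record the attempt.
        if self.user_dept.get(user) != self.patient_dept.get(patient_id):
            self.audit.append((now, user, patient_id, "DENY", "cross-department"))
            return None
        self.grants.append(Grant(user, patient_id, task, now + ttl))
        return self.grants[-1]
    def complete_task(self, user, task):
        # Finishing the task revokes every grant issued for it.
        hits = [g for g in self.grants if (g.user, g.task) == (user, task) and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)
    def read(self, user, patient_id, now):
        ok = any(g.user == user and g.patient_id == patient_id and not g.revoked
                 and now < g.expires for g in self.grants)
        self.audit.append((now, user, patient_id, "ALLOW" if ok else "DENY",
                           "active-grant" if ok else "no-active-grant"))
        return ok
    def denials_by_user(self):
        # Repeated denials for one user are a signal for manager and IT review.
        return Counter(row[1] for row in self.audit if row[3] == "DENY")

def demo():
    # Constructed sample data: one cardiology nurse, one patient per department.
    t0 = datetime(2024, 1, 1, 9, 0)
    b = AccessBroker({"nurse_a": "cardiology"}, {"P1": "cardiology", "P2": "oncology"})
    b.grant("nurse_a", "P1", "med-round", t0)
    during = b.read("nurse_a", "P1", t0 + timedelta(hours=1))  # task still open
    b.complete_task("nurse_a", "med-round")
    after = b.read("nurse_a", "P1", t0 + timedelta(hours=2))   # grant now revoked
    other = b.grant("nurse_a", "P2", "lookup", t0)             # different department
    return during, after, other, b.denials_by_user()
```

The audit list is what makes the model useful for the insider case: every denied read or refused grant stays on record, so unusual browsing by an authorized employee shows up even when nothing was disclosed.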
Managers/Human Resources
While IT bears the brunt of the workload in securing patient information, managers must play a direct role as well. Raising awareness of medical identity theft can help, especially if it is addressed as a quality-of-care issue. Through training, employees can be made aware of the signs of medical identity theft as well as its consequences. Human resources can also implement, with the help of managers, an identity theft response program in the event that it does happen.
Credentialing and Verifying
To protect your patients from medical identity theft, you must know who is in your facility. Every person within your hospital with access to patient records should go through a comprehensive, but relevant, screening and verification process. Just as you would never allow a doctor to practice medicine in your facility without being credentialed and vetted, all other types of personnel should also earn the “privilege” of working in your facility. IntelliCentrics SEC3URE allows you to credential and privilege everyone who enters your hospital to ensure they are compliant.
Stay on Your Guard
If you think patient data theft by employees can’t happen at your facility, then think again. Stolen patient data is the most valuable type of identity information, making it more irresistible to thieves, especially from within. Every day, you put patient data (and your trust) in your employees’ hands; and, with 85% of workers across all organizations reporting that they are unsatisfied in their job, every dissatisfied employee increases the likelihood that the data they have access to will be stolen and sold.
