Amid the relentless wave of cyberattacks against health systems, a more discreet internal threat is also on the rise: unauthorized electronic health record (EHR) access.
Data analyzed by Fierce Healthcare from the U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR)—which includes only breaches affecting 500 or more individuals—showed unauthorized access involving a medical record doubled from 2020 to 2021 from nine to 18. More individuals were also affected by these breaches in 2021 (62,791) compared to the year before (56,166). Overall unauthorized access or disclosure jumped 267%, accounting for more than 20% of all 2021 breaches reported.
Among those that saw this type of breach in 2021 were UNC Health, Long Island Jewish Forest Hills Hospital and Montefiore Medical Center. Huntington Hospital in New York, where an employee improperly accessed records potentially involving up to 13,000 patients in 2018 and 2019, announced the breach in late 2021. The employee was reportedly fired and charged with a criminal HIPAA violation. An employee at Montefiore met a similar fate the same year.
Texas saw the most unauthorized access over the past two years, followed by Pennsylvania and New York.
According to the results (PDF) of two audits of HIPAA-covered entities conducted by the OCR published in late 2020, “entities lacked the necessary focus on technical safeguards (access controls, audit controls, etc.) needed to properly protect the confidentiality, integrity and availability of electronic patient health information.” This was largely driven by a failure to conduct appropriate risk analysis, it went on, and entities were either unable to monitor for risks or failed to respond to those it did identify.
Balancing privacy and risk of patient harm
EHRs function in what is called an “open-access environment,” said Dan Fabbri, chief data scientist of SecureLink, a critical access management company. Because healthcare is so dynamic, with both clinicians and patients continuously moving throughout the system, it’s typical to see any employee have access to any patient’s chart, Fabbri told Fierce Healthcare.
The problem is toeing the line between privacy and the risk of patient harm, Fabbri explained. In case of an emergency, any employee should be able to access any record. It would be highly unlikely for a hospital to completely block some employees’ access to patient records for that reason, Fabbri said.
“Everything in healthcare is a trade-off between the effectiveness of the system and the privacy of the system,” Fabbri said. Between 40 and 60 employees access a patient’s chart on a given day, according to Fabbri.
A new era of snooping
EHR snooping has been on the rise in part as the result of more healthcare professionals working from home since the start of the COVID-19 pandemic, said Andrew Mahler, vice president of privacy and compliance at CynergisTek, a cybersecurity and privacy consulting firm. Early in the pandemic, CynergisTek saw a significant drop in snooping, he said, likely as people transitioned from one work environment to another.
“As you started to get more in the routine of things,” Mahler said, “then we started to see things start to rise a bit,” he said. There may also be less oversight with remote systems, he suggested. And unauthorized access could be malicious or even accidental. (Unintentional unauthorized access might be a researcher, for instance, accessing masses of data for a study.)
Hospitals have reported to Fabbri’s company that they have seen a rise in employees accessing the health records of potential romantic interests, ushering in “essentially a new class of snooping behavior.”
Rita Bowen, vice president of privacy, compliance and health information management policy at MRO, a record disclosure management company, told Fierce Healthcare that hospital employees may hesitate to receive care there due to the threat of colleague snooping. One potential mitigation strategy is providing a list of all individuals who have accessed that employee’s record every time they sign onto the EHR system.
There can be grave consequences of EHR snooping, Mahler cautioned. Besides looking at records of potential romantic interests, there have also been incidents of stalking and even unauthorized access involving custody battles—things that are “pretty wildly inappropriate,” Mahler said. “It’s happening more and more frequently.”
CynergisTek works with all sizes of clients, he said, and no one is immune from this problem. But the more resources an organization can devote to staffing and privacy training, the less likely snooping is to occur. Smaller organizations, already strained by the pandemic, may struggle to devote more resources to these efforts, he noted.
Ways to mitigate
Though most systems are not likely to completely block access to medical records, they can include tools like break-the-glass, which offers a warning as a deterrent before allowing the record to be accessed. Sometimes, access management controls can be based on job roles or one’s shift or unit, said Gerry Blass, president and CEO of ComplyAssistant.
Companies like SecureLink use analytics to identify who is making unauthorized searches depending on certain parameters clients establish, like if the searching employee shares the patient’s last name or if they live on the same street. When such a search is then made, an organization’s privacy officer is alerted and can launch an investigation. Employees can be disciplined with corrective actions or termination.
Parameters can vary greatly depending on the needs of a particular organization. Early in the pandemic, one of CynergisTek’s clients determined they wanted to track all access around records not only of patients with a COVID-19 diagnosis but with symptoms. The organization suspected its workforce may be tempted to snoop on colleagues potentially sick with COVID-19, Mahler said.
Organizations should have a documented emergency management plan, Blass said, that lays out a backup process in cases of emergency to expand or assign new access temporarily. (When a system is down, like during a cyberattack, hospitals may transition to using manual records, which could require these sorts of temporary modifications.)
Catching people early is key to preventing the problem from escalating to a larger number of records or drawing on over a longer period of time, suggested Mahler. “Providing training and education, that can really help—it can help mitigate the risk,” he said.