Securing Private Health Information


According to the HIPAA Privacy Rule, any healthcare provider who electronically transmits health information may only disclose protected health information (PHI)

  • for treatment, payment and operations,
  • for public interest,
  • as a limited data set,
  • to the individual or
  • as authorized by the individual.

Use and disclosure outside of these limitations constitutes a breach subject to civil money penalties (up to $1.5M per year) and potentially criminal prosecution (up to 10 years).

When privacy and security incidents occur, healthcare organizations suffer from lost business, reputation and profits. Already small margins shrink further as customers lose faith in your system and seek care elsewhere. While patient care is likely your number-one priority, successfully securing protected health information (PHI) and complying with regulations is critical, too.

  • 37% increase in number of patient records breached from 2018 to 2019
  • 93% of healthcare organizations experienced a breach since 2016
  • $7.1 Million average cost of a healthcare breach
  • 7% of patients seek care elsewhere after a breach

How Do I Secure PHI?

To secure PHI, healthcare organizations need to deal with predictable and unanticipated risks.

Many risks to patient privacy are well known and can be concretely defined. Some categories of access must be addressed every time impermissible access occurs in order to comply with HIPAA. Other categories can be monitored for trends that signal an uptick or a deviation from peers, and acted upon once a given threshold is reached.

of Americans would switch to a company prioritizing data privacy[i]

[i] 2019 Healthcare Data Breach Report, HIPAA Journal

Common Patient Privacy Use Cases

Although these threats are familiar, they are common and difficult to track, particularly when you lack the appropriate resources or rely on manual methods. Some key examples of known impermissible access that FairWarning has been helping health systems address for many years include:

Snooping

Looking at the records of coworkers, supervisors, household members, neighbors or VIP patients for reasons other than treatment, payment or operations is not acceptable under HIPAA, to patients or to your organization. Unfortunately, it can be almost impossible to identify this impermissible access without a tool to help you mine log records.

FairWarning helps healthcare providers identify and stop snooping of all types. Patient Privacy Intelligence monitors record access logs and notifies you when impermissible access occurs. It can also notify you when patterns of snooping behavior are detected.

Inappropriate Record Modification

Most healthcare organizations have a policy that prohibits users from viewing, editing or canceling their own records. While this activity could be innocuous, “self-modification” poses a risk of fraud, drug diversion and financial loss to the organization.

Patient Privacy Intelligence cross references user profile information against patient information and triggers an alert when they match to identify noncompliance with this important policy. Awareness that this monitoring is in place also acts as a deterrent.

Data Exfiltration

It’s not uncommon for a user to print records for a handful of patients for the day’s rounds or other purposes, but when a user exports a significantly larger number of patient records than usual, it may be a sign of patient poaching, fraud or identity theft and should be examined.

That’s why Patient Privacy Intelligence analyzes log records to identify users who are exporting unusually high amounts of data.

Access by Terminated Users

When former employees, inactive users or third-party contractors continue accessing clinical applications and records despite their change in status, it creates a significant risk. At best, their rights have been properly revoked and there’s simply the worry of why they were still attempting access. If a single login remains intact, that user could export data, steal identities or insert malware.

Patient Privacy Intelligence confirms that users are active in the HR system and triggers an alert for anyone who has been terminated or is on leave.
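The three rule-based checks described under Inappropriate Record Modification, Data Exfiltration and Access by Terminated Users can be expressed as simple logic over access-log records. The following is an added illustration written for this page, not FairWarning's code; the log field names, the user-to-patient profile link, the HR status feed and the "five times the peer median" export threshold are all assumptions, and the sample records are constructed.

```python
"""Added example: rule checks over constructed EHR access-log records."""
from collections import Counter
from statistics import median

# Constructed sample records (not real data); field names are assumptions.
ACCESS_LOG = [
    {"user": "jdoe", "patient": "P100", "action": "view"},
    {"user": "jdoe", "patient": "P777", "action": "edit"},   # jdoe's own chart
    {"user": "bwong", "patient": "P102", "action": "view"},  # bwong was terminated
    {"user": "asmith", "patient": "P103", "action": "export"},
    {"user": "asmith", "patient": "P104", "action": "export"},
    {"user": "asmith", "patient": "P105", "action": "export"},
    {"user": "klee", "patient": "P106", "action": "export"},
    {"user": "klee", "patient": "P107", "action": "export"},
    {"user": "rnair", "patient": "P108", "action": "export"},
] + [{"user": "mfox", "patient": f"P{200 + i}", "action": "export"} for i in range(20)]

# User profile -> the patient id under which that user is registered (if any).
USER_OWN_PATIENT = {"jdoe": "P777", "asmith": "P888"}
# HR feed (assumed): anything other than "active" (terminated, on leave) is flagged.
HR_STATUS = {"jdoe": "active", "bwong": "terminated", "asmith": "active",
             "klee": "active", "rnair": "active", "mfox": "active"}


def self_access(events, own_patient):
    """Cross-reference the acting user's own patient id against the record touched."""
    return [e for e in events if own_patient.get(e["user"]) == e["patient"]]


def terminated_access(events, hr_status):
    """Any activity by a user who is not marked active in HR (or is missing from HR)."""
    return [e for e in events if hr_status.get(e["user"]) != "active"]


def export_outliers(events, factor=5.0):
    """Users whose export count exceeds `factor` times the median across exporting users."""
    counts = Counter(e["user"] for e in events if e["action"] == "export")
    if not counts:
        return {}
    baseline = median(counts.values())
    return {u: n for u, n in counts.items() if n > factor * baseline}


if __name__ == "__main__":
    for e in self_access(ACCESS_LOG, USER_OWN_PATIENT):
        print("self-access:", e)
    for e in terminated_access(ACCESS_LOG, HR_STATUS):
        print("terminated-user access:", e)
    for u, n in export_outliers(ACCESS_LOG).items():
        print(f"export outlier: {u} exported {n} records")
```

In production the baseline would be computed per role and over a longer window, and the HR feed would need a grace period for status changes that have not yet propagated; the median-based rule here is deliberately simple so the flagging logic is visible.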

Compromised Credentials

Unfortunately, stolen IDs and passwords can represent an even greater risk to an organization than a lost laptop or phone. Whoever has the credentials has unfettered access to your system to remove information or inject threats. Worse, the user typically doesn’t know that their credentials have been compromised until it’s too late.

Patient Privacy Intelligence monitors for abnormal behavior that can signal compromised credentials. Whether a user is logging in from an unusual location, at an unusual time or exhibiting other atypical patterns of behavior, Patient Privacy Intelligence can alert you to the threat early.

Anomalous Behavior

Unfortunately, you don’t always know what behavior to look for to avoid a breach. This unanticipated risk is often what keeps privacy, compliance and IT teams up at night.

Patient Privacy Intelligence uses behavioral-anomaly-detection AI to examine the data from multiple angles to determine if there is an issue that needs to be investigated. Our algorithms are built on the largest and most reliable healthcare application user activity dataset in the world, which drives the best predictive capability.

FIGHT BACK WITH FAIRWARNING

Known and unknown risks hinder your ability to secure private patient data – compromising your credibility. Find out how FairWarning helps protect you from incidents of exposed, improperly disclosed or stolen records by accurately detecting and reporting privacy violations – and acting quickly so they are less likely to reoccur.
