It’s important to manage all personally identifiable information and sensitive documents with care. But some data is so at risk that additional safeguards or more careful auditing may be warranted — as evidenced by the alleged unauthorized access of medical records of George Floyd, whose death was ruled a homicide at the hands of the police.
"It is no surprise that the health system found employees accessing and viewing this data," said Taylor Lehmann, partner and founder at the cyber consultancy SideChannel, board of directors member with the Health Information Sharing and Analysis Center (H-ISAC), and former CISO at numerous health care organizations. "Medical record snooping occurs for many reasons – health care worker curiosity into the status of a given celebrity, their neighbors, their friends and family, and other reasons. And [it's] also easy to do."
According to a report Sept. 9 from NBC affiliate KARE 11, Floyd's family received a notification from Minneapolis-based Hennepin Healthcare disclosing multiple instances of unauthorized records access at Hennepin County Medical Center (HCMC). The next day 13 employees were fired for improperly accessing Floyd's records, including three nurses, a lab technician, a social worker and a paramedic, Fox affiliate KMSP reported the following day.
Indeed, abuse of privilege "has proven to be an easy pattern to execute and one that has driven many breaches historically," added Lehmann. And it's a particular problem in health care because "many health systems do not greatly restrict who can access what record due to the unpredictable number of staff or clinicians who may need the data to treat a patient in an emergency."
Hennepin Health, which represents HCMC, did not publicly confirm the breach, noting it doesn't comment on specific cases in order to preserve confidentiality. The center did confirm however that Hennepin Healthcare complies with federal information privacy regulations, which require notification to patients about a confirmed privacy breach, and that privacy access audits are conducted regularly and access by the workforce tracked and logged.
"Any breach of patient confidentiality is taken seriously and thoroughly investigated," HCMC said in a statement, and that violation of policy would result in disciplinary action up to and potentially including termination.
The statement also noted: “It is the practice of the Hennepin Healthcare Information Privacy Department to conduct privacy access audits. Access to the Hennepin Healthcare electronic medical record by our workforce is tracked and logged, which supports our auditing efforts.”
Experts told SC Media that the auditing and reporting process is an important component of a health care organization’s data privacy strategy in order to catch violations, and that particular focus should be paid to what Lehmann described as "records that would be of high interest or curiosity."
“Unfortunately, auditing processes vary in their rigor, depending on the privacy/compliance staff at a given organization, staff availability, and tools at their disposal,” said Drex DeFord, health care executive strategist for CI Security and president of Drexio Innovation Network, identified. “The auditing and training program at Hennepin will come under close scrutiny, including all documented process, procedures and policies.”
KMSP also reported that, in an effort to protect Floyd’s privacy, Floyd was admitted into the HCMC emergency room under the pseudonym “Bronze Tennessee,” after becoming unresponsive while in the custody of four Minneapolis police officers, one of whom faces multiple murder and manslaughter charges and three of whom are accused of aiding and abetting second-degree murder.
But could even more have been done in the first place to shield Floyd’s records, especially when considering the controversial and politically explosive circumstances surrounding the Floyd's high-profile death?
“Most electronic health record (EHR) systems allow for specific patient records to be flagged as ‘VIP,’" Deford said. "That sometimes means additional warnings are provided to EHR users that they are about to access a VIP record, and they should confirm they’re involved in that patient’s treatment.”
He recommended that health care organizations leverage this “flagging” capability as needed, to “provide an additional layer of warning that the EHR user is about to enter a VIP record, and remind them of the rules and responsibilities.” He also pointed to annual training of staff on responsibilities for protecting PHI as critical, while imposing “strict rules and clear penalties” for violations.
“Provide multiple examples of how EHR users might even accidentally access those records, and processes for self-reporting accidental access,” said DeFord. “Provide specific examples of past violations and associated disciplinary actions to reinforce the training.”
Restrictions on certain records may also be needed, he added, refusing access to unless explicit permissions are first granted, “particularly after a VIP is discharged.”
Some of these data privacy recommendations go well beyond health care, especially for other industries that store and manage highly sensitive or classified information.
But Armorblox CTO Rob Fry said he doesn't agree that certain individuals' data should be afforded more stringent privacy protections than others. "We must treat all patients with dignity and protect their data. No persons information is more important than another person’s," said Fry.
Nor does he think limiting employee access to records is the answer. "Adding in even more protocols, such as a request system where one person asks for access to a record and another approves it, would not be conducive in a health care scenario," he said.
Judging from the reported details that are currently available, Fry sees the HCMC incident as a mix of good and bad.
"It's a success story in that [the breaches were] discovered and handled in the manor set forth by HIPAA... Hennepin Healthcare staff was able to detect unusual activity, report it and follow protocols," Fry said. "On the flip side, the story is also a failure because people entrusted with protecting the sensitive nature of people's health records felt empowered to do so."
“The bottom line is that most health care organizations, and most providers, take their responsibilities for PHI very seriously, and never improperly access patient records,” DeFord stated. “They know and are trained that improper access can result in termination.”