This opinion follows a report from the Office of the Inspector General of the Department of Health and Human Services, which recently examined hospitals in seven states and issued a report highlighting numerous severe vulnerabilities in systems responsible for safeguarding patient privacy. OIG auditing teams will expand their investigation to include eight more hospitals suspected of weaknesses in controls over security and privacy of protected health information.
Researchers at Carnegie Mellon University have shown that at least 30 people and organizations have access to the health data of a typical person with private insurance through an employer. - New York TimesThe administration's likely response will be in the form of increased enforcement activity and more stringent fines for health care organizations that have failed to fully implement controls required by the HIPAA privacy and security rules.
The problem is compounded by the nature of the information itself, which needs to be accessible in order to provide effective and timely health care. As a result, health care information systems are typically designed to “fail open," to allow medical personnel less restricted access to patient data and enable necessary treatment to proceed.
To mitigate access control weaknesses without impeding patient care, health care organizations are looking to review access to electronic medical records using technology based on identity and access intelligence (IAI). IAI analyzes patterns of medical records access via stores of user identities, application and system rights, and user activity. By comparing what information was accessed, when, and by whom, with user privileges, IAI systems indicate whether access to patient data was valid or whether a policy exception (such as medical records snooping) has occurred.
Learn how Veriphyr's Identity and Access Intelligence deters snooping into medical records and other violations of HIPAA security and privacy rules.Sources:
Breaches Lead to Push to Protect Medical Data - The New York Times, May 30, 2011