Catch and Prevent Healthcare “Snooping”

March 2, 2021
While healthcare organizations are familiar with the importance of data privacy and security, vulnerabilities remain

Healthcare organizations have always been faced with protecting private health information from prying eyes. Not too long ago, health records were physical files that used to require healthcare professionals to walk into the department and manually pull out the printed record. Fast forward to electronic health records (EHRs) and access to private health information has skyrocketed. While this ease of access is beneficial in many ways it also increases privacy risk, as employees have a greater opportunity for snooping.

In the context of healthcare security, the term “snooping” refers to when private medical records are accessed by someone who is not considered authorized under HIPAA. Snooping is often used as a catch-all term that refers to any type of inappropriate record access. It ranges from an employee checking a family or friend’s record, to printing off too much information, to viewing another unit’s patient log. Snooping occurs for a variety of different reasons -- curiosity, boredom, desire to be “in the know” -- and it can be intentional or by accident. The sad truth is that some employees may not even be aware that they are in fact breaking HIPAA rules through their inappropriate data access. 

With private health information consistently at healthcare professionals’ fingertips, it’s up to healthcare organizations to train employees and implement monitoring solutions and policies to help mitigate the risk of snooping. Identifying and addressing this type of behavior over the long term requires creating a culture of privacy and compliance that permeates the entire organization. Here are four steps to help mitigate snooping:

Take stock of the data

Healthcare organizations are responsible for an enormous amount of personal data. This data is often dispersed across different systems and departments with various different security controls. Therefore, the first step to data security is understanding where the data lives within the organization and its purpose. In doing so, organizations gain a clear understanding of who should be accessing what. Identifying and evaluating all patient data will help ensure that all patient information is monitored and accessed appropriately.

Implement data monitoring software

With a clear picture of data security needs, healthcare organizations are then able to implement sufficient data monitoring technology. According to a recent survey, only 58% of healthcare organizations are using automation tools to monitor user activity. With the sheer amount of healthcare data and records handled by organizations, automation is a necessity.

Working proactively, this technology can identify unusual access behavior, taking into consideration factors such as time of access, login credentials, frequency of access, patterns of access, and other key details that might signal to snoop. Some of these factors are best identified over time. For example, a physician may check a patient’s record after the patient no longer is under their care. Knowing when and why a patient’s record is accessed is crucial in identifying snooping behavior. Controlling access to all data sources can help prevent a variety of security risks, including data breaches.

Communicate policies & train employees

Snoopers can be healthcare employees from any department (including non-clinical) and be at all management levels, from unit clerks to physicians. Informing employees about what monitoring technology and procedures are in place will reaffirm a culture of privacy but also reinforce the idea that privacy breaches are unacceptable, and offenders will be identified. In short, if employees think they’ll be caught, they won’t do it.

This level of transparency with employees goes hand in hand with educating them on what qualifies as snooping behavior and how to spot it. By understanding who should be accessing what data, employees can not only reorient their own behavior but also monitor their peers.

Until educated on privacy, staff may not even be aware that certain activities are considered a privacy breach. Establishing a well-known system for reporting suspicious behavior and ensuring appropriate non-punitive measures are in place, is key to making privacy and security organization-wide priorities.

Build a culture of privacy

Taking stock of the data, implementing the right technology, and informing employees all contribute to a culture of privacy. In order to instill this culture in the long term, appropriate follow-up measures for after a snooping incident is identified must be put in place. Clear responsibility and management of security systems must also be clearly established. This follow-through and oversight will help privacy programs mature and evolve to match shifting security risks. Organizations will be able to avoid data breaches but also be prepared to respond to the consequences of a snooping breach. Knowing how to remedy and repair the situation after a snooping incident is key to establishing long term security and strengthening the internal culture of privacy.

Many healthcare organizations think snooping is a small part of an overall security strategy, but the reality is it’s fundamental. With the COVID-19 pandemic limiting staff and therefore physical oversight, monitoring for internal snooping activity is more important now than ever. It may seem daunting to achieve the level of security that prevents snooping but by taking step by step action to implement the right tools, training, and policies, healthcare organizations can ensure that all patients’ privacy is protected.

About the author:
Lisa Counsell, RN, is Vice President of Healthcare for FairWarning, an Imprivata Company.