Executive Summary
A surgery center employee who was about to be fired sent about 170 emails from her work computer to her personal email. Those emails included some highly sensitive files for in vitro fertilization patients.
- Before employees are given access to your IT systems, and preferably at least annually, go over acceptable access and use of data. Ensure your policies say that transferring electronic protected health data outside of the organization’s network should be done only if specifically authorized.
- When firing employees, disable the access credentials, obtain any keys or equipment, and escort them while they obtain their belongings and leave the building.
- Examine new technology that can prevent electronic information from being transferred or downloaded.
By Joy Daughtery Dickinson
An employee figured out that she was about to be fired by her surgery center. She responded by sending about 170 emails from her work computer to her personal email account. Those emails included personal information for 317 patients, including some highly sensitive files for in vitro fertilization patients.
“If you get mad when you get fired, you can’t bust up the equipment. You can’t steal a generator from the warehouse. You can’t take money out of the register. You can’t bust out the window on the way out,” said Robert R. Short II, chief assistant district attorney, Office of the District Attorney, Wichita, KS, when talking to the jury. “All those things would be considered a crime. So what makes [an employee] think she can go in and data mine all this information and put it in her personal email?” [1]
The surgery center discovered the emails had been transferred when they conducted an audit after she was fired, according to media reports. [1] The surgery center sent a letter to all of the patients affected by the email release. [1]
State law in that location prohibits employees from abusing their authority and taking confidential information from their employers’ computers, Short said in an interview with Same-Day Surgery. He said this type of law is relatively new.
The employee testified that she worked from home sometimes and that she had previously sent emails to her personal account. She also said that some of those previous emails had included confidential patient information. The employee testified that she feared repercussions from the surgery center about an incident of fraudulent insurance billing. She said her name was attached to the work, and she needed to be able to prove it was valid. The worker said she forwarded the emails to protect herself and that she had permission to send the emails. [1]
Her lawyer claimed that the emails were forwarded, rather than downloaded or printed, in order to be open and transparent. Her lawyer quoted excerpts from the employee handbook and said that only 4.2% of the emails sent contained patient health information. [1]
Seven emails had attachments with confidential patient information, and those emails were the primary focus of the case against the employee. A reproductive endocrinologist at the center said that the in vitro fertilization records were highly sensitive because patients often don’t share such private information even with their family and friends, and it’s “a very emotionally sensitive area of medicine.” [1]
The jury found the employee guilty on all seven counts of computer fraud. At press time, she was scheduled to be sentenced Sept. 23.
5 steps to take
What can you do at your facility to avoid such an incident? Sources interviewed by SDS suggest the following:
- Educate employees on their security responsibilities.
“Some employees can move from trusted team member to disgruntled ex-employee fairly quickly,” says Mark Fulford, CISA, CISSP, ABCP, partner at LBMC Information Security, an accounting and professional services firm with headquarters in Brentwood, TN.
Outpatient surgery managers must clearly communicate security responsibilities to employees, Fulford says. Before employees are given access to your IT systems, and preferably at least annually, go over acceptable access and use of data, he says. “Reminding them of potential sanctions, which should be part of your written policies and procedures, is just as important,” he says. Include training in HIPAA federal regulations regarding privacy and protection of patient information, experts emphasize.
- Carefully handle employees who are to be terminated.
When firing an employee is necessary or imminent, monitor and restrict the employee’s ability to cause damage to your organization through removing assets, including health information, Fulford says.
“In the case of a ‘hostile’ termination, the employee’s access credentials should be disabled, any keys or equipment obtained, and the person should be escorted while they obtain their belongings and leave the building,” he says. “This sounds harsh, but it has become the world we live in.”
- Examine use of protective technology.
Begin to evaluate Data Leak Prevention, or DLP, systems to protect your electronic patient health information, Fulford advises. “Technologies that can prohibit health data from being downloaded to removable media or transferred out via email are becoming more commonplace and will soon be seen as the standard of care for protecting against these types of insider threats,” he says.
His views on using technology are echoed by Marc Voses, Esq., partner and co-chair of the Data Privacy Liability and Technology Services Practice Group, Kaufman Dolowich & Voluck in New York City. “The lessons from this case are that no matter what your employment policies are concerning the maintenance of confidential client information, unless you employ active electronic security measures that prevent the unauthorized emailing of information outside of the business’ servers, you are at risk that confidential information can be accessed by an unauthorized individual either intentionally or negligently,” Voses says.
He says “active electronic security measures” refers to computer software programs that allow office administrators to prevent information from leaving secured servers unless the employee has the appropriate credentials. “However, permitting an employee to move confidential patient information, or any proprietary business information for that matter, to servers that are not under the control of the business is unacceptable in this day and age due to the risk of unauthorized disclosure,” Voses says.
Certain programs can be customized so that, for example, information can’t be copied to portable storage devices, or it is automatically encrypted so that the information can’t be accessed without a password, he says.
In the case mentioned earlier, the center was located in a state in which it was unlawful for employees to go beyond the authority they have to access and remove information from a computer. However, the deterrent effect of criminal laws is not enough to stop employees from improperly accessing or downloading confidential patient information, Voses says.
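The center only found the forwarding in an audit after the termination. The following outbound mail-gateway log review, added here as an illustration and not code from the article, the center, or any DLP vendor, flags the same pattern while it is happening: one internal sender pushing a burst of messages, some with attachments, to an outside personal-mail address. The log format, the `clinic.example` and `webmail.example` domains, and the 30-minute window and threshold of three messages are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound mail-gateway records (not real log data):
# timestamp, sender, recipient, number of attachments
SAMPLE_LOG = """\
2015-03-02T08:05:11 jdoe@clinic.example rcook@clinic.example 0
2015-03-02T08:07:40 jdoe@clinic.example jdoe.home@webmail.example 1
2015-03-02T08:08:02 jdoe@clinic.example jdoe.home@webmail.example 0
2015-03-02T08:09:15 jdoe@clinic.example jdoe.home@webmail.example 1
2015-03-02T08:11:30 jdoe@clinic.example jdoe.home@webmail.example 1
2015-03-02T09:30:00 abell@clinic.example lab@partner.example 1
2015-03-02T13:02:27 abell@clinic.example abell@clinic.example 0
"""
INTERNAL_DOMAIN = "clinic.example"           # assumption: the facility's own domain
PERSONAL_MAIL_DOMAINS = {"webmail.example"}  # assumption: consumer mail providers
WINDOW = timedelta(minutes=30)               # assumption: burst window
BURST_THRESHOLD = 3                          # external messages from one sender in WINDOW

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, n_att = line.split()
        records.append((datetime.fromisoformat(ts), sender, rcpt, int(n_att)))
    return records

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def find_exfil_candidates(records):
    # Group only messages leaving the organization, per internal sender
    by_sender = defaultdict(list)
    for ts, sender, rcpt, n_att in sorted(records):
        if domain(sender) == INTERNAL_DOMAIN and domain(rcpt) != INTERNAL_DOMAIN:
            by_sender[sender].append((ts, rcpt, n_att))
    findings = {}
    for sender, msgs in by_sender.items():
        reasons = set()
        # Any attachment addressed straight to a personal webmail account
        if any(n and domain(r) in PERSONAL_MAIL_DOMAINS for _, r, n in msgs):
            reasons.add("attachment to personal mail domain")
        # Sliding window: BURST_THRESHOLD or more external messages inside WINDOW
        start = 0
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                reasons.add("burst of external messages")
                break
        if reasons:
            findings[sender] = sorted(reasons)
    return findings
```

A single message to a business partner, as in the `abell` records, is not flagged; the sender who forwards several messages with attachments to a personal account within the window is.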
- Ensure your policies and procedures address the issue.
Have clear policies in place to prohibit removal of patient data, including physical records or electronic records, for anything except an approved business purpose, Fulford says. “There should also be evidence that employees have read and agreed to these policies as a condition of employment,” he says.
Fulford says policies should spell it out: Transferring electronic protected health data outside of the organization’s network should be done only if specifically authorized. “When authorized, there should be several controls considered in the policy,” he says. Fulford says those controls should include the following:
— Encrypt data before it is sent.
— If sending to a third party, put appropriate business associate agreements in place before any data transfers occur.
— Maintain a list of parties, internal and external, that receive data transfers along with the nature, purpose, and frequency of the transfers, along with who authorized the transfers.
- Address work-at-home arrangements.
Fulford acknowledges that most organizations have remote workers. “However, there are ways to greatly reduce or eliminate the need for a home-based or remote worker to have electronic records stored or processed on their home computers,” he says.
Provide access to clinical and billing systems through remote technologies, Fulford suggests. (See Resources at end of this article.) These technologies “leverage Internet technology such that an employee’s home computer is actually displaying a computing session on a remote machine with the appropriate security controls,” Fulford says.
Put controls in place that restrict the ability of the remote worker to store or print records to their local home office, he advises. “As a general security precaution, health records should not be stored on personal computers that are not maintained in a secure fashion by the facilities’ IT or security teams,” Fulford says. “Since home computers are often shared by multiple family members and lack the perimeter firewalls and security controls that are in place at most facilities, the chance for compromise of those machines, and hence potential undetected data breaches of ePHI [electronic protected health information] is high.” (For information on how to protect yourself from a breach, see story in this issue.)
1. Dunn G. Former surgery center employee found guilty of computer crime. Wichita Eagle, July 20, 2015. Accessed at http://bit.ly/1JdMG2U.