Monthly Archives: October 2014

Transparency in Payments Sheds New Light on Medical Funding

For the first time, the total of payments that doctors and teaching hospitals received from pharmaceutical companies and medical device makers was made public. The reported amount, $3.5 billion, reflects the final five months of 2013, and is the most extensive such data collection ever subjected to public scrutiny.

Breakdown on Payments

According to the Centers for Medicare and Medicaid Services (CMS), the payments included not only professional compensation such as consulting fees, speaking fees and research grants, but also travel, meals, and entertainment. Although the names of the recipients of about 40 percent of payments were withheld due to data inconsistency concerns, approximately 546,000 providers and 1,360 teaching hospitals altogether received 4.4 million individual payments from healthcare companies, amounting to $23 million per day.

Why Transparency Matters

As part of the federal healthcare reform law enacted in 2010, any payment of over $10 must now be disclosed to CMS, including those sent immediately to charity. This aspect of the Affordable Care Act, called the Physician Payments Sunshine provision, received bipartisan support from Democratic and Republican lawmakers as an effort to increase transparency. Years of research indicate that the majority of physicians (83 percent) receive gifts from drug or medical service companies, and 28 percent of providers receive payments for research or consulting.

Despite requests from physician groups, including the American Medical Association (AMA), the CMS would not delay the release of payment data. Physician groups complained about errors that had the potential to create an inaccurate representation of the medical industry, particularly of the impact that such payments have on individual doctors.

Patients’ awareness of potential financial conflicts of interest can cause them to question the reasons behind prescriptions or treatment recommendations. With increased financial transparency, doctors can know whether the experts who recommended guidelines were paid for their opinions by companies that stand to benefit. Health insurers have voiced concerns that extensive industry payments cause physicians to overprescribe expensive drugs and medical devices out of financial motives.

Misaligned Incentives

The tenet of “First do no harm” should trump kickbacks and incentive payments, yet the pharmaceutical and medical device industry boasts deep pockets that may tempt physicians into making care decisions based on the wrong motivations.

Brendan Buck, the spokesman for America’s Health Insurance Plans, describes the payments as the “perfect symbol for the misaligned incentives in our healthcare system.” Unlike other healthcare stakeholders who work to lower costs, drug makers are invested in inflation-based pricing that benefits their profit margin instead.

Research shows no correlation between patient trust and industry payments, as patients may view the request to—for example—consult in return for an all-expenses-paid trip as a compliment to their physician’s expertise rather than a symbol of his or her corruption.

The new emphasis on increased transparency in medical funding serves as a reminder that financial involvement with the medical industry, while it can be beneficial, also needs to be conducted above-board rather than behind locked doors.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, Lean Six Sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke formerly headed Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Has the ICD-10 Delay Caused a Loss in Momentum?

The deadline extension for the ICD-10 conversion was originally intended to give healthcare providers, payers and vendors the chance to improve readiness before the switchover date. Instead, the delay in implementation seems to have had the opposite effect of promoting procrastination; momentum has apparently slowed down instead of picking up speed.

The Workgroup for Electronic Data Interchange (WEDI) conducted a survey in August 2014 to better gauge the progress of those within the healthcare industry as the October 1, 2015 deadline inches closer. Survey data that initially sounds encouraging, such as half of providers stating that they’ve completed impact assessments, looks far less hopeful once you notice that the same percentage of providers claimed readiness last year. Rather than speeding up with the extra time, the ICD-10 conversion has slowed to a snail’s pace, particularly among smaller providers.

Providers vs. Payers vs. Vendors

When comparing states of conversion readiness among different segments within the healthcare industry, it’s clear that some are moving forward with greater alacrity than others.

  • Among payers, nearly 75 percent say they’ve completed impact assessment while 17 percent more say they’re nearly there.
  • Compared to a similar 2013 survey, when only 25 percent of payers had begun external testing, the 2014 survey shows that over half of plans report that they’ve already started testing their ICD-10 tools.
  • Only 10 percent of vendors say that their development is less than halfway complete. One-third say they’re about 75 percent of the way there, and two-fifths say they’re ready to go.
  • About two-thirds of vendors report that their ICD-10 tools are already available, although about 25 percent say their products won’t be ready until 2015.

Essentially, when evaluating the state of overall readiness, payers and vendors are in much better shape than providers.

While roughly a third of providers report that they’ve begun external testing, responses from the 2013 survey indicated that a far greater percentage—approximately three-fifths—had expected to reach that stage of development by this time. In the most recent survey, over half of respondents said they’re not sure when testing will start, or won’t be able to begin until early 2015.

Evaluating the Next 12 Months

In a Sept. 24 letter to HHS Secretary Burwell, WEDI Chair Jim Daley wrote that the survey results indicate “the delay has negatively impacted provider progress, causing two-thirds of provider respondents to slow down efforts or place them on hold.”

What does this imply for healthcare organizations to meet the ICD-10 conversion deadline? As Daley warns, “Unless all industry segments make a dedicated effort to continue to move forward with their implementation efforts, there will be significant disruption on October 1, 2015.”

Written by Dean Van Dyke, Vice President, Business Process Optimization

Cybercrime Law & Order: HR Edition

Yes, you read that headline correctly: the same data security threats that occupy the attention of the IT department may now require those in HR to stand on guard. While we’re more accustomed to thinking about the HR department as the folks who develop an organization’s human capital and get excited when they hear about demographics, diversity and generational differences within the workforce, do they now also need to become cybersecurity watchdogs?

Security Is Everyone’s Responsibility

Noticing a trend? It seems many of the stories we pick up and experts we tune into have similar takes on the growing threats toward data security: this is an all-hands-on-deck type of problem, not a minor issue that can be farmed out to the geeks in IT. So where exactly does HR come in?

In a recent blog post titled “56 Million Reasons Why Your HR Department Needs Better Data Security,” Shipman & Goodwin partner Daniel Schwartz says human resources pros need to take a more serious look at the security of HR files. The sensitive personal data in those files can be linked with stolen credit card and banking information to form complete profiles of unwitting Americans. With new stories of breaches at major retailers nationwide popping up nearly every day, we already know our personal financial data is targeted, lined up squarely in the sights of cyber criminals. So what’s the new angle? Schwartz puts it thusly: “So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.”

Sheesh.

Taking Orders from the Top Brass

It’s not just employment law experts like Schwartz who are tapping into this major threat to HR data and encouraging greater vigilance on the part of those holding the keys to your work history. Schwartz takes his call to action directly from some of the US military’s top brass. Admiral Mike Rogers, head of the military’s cybersecurity division, has already been sounding the alarm about HR threats for companies of many sizes. He encourages America’s business leaders to take a more militaristic tack against the real danger of compromised data security:

“You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct… When I look at the problem set, I’m struck by a couple things that I highlight with my business counterparts. Traditionally, we’ve largely been focused on attempts to prevent intrusions. I’ve increasingly come to the opinion that we must spend more time focused on detection.”

The Road Ahead

Admiral Rogers’ words leave little to the imagination: the thieves are already inside. It’s time to focus on detecting existing breaches in addition to finding ways to prevent future security failures. It’s not enough to sit back and relax, trusting that the IT guys and gals have got us covered. Cybersecurity is big business, and that means beating the ne’er-do-wells will require the HR department to step up to the plate.

Written by Ashok Kumar, Manager, Information Security

Mr. Ashok Kumar brings over 14 years of Information Technology and Information Security experience to iBridge. He has worked in Healthcare, BPO, Telemedicine, Remote IT Infrastructure Monitoring and Management, Software development and Information Security Management. He has an understanding and knowledge of network routers, L2 & L3 switches, virtual Cloud infrastructure, Firewalls, UTMs, Server architectures and Server OS platforms including Novell NetWare, UNIX, Windows, Linux, and Solaris.

Ashok has played key roles in system design and capacity planning for enterprise-class, data-intensive applications for distance learning and diagnostics in healthcare. Recently, he was the lead architect for the design and deployment of a failover solution in healthcare for Patient Health Information (PHI) and demographics. He brings a well-balanced approach between budgets, requirements, and maintenance.

He leads the company in ISO 27001 process implementations, threat and risk assessment. He is responsible for all aspects of security at iBridge and maintaining a best-in-class environment for internal users and clients.

3 Must-Haves in eDiscovery Trends

Struggling to reconcile the complexity of discovery with the primary goal of the Federal Rules of Civil Procedure (“construed and administered to secure the just, speedy and inexpensive determination of every action and proceeding”) is enough to make any litigator’s head spin. “Inexpensive” is a word that’s not combined with “eDiscovery” often. Yet, reconciliation between the concept of electronic discovery efforts and more streamlined court proceedings is not impossible, as long as counsel is willing and able to keep up with a few absolute must-haves in eDiscovery trends.

1. Refining Rules through Local Courts

Even courts that deal heavily in intellectual property litigation have turned toward local jurisdictions to develop more refined eDiscovery guidelines and enact new rules. Examples of these orders include putting reasonable limits on email discovery, calling for phased discovery of electronically stored information (ESI), and mandating increased cooperation among all parties involved during litigation regarding eDiscovery issues. Active discouragement of eDiscovery overreaching to limit unnecessary (and all-too-often exorbitant) costs has led to enhanced cost-shifting provisions.

Takeaway Tip: Don’t shy away from checking federal case law against local jurisdictions to shed more light on eDiscovery expectations.

2. Awareness of Potential Consequences for Mismanagement

Although there’s no denying that the costs of eDiscovery can be considerable, recent data shows that mismanaging eDiscovery can cost far more. Formerly reluctant courts are these days more willing to issue sanctions and impose monetary fines for eDiscovery misconduct, in steadily increasing amounts. While some research suggests the rate of sanctions may have leveled off of late, don’t forget the nearly $1 million sanction imposed by a federal judge in In re Pradaxa Products Liability Litigation late in 2013 due to eDiscovery mismanagement; it shows that eDiscovery sanctions are not going away soon.

Takeaway Tip: Adopt a solid strategy before beginning discovery to keep efforts and costs at a reasonable and justifiable level.

3. An Expansion of Options

Finally, the recent explosion of available eDiscovery tools, like predictive coding, has been a complete game-changer. Any attorney responsible for managing complex litigation must look around at the options available for reducing the time-consuming process of human-based manual review before beginning the discovery process to keep costs down. Take this suggestion with a grain of salt, remembering that laws governing the use of these tools are still in their formative stages.

Takeaway Tip: Take the time to develop a foundational plan before jumping into a new workflow armed with the latest and greatest gadgetry, but make the most of what’s out there.

The Future of eDiscovery

Even the most vocal naysayers have reached a place of grudging acknowledgement when discussing that eDiscovery is here to stay. Despite the tendency to feel overwhelmed at the lack of existing parameters combined with the rapid-fire advancement of technology and methodology, adopting the strategies listed above can make it possible to break the eDiscovery learning curve down into much more manageable chunks.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

The Biggest Heartbleed Hack in History?

The buzz surrounding the Heartbleed vulnerability may have mostly died down, but does that mean the vulnerability itself is no longer a concern? Unfortunately not, judging from the recent cyber-attack on Community Health Systems Professional Services Corporation’s (CHSPSC) network. One of the largest disclosed data breaches with a reported 4.5 million personal patient records accessed, this incident serves as an excellent reminder for healthcare providers to take extra precautions for digital security.

Breach Details

The Heartbleed vulnerability was first revealed last spring. It is a serious flaw in OpenSSL that lets an attacker retrieve memory from the affected server, including the server’s OpenSSL private keys and other secret material (the “secondary keys”). With those keys in hand, traffic between server and client can be decrypted.

CHSPSC issued a statement in August stating that it had been attacked at some point between April and June, although the breach was not discovered until July. The company, based in Tennessee, provides IT services (including management and consulting) to clinics and physicians. As for the breach itself, an unpatched network device was determined to be the exploited access point. Although CHSPSC has not publicly confirmed that the Heartbleed vulnerability specifically was responsible for the breach, some of the ports compromised are the same ones that Heartbleed has been used to attack in other incidents.

The company said that, while payment and billing information remain secure, the personal data stolen included specifics like patient names, addresses, phone numbers, birth dates, and social security numbers. This information may be used directly by the hackers, or sold to the highest bidder on the black market. In some cases, personal data can be even more valuable to hackers than card numbers, as these types of files contain clues that can be used to break passwords and guess the verification answers required for primary banking or credit card accounts, abetting identity theft and insurance fraud.

Protecting Against Future Hacks

In this instance, CHSPSC determined that highly sophisticated malware technology was responsible for launching the attack, bypassing security measures to copy and transfer protected data. Moreover, CHSPSC isn’t the only victim; the FBI has warned that the same group has targeted other organizations within the healthcare industry to steal intellectual property related to medical research and development.

To protect your own company, take the extra time to go over security measures with a fine-toothed comb and address any potential weaknesses immediately. Although new hacks are constantly being developed, that doesn’t mean that older vulnerabilities like Heartbleed can’t still be just as easily exploited.

Written by Dean Van Dyke

Is New Focus Needed for EMRs?

The 2009 economic stimulus package, designed to help the US recover from a record financial downturn, included several smaller, targeted programs supporting projects in a variety of fields. In healthcare, federal grants for converting from paper medical records to electronic medical records (EMRs) provided clinic and office-based physicians with significant monetary incentives to accelerate their transition to a 21st century healthcare records system. While the shift to digital is a smart and necessary move for a planet struggling to stave off climate change by reducing waste, it doesn’t come without complications.

EMRs and Incompatibility

One large issue with EMRs is that, like iPhones and Androids, their proprietary software makes them unable to “talk” to EMRs created on a competitor’s system. If a hospital system uses EMR software from Acme Corporation, but your records are from a hospital in a neighboring state that signed a contract with Beta Industries, you may be in trouble when you show up at the Acme Corporation hospital without identifying information.

Part of the goal of the Affordable Care Act (“Obamacare”) was to make healthcare more portable, preventing job changes or unexpected unemployment from costing Americans their healthcare insurance. What the ACA doesn’t make more portable, however, is EMRs.

At this point in the EMR revolution, it’s time for the US to have a serious conversation about data portability. Hospital administrators should be very selective when choosing an EMR vendor and verify that data is formatted in a way that is compatible with other popular systems:

  • EMR data should be easily exportable; ease of data export should be a built-in feature of any software solution.
  • Data must be formatted in a non-proprietary fashion recognized by other popular software.
  • Be sure that data and databases are organized in a logical fashion. A standard import/export language and the ability to transfer data in a standard table or Excel file format will be of great value should a healthcare organization need to update or change EMR systems.

EMRs and Security: A Complex Proposition

Data breaches continue to stack up. As security experts come up with more creative ways to secure patients’ healthcare data, hackers and digital miscreants are rising to each new challenge and finding novel ways to access and capture private health data. Harsh penalties have not been enough to slay the security beast, and after-the-fact actions like offering identity theft insurance to affected patients aren’t enough either.

Going digital shouldn’t mean danger. At this critical turning point in U.S. healthcare policy, as much or more attention should be focused on securing patient information and EMRs as is focused on insuring the uninsured and controlling rising costs.

Written by Dean Van Dyke

Ripe for the Picking: Why Healthcare Security Needs a Partnered Approach

Underestimating the threat of security and data breaches may leave patients more at peril after they’ve left the hospital than when they’re in the ICU. In August, the U.S. Department of Health and Human Services reported that major breaches alone – that is, incidents affecting upwards of 500 people – now number nearly one thousand. That is 30.1 million Americans to date who have had their personal health information (PHI) severely compromised.

What’s being done to stop the flood of PHI being snatched, leaked or even willingly served to hackers and cybercriminals primed to do just about anything they want with it? Isn’t HIPAA privacy enough protection to prevent exactly these kinds of incidents?

HIPAA

It’s dangerous to underestimate the crucial importance of the HIPAA privacy law, because it brought a new national awareness to the importance of protecting patient data. The legislation secured sensitive health information such as test results and aimed to prevent unauthorized disclosures of pre-existing conditions and diagnoses. Patients now see HIPAA-related paperwork at every office visit, so at the very least they have a stake in the privacy of their information.

For the medical community, HIPAA requires that practices and practitioners invest in reducing risk. They must think through some scary “what if” situations and create contingency plans to help reduce the impact of a breach. But is following HIPAA enough to keep PHI safe and secure?

Security Measures

It turns out just about any IT professional or security expert will say “No.” HIPAA is a good starting point, but it will not seal an already leaky dam. The onus is on hospitals and private practices to implement key security technologies designed to secure networks powered by the most personal details about every patient. Important steps include:

  • Firewalls
  • Spam and spyware protection
  • Improved sign-on requirements, including single sign-on authentication with stricter security standards
  • Encryption

In a recent article in the “New England Journal of Medicine,” the executive director of Harvard Medical School’s Center for Biomedical Informatics, Eric Perakslis, said healthcare is in the crosshairs and “is being aggressively and specifically targeted.”

The Outlook

The question of healthcare information security cannot be answered with only one tool. Taming this rather ferocious beast will require an entire platform of strategies for security success. Perhaps what will be most interesting is whether the public – the patients whose information is being so “aggressively targeted” – will rise to this challenge by demanding stronger action by both the government and industry. Without a singular commitment to this partnered approach, including both HIPAA provisions and purposeful security actions, healthcare information will remain ripe for the hackers’ picking.

Written by Dean Van Dyke

Guilty Until Proven Innocent: A Paradigm Shift for Healthcare IT Security

With sensitive patient information like diagnoses, test results and financial data on the line, healthcare administrators must take a different approach to protecting patient privacy. While our judiciary system guarantees us all the assumption of innocence until proven guilty beyond a reasonable doubt, the same philosophy may be a dangerous proposition for patients’ personal health information (PHI).

We Built It; They Came

To prepare for a presentation titled “The New Security Reality: Assume the Breach and Reduce Your Risk” at September’s Privacy and Security Forum, Seattle Children’s Hospital chief information security officer Cris Ewell spoke with Healthcare IT News about this important shift in the way healthcare organizations approach security and why assumption of guilt may be a necessary evil:

“In today’s world, security controls just are not enough to protect an organization against the cyber threats that are out there, both internal and external, and if you solely rely on the very prescriptive controls, whether you believe in NIST, ISO, HIPAA or any of those things, it’s the wrong philosophy to take from a very strategic point…You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep people out, therefore change your philosophy to ‘they’re already inside.’ Now what would you do to protect that information?”

Wow. That sobering thought goes a long way to scare the pants off us and makes us wonder what might be gained from more organizations – and perhaps the largest organization of all, the federal government – making similar philosophical shifts. If most current efforts are focused on attempting to seal cracks in an already irreparably leaky dam, then why not abandon or reduce those efforts in favor of securing the waters from inside?

The Threat from Inside

We’ve examined how it’s healthcare employees themselves, not necessarily the foreign cybercriminals we might imagine, who may pose many of the largest threats to PHI. Greater efforts should be focused on reducing loss and theft of devices containing sensitive information. Performing regular, thorough audits of networks and systems is a good place to start. An even better jumping-off point is good old-fashioned encryption: not enough institutions are encrypting their devices, and unencrypted devices are like red carpets upon which ill-intended information poachers may glide swiftly and silently into healthcare systems.

Again, the threat of insider breaches is alarming. But Ewell makes a larger point with great clarity: other threats – foreign, domestic, organized, amateur or otherwise – are already inside the proverbial house. What remains to be seen and decided is how smart, responsible organizations will detect and remove those threats with surgical skill while protecting the best interests of both the patients and the hospitals.

Written by Dean Van Dyke

Can Healthcare Employees Threaten Patient Privacy?

First, do no harm. This most basic of healthcare tenets is second nature for most physicians, but what happens when healthcare staff have their own self-interests in mind while handling sensitive medical data? It turns out that while most people believe hackers and other professional ne’er-do-wells are the biggest threats to private patient information, medical practices’ own staffers may also be likely to compromise patients’ personal health information (PHI).

New Cases

New criminal cases centering on unscrupulous medical office staff going rogue with personal data happen all the time. Just this week there is news of a Washington state woman employed at a physical therapy clinic who used her access to an elderly woman’s PHI to unlawfully transfer more than $13,000 out of the victim’s bank account. This summer, a University of Cincinnati Medical Center employee posted a screen shot of a patient’s medical record, complete with a syphilis diagnosis, to Facebook. A lawsuit is pending.

Accidentally Doing Harm?

While ill-intended staffers are one threat to private patient data and PHI, there may be an even greater threat from uninformed employees who misunderstand or unwittingly ignore key privacy policies. Regardless of the motivation, benign or nefarious, employees revealing patient information is a real threat. According to a 2013 report from the Healthcare Information and Management Systems Society (HIMSS), nearly four fifths of healthcare IT security experts believe employee “snooping” on private patient information is a top threat motivating security breaches.

Assessing the Threat

Whether these inside operators are functioning as lone wolves or as part of larger organized crime syndicates, the healthcare sector definitely has an employee snooping problem. The 2014 Verizon Data Breach Investigations report found that 15 percent of healthcare privacy and security breaches result from insider prying or misuse.

Smart organizations are conducting regular security audits to keep careful tabs on which employees have access to data and how they use that information. A clear chain of custody is vital for all PHI, and enterprise-level healthcare firms and small private practices alike must invest in careful auditing to eliminate the threat of insider abuse and misuse of private patient records.
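One way to turn the audit recommendation above (and the network and system audits urged in the previous post) into a recurring check, as an added example that is not part of the original post: the script below walks a constructed EHR access log and flags record accesses with no documented treating or billing relationship behind them, same-surname lookups that may be relatives, and bulk exports by unrelated staff. The log format, the care-team roster, the staff directory and every name and identifier are assumptions made for illustration.

```python
"""PHI access-log review: flag employee record accesses that lack a
documented treating or billing relationship.

Added example, not code from the original post. All log lines, rosters
and names below are constructed. The assumed pipe-delimited log fields
are: timestamp|employee_id|department|patient_id|action.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed care-team roster: patient -> employees with a documented
# treating or billing relationship (the "chain of custody" for a record).
CARE_TEAM = {
    "P1001": {"E20", "E31"},
    "P1002": {"E20"},
    "P1003": {"E45"},
}

# Constructed staff directory and patient index, used to spot staff
# looking up someone who shares their surname (a common snooping pattern).
STAFF = {"E20": "Okafor", "E31": "Lind", "E45": "Reyes", "E77": "Reyes"}
PATIENT_SURNAME = {"P1001": "Reyes", "P1002": "Singh", "P1003": "Lind"}

# Constructed EHR audit log, one access per line.
SAMPLE_LOG = """\
2014-10-03T08:12:41|E20|Nursing|P1001|VIEW_CHART
2014-10-03T08:15:02|E31|PhysicalTherapy|P1001|VIEW_CHART
2014-10-03T09:40:17|E77|Billing|P1001|VIEW_DEMOGRAPHICS
2014-10-03T09:41:55|E77|Billing|P1001|VIEW_DEMOGRAPHICS
2014-10-03T10:05:30|E45|Nursing|P1003|VIEW_CHART
2014-10-03T12:22:09|E45|Nursing|P1002|VIEW_CHART
2014-10-03T12:23:44|E45|Nursing|P1002|EXPORT
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    employee: str
    department: str
    patient: str
    action: str


def parse_log(text):
    """Parse audit lines; skip malformed lines instead of aborting, since a
    review job should not die on one bad record."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, emp, dept, pat, action = parts
        records.append(Access(datetime.fromisoformat(ts), emp, dept, pat, action))
    return records


def review(records, care_team=CARE_TEAM, staff=STAFF, patient_surname=PATIENT_SURNAME):
    """Return a list of (reason, Access) findings.

    NO_RELATIONSHIP  employee is not on the patient's care team
    EXPORT_NO_REL    bulk export by an employee with no relationship
    SAME_SURNAME     employee and patient share a surname (possible relative)
    A patient missing from the roster is treated as having no care team.
    """
    findings = []
    for rec in records:
        on_team = rec.employee in care_team.get(rec.patient, set())
        if not on_team:
            reason = "EXPORT_NO_REL" if rec.action == "EXPORT" else "NO_RELATIONSHIP"
            findings.append((reason, rec))
            if staff.get(rec.employee) == patient_surname.get(rec.patient):
                findings.append(("SAME_SURNAME", rec))
    return findings


def summarize(findings):
    """Count findings per employee so reviewers see repeat offenders first."""
    return Counter(rec.employee for _, rec in findings)


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for reason, rec in found:
        print(f"{rec.ts.isoformat()} {reason:16} {rec.employee} -> {rec.patient} ({rec.action})")
    print("per-employee totals:", dict(summarize(found)))
```

In a real deployment the roster would come from the scheduling or billing system and the findings would be routed to a privacy officer, since a flagged access is a lead for review, not proof of misuse.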

With the numbers of these types of breaches on the rise and increasingly creative criminals prepared to do just about anything to steal money, healthcare information and identities, ethical organizations are battening down their collective hatches against further breaches while carefully monitoring their security procedures to minimize the threat.

Written by Dean Van Dyke
