Tom Olzak

Right response, wrong controls

In Data Security, HIPAA, Risk Management on April 6, 2009 at 12:40

The HIPAA security rule is clear about how application access controls should be configured.  A health care employee should only have access to information for patients for which he or she provides care.  This is a very clear requirement, but one which at least a few providers haven’t implemented years after the required HIPAA compliance deadline.

In the latest example of employee data-snooping, a Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 workers and reprimanded eight others for improperly accessing the medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.

The unauthorized accessing of Suleman’s electronic records at the facility in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson. He said the improper activities were discovered through increased network-monitoring procedures put in place by the hospital in connection with the birth of the octuplets.


The snooping incidents highlight the lack of adequate data-security controls at hospitals and other health care organizations, said Deborah Peel, who heads the Patient Privacy Rights Foundation in Austin.

Peel claimed that such privacy breaches occur on a broad scale because of the health care industry’s continued reliance on “primitive” user-access controls. At large enterprises like Kaiser, she noted, thousands of workers may be able to access patient data, even if they don’t need to do so.

Source: Kaiser Hospital: Employees Peeked at ‘OctoMom’s’ Records, Jaikumar Vijayan, Computerworld, 6 April 2009

The hospital claims to have trained its employees on the proper use of ePHI.  Policies were apparently in place to support HIPAA requirements, and sanctions were quickly applied when a violation was detected.  These are all an excellent start, but  too much reliance was placed on human behavior.

While we have to rely to some extent on the honesty of our employees, we must also take steps to minimize impact when some of them slip.  The principle of need-to-know has been part of security best practice since before computers were invented.  It’s too bad some software developers and their customers didn’t get the word that application access controls must be granular enough to allow access only to information required to perform the functions of a specific role.  This goes far beyond ePHI, encompassing access to any data classified as sensitive.

  1. What’s this mean: “…continued reliance on “primitive” user-access controls.”

    Doesn’t it really just come down to the rule of least privilege using existing access controls? Or was something else required?

    • Least privilege isn’t enough, because it doesn’t address allowing access only to an approved subset of available data. This is a function of need to know.

      In a system which supports need to know, the access controls are granular enough to limit records a user can view. For example, limiting a nurse’s access to patients in her ward but blocking access to other patients in the hospital.


Comments are closed.

%d bloggers like this: