When dating, people want to know who is sitting across from them. Some people turn to social media, the Internet and LinkedIn to find out about potential dates. Now some medical professionals are going a step further and snooping through the medical records of potential matches, according to Austin, Texas-based SecureLink, a key access management company. SecureLink provides a patient privacy monitoring system that leverages artificial intelligence to flag instances of EHR abuse, such as frequent and irregular name searches. MedCity News spoke with SecureLink Chief Data Scientist Daniel Fabbri via email to learn more about this phenomenon.
MedCity News: Can you explain what EHR snooping is and what it means?
Daniel Fabbri: We saw an example of EMR access in which employees engaged in online dating use the EHR in the workplace to identify and collect dating information. Because EHR systems are used in medical emergencies, they are generally open systems accessible to all clinical staff. This quick and broad access is critical when dealing with medical emergencies, but it creates an easy source of data for snoopers.
These types of snoopers typically scan records using a series of first and last initial searches until they see something that appears to match their dating profile. Once they know an individual’s first and last name, they may conduct more traditional research, gathering information through search engines and social media.
MedCity News: Is this common in small hospitals or large hospitals? Are there certain types of hospitals that are more common?
Daniel Fabbri: Electronic health record (EHR) misuse has been detected in small and large hospitals, but online data snooping appears to be more common in larger hospitals (although it is too early to judge broader trends). That’s likely because larger hospitals see more patients each day, allowing snoopers to scour more records to find their potential matches.
MedCity News: How did the hospital find out about this?
Daniel Fabbri: Today, many healthcare organizations and hospitals have patient privacy monitoring (PPM) systems that monitor every click on medical records. These systems audit all access and leverage machine learning to identify and understand access patterns – automatically detecting and flagging suspicious behavior. These systems help ensure that organizations maintain HIPAA compliance while identifying EHR threats.
Over the years, SecureLink’s PPM has identified users who have accessed many patient records with no therapeutic or operational reason to do so. Interestingly, in some cases many of these unexplained visits were associated with patients with similar names (e.g., Robert Aa, Robert Ab, Robert Ac, etc.). Upon further investigation, it was discovered that some users were snooping to learn more about online dating matches or other dating interests. Because online dating apps may only provide users with first and last initials (for example, Robert A), hospital staff may misuse their access to find the name, phone number, or address of someone they’re dating.
Once we studied this behavior more, we were able to hone the algorithm in our PPM system to more accurately capture this snooping behavior, which looks for multiple name searches with similar structures (e.g., Robert Aa, Robert Ab, Robert Ac, etc. with Robert Jones). In some cases, users search for hundreds of variations of names.
MedCity News: Are providers snooping on accessing their own patient data, or are they snooping on others within the network?
Daniel Fabbri: Often, providers/staff (remember, providers, nurses, lab technicians, medical students, etc. all have access to the EHR) are snooping on patients in the EHR who are not their patients. Users will conduct a series of searches to browse records that match online dates, friends, neighbors, VIPs or colleagues.
MedCity News: What are they looking for when they snoop? What kind of prejudice exists?
Daniel Fabbri: Snoopers may want to know the full names of online dating matches to identify them online through search engines and social media channels. They can also use the EHR directly to gather other information of interest, such as address, marital status, vaccination status or medical history. Medical records also contain financial-related information such as SSN, insurance information, and DOB.
MedCity News: What happens if someone gets caught?
Daniel Fabbri: When suspicious activity is flagged, the first step is to investigate. This helps determine whether access is legitimate or a breach of privacy. If the latter, the hospital will decide on the best corrective action, ranging from a warning or suspension to termination of employment.
MedCity News: What is being done to stop this?
Daniel Fabbri: The best way to protect patient data is to start monitoring access to the EHR and then leverage technology to identify high-risk access patterns, such as online dating snooping. Audits and employee training and education help prevent EHR abuse.
MedCity News: How can healthcare providers protect victimized patients and systems?
Daniel Fabbri: Patient privacy monitoring systems are one way to detect and block online dating snooping. Unlike rule-based patient privacy monitoring solutions, they audit all visits and leverage machine learning to identify and analyze access patterns, resulting in fewer false positives and more effective incident investigations.
At SecureLink, our solutions use artificial intelligence to automatically detect abuse and flag instances of frequent and irregular name searches, such as first and last initials. This ensures that the organization remains HIPAA compliant.
We also recently partnered with MEDITECH, a web-based EHR used by a quarter of U.S. hospitals, to ensure patient privacy by using algorithms that accurately identify and alert privacy officials of such abuses.
MedCity News: How common are these privacy violations?
Daniel Fabbri: Over 99% of medical record accesses are for legitimate and appropriate reasons, and nearly all clinical staff use EHRs appropriately. However, it is important to ensure that the patient’s health information is protected in these types of cases [though small in number].
Photo: roshi11, Getty Images



