It doesn’t matter whether a staff member peeks at the medical record of Tiger Woods, John McCain, your mayor, or your next-door neighbor—inappropriate access to medical information is a HIPAA violation.
The seriousness of this problem has led some hospitals and other HIPAA-covered entities to enhance their investigations of security and privacy breaches. Instead of simply monitoring system access logs, they’re using honeypots as bait to catch snooping staff members.
Honeypots, also referred to here as honeynuts, are fictitious medical records that the information technology (IT) department monitors to determine whether anyone is accessing them. Because no real patient lies behind such a record, there is no legitimate clinical reason to open it, which is what makes any access to it a signal.
If you already have strong security measures in place, honeypots can enhance your ability to monitor compliance.
“This is frosting on the security cupcake,” says Gary Nichols, CISM, information security officer at Blue Cross Blue Shield (BCBS) of Arizona.
How it works
The terms “honeypots” and “honeynuts” derive from the notion that if you want to catch birds, you scatter birdseed.
“You put something so sweet out there that they can’t resist,” Nichols says.
Nichols first learned the strategy while serving in the military. He isn’t involved in the practice at BCBS, but his contacts in the healthcare industry tell him it is starting to catch on at HIPAA-covered entities, including hospitals.
IT security and privacy personnel previously used the strategy to catch external intruders accessing a system, but it works just as well for internal intruders, Nichols says.
“It has spectacular results,” he says. “If you have 500 users who have access to a system and you are aware of patient information system access requirements, you know something is wrong when people start searching for and accessing records for Barack Obama.”
But it’s not necessarily an approach for everyone, says John R. Christiansen, JD, founder and managing director of Christiansen IT Law in Seattle.
“I tend to doubt it’s being done in smaller hospitals at all,” Christiansen says. “It does require a certain sophistication and commitment of resources, and it isn’t clear to me that the costs are necessarily worth the benefits, compared to other commitments of compliance resources.”
But it may make more sense to commit to the strategy at academic medical centers, which often have difficulty controlling network access.
“Especially where the security team shares information with the security teams in other large enterprises, this can be a valuable approach to gathering intelligence about new types of attack and patterns of nefarious activity so defenses can be tightened,” says Christiansen.
How to get started
If you’re a privacy director pursuing this strategy, gaining executive sponsorship should be the first step, says Christiansen.
“Using a honeypot implicitly communicates ‘we don’t trust our staff,’ even though we know that insider snooping is by far the most common cause of privacy or security breaches,” Christiansen says. You need to have executive sponsorship willing to back you if the use of honeypots results in controversy.
After you’ve earned administration’s support, you’ll need to have the information security and HIM departments set up and monitor the honeypot.
HR participation is necessary to ensure that the HR staff will take appropriate action if you catch someone accessing records inappropriately, Christiansen says.
“Legal counsel should vet the whole program to make sure legal risks are avoided,” he adds.
This is one of those occasions when less is more; the fewer people who know which records are the decoys, the less likely the bait is tipped off and the better your plan will work. One particular healthcare company that Nichols has spoken with uses a honeypot with only 15 people involved in establishing and monitoring it.
“The great thing is once you do this in one system and have a positive response, you can then expand it into other critical systems seamlessly if you need to,” Nichols says.
Building the honeypot
Setup is only as difficult as you make it. Staff members should already understand what you expect of them regarding compliance through training and the employee agreement they should have read and signed upon hiring.
Conducting a risk assessment of your systems and equipment is the next step. Then create records for five fictitious, media-centric personalities (celebrities or other public figures a snooper would be tempted to look up) and make them as real as possible.
Don’t be too obvious, Nichols says. It’s not likely that a rural hospital in Wyoming would admit Vladimir Putin.
“You also want to be careful that you don’t establish them in a way that might affect actuarial research,” says Nichols. “Create the records, but do [so] in a way that leaves a secure way to remove them as well.”
Most systems keep an audit trail that records who viewed which record and when. Watch for any activity on the decoy records, but understand that false positives can occur. One example is an IT staff member opening the records to maintain them; that kind of expected access should be recognized and set aside rather than reported as snooping.
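The monitoring step above, as an added example that is not code from the article or from any EHR vendor: it reads a constructed audit log, flags every access to a decoy record, sets aside the expected maintenance actions so the IT false positive is not reported, and summarizes the remaining hits per user. The log format, the decoy MRNs, the user names and the maintenance allowlist are all assumptions made for illustration.

```python
"""Flag accesses to decoy ("honeypot") patient records in an audit log.

Added example, not code from the article or any vendor product. The log
format, the decoy MRNs, the user names and the maintenance-account list
are all constructed for illustration.
"""
from collections import defaultdict
import csv
import io

# Constructed: MRNs of the fictitious decoy records. Keep this list outside
# the EHR itself, known only to the small group that runs the program.
DECOY_MRNS = {"MRN-900001", "MRN-900002", "MRN-900003"}

# Constructed: accounts expected to touch decoys for maintenance (the IT
# staff who create and later remove them). Each is allowlisted only for the
# actions maintenance legitimately needs; a maintenance account *viewing* a
# decoy chart in the clinical viewer is still flagged.
MAINTENANCE_ALLOW = {
    "svc_ehr_maint": {"create", "update", "delete"},
}

# Constructed sample audit log (CSV: timestamp,user,mrn,action,workstation).
SAMPLE_LOG = """\
timestamp,user,mrn,action,workstation
2024-03-01T08:02:11,svc_ehr_maint,MRN-900001,create,ehr-admin01
2024-03-01T09:15:40,jdoe,MRN-123456,view,ward3-ws07
2024-03-01T09:16:02,jdoe,MRN-900002,view,ward3-ws07
2024-03-01T09:16:30,jdoe,MRN-900002,view,ward3-ws07
2024-03-01T11:40:05,svc_ehr_maint,MRN-900003,view,ehr-admin01
2024-03-01T12:01:09,asmith,MRN-900001,search,clinic-ws12
2024-03-02T07:55:13,svc_ehr_maint,MRN-900002,update,ehr-admin01
"""


def parse_log(text):
    """Return one dict per audit row (header row supplies the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_expected_maintenance(row):
    """True for an allowlisted maintenance action on a decoy (the false-positive case)."""
    allowed = MAINTENANCE_ALLOW.get(row["user"], set())
    return row["action"] in allowed


def find_decoy_hits(rows):
    """Return every access to a decoy record that is not expected maintenance."""
    hits = []
    for row in rows:
        if row["mrn"] not in DECOY_MRNS:
            continue  # real patient, out of scope for this check
        if is_expected_maintenance(row):
            continue  # IT maintaining the decoy, not snooping
        hits.append(row)
    return hits


def summarize_by_user(hits):
    """Aggregate hits per user: count, decoys touched, first and last timestamp."""
    summary = defaultdict(
        lambda: {"count": 0, "mrns": set(), "first": None, "last": None}
    )
    for row in sorted(hits, key=lambda r: r["timestamp"]):
        s = summary[row["user"]]
        s["count"] += 1
        s["mrns"].add(row["mrn"])
        s["first"] = s["first"] or row["timestamp"]
        s["last"] = row["timestamp"]
    return dict(summary)


if __name__ == "__main__":
    hits = find_decoy_hits(parse_log(SAMPLE_LOG))
    for user, s in summarize_by_user(hits).items():
        print(
            f"{user}: {s['count']} access(es) to {sorted(s['mrns'])} "
            f"between {s['first']} and {s['last']}"
        )
```

On the sample log, jdoe's repeated views of a decoy and asmith's search for one are reported, the create and update by the maintenance account are set aside, and the maintenance account's own view of a decoy is still reported because viewing is not on its allowlist. Each reported user still needs the human investigation the article describes before any disciplinary step.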
An employee terminated for snooping is likely to complain of entrapment, says Christiansen. Criminal defense attorneys rely on this legal doctrine when law enforcement officials create a situation or opportunity for someone to commit an offense. So, in a sense, honeypots are analogous to entrapment, but they’re bait that wouldn’t work if someone wasn’t predisposed to snooping, he says, recalling that W.C. Fields once said, “You can’t cheat an honest man.”
Organizations should be certain that staff members are knowledgeable with respect to policies that prohibit snooping and that system configuration prevents accidental access, Christiansen says.
Your goal in using honeypots is to identify and discipline individuals who act wrongly despite knowing better, not to punish those who are truly uninformed or simply made a good-faith mistake, Christiansen says.
Appropriate disciplinary actions
Establishing robust, granular logging and diligent log review procedures is the most efficient and effective method of monitoring and detecting snooping.
“Make sure people know that [audit procedures] are in place and investigate promptly if inappropriate access is indicated,” says Christiansen. “Take quick, decisive action to punish the offender if inappropriate access is confirmed, and make sure people know when that occurs.”
Christiansen recommends a zero-tolerance policy in which unauthorized record access results in termination, with no excuses or exceptions except a mistake truly made in good faith.
The frequency with which snooping occurs is evidence that many people still fail to comprehend the seriousness of this issue, and that’s why strong measures are necessary, says Christiansen.
“We are still trying to change the norms in the industry,” he says. “Paradoxically, maybe once we have shifted the balance so that the norm is a robust respect for the privacy and security of personal information, we can deal more leniently with offenders.”