The seven deadly sins of EHR snooping

Christa White
Published in tech-protenus, Nov 16, 2017

Gossiping about acquaintances, Google searching celebrities, poking around on social media. We’ve all done it. Being curious about the lives of the people around us is part of being human.

However, this reality can become dangerous in certain contexts, like healthcare.

Consider the electronic health record (EHR). These systems contain some of our most sensitive information — social security numbers, addresses, medical histories, and test results. The nature of healthcare means that an organization’s entire staff can access the health records of all patients in order to provide life-saving care. Unfortunately, this also means that anyone inside a health system can look at those records, including records that fall outside of their care responsibilities.

At Protenus, we spend a lot of time thinking about how and why people look at electronic patient data inappropriately. Our artificial intelligence-powered platform, which detects privacy violations in the EHR, analyzes every access to every medical record to detect inappropriate behavior by EHR users. As a result, we see some scary stuff. One thing is especially clear — the full range of human frailties is on display when it comes to snooping.

We’ve found seven common reasons that account for why healthcare workers inappropriately snoop in the EHR, and they map well to the seven deadly sins — habits or behaviors that give rise to manifestations of human immorality. Just as these sins can wreak havoc, privacy breaches have similar effects on the lives of affected patients, as well as on the healthcare organizations where they occur.

Wrath

Someone you work with has slighted you, thrown you under the proverbial bus, or received the promotion you deserved. If you have access to the EHR, you might not get mad, but get even. There’s a good chance that your co-worker has a medical record at the organization where you work, and you could really use some ammo. Nothing is stopping you, and how would anyone even know?

Greed

Fact: Medical records go for up to $1,000 on the black market. Fraud and identity theft are some of the most severe manifestations of greed. For external hackers and malicious actors, a medical record is an irresistible prize. However, hospital insiders can easily access information in the medical record, making them a potentially even more damaging threat. Out of thousands of employees with access to the medical record system, there are plenty of examples of how one bad egg hoping to make some quick cash lands a healthcare organization in hot water.

Lust

Ah, love. So beautiful in bloom, so terrible once in decline. While lovers’ quarrels have been playing out since the dawn of time, the more recent advent of the EHR has added an interesting twist. With emotions running high, love triangles, infidelity, break-ups, and divorces can tempt otherwise rational people to seek out their ex’s personal information from the medical record system to satisfy their curiosities, or gain potentially damaging information.

Gluttony

What is the EHR version of idle snacking in front of the TV? Sometimes people crave more information than they can possibly keep to themselves, often when they find themselves bored. Maybe you’re working a quiet night shift at the hospital and your fingers start to wander at your keyboard. Protenus’ analysis of privacy breach data has suggested that inappropriate access in the EHR system frequently occurs in conjunction with boredom, namely during lunchtime and the end of the workday.

Sloth

Sometimes you get lazy. You want to find someone’s address so that you can send them a birthday card, and you know you will be able to find it in the EHR system (yes, people still send cards in the mail!). It is all too easy to use the EHR system as a directory, and accidentally view private patient data in the process. Laziness can also take the form of sloppy search practices, leaving the John and Mary Smiths of the world subjected to having their medical records exposed more than anyone else.

Envy

The fantastical lives of the rich and famous can make us quickly forget that celebrities, athletes, and public figures are people too, who deserve to have their medical records protected. Unfortunately, we are often tempted to locate their weakness, no matter how perfect their lives may seem. These complex feelings can lead down the dark path towards VIP breaches.

Pride

Pride comes before the fall. Depending on your role and your own perceived value to the organization, you may think the rules don’t apply to you. Even worse, you may think you’re above the consequences of breaking those rules (they’re more “guidelines” anyway, right?). This mindset can translate into freedom to cruise the EHR system beyond the given boundaries of care, and compromise patient privacy in the process.

Clearly, human nature is a force to be reckoned with. The complexities and idiosyncrasies of human behavior are a powerful reminder that rules, policies and guidelines are only the first step to protecting patient data.

Just as every individual has their unique motivations for snooping, the ways they move through the EHR and its associated systems are unique. By understanding why snooping happens, and applying deep behavioral and workflow analytics to users’ actions in the EHR, we can gain the insight we need to identify and ultimately eliminate these types of threats in our healthcare institutions.
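As an added illustration of what such analytics look for (example code written for this page, not Protenus’ platform), the rules below run over a constructed EHR access log and raise the signals the seven sins suggest: access with no care relationship, access to a co-worker’s or VIP’s record, browsing during the lunchtime and end-of-day windows, and one user opening many unrelated records. The reference sets, user ids and patient ids are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Access:
    user: str            # EHR user id
    patient: str         # patient record id
    ts: datetime         # time the record was opened
    has_encounter: bool  # user is on the patient's documented care team

EMPLOYEE_PATIENTS = {"P-200"}  # constructed: staff who are also patients here (wrath / lust)
VIP_PATIENTS = {"P-300"}       # constructed: public figures under a VIP flag (envy)
BORED_HOURS = {12, 13, 17}     # lunchtime and end of workday, the windows the article names

def flag_access(a: Access) -> list[str]:
    """Signals raised by one record access; an empty list means nothing to review."""
    signals = []
    if not a.has_encounter:
        signals.append("no_care_relationship")  # pride / sloth: outside the boundaries of care
    if a.patient in EMPLOYEE_PATIENTS:
        signals.append("employee_record")        # co-worker or ex who is also a patient
    if a.patient in VIP_PATIENTS:
        signals.append("vip_record")             # reviewed even when an encounter exists
    if not a.has_encounter and a.ts.hour in BORED_HOURS:
        signals.append("boredom_window")         # gluttony: idle browsing at quiet times
    return signals

def audit(log: list[Access], bulk_threshold: int = 3) -> dict[str, list[str]]:
    """Roll signals up per user; many unrelated records opened adds a bulk-browsing signal."""
    per_user = defaultdict(set)
    unrelated = defaultdict(set)  # user -> distinct patients opened with no care relationship
    for a in log:
        signals = flag_access(a)
        per_user[a.user].update(signals)
        if "no_care_relationship" in signals:
            unrelated[a.user].add(a.patient)
    for user, patients in unrelated.items():
        if len(patients) >= bulk_threshold:
            per_user[user].add("bulk_browsing")  # greed / gluttony: harvesting or grazing
    return {u: sorted(s) for u, s in per_user.items() if s}
# Constructed sample log: a nurse, a clerk and a physician on one day.
SAMPLE_LOG = [
    Access("nurse1", "P-200", datetime(2017, 11, 16, 12, 20), False),  # co-worker's record at lunch
    Access("clerk2", "P-300", datetime(2017, 11, 16, 17, 30), False),  # VIP record at end of day
    Access("clerk2", "P-101", datetime(2017, 11, 16, 13, 5), False),   # three unrelated records in a row
    Access("clerk2", "P-102", datetime(2017, 11, 16, 13, 6), False),
    Access("clerk2", "P-103", datetime(2017, 11, 16, 13, 7), False),
    Access("doc3", "P-300", datetime(2017, 11, 16, 9, 0), True),       # VIP patient on this physician's service
]
```

Each signal is a prompt for privacy-office review rather than proof of wrongdoing; the physician's VIP access is surfaced so it can be confirmed against the encounter, not because it is presumed improper.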

As long as we’re human, we’ll always be tempted to snoop. To protect patient data from these seven deadly sins of EHR snooping and others, we need technology systems that are just as smart and nuanced as the people using them.

Protenus is devoted to diversity and inclusion in all we do, including but not limited to the right of all individuals to practice and express their religious beliefs (or lack thereof). We write this piece with all due respect to the rich and meaningful religious, philosophical and literary traditions that underlie the concepts we discuss.
