When going on dates, people want to know who is sitting across from them. Some turn to social media, the internet, and LinkedIn to learn about potential dates. And now some medical professionals are taking it a step further and snooping through potential matches’ medical records, according to Austin, Texas-based SecureLink, a critical access management company. SecureLink offers a patient privacy monitoring system that draws on artificial intelligence to flag instances of EHR misuse, such as frequent and irregular name searches. MedCity News interviewed Daniel Fabbri, the Chief Data Scientist at SecureLink, via email to find out more about this phenomenon.
MedCity News: Can you explain what EHR snooping is and what it entails?
Daniel Fabbri: We are seeing instances of EMR accessing by employees who are engaged in online dating turning to the EHR within their workplace to identify and gather information on their dates. Because EHR systems are used in medical emergencies, they are generally open systems that all clinical staff have access to. This quick and broad access is of utmost importance when treating a medical emergency, but it creates an easy data source for snoopers.
These types of snoopers will typically conduct a series of searches with first name and last initial to browse records until they see what appears to be their dating profile match. Once they have the first and last name of the individual, they may do more traditional research to gather information via search engines and social media.
MedCity News: Is this common in smaller hospitals or larger ones? Are there certain types of hospitals where it is more prevalent?
Daniel Fabbri: Electronic health records (EHR) misuse has been identified across small and large hospitals, but online data snooping appears to be more common at larger hospitals (though it is still too early to tell the broader trends). This is likely because large hospitals see more patients on a daily basis, allowing for more records for snoopers to search through to find their potential match.
MedCity News: How did hospitals discover this was happening?
Fabbri: Many healthcare organizations and hospitals have patient privacy monitoring (PPM) systems in place today, which monitor every click to medical records. These systems audit all accesses and utilize machine learning to recognize and understand access patterns – automatically detecting and flagging suspicious behavior. These systems help to ensure organizations stay HIPAA-compliant while identifying threats to EHRs.
Over the years, SecureLink’s PPM has identified users that have accessed many patients’ records where the user had no treatment or operational reason to do so. Interestingly, in some cases, many of these unexplained accesses were associated with patients with similar names (e.g. Robert Aa, Robert Ab, Robert Ac, etc.). Upon further investigation, it was discovered that some users were snooping to learn more about an online dating match or other dating interest. Because online dating apps may only provide users with a first name and last initial (e.g., Robert A), hospital employees can mis-purpose their access to find their date’s name, phone number, or address.
Once we looked into this behavior more, we were able to hone the algorithms within our PPM system to more accurately catch this snooping behavior, which looks for multiple name searches with similar structure (e.g., Robert Aa, Robert Ab, Robert Ac, etc. vs Robert Jones). In some cases, a user will search for hundreds of variations of a name.
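The access pattern Fabbri describes (one user running many patient searches that share a first name and a last initial but differ in the rest of the surname, in a short span) can be expressed as a simple audit-log detection. The following is an added illustration written for this article, not SecureLink's PPM code or any MEDITECH interface; the log format, field names, the 30-minute window and the threshold of five distinct surname variants are all assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log (not real data). One event per line:
# ISO timestamp, user id, action, and for searches the typed query string.
# The last line is deliberately malformed to show the parser tolerating it.
SAMPLE_AUDIT_LOG = """
2024-03-01T08:02:11Z user=nurse_k action=patient_search query="Maria Lopez"
2024-03-01T08:02:40Z user=nurse_k action=record_view patient=10452
2024-03-01T08:15:05Z user=nurse_k action=patient_search query="Maria Lorenzo"
2024-03-01T09:40:00Z user=dr_p action=patient_search query="Robert Allen"
2024-03-01T09:41:12Z user=dr_p action=record_view patient=20991
2024-03-01T12:10:01Z user=tech_j action=patient_search query="Robert Aa"
2024-03-01T12:10:33Z user=tech_j action=patient_search query="Robert Ab"
2024-03-01T12:11:02Z user=tech_j action=patient_search query="Robert Ac"
2024-03-01T12:11:45Z user=tech_j action=patient_search query="Robert Ad"
2024-03-01T12:12:20Z user=tech_j action=patient_search query="Robert Ae"
2024-03-01T12:13:07Z user=tech_j action=patient_search query="Robert Af"
2024-03-01T12:13:40Z user=tech_j action=patient_search query="Robert Ab"
malformed line that the parser must tolerate
"""

# Assumed log line layout; a real system would have its own schema.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) '
    r'action=(?P<action>\S+)(?: query="(?P<query>[^"]*)")?'
)


def parse_audit_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def name_key(query):
    """Split 'First Last' into the grouping key (first, last initial) and the surname."""
    parts = query.split()
    if len(parts) < 2:
        return None
    first, last = parts[0].lower(), parts[-1].lower()
    return (first, last[0]), last


def find_name_enumeration(events, min_variants=5, window=timedelta(minutes=30)):
    """Flag users who search many surname variants for one first name + initial
    within a time window. Returns one alert per (user, first name, initial)."""
    # user -> (first, initial) -> list of (timestamp, surname searched)
    by_user = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["action"] != "patient_search" or not ev["query"]:
            continue
        keyed = name_key(ev["query"])
        if keyed is None:
            continue
        key, last = keyed
        by_user[ev["user"]][key].append((ev["ts"], last))

    alerts = []
    for user, groups in by_user.items():
        for (first, initial), hits in groups.items():
            hits.sort()
            # Slide a window over the searches; distinct surnames, not raw
            # count, is what separates enumeration from repeated lookups.
            for i, (start, _) in enumerate(hits):
                in_window = [(ts, last) for ts, last in hits[i:] if ts - start <= window]
                variants = {last for _, last in in_window}
                if len(variants) >= min_variants:
                    alerts.append({
                        "user": user,
                        "first": first,
                        "initial": initial,
                        "variants": len(variants),
                        "searches": len(in_window),
                        "first_seen": start,
                        "last_seen": in_window[-1][0],
                    })
                    break
    return alerts


def run_detection(text=SAMPLE_AUDIT_LOG):
    return find_name_enumeration(parse_audit_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

In the sample, only `tech_j` is flagged: six distinct "Robert A…" surnames inside four minutes, with the repeated "Robert Ab" counted once. The two "Maria L…" searches by `nurse_k` and the single "Robert Allen" lookup by `dr_p` stay below the threshold. In practice the alert would go to a privacy officer for the investigation step Fabbri describes, since a legitimate reason (a patient who gave only a partial name at registration, for instance) can produce a similar burst.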
MedCity News: Is the provider doing the snooping accessing their own patient’s data, or snooping on others within the network?
Fabbri: Typically the provider / staff (remember, providers, nurses, lab techs, med students, etc. all have EHR access) will snoop for patients in the EHR that are not their patients. The user will conduct a series of searches to browse for records that match an online date, friend, neighbor, VIP, or colleague.
MedCity News: What are they looking for when snooping? What kind of prejudice/biases are there?
Fabbri: Snoopers may be looking to learn the full name of an online dating match to identify them online via search engines and social media channels. They may also utilize the EHR directly to collect additional information of interest such as address, marital status, vaccination status, or medical history. Medical records also contain financial-related information, such as SSN, insurance information, and DOBs.
MedCity News: What are the ramifications if someone is caught?
Fabbri: When suspicious activity is flagged, first there is an investigation. This helps determine whether the access was legitimate or a breach of privacy. If the latter, the hospital will then decide on the best course of corrective action, which can range from a warning or suspension to termination of employment.
MedCity News: What steps are being taken to stop this?
Fabbri: The best way to protect patient data is to start monitoring access to EHRs and then leverage technology to identify high-risk access patterns, such as online dating snooping. Auditing, along with employee training and education, helps prevent EHR misuse.
MedCity News: How can healthcare providers protect patients and systems that fall victim?
Fabbri: Patient privacy monitoring systems are one method to detect and deter online dating snooping. Unlike rules-based patient privacy monitor solutions, they audit all access and utilize machine learning to recognize and analyze access patterns, resulting in fewer false positives and more efficient incident investigations.
At SecureLink, our solution uses artificial intelligence to automatically detect misuse and flag instances of frequent and irregular name searches, such as a first name and last initial. This ensures organizations remain HIPAA-compliant.
We also recently partnered with MEDITECH, a web-based EHR used by a quarter of all hospitals in the U.S., to ensure patient privacy by using algorithms that accurately identify and alert privacy officers to this type of misuse.
MedCity News: How prevalent are these breaches of privacy?
Fabbri: Over 99% of access to medical records are for legitimate and appropriate reasons, and almost all clinical staff use an EHR appropriately. However, it’s important to ensure the protection of patient health information in these types of cases [though small in number].
Photo: roshi11, Getty Images