Security experts emphasize that organizations have to limit access to databases holding sensitive information. However, they also have to design the information systems themselves carefully, so that sensitive data a user doesn't need never appears on screens that user has a legitimate reason to see.
That appears to have failed at a health authority in Canada’s far north, which confirmed Monday that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping.
CBC News reported that some staff at the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories, including the Inuvik Regional Hospital, have been disciplined for wrongly accessing the records of 67 patients.
The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying.
The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority.
The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach.
Last month the federal privacy commissioner warned that “employee snooping poses a serious privacy risk that if left unchecked can cause significant and lasting financial and reputational damage to both your customers and your organization.”
Some staffers snoop out of curiosity; others, like those at a Toronto-area hospital, used data from its electronic patient system to sell Registered Education Savings Plans (RESPs) to new mothers, or sold data on new mothers to a firm that sold RESPs.
In case you didn’t get the privacy commissioner’s report, here’s a link. He suggested 10 ways organizations can eliminate employee snooping including:
– Foster a culture of privacy;
– Hold periodic and/or “just-in-time” training and reminders of policies around snooping;
– Ensure employees know that consequences will be enforced. That includes having employees sign (upon hiring and at regular intervals) confidentiality agreements;
– Ensure access is restricted to the information required to perform the job.
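The last point, together with the design flaw described above (a scheduling screen that shows every staff member the reason for a visit), is illustrated by this added example, which is not code from the article or from the health authority's system. It assumes a constructed scheduling record, two hypothetical roles, and a per-shift patient-count threshold; the screen only receives the fields its role needs, every view is logged by field name (never by value), and a simple check flags users who looked at more distinct patients than a shift plausibly requires.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Fields each role may see on the scheduling screen. "reason" (why the patient is at the
# hospital) is withheld from roles that only need times and dates. Roles are constructed.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "scheduler": {"patient_id", "appointment_time", "checkout_date"},
    "nurse": {"patient_id", "appointment_time", "checkout_date", "reason"},
}

@dataclass
class AuditEntry:
    user: str
    role: str
    patient_id: str
    shown: List[str]     # field names returned to the screen (values are never logged)
    withheld: List[str]  # field names present in the record but outside the role's scope

AUDIT_LOG: List[AuditEntry] = []

def scheduling_view(record: dict, user: str, role: str) -> dict:
    """Project a scheduling record down to the role's fields and log the view."""
    allowed = ROLE_FIELDS.get(role, set())  # unknown role sees nothing but is still logged
    shown = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(AuditEntry(user, role, record["patient_id"],
                                sorted(shown), sorted(set(record) - allowed)))
    return shown

def distinct_patients_viewed(log: List[AuditEntry], limit: int) -> Dict[str, int]:
    """Detection: users who viewed more distinct patients than the limit for a shift.
    Returns {user: count} for offenders only; an empty dict means nothing to review."""
    seen: Dict[str, Set[str]] = {}
    for entry in log:
        seen.setdefault(entry.user, set()).add(entry.patient_id)
    return {u: len(p) for u, p in seen.items() if len(p) > limit}

# Constructed sample records; no real patients, dates or visit reasons.
SAMPLE_RECORDS = [
    {"patient_id": f"P-{i:03d}", "appointment_time": f"2020-01-06T{8 + i:02d}:00",
     "checkout_date": "2020-01-07", "reason": "sample visit reason"} for i in range(5)
]

def demo() -> Dict[str, int]:
    """A scheduler browses every record on the day; a nurse opens one. Only the browsing
    user is flagged, and the scheduler never received the reason field."""
    AUDIT_LOG.clear()
    for rec in SAMPLE_RECORDS:
        scheduling_view(rec, "alice", "scheduler")
    scheduling_view(SAMPLE_RECORDS[0], "bob", "nurse")
    return distinct_patients_viewed(AUDIT_LOG, limit=3)  # returns {'alice': 5}
```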