Rising Insider Breaches Threaten Healthcare’s Fragile Workforce


Post By: Nick Culbertson, Protenus Co-founder and CEO

This time last year, healthcare workers were being celebrated with nightly tributes from windows and balconies across the country. In inspiring displays of solidarity, Americans showed appreciation for front-line workers’ sacrifices by cheering, clapping, and clanging pots and pans.

Now, as the public begins regaining some sense of normality, healthcare workers are no longer being recognized as heroes; instead, they’re losing their jobs en masse.

In the first three months of this year, the healthcare workforce declined by 44,000 jobs from what it was at the end of 2020, according to an analysis released April 16 by medical research center Altarum. Sadly, it doesn’t seem that the employment decline is over just yet. In May, the bad news kept coming, with some of the nation’s largest healthcare systems announcing that they would lay off hundreds.

Unsurprisingly, the prevailing cause for healthcare’s workforce decline is financial. The costs of acquiring necessary personal protective equipment, coordinating vaccine distribution, launching public health campaigns, and otherwise fighting the once-in-a-lifetime pandemic have squeezed hospitals’ operating margins, which are rarely large even under normal conditions. Alas, health systems are responding by eliminating mostly non-clinical positions, such as those in compliance and security.

This cost-cutting strategy isn’t new, but it is one health systems seem to be leaning on more than usual amid the pandemic. By scrapping certain non-clinical positions, organizations are inadvertently worsening one problem that ultimately leads to even more workforce reduction down the line: insider data breaches.

Compliance functions crumble

With widespread use of EHRs that provide healthcare workers easy access to all kinds of patient data, insiders have long been considered one of the biggest threats to the privacy of that information, according to the Verizon Data Breach Investigations Report. While doctors, nurses, and other clinical workers routinely interact with patient data to provide quality care, they do not always access it in accordance with HIPAA and organizational policy — whether intentionally or by accident.

This was true even before Covid-19 swept U.S. hospitals last year, drawing resources away from compliance monitoring and education processes. With doctors and nurses comprising one-fourth of the personnel devoted to regulatory compliance at an average-sized hospital, the focus on Covid-19 translated into significantly scaled-back oversight. Clinicians tabled compliance-related tasks to perform life-saving work on the front lines.

While clinicians typically involved in compliance shifted their attention, early restrictions on revenue-generating elective procedures led hospitals to trim employees less directly involved in patient care. Thus, in many organizations, compliance teams took yet another blow.

A year later, with non-clinical positions in the crosshairs yet again, the consequences of thinned-out compliance teams for patients, organizations, and their workforces are beginning to come to light.

Violation equals termination

As compliance functions took a backseat in 2020, the volume of insider-related healthcare breaches increased after a four-year decline, according to the 2021 Protenus Breach Barometer. The number of patient records that were compromised more than doubled, from roughly 3.8 million in 2019 to over 8.5 million in 2020.

Considering that all kinds of information surrounding Covid-19 garnered immense public interest — while the professionals tasked with keeping it private were sent home or laid off — it’s not hard to understand why snooping incidents crept upward. So, too, has the use of termination as a stopgap solution.

So far in 2021, a single New York City-based medical center has already terminated two employees who reportedly were discovered to have inappropriately accessed patient records during the pandemic and beyond. At a Florida health system, one worker was recently fired for alleged inappropriate system access that affected over 1,500 patients.

Curbing workforce erosion

Already contending with layoffs for financial reasons — and indebted to the same workers that are being let go — hospitals should aim to prevent privacy incidents from escalating to levels that warrant termination. Because there is limited staff to commit to compliance in the midst of a pandemic, the only way for hospitals to truly make a scalable impact is to equip those teams with sophisticated, automated monitoring solutions.

Prevention-focused technology presents a huge opportunity to combat a lack of privacy and security preparedness among healthcare employees with on-the-spot training. Specifically, compliance analytics solutions built on artificial intelligence can provide complete, continuous monitoring of all auditable system accesses, then surface incidents that warrant refreshers on organizational policies and HIPAA requirements.

By ditching manual processes for solutions that enable rapid detection and investigation of potentially problematic activity, followed by targeted education, hospitals can avoid the years-long breaches that often culminate in termination, as we’ve seen in recent weeks. Ultimately, it is well within organizations’ power to prevent further erosion of the very workforce pulling us through the pandemic.