What happens when you search for your company online?
For Aventura Hospital in Florida, the specter of an insider attack that began in 2012 still looms ominously four years later. On the first page of search results is a news story that details how rogue employees spearheaded three separate data breach incidents in the span of two years.
It also helps to explain why an astonishing 9 out of 10 health care decision makers – 92 percent – believe they are vulnerable to insider threats. Even more troubling, nearly half – 49 percent – say they are “very” or “extremely” vulnerable. These disconcerting facts paint the picture of an industry that acknowledges a threat exists but is still seeking a solution.
A major reason for this feeling of vulnerability is the nature of the work done by health care organizations, which must protect their clients, their drugs and their assets from harm. For example, health care employees treat people who need help and who, sadly, can be easy targets for criminals. Similarly, patient records contain a treasure trove of personal information that is even more valuable to criminals than credit card records, which adds another threat to the equation.
It adds up to an industry that must be constantly aware of potential risk and liability – one lawsuit or one rogue employee can cause irreparable harm and destroy a company. Do you want your hospital to end up on the news as a cautionary tale? Or would you rather ensure you’ve done everything possible to mitigate risk?
To keep tabs on potential risks posed by employees, the healthcare industry has relied for years on pre-hire background checks and periodic or occasional re-screens. In tandem with regulations, license requirements and cyber security protocols, many health care organizations feel they are doing everything possible to monitor employees. Except, they are not.
The current screening process for health care has led to a “liability gap” between re-screens and license renewals. Let’s say an employee is screened upon hire and then re-screened every year thereafter. At first glance, a manager would feel secure that the employee’s risk status is being properly updated and assessed.
In reality, that manager – and by proxy, the entire organization – is opening itself up to untold damage by allowing employees to go months between screens. It should not be a surprise that much can change in an employee’s life in a matter of months. This is why hospitals and health care organizations need to move to a continuous risk monitoring approach to properly assess risk and identify threats in real time, not after the fact.
One organization instituted continuous risk monitoring for more than 30,000 employees and contractors and the results after only three months were astounding. The organization uncovered 20 felony arrests, including a multiple sex offender. Could you possibly afford to employ a sex offender for any amount of time?
Shockingly, sex offenders have gained employment at hospitals. Southend Hospital in the United Kingdom had to publicly admit that it employed a sex offender who saw eight children at medical visits over his three-month employment. While thankfully there were no further incidents, it should never have happened.
The notion of screening every employee, every day, sounds daunting and time-consuming. However, advances in software mean it is now efficient and cost-effective.
A cloud-based platform can instantly analyze mountains of public records data, such as arrest and financial records, and instantly alert leaders to changes in risk status. These changes could include a recent arrest, a property lien that signals financial troubles or a lawsuit that indicates personal issues.
Arguably, no industry faces greater liability than health care. One negligence lawsuit or data breach can cost a hospital millions upon millions of dollars, dramatically increase insurance costs and do untold damage to reputation.
West Virginia United Health’s Mark Combs shared a very interesting sentiment about the importance of fighting insider threats that resonated with me.
“We’ve tried to tell our employees that ensuring patient privacy and ensuring data security aren’t just about getting caught and having something bad happen,” he said. “It’s really about, this is the way we care for patients; this is the right way to care for the patient.”
By bringing external public records together with internal data such as personal reviews and network activity, health care organizations can drastically reduce their exposure to insider threats and prevent incidents that drive clients to rival facilities.
Periodic screens force managers to manually sift through information that is already outdated and does not keep pace with change. There have been too many examples of fraud, crimes and data breaches to believe the current screening process is working well.
Healthcare organizations need a screening process that’s as dynamic as their personnel. The answer lies in continuous risk monitoring and a real-time risk status for every employee.