Volunteers Could Pose Security Breaches for Hospitals

In talking with CIOs and CMIOs at health systems around the country, HCE Exchange has often heard a similar refrain when it comes to new smartphone and cloud technology that can be summed up as follows: innovative with many possible applications, but rife with security gaps and potential breaches.

Here’s a case in point, courtesy of AISHealth.

The volunteer’s name was Loverson Gelmine, 21. The health system was Jackson Health System, one of the largest health systems in Florida. Gelmine had been a faithful and reliable Jackson North volunteer for an undisclosed period of time. With his cell-phone camera, however, he was really running a covert identity-theft operation, photographing the paper records of 556 patients and selling those records to con men. Police caught these men attempting to use the patient information to file fraudulent tax returns.

Although everyone involved was apprehended and Gelmine will be serving over three years in prison, Jackson has had to take drastic actions to protect itself from such a security breach in the future. This has led the system to ban cell-phone use by all hospital volunteers and to institute fresh leadership for its Jackson North volunteer program.

“Experts say hospitals and other covered entities (CEs) should have specific policies for volunteers and others who may be on campus but not a part of the regular workforce,” AIS writes.

Jackson has introduced several policy and procedure changes in the wake of this incident, according to its president Carlos Migoya. These changes include “a more robust orientation program” that will require volunteers to sign a form pledging “understanding of and adherence to Jackson’s privacy rules”; the aforementioned ban on volunteer use of “smartphones in patient-care areas”; “immediate dismissals for those who have phones in forbidden areas”; and a communication “process whereby ‘nursing leaders in every unit with a volunteer receive documentation regarding the responsibilities of the staff and the description of the volunteers’ permitted duties, which is signed by both the nurse leader and volunteer.’”

The smartphone ban does not apply to employees since many of them “use their cell phones for work.”

Elizabeth Litten, a partner with Princeton, N.J.’s Fox Rothschild LLP, advises that CEs should “reassess how volunteers are used on campus with an eye toward balancing their need vs. the risk to patients.” Should volunteers be used in information-sensitive areas of the hospital (e.g., behavioral-health units) or areas where supervision is spotty (e.g., the ED)?

CEs should also, Litten suggested, require background checks of volunteers and require them to carry “clear identification” while working, such as a name tag that designates them as a volunteer. Furthermore, the boundaries as to where a volunteer is permitted to be in the hospital should be clearly communicated to all members of the staff. Finally, if a volunteer must have a patient’s protected health information, then access should be restricted and supervised, and sensitive information such as Social Security numbers should not be included on those documents.

Whatever measures are taken, the point here should not escape notice. One of the nation’s well-known health systems suffered an identity-theft breach of its patient records at the hands of a volunteer who used nothing more than his smartphone camera. This is cause for alarm for any hospital or health system, whatever its size.

-by Pete Fernbaugh
