News & Insights  |  Media Mentions

Related Professionals

Practice Areas


Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses Steps to Protect Medical Data from Insider Breaches

June 10, 2013

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was interviewed by HealthcareInfoSecurity for an article on steps health care organizations can take to prevent employees from mishandling or misusing patients’ confidential data.

“Incidents involving insiders are a significant problem, but they're not all the same,” Mr. Nahra said. Examples of insider breaches include snooping into the medical records of family, friends, co-workers or celebrities, according to the article. More serious abuses can involve the misuse of patient data to commit identity theft and fraud.

“Health care organizations must realize ... there are lots of workers at their companies that have access to lots of information in order to do their jobs,” Mr. Nahra added. Limiting the number of employees with access to vast amounts of patient data is one way to reduce potential vulnerabilities, he said. For example, access to medical records may help health insurers’ customer service representatives answer patient inquiries, but companies should decide whether that benefit is worth the risk.

Companies can  provide extra protection for particularly sensitive data, Mr. Nahra said. He said Social Security numbers, for example, are “very high risk,” and people only need to access them for “very limited reasons.”

A growing number of health care organizations are policing their employees’ use of confidential data and taking action against those who mishandle it. “In the best practices area, that's a mixture of audits, training, investigations, responding to complaints and sanction policies-making to ensure employees know this will not be tolerated, even if it's for an innocuous reason like checking on [the records of] Aunt Sally,” Mr. Nahra said.

Companies should recognize that insider breaches are “a real documented concern in health care,” he added. “Make sure you’ve developed a plan to restrict access on the front end as much as you can, but also build a back-end policing and enforcement process to keep an eye on what's going on with your employees.”