• E-mail
• Print
• RSS

Tip: Use 'honeypots' to catch snooping employees

HIPAA Weekly Advisor, December 8, 2008

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Some facilities use “honeypots” as bait to catch snooping staff members who are in violation of HIPAA. “Honeypots,” also referred to as “honeynuts,” are fictitious medical records that IT monitors to determine if anyone is accessing them.

If you already have strong security techniques in place, honeypots enhance your ability to monitor compliance.

“This is frosting on the security cupcake,” says Gary Nichols, CISM, information security officer for Blue Cross Blue Shield (BCBS) of Arizona. If you’re a privacy director pursuing this strategy, gaining executive sponsorship the first step, says Nichols.

You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy. After you’ve earned administration’s support, you’ll next need to have the information security and HIM department set up and monitor the honeypot.

Human resources participation is necessary to ensure that they will and can take appropriate action if you catch someone accessing records inappropriately, John Christiansen, founder of Christiansen IT Law, in Seattle. says. “Legal counsel should vet the whole program to make sure legal risks are avoided,” he says.

Editor’s note: This tip is adapted from an article in the December issue of the HCPro, Inc., newsletter, Briefings on HIPAA. For more advice on using “honeypots,” please see the next edition of HIPAA Weekly Advisor.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• Comment
• E-mail to a Colleague
• Print
• RSS
• Archive

Comments