• E-mail
• Print
• RSS

TIP: How to set up your 'honeypots'

HIPAA Weekly Advisor, December 15, 2008

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Last week’s issue discussed the use of “honeypots,” fictitious medical records, to help monitor for snooping staff members.

Here are a few more tips on implementing them at your facility:

• If you’re a privacy director pursuing this strategy, gaining executive sponsorship is the first step. Their sponsorship is necessary to ensure that you have their support in the event that use of honeypots results in controversy.
• Involve necessary staff members. You’ll need to have the information security and HIM department set up and monitor the honeypot. Human resources’ participation is necessary to ensure that they will and can take appropriate action if you catch someone accessing records inappropriately. Legal counsel should vet the entire program to ensure that legal risks are avoided. But remember—less is more; the fewer people involved, the better your plan will work. Involve only those who are truly necessary.
• Setup is only as difficult as you make it. Staff members should already understand what you expect of them with respect to compliance, through training you provide, and the employee agreement that they should have read and signed upon hiring.
• To set the honeypots, create records for five media-centric personalities. And make them as real as possible. Then watch the pots and see if they boil. Take notice of activity in these records, but understand that false-positives can occur (e.g., an IT staff member may enter the records to maintain them).
• Remember, your goal in using honeypots is to identify and discipline individuals who act badly despite knowing better, not to punish those who are truly uninformed or simply made a good faith mistake. Be certain that staff members are knowledgeable with respect to policies that prohibit snooping, and that system configuration prevents accidental access.

Editor’s note: This tip is adapted from an article in the December issue of the HCPro, Inc., newsletter, Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• Comment
• E-mail to a Colleague
• Print
• RSS
• Archive

Comments