Health Information Management

Tip: Use 'honeypots' to catch snooping employees

HIM-HIPAA Insider, December 8, 2008

Some facilities use “honeypots” as bait to catch snooping staff members who are in violation of HIPAA. “Honeypots,” also referred to as “honeynuts,” are fictitious medical records that IT monitors to determine if anyone is accessing them.
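As an added illustration (not code from the newsletter or from any facility quoted in it), here is what the IT-side monitoring of such decoy records can look like: a check over electronic health record access-audit lines that flags any account other than the designated monitoring job touching a decoy record number. The audit-line format, account names and record numbers are assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Constructed decoy record numbers (MRNs): bait records with no real patient behind them.
DECOY_MRNS = {"MRN-900001", "MRN-900002"}
# Accounts expected to touch decoys (the IT job that checks they still exist); anyone else is suspect.
MONITORING_ACCOUNTS = {"svc_honeypot_check"}

# Assumed EHR audit-log line format (not a real vendor format): timestamp, user, action, MRN, IP.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) mrn=(?P<mrn>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return the fields of a well-formed audit line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_access(lines, decoys=DECOY_MRNS, allowlist=MONITORING_ACCOUNTS):
    """Return (user, mrn, timestamp, action) for each access to a decoy by a non-allowlisted account."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production job should count and report these
        if rec["mrn"] in decoys and rec["user"] not in allowlist:
            hits.append((rec["user"], rec["mrn"], rec["ts"], rec["action"]))
    return hits

def summarize_by_user(hits):
    """Collapse hits into {user: decoy access count} to prioritize which accounts to review first."""
    counts = defaultdict(int)
    for user, _mrn, _ts, _action in hits:
        counts[user] += 1
    return dict(counts)

# Constructed sample audit lines: one legitimate check, one real-record view, two decoy accesses.
SAMPLE_LOG = [
    "2008-12-08T09:15:02 user=svc_honeypot_check action=VIEW mrn=MRN-900001 ip=10.0.0.5",
    "2008-12-08T10:41:17 user=jdoe action=VIEW mrn=MRN-123456 ip=10.0.3.12",
    "2008-12-08T11:02:44 user=jdoe action=VIEW mrn=MRN-900002 ip=10.0.3.12",
    "2008-12-08T11:03:01 user=jdoe action=PRINT mrn=MRN-900002 ip=10.0.3.12",
    "not an audit line",
]

if __name__ == "__main__":
    for hit in find_decoy_access(SAMPLE_LOG):
        print("ALERT decoy record accessed:", hit)
```

Because a decoy has no legitimate clinical use, a single hit is enough to open a review; the per-user summary only orders the queue.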

If you already have strong security techniques in place, honeypots enhance your ability to monitor compliance.

“This is frosting on the security cupcake,” says Gary Nichols, CISM, information security officer for Blue Cross Blue Shield (BCBS) of Arizona. If you’re a privacy director pursuing this strategy, gaining executive sponsorship is the first step, says Nichols.

You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy. After you’ve earned administration’s support, you’ll next need to have the information security and HIM department set up and monitor the honeypot.

Human resources participation is necessary to ensure that they will and can take appropriate action if you catch someone accessing records inappropriately, says John Christiansen, founder of Christiansen IT Law in Seattle. “Legal counsel should vet the whole program to make sure legal risks are avoided,” he says.

Editor’s note: This tip is adapted from an article in the December issue of the HCPro, Inc., newsletter, Briefings on HIPAA. For more advice on using “honeypots,” please see the next edition of HIPAA Weekly Advisor.

