The article below illustrates the typical problems that hospitals can have with insider threats.

In this case (click HERE), a clerk was caught stealing patient identity information and had actually gone as far as submitting credit applications for up to $10,000 in the name of patients.

The clerk was only caught after a routine call by the credit company to the victim, who had no knowledge of the credit application.

Apparently, email and computer records related to the application were traced back to the clerk. This illustrates how important it is to log as much information access activity as possible when you have people handling sensitive information.

You can't always prevent unauthorized access to sensitive information, especially by people who are supposed to be trusted. However, with enough log information, and well-understood policies about penalties for misuse, you can deter and detect this kind of criminal activity.