When a healthcare organization makes decisions on security audit strategies, some key considerations are the potential impact on daily workflow and the amount of time that elapses between catching an abnormality and resolving the issue. Mark Combs, West Virginia University Hospitals Chief Information Security Officer (CISO), explained to HealthITSecurity.com how his organization focuses on continuous monitoring that allows it to be proactive in finding internal security threats.
Combs and West Virginia University Hospitals use Iatric Systems’ Security Audit Manager (SAM) product as part of this strategy and he discussed how the organization uses the product. Though Iatric is mainly known as an IT integrator, Rob Rhodes, Senior Director of Patient Privacy Solutions for Iatric Systems, said that the integration work ties in well with SAM because it reaches out to any of an organization’s systems with PHI and allows us to pull the audit logs and aggregate them in the SAM. “Once it’s aggregated in SAM, we then run proactive reports and alerts,” he said. “Users can set those up so the algorithms we have go out and look for potential privacy violations. SAM has incident tracking as well.”
From Combs’s perspective, having an audit report even the next day to look at after an incident occurs can prevent a larger breach from occurring. He referenced a situation down in Florida where a healthcare organization was alerted by federal investigators that one of its employees was filing false tax claims. Combs would like to avoid that type of a failure where the organization doesn’t perform continuous monitoring. “Obviously, we’ve found instances where employees were doing inappropriate things, but we were able to catch them soon enough so that they didn’t grow into one of those larger issues,” Combs said. “Luckily, we haven’t had one yet where federal authorities alert us of an incident.”
A big part of West Virginia University Hospitals’ continuous monitoring efforts is the organization having a strong understanding of its policies and systems in terms of which users should have access to different systems, which can help them find aberrations in behavior. Combs said organizations set their policies as best practices and they need applications in place to enforce those policies. West Virginia recently instituted a policy change when it switched from a legacy system to Epic EHR and told employees that they could no longer use their production access to look at their own records.
We did that to comply with the HIPAA Security Rule, as we were concerned that people would use their access to look at and potentially harm the integrity of their own record if they make mistake. We put “same last name” auditing in place, which is a report that’s native to SAM. Not only were we able to use that in Epic, but for our other half-dozen or so systems as well. As we contacted managers telling them they weren’t complying with the policy, we saw a huge reduction in people looking at their own accounts through work access.