- When a healthcare organization makes decisions on security audit strategies, some key considerations are the potential impact on daily workflow and the amount of time that elapses between catching an abnormality and resolving the issue. Mark Combs, West Virginia University Hospitals Chief Information Security Officer (CISO), explained to HealthITSecurity.com how his organization focuses on continuous monitoring that allows it to be proactive in finding internal security threats.
Combs and West Virginia University Hospitals use Iatric Systems’ Security Audit Manager (SAM) product as part of this strategy and he discussed how the organization uses the product. Though Iatric is mainly known as an IT integrator, Rob Rhodes, Senior Director of Patient Privacy Solutions for Iatric Systems, said that the integration work ties in well with SAM because it reaches out to any of an organization’s systems with PHI and allows us to pull the audit logs and aggregate them in the SAM. “Once it’s aggregated in SAM, we then run proactive reports and alerts,” he said. “Users can set those up so the algorithms we have go out and look for potential privacy violations. SAM has incident tracking as well.”
From Combs’s perspective, having an audit report to review even the day after an incident occurs can prevent a larger breach from developing. He referenced a situation in Florida where a healthcare organization was alerted by federal investigators that one of its employees was filing false tax claims. Combs wants to avoid that type of failure, which happens when an organization doesn’t perform continuous monitoring. “Obviously, we’ve found instances where employees were doing inappropriate things, but we were able to catch them soon enough so that they didn’t grow into one of those larger issues,” Combs said. “Luckily, we haven’t had one yet where federal authorities alert us of an incident.”
A big part of West Virginia University Hospitals’ continuous monitoring efforts is the organization having a strong understanding of its policies and systems in terms of which users should have access to different systems, which can help them find aberrations in behavior. Combs said organizations set their policies as best practices and they need applications in place to enforce those policies. West Virginia recently instituted a policy change when it switched from a legacy system to Epic EHR and told employees that they could no longer use their production access to look at their own records.
We did that to comply with the HIPAA Security Rule, as we were concerned that people would use their access to look at and potentially harm the integrity of their own record if they made a mistake. We put “same last name” auditing in place, which is a report that’s native to SAM. Not only were we able to use that in Epic, but for our other half-dozen or so systems as well. As we contacted managers telling them they weren’t complying with the policy, we saw a huge reduction in people looking at their own accounts through work access.
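The “same last name” report described above, as an added illustration that is not Iatric SAM’s code or West Virginia University Hospitals’ own report: it runs over a constructed, already-aggregated access log (the column layout, user IDs and MRNs are assumptions) and flags any access where the employee’s last name matches the patient’s, marking an exact full-name match as suspected self-access for a privacy officer to review.

```python
"""Same-last-name audit over aggregated EHR access logs (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample log: events already pulled from several systems
# (Epic plus ancillary systems) into one feed, as SAM aggregates them.
SAMPLE_LOG = """\
timestamp,system,user_id,user_name,patient_mrn,patient_name,action
2016-03-01T08:02:11,Epic,u1001,"Jones, Mary",M4471,"Jones, Mary",VIEW
2016-03-01T08:05:43,Epic,u1001,"Jones, Mary",M9920,"Smith, Alan",VIEW
2016-03-01T09:17:02,LabSys,u1002,"O'Brien, Sean",M5512,"Obrien, Kate",VIEW
2016-03-01T10:41:55,Epic,u1003,"Lee, Ann",M0213,"Lee, Bob",UPDATE
2016-03-01T11:00:09,PACS,u1004,"Garcia, Luis",M7733,"Ramos, Eva",VIEW
"""


def last_name(full: str) -> str:
    """Normalize 'Last, First' (or 'First Last') to a comparable last-name key.

    Case, apostrophes, hyphens and spaces are dropped so that spelling
    variants across systems (O'Brien vs Obrien) still compare equal.
    """
    last = full.split(",")[0] if "," in full else full.split()[-1]
    return "".join(ch for ch in last.lower() if ch.isalpha())


def same_last_name_report(log_text: str):
    """Return (flagged events, per-user hit count) across all source systems."""
    flagged = []
    per_user = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if last_name(row["user_name"]) == last_name(row["patient_name"]):
            # Exact full-name match is the stronger self-access signal;
            # a last-name-only match is a possible family-member lookup.
            row["self_access_suspected"] = (
                row["user_name"].lower() == row["patient_name"].lower()
            )
            flagged.append(row)
            per_user[row["user_id"]] += 1
    return flagged, dict(per_user)


if __name__ == "__main__":
    hits, counts = same_last_name_report(SAMPLE_LOG)
    for h in hits:
        kind = "self-access?" if h["self_access_suspected"] else "same last name"
        print(h["system"], h["user_id"], h["patient_mrn"], h["action"], kind)
    print("hits per user:", counts)
```

The per-user counts are what would be handed to a manager when following up on a policy violation; a real report would also join the employee's own MRN where HR data makes it available.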