- When a healthcare organization makes decisions on security audit strategies, some key considerations are the potential impact on daily workflow and the amount of time that elapses between catching an abnormality and resolving the issue. Mark Combs, West Virginia University Hospitals Chief Information Security Officer (CISO), explained to HealthITSecurity.com how his organization focuses on continuous monitoring that allows it to be proactive in finding internal security threats.
Combs and West Virginia University Hospitals use Iatric Systems’ Security Audit Manager (SAM) product as part of this strategy and he discussed how the organization uses the product. Though Iatric is mainly known as an IT integrator, Rob Rhodes, Senior Director of Patient Privacy Solutions for Iatric Systems, said that the integration work ties in well with SAM because it reaches out to any of an organization’s systems with PHI and allows us to pull the audit logs and aggregate them in the SAM. “Once it’s aggregated in SAM, we then run proactive reports and alerts,” he said. “Users can set those up so the algorithms we have go out and look for potential privacy violations. SAM has incident tracking as well.”
From Combs’s perspective, having an audit report to look at even the next day after an incident occurs can prevent a larger breach from developing. He referenced a situation in Florida where a healthcare organization was alerted by federal investigators that one of its employees was filing false tax claims. Combs wants to avoid that type of failure, where the organization does not perform continuous monitoring. “Obviously, we’ve found instances where employees were doing inappropriate things, but we were able to catch them soon enough so that they didn’t grow into one of those larger issues,” Combs said. “Luckily, we haven’t had one yet where federal authorities alert us of an incident.”
A big part of West Virginia University Hospitals’ continuous monitoring efforts is the organization having a strong understanding of its policies and systems in terms of which users should have access to different systems, which can help them find aberrations in behavior. Combs said organizations set their policies as best practices and they need applications in place to enforce those policies. West Virginia recently instituted a policy change when it switched from a legacy system to Epic EHR and told employees that they could no longer use their production access to look at their own records.
“We did that to comply with the HIPAA Security Rule, as we were concerned that people would use their access to look at and potentially harm the integrity of their own record if they make a mistake. We put ‘same last name’ auditing in place, which is a report that’s native to SAM. Not only were we able to use that in Epic, but for our other half-dozen or so systems as well. As we contacted managers telling them they weren’t complying with the policy, we saw a huge reduction in people looking at their own accounts through work access.”
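The “same last name” report described above, as an added illustration that is not Iatric’s SAM code or West Virginia University Hospitals’ configuration: it runs over a constructed access log aggregated from two systems, flags accesses where the user’s last name matches the patient’s, and separates outright self-record access (forbidden by the policy quoted above) from same-surname access that a manager should review. The log field layout, the sample records and the MRN values are assumptions.

```python
"""Added example: a minimal 'same last name' audit report over constructed
EHR access-log lines. Field names, sample rows and MRNs are assumptions,
not Iatric SAM's or any hospital's actual log format."""
import csv
from io import StringIO

# Constructed audit log aggregated from two source systems. Columns:
# timestamp, user id, user's last name, user's own MRN, accessed patient's MRN,
# accessed patient's last name, source system.
SAMPLE_LOG = """\
ts,user_id,user_last,user_mrn,patient_mrn,patient_last,system
2016-03-01T08:02:11,jsmith,Smith,MRN1001,MRN2207,Garcia,Epic
2016-03-01T08:05:42,jsmith,Smith,MRN1001,MRN1001,Smith,Epic
2016-03-01T09:14:03,agarcia,Garcia,MRN3310,MRN2207,Garcia,Epic
2016-03-01T09:20:55,agarcia,Garcia,MRN3310,MRN4480,Lee,LabSystem
2016-03-01T10:01:19,blee,Lee,MRN5000,MRN4480,Lee,LabSystem
"""

def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def same_last_name_report(rows):
    """Return one finding per access where the user's last name matches the
    patient's (case-insensitive). 'self_record' means the user opened their own
    chart (policy violation); 'same_last_name' is a possible family-member
    access that needs manager review rather than an automatic verdict."""
    findings = []
    for r in rows:
        if r["user_last"].strip().lower() != r["patient_last"].strip().lower():
            continue
        kind = "self_record" if r["user_mrn"] == r["patient_mrn"] else "same_last_name"
        findings.append({"ts": r["ts"], "user_id": r["user_id"],
                         "patient_mrn": r["patient_mrn"], "system": r["system"],
                         "finding": kind})
    return findings

def summarize_by_user(findings):
    """Count findings per user so each manager gets one line per person to follow up."""
    counts = {}
    for f in findings:
        counts[f["user_id"]] = counts.get(f["user_id"], 0) + 1
    return counts

if __name__ == "__main__":
    report = same_last_name_report(parse_log(SAMPLE_LOG))
    for finding in report:
        print(finding)
    print(summarize_by_user(report))
```

Because the check is applied to the aggregated log rather than inside Epic, the same rule covers the lab system's rows without any per-system configuration, which is the point Combs makes about reusing the report across his other systems.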