Replacing a Home Grown Auditing Solution with FairWarning

Weill Cornell Medical College recognized that FairWarning would be able to accomplish their proactive privacy monitoring needs more thoroughly and at a lower cost than their own in-house auditing solution.

Founded in 1898, Weill Cornell Medical College is among the top-ranked clinical research centers in the United States. When ARRA HITECH became law in February 2009, it included a requirement to report privacy breaches and to provide an Accounting of Disclosures. The Privacy and Security Officers at Weill Cornell Medical College understood that these requirements were difficult to meet using their current technology.

“FairWarning is so much more proactive than our old method. It tells us if there are policy violations, so we can quickly respond. In the world of fines and penalties, any breach we can prevent is a beautiful thing.”

Frank Maurer
Privacy Officer


Under HIPAA, the Weill Cornell Privacy Office had already developed its own in-house privacy auditing solution, which allowed for searches based on medical record number or user ID. This tool would reveal who had viewed a given record, or what records were accessed, but it was entirely reactive. They had also developed basic scenario searches, such as self-examination, but the technology could not go further. Increasingly, Weill Cornell recognized they needed a full enterprise-class automated alerting and monitoring tool. They were looking for:

  • Ongoing detection of privacy breaches in EHR applications
  • Automated alerting of potential patient privacy incidents
  • Aggregation of audit logs across clinical applications
  • Simplified incident investigation and accounting of disclosures for compliance with HIPAA and the ARRA HITECH Act
  • Ongoing development of behavior-based scenarios for best-in-class privacy protection
  • Privacy breach detection to support preventive measures to keep breaches from occurring


Weill Cornell had attempted to locate a commercial solution, but hadn’t found anything to fit their needs until the FairWarning Patient Privacy Intelligence solution.

Weill Cornell quickly realized that FairWarning would be able to accomplish their proactive privacy monitoring needs more thoroughly and at a lower cost than trying to do it themselves. Another important factor in the selection of FairWarning was its ability to integrate with their existing SIEM solution from ArcSight. The top reasons the FairWarning solution was chosen? “We wanted something out-of-the-box, an industry-standard which is being used by our peers – FairWarning had all of that,” says Ben Nathan. “There was no competitor, and we didn’t want to try to do it ourselves.”


With FairWarning, the Privacy Office at Weill Cornell is much more aware of who is accessing PHI. As a result, patient privacy has been strengthened as action can be taken to reduce improper access. Reports with automatic alerts are now integrated seamlessly with their existing investigation and resolution processes, improving compliance with:

  • Accounting of Disclosures requirements in the ARRA HITECH Act
  • Organizational audits and investigations required under HIPAA
  • PHI information system activity reviews required under HIPAA

Using FairWarning behavior-based scenarios, alerts to potential incidents are automatically sent to the FairWarning users at Weill Cornell, including to the Privacy Officer’s iPhone. As soon as an alert is received, the information is reviewed and can then be sent to the employee’s supervisor for further review and validation.

Once more information is gathered, a determination can be made as to whether the access was improper. If so, the incident is escalated to Human Resources for sanctions or additional training. Even alerts which are determined not to be improper are used to refine training programs and processes.

Prior to implementing FairWarning, investigating an incident took days, several people, and multiple e-mails and phone calls. Now, Weill Cornell gets an alert automatically about potentially suspicious behavior, and can drill down into the data within the web-based user interface. Weill Cornell is now able to investigate a user taking even the briefest look at a record, and has the ability to proactively detect potential violations.

Implementation Experience

Weill Cornell was fully committed to the FairWarning implementation, assigning a Project Manager, Epic Database Administrator, and an Operations Director to the project team. The entire project had executive sponsorship from the CMIO. A security engineer and several people from the Information Technologies and Services department were also involved.

The biggest hurdle was an internal learning curve around clinical systems audit logs. Weill Cornell technical staff had to learn what logs were available and what could be produced from their clinical applications, primarily Epic. They were very pleased with their experience working in combination with Epic and FairWarning.

Overall, Weill Cornell was surprised at how little time and effort the FairWarning implementation required. The process took a total of 90 days, using around 20% of the Project Manager and Epic Database Administrator’s time, and less than 5% of the rest of the team’s time.


  • Founded in 1898
  • Affiliated with New York-Presbyterian Hospital since 1927
  • Among the top-ranked clinical research centers in the United States
  • Accredited by the Liaison Committee for Medical Education of the American Medical Association and the Association of American Medical Colleges
  • 1,000,000 Patient Visits per year
  • 800 Physicians
  • 1,000 Students

Health Information Systems

  • ArcSight Enterprise Security Manager
  • Epic Chronicles
  • GE Centricity Business
  • Symantec Vontu

FairWarning Products
