Patient Privacy Intelligence, the Intersection of Compliance, Information Security and Legal
FairWarning is releasing a new version of our Patient Privacy Intelligence platform which is our most powerful and proven yet. Instead of hyping ‘features’, I want to provide the context for how our latest release was developed, and it starts with our production customers and being the market-leader.
The FairWarning philosophy is that our solutions serve our customers’ business-critical needs to protect patient information, manage associated risks and maintain operating certifications that support our customers’ enterprises. We do this through three key areas: compliance, information security and legal. Healthcare is a dynamic industry, so we continually strive to meet our customers in their future through collaboration and common vision.
Patient Privacy Intelligence is business-critical today , and being the market leader comes with a lot of responsibility for the Team at FairWarning. Our care provider customers are the biggest and most sophisticated in the United States and the world. For example, our customers include 53 % of the “Most Wired Advanced”, the entirety of NHS Scotland and many of the very largest care providers in the United States. In fact, our production deployments documented through case studies are by far the very largest, and most numerous in our industry. These advanced and large production customers have always driven innovation and lots of pragmatic lessons learned.
FairWarning continually combines our overall vision together with our customers’ pragmatic vision to drive innovation in areas such as; continual compliance readiness, multi-layer security support, extreme scale, higher availability, greater data integrity, rich analytics and visualization, more efficient work-flows and filtering, increased integration with our customers’ key systems and other innovative features proven in demanding production environments. For example, in recent years we released audit controls for cloud applications like Salesforce, Office 365, Box, Google Docs as well as support for big data platforms like Hadoop. These were all driven with leading care providers who use these capabilities today.
In Spring 2017 we will hold a series of FairWarning Customer Councils for which we have received enthusiastic support from dozens of our customers. We fully expect our combined visions to result in even better solutions for our customers’ information security, risk & legal and compliance challenges. We will always be improving through authentic listening, innovation and hard work.
The responsibilities of being the leader go further. There is a good chance that if you are reading a headline in the media regarding an information security breach involving patient data, an enforcement action by HHS, Office for Civil Rights on Audit Controls, and increasingly lawsuits, then FairWarning’s Patient Privacy Intelligence platform is involved behind the scenes. Our customers count on us for discretion, so we don’t talk or write about specifics of these incidents publicly.
FairWarning is frequently used in forensic investigations in cooperation with law enforcement, eDiscovery in lawsuits, detection of compromised user credentials as a result of an information security attack, fraud, identity theft, general misuse of access to ePHI (snooping) and demonstrating going forward compliance for Audit Controls as a result of a care provider being subject to a OCR Resolution Agreement. There were a record thirteen (13) actions issued in 2016 by the Office of Civil Rights, and four (4) to date already by mid-February 2017. These are all very serious incidents and FairWarning takes them very serious in continual cooperation with our customers. In fact another element of the FairWarning philosophy is that every customer has to be prepared for the unexpected at all times.
FairWarning is often called-in to pick up the pieces after a major information security incident or public compliance failure, it almost always starts with executive support. Due to a lack of executive support, care provider personnel over-emphasize saving on expense, fail to conduct thorough references on their vendors or don’t prioritize the roll-up-the-sleeves compliance and security work that needs to be done. As a result, they do one of:
- Ignore audit controls and security completely until there is a law enforcement or OCR audit crisis, now the care provider is trying to do years of work in 30 days, or
- Deploy a monitoring solution with known limitations but was cheap, hyped-up by the vendor sales person or was just convenient to purchase, and the solution systemically breaks down. Now responsible personnel are afraid to go to executives and tell them, “the originally budgeted money was wasted”, so compliance and security live with a big exposure until a major crisis. Ouch.
The solution failures we pick up after fall into the same categories every time:
- The monitoring solution became unavailable, the care provider just couldn’t keep it running and the vendor was not responsive or had no idea of how to help once the data volumes grew over time. Even small care providers have to think about scale because of data retention requirements,
- The monitoring solution failed to perform for all of the care provider’s business critical EHRs and applications so there is a compliance and security exposure,
- Data integrity issues in the solution so reports produce different results each time they run and now can’t be used in eDiscovery, patient complaint investigations, forensics investigations, etc
- The monitoring vendor has no actual experience with OCR audits, or forensic investigations with law enforcement or legal eDiscovery
- Lack of trained personnel for an internally developed solution, and the solution has devolved over time
These are all common failures unless the solution vendor has invested significantly in proactively addressing the issues. I am not going to give you the typical vendor speech of “we are not the cheapest”, but if your monitoring solution seems like a super-great deal, and the sales person hyped it up, you have to stop and wonder how much they can spend on Research, Development and production support ?
What is going on here, why so much attention on patient information ? Crucial to modern healthcare is the Electronic Health Record (EHR) as well as a wide-range of healthcare applications used in the course of patient care. Since these systems hold vast amounts of patient information, they are a focal point of regulatory enforcement. HIPAA in the United States is just one example. Patient information is also a target of internal and external information security adversaries with a growing list of motivations that include identity theft, tax fraud, medical identity theft, ransom, espionage, and political hacktivism. According to CIO Magazine, the forecast for healthcare security in 2017 is that nation-state attacks will move from espionage to cyberwar. And, healthcare will be the most targeted industry.
Overall there are six (6) healthcare industry trends that have driven significant innovations into the latest version of FairWarning’s Patient Privacy Intelligence.
- Mergers and Acquisitions, Care Provider Competition.
- HIPAA Enforcement, HITECH, State Laws.
- Escalating Information Security Threats.
- Cloud and Big Data for Improved, Affordable Outcomes.
- Skills Shortages.
- Reimbursements Uncertainty.
Previous generation monitoring solutions focused on basic automation and batch analysis of EHR and application audit logs and have fallen badly behind in modern care providers’ needs, failing to keep up with these trends. Many solutions are also architecturally closed systems, lacking the ability to collaborate with third-party products in multilayer information security strategies. They leave care providers vulnerable to OCR compliance enforcement, and internal as well as external threats targeting EHRs and applications.
Together with our customers, FairWarning has thrived within the above industry trends to release our latest Patient Privacy Intelligence platform. We are the lead sponsor of Cybersecurity Command Center at HIMSS Orlando, and you can stop by and have a conversation. Or you can request our new White Paper on Patient Privacy Intelligence by sending a request to solutions@FairWarning.com. A small excerpt on our latest capabilities is below.
FairWarning Patient Privacy Intelligence. Patient Privacy Intelligence is the industry’s next-generation compliance and information security platform. It is front-and-center in multi-layer strategies to secure patient data held in EHRs, clinical applications, and increasingly in cloud and big data applications. Compliance offices use Patient Privacy Intelligence as a foundation for satisfying key provisions of the OCR’s HIPAA Audit protocol, Meaningful Use attestations, and EPCS certification. The OCR has dramatically escalated HIPAA enforcement in recent years. Information security offices use Patient Privacy Intelligence to detect and prevent threats such as compromised user credentials, rogue insider attacks, and collaborative insider attacks. They also use Patient Privacy Intelligence to conduct forensic investigations. Information security adversaries recognize applications on premise and in the cloud as a weak link in the information security chain. These and other factors have driven Patient Privacy Intelligence into an identity-aware, business critical, real-time capable, predictive, compliance and information security platform complete with dashboards and governance, forensics, visualization, behavioral analysis and advanced filtering that is open and collaborative with third-party security solutions.
Kurt J. Long