Whether large or small, healthcare organizations have dozens, hundreds, or even thousands of users with access to sensitive patient information. With such a high volume of activity comes the risk of unauthorized record access. How can privacy and security officers protect PHI when patient privacy is at stake? By monitoring user access, you can keep your finger on the pulse of activities in your organization, identifying patterns and isolating suspicious access. The benefits of user activity monitoring are numerous and can be integral to preventing breaches and surviving OCR audits.
1. Identifying snooping
From family members to VIPs, snooping is an ever-present risk to users with access to patient health records. It’s natural for anyone to be curious when a celebrity patient or a coworker enters a hospital, but when an unauthorized user accesses a patient’s records, it’s still a HIPAA violation. Unfortunately, snooping happens all too frequently at medical centers – and it can be costly. HIPAA violation fines can cost organizations as much as $1,500,000. And 2018 was a record-breaking year for HIPAA enforcements after the OCR collected $28.7 million.
Implementing a proactive privacy monitoring solution can prevent and help mitigate incidents like these – with visibility into user activity and deviations in normal workflow, snooping can be detected and promptly acted upon. The foundation of a robust monitoring program begins by ensuring you have the right professionals available in-house or partnered with your organization, including:
- Staff certified in HIPAA Privacy and Security
- Experts in clinical application audit data
- Technology professionals such as a CTO, IT Director, and EMR administrator
- Personnel responsible for day-to-day accountability and audit readiness
By having a privacy monitoring program in place with a qualified team at the helm to investigate and remediate incidents, you can prevent hefty HIPAA violation fines while protecting the privacy of the patients you serve.
2. Rooting out insider threats
Healthcare is a constant target of cybersecurity attacks – in 2018, a new breach was reported every day. From phishing to malware to social engineering, the healthcare industry is one of the most vulnerable. Arguably, the most dangerous of these threats originate from the inside. According to the 2019 Verizon Insider Threat Report, 46% of healthcare organizations were affected by insider threats, which range from careless workers to disgruntled employees and malicious insiders.
Because inside actors have added privileges of security access, organizational trust, and knowledge of procedures, they can potentially access a wider breadth of sensitive information more readily than any outside attacker. What can user activity monitoring do to prevent and mitigate risks coming from the inside?
Monitoring can help you gain insight by spotting trends and deviations in behavior like inappropriate access, high volume of record views, and detecting the signs an employee is about to quit. Identifying and taking appropriate action early on can prevent cases like these from causing an expensive – and potentially catastrophic – breach.
3. Detecting potentially criminal behavior
Because health records contain personally identifiable information (PII) such as dates of birth, addresses, and social security numbers, the risk of criminal behavior such as identity theft persists. According to the Federal Trade Commission, there were 87,765 cases of medical and insurance-related identity theft last year alone.
For detecting anomalous behavior such as identity theft, adopting a monitoring program with artificial intelligence (AI) capabilities is especially effective. The machine learning component of AI ingests massive quantities of data and derives both normal patterns and anomalous behavior from it, which helps to pinpoint potential security risks. Examples of anomalies AI can uncover include:
- Identity theft
- Sale of medical information
- Workflow anomalies like accessing data from unexpected locations or at unusual hours
- Mass snooping
- Drug diversion
- Compromised credentials
- Suspicious patient activity/VIP access
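The kinds of deviations described in the previous two sections (family-member snooping, access at unusual hours, unusually high volumes of record views, and access to VIP charts without a care relationship) can be expressed as review rules over EHR access-audit events. The script below is an added example written for this article, not the code of any monitoring product or vendor it describes; the audit-event fields, the shift table, the care-team relationship list and the sample events are all constructed assumptions, and real deployments would feed the same rules from the EHR's audit log.

```python
"""Rule-based review of EHR chart-access audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of one audit event: who opened which chart, and when.
# SAMPLE_EVENTS is constructed data for this example, not a real audit log.
SAMPLE_EVENTS = [
    {"user": "jsmith", "user_surname": "Smith", "patient": "P001", "patient_surname": "Lee", "ts": "2019-03-04T09:12:00"},
    # Same surname as the patient and no treatment relationship: family snooping indicator.
    {"user": "jsmith", "user_surname": "Smith", "patient": "P002", "patient_surname": "Smith", "ts": "2019-03-04T09:40:00"},
    # VIP chart opened by a user who is not on that patient's care team.
    {"user": "jsmith", "user_surname": "Smith", "patient": "P005", "patient_surname": "Vance", "ts": "2019-03-04T12:00:00"},
    # Legitimate care relationship, but opened at 02:15, outside the user's shift.
    {"user": "rlopez", "user_surname": "Lopez", "patient": "P003", "patient_surname": "Gray", "ts": "2019-03-04T02:15:00"},
]
# One user opening twelve distinct charts in under an hour (mass-snooping indicator).
SAMPLE_EVENTS += [
    {"user": "tchan", "user_surname": "Chan", "patient": f"P1{i:02d}", "patient_surname": f"Pt{i}",
     "ts": (datetime(2019, 3, 4, 10, 0) + timedelta(minutes=5 * i)).isoformat()}
    for i in range(12)
]

# Assumed reference data: scheduled shift hours per user (start, end) and the
# set of (user, patient) pairs with a documented treatment relationship.
SHIFTS = {"jsmith": (7, 19), "rlopez": (8, 17), "tchan": (7, 19)}
CARE_TEAM = {("jsmith", "P001"), ("rlopez", "P003")}
VIP_PATIENTS = {"P005"}


def detect_anomalies(events, shifts, care_team, vip_patients,
                     volume_threshold=10, window_minutes=60):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []
    opens = defaultdict(list)  # user -> [(timestamp, patient)] for the volume rule
    for e in events:
        when = datetime.fromisoformat(e["ts"])
        treating = (e["user"], e["patient"]) in care_team
        # Rule 1: user shares the patient's surname and has no care relationship.
        if e["user_surname"].lower() == e["patient_surname"].lower() and not treating:
            alerts.append(("surname_match", e["user"], e["patient"]))
        # Rule 2: access outside the user's scheduled shift hours.
        start, end = shifts.get(e["user"], (0, 24))
        if not start <= when.hour < end:
            alerts.append(("off_hours", e["user"], e["patient"]))
        # Rule 3: VIP chart opened without a care relationship.
        if e["patient"] in vip_patients and not treating:
            alerts.append(("vip_no_relationship", e["user"], e["patient"]))
        opens[e["user"]].append((when, e["patient"]))
    # Rule 4: more than volume_threshold distinct charts within any sliding window.
    for user, rows in opens.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            distinct = {p for t, p in rows[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(distinct) > volume_threshold:
                alerts.append(("high_volume", user, len(distinct)))
                break  # one alert per user is enough to open an investigation
    return alerts


def run_sample():
    """Run the rules over the constructed sample and return the alerts."""
    return detect_anomalies(SAMPLE_EVENTS, SHIFTS, CARE_TEAM, VIP_PATIENTS)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:22} user={user:8} detail={detail}")
```

Each alert names the rule that fired, the user and the chart or count involved, which is the minimum a privacy officer needs to start an investigation; the surname and VIP rules deliberately suppress alerts when a documented care relationship exists, since that relationship is what turns a record view from snooping into legitimate access.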
4. Surviving an OCR audit
The OCR has the power to audit any healthcare organization. To prepare for that potential, you should have controls in place for a confident audit response. The compliance issues investigated most by the OCR include:
- Impermissible uses and disclosures of PHI
- Lack of PHI safeguards
- Lack of PHI patient access
- Lack of administrative safeguards of ePHI
- Use or disclosure of more than the minimum necessary PHI
Implementing a patient privacy intelligence platform with governance reporting features is essential to demonstrate regulatory adherence and to provide documentation of legally defensible action on your organization’s behalf. Using governance tools not only saves time by consolidating alerts and investigations into one place, it also makes impending OCR audits less painful because it ensures that the documentation you need to pass is readily available when the time comes.
Healthcare organizations are trusted with not only patient care, but also maintaining the privacy of their information. With risks such as snooping, identity theft, and insider threats, it’s vital to monitor user activity. An organization that’s equipped to detect, investigate, and remediate unauthorized access is better prepared to not only prevent breaches, but also maintain patient trust.