How access monitoring keeps providers at bay from data breaches
Health care data breaches affected almost 250 million people from 2005 to 2019. But there are ways your medical practice can prevent these breaches and protect your patients’ private health information. Access monitoring is one such way.
As its name indicates, access monitoring occurs when a person or system’s use (access) of a computer system is evaluated (monitored). It’s a process that observes and analyzes what happened when a user accessed a system during a session.
A session could be a single instance when a person or system used its access rights. Or a session could be defined as a time period when a user was logged into the system in question, such as a period when that individual is performing work.
Of course, that’s the ideal scenario: a session exists because someone has legally accessed a system for a specified amount of time to conduct work-related tasks.
But because it’s the real world, these ideal situations don’t always occur. Sometimes, unauthorized users hack into systems because they want to steal information and use it for nefarious purposes.
Hackers could be stealing electronic health records and other private medical information, selling this valuable data for profit. They could be looking for, finding, and stealing Social Security numbers and using them to commit identity theft.
What are some specifics about access monitoring?
Exploring a few key concepts could help explain access monitoring better:
Proactive monitoring occurs when you’re observing or analyzing a user’s session when you don’t have a defined reason to review it.
Generally, this observation and analysis happens in real time, as the session is happening, or very shortly after a set of sessions. This type of monitoring has been compared to security cameras that capture and help fight crime before conditions become worse.
On the other hand, reactive monitoring occurs after user sessions. People authorize this type of observation and analysis for specific reasons. Reactive monitoring has been likened to firefighters who arrive on the scene to handle problems.
When health care offices observe access sessions, they’re reviewing what happened (or is happening) during these times. Different types of observation might include:
- Collection of data obtained during sessions.
- Text audits of sessions.
- Video recordings of sessions.
After health care offices finish observing sessions, they can analyze them.
How does access monitoring relate to HIPAA?
Like other aspects of health care information, access monitoring relates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This regulation has developed national U.S. standards that protect against the disclosure of private health information without patients’ knowledge or consent.
Some organizations use an app (computer application) to
- Check the activity reports of electronic health records systems.
- Link these activity reports with the systems’ human resources data.
- Generate audit reports that could discover whether the system has experienced any unauthorized user access.
Medical practices could use such information reports to determine what to do next.
How does access monitoring work?
Audit reports might find suspicious activity, such as someone who logs onto a health system and looks at the electronic health records of family members, friends, or neighbors, even though they’re not authorized to view such files. Or such analysis might create an audit alert because someone without any access to retrieve a medical practice’s records just viewed these records.
For example, an electronic access monitoring system might report that an employee accessed the record of a particular patient at a particular time. Since this system also has the human resources information of the employee on file, it can flag whether the employee and the patient share the same last name, contact information, or other similarities. In short, the employee may be trying to obtain information for personal reasons, even if they’re not authorized to do so.
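The correlation described above and in the earlier list (linking the EHR activity report to human resources data and flagging shared last names, shared contact details, or users whose role carries no record access) can be illustrated with the following example. It is added here and is not code from the original article; the log format, field names, role list, and every record are constructed assumptions.

```python
from collections import namedtuple

# Constructed EHR activity-report lines: timestamp, user id, action, patient id
ACCESS_LOG = """\
2024-03-01T09:12:00Z u100 VIEW p1
2024-03-01T09:15:00Z u200 VIEW p2
2024-03-01T09:20:00Z u300 VIEW p2
2024-03-01T09:25:00Z u999 VIEW p1
"""
# Constructed HR data keyed by user id (the article's "human resources data")
HR = {
    "u100": {"last_name": "Nguyen", "phone": "555-0100", "role": "nurse"},
    "u200": {"last_name": "Patel", "phone": "555-0200", "role": "billing"},
    "u300": {"last_name": "Ortiz", "phone": "555-0300", "role": "facilities"},
}
ROLES_WITH_RECORD_ACCESS = {"nurse", "physician", "billing"}  # assumed policy
# Constructed patient demographics keyed by patient id
PATIENTS = {
    "p1": {"last_name": "Nguyen", "phone": "555-0100"},
    "p2": {"last_name": "Smith", "phone": "555-0999"},
}

AccessEvent = namedtuple("AccessEvent", "timestamp user_id action patient_id")

def parse_log(text):
    """Parse whitespace-separated activity-report lines into AccessEvent tuples."""
    return [AccessEvent(*line.split()) for line in text.splitlines() if line.strip()]

def flag_event(ev):
    """Return the rule names an event trips; an empty list means nothing suspicious."""
    emp = HR.get(ev.user_id)
    if emp is None:  # no HR record at all: not a known employee
        return ["unknown_user"]
    reasons = []
    if emp["role"] not in ROLES_WITH_RECORD_ACCESS:
        reasons.append("role_without_record_access")
    pat = PATIENTS.get(ev.patient_id)
    if pat is not None:
        if emp["last_name"].casefold() == pat["last_name"].casefold():
            reasons.append("shared_last_name")  # possible relative or self-lookup
        if emp["phone"] == pat["phone"]:
            reasons.append("shared_contact_info")
    return reasons

def audit_report(text):
    """Keep only flagged events, keyed 'user_id@timestamp', for the HIPAA officer to review."""
    flagged = ((ev, flag_event(ev)) for ev in parse_log(text))
    return {f"{ev.user_id}@{ev.timestamp}": r for ev, r in flagged if r}
```

Clean events are dropped from the report, so what remains is the short list a HIPAA officer would review rather than the full activity log.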
Once suspicious activity has been found and reported, it can be discussed with the system’s HIPAA officers. If the unauthorized user is an employee, their supervisors, human resources workers, and union representatives might also discuss this suspicious behavior.
Other people also need to be notified. If a data breach has occurred, medical practices are obligated to notify every person who has been affected, the United States Federal Trade Commission (FTC) by using a particular form, and if the breach was particularly large, the media.
How could practices create access monitoring procedures?
Individual medical practices use and access electronic health records in slightly different ways. But if you’re creating your own access monitoring procedures, there are some general considerations to keep in mind. You might want to:
Determine who and what you’re monitoring
Are you looking for people who have incorrectly accessed the system before? Which patient information is being accessed? When you extract information, which systems will you use?
It’s also important to determine what’s appropriate and what’s inappropriate in your medical practice. Are you allowing people to access their own records?
Inform employees why you’re monitoring
HIPAA requires medical providers to create and implement plans "to record and examine access and other activity in information systems that contain or use e-PHI" (electronic protected health information). Make sure your practice has such a plan.
Also, make sure your staff members know about this plan. Write it down so you can refresh the memories of current employees as well as teach new ones.
Establish when you’re monitoring
When you’re establishing your monitoring plan, indicate the frequency at which you’ll be monitoring. Again, it’s a good idea to formalize this information and communicate with your staff members.
Notifications are especially important because this frequency might change if the subjects change, if the size of your practice changes, or if other factors come into play. You could also create schedules that set out times and team members’ assignments to help you track and communicate tasks.
Discuss how you’re reporting your monitoring
Communication is also important during reporting. You’ll need to determine the information you want to share, how you’ll want to share it, and who’s going to receive it.
You might also need to send information in different ways. Some people might prefer raw data, and others might prefer more analysis. Also make sure you’re following any rules and regulations and discuss and record any changes in the process.
Access monitoring takes effort, but it could save you from even harder work in the future.
Peter Davidson works as a senior business associate helping brands and start-ups make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.