I.T. Protects Users from Themselves
Michigan delivery system uses security analytics app to audit and investigate potential internal breaches.
By Bill Briggs, Senior Editor
While computer hackers and malignant viruses garner headlines and create numerous headaches for health care I.T. departments, experts say the biggest security threats reside within organizations. Examples include a disgruntled employee looking to sabotage data, a vengeful worker seeking to "amend" an ex-spouse's medical records, or a staff member who's curious as to why the mayor visited the hospital's emergency department at 3 a.m. last Sunday.
At Spectrum Health, security analytics technology is helping employees stay on the right track and resist temptation, says Gary Lacher, system director for privacy and information security compliance.
"We have had instances of employees accessing a record inappropriately," Lacher says. He declines to offer information about specific internal security breaches or how often such breaches occur at Spectrum. But deploying the security analytics system from Cerner Corp., Kansas City, Mo., along with other Cerner tools, meant "our incident rate has dropped considerably, and it helps keep honest people honest," he adds.
The Cerner analytics software, P2Sentinel Enterprise, is built on security analytics technology from SenSage Inc., San Francisco.
Spectrum Health, a seven-hospital delivery system based in Grand Rapids, Mich., with 2,000 licensed beds, rolled out the monitoring technology in January after implementing multiple Cerner applications (including patient scheduling and registration, charting, lab, and pharmacy software) beginning in September 2001.
The analytics tool can aggregate and analyze data from multiple applications and sort through it with rules established by Spectrum. Rules can define what jobs and users can access patient information, for example.
Rules also can identify those information system administrators who have the capability of creating new user log-ins, based on Spectrum policy, but not necessarily the authority to do so. "The application helps us monitor these administrators," Lacher says. "Each time a user is created by one of them we get a message."
Cerner and other software vendors include file access monitoring in their systems. But access monitoring didn't exist in all its modules, Lacher says, and Spectrum Health wanted more.
Lacher's department provides compliance oversight for all I.T. privacy and security matters and conducts audits and investigations to identify incidents of possible unauthorized data access.
"We wanted to investigate complaints of privacy and security incidents and bring them to a satisfactory conclusion," he explains. "We recognized there was a big hole in our capabilities and we sought a means to not just meet our immediate need, but to lay the groundwork to better monitor platforms across all technologies."
Spectrum Health formerly relied on forensic technology on the back end of some Cerner applications. After SenSage and Cerner formed an alliance in mid-2005, the resulting product enabled monitoring of all Cerner applications.
Spectrum Health hopes the analytics tool can be applied to other applications, such as network equipment and Web servers, to monitor for internal and external threats. But first system administrators need to learn the ins and outs of the initial rollout to Cerner software, Lacher says.
The SenSage-based analytics tool monitors all data transactions within the Cerner environment. Each event is labeled and Lacher and other system administrators decide which events have security and HIPAA compliance implications.
John McFadden, Spectrum Health's enterprise clinical systems manager, explains how it works. "The P2Sentinel application has a middleware messaging piece between front- and back-end data. It monitors all requests for data between them. There are millions and millions of messages passing through this middleware. All of them are available, but we limit review to events we want to monitor."
Limits are established by rules based on organization policies that are built into the analytics system. Violating a rule triggers an alert, which includes sending e-mail to an analyst for an incident's review.
For example, an employee's baseline information system access might include opening a chart and accessing a patient record, McFadden says. "But at Spectrum Health, you're not allowed to access your own record, or the records of your ex-spouse."
Alerts can be set to compare the last name of the employee accessing a record with that of the patient, which can trigger follow-up analysis.
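The rules described above (no access to your own record, a surname match between employee and patient, and a message whenever an administrator creates a user) can be sketched as follows. This is an added illustration, not Cerner or SenSage code; the event fields, rule names and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    # Hypothetical audit-event shape; real products define their own fields.
    actor_id: str
    actor_last: str
    action: str                    # "open_chart" or "create_user"
    patient_id: str = ""
    patient_last: str = ""
    patient_employee_id: str = ""  # set when the patient is also on staff

def norm(name):
    # Compare surnames ignoring case, spaces and punctuation (O'Neil == ONEIL).
    return "".join(c for c in name.lower() if c.isalpha())

def evaluate(event):
    """Return the names of the rules this event trips (empty list if none)."""
    hits = []
    if event.action == "create_user":
        # Every account creation is reported, whoever performed it.
        hits.append("USER_CREATED")
    elif event.action == "open_chart":
        if event.patient_employee_id and event.patient_employee_id == event.actor_id:
            hits.append("SELF_ACCESS")
        elif norm(event.actor_last) and norm(event.actor_last) == norm(event.patient_last):
            # A shared surname is only a lead for follow-up, not a finding.
            hits.append("SAME_SURNAME")
    return hits

def review_queue(events):
    """Pairs of (actor, rule) to hand to an analyst for review."""
    return [(e.actor_id, rule) for e in events for rule in evaluate(e)]

# Constructed sample events, not real audit data.
SAMPLE = [
    Event("e100", "Rivera", "open_chart", "p1", "Okafor"),
    Event("e101", "O'Neil", "open_chart", "p2", "ONEIL"),
    Event("e102", "Park", "open_chart", "p3", "Park", "e102"),
    Event("adm7", "Stone", "create_user"),
]

if __name__ == "__main__":
    for actor, rule in review_queue(SAMPLE):
        print(f"review needed: {actor} tripped {rule}")
```

A surname match cannot see a changed or maiden name, so a rule like this supplements rather than replaces relationship data held elsewhere.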
Monitoring file access is critical in provider organizations, but data access is a double-edged sword.
Openness invites abuse
Broad access to multiple sources of data is necessary for proper patient care, but granting many users access to data doesn't authorize them to see everything. Analytics software enables provider organizations like Spectrum Health to wade through the ocean of electronic transactions to identify potential security or privacy breaches.
Lacher says that ensuring employees know the monitoring technology exists is a deterrent. "This tool prevents improper behavior as much as it helps us to investigate incidents," he says. "The more people are aware that this is done the more they are inclined to behave appropriately."
Security analytics technology can serve provider organizations in several ways, says Tom Walsh, president of Overland Park, Kan.-based Tom Walsh Consulting LLC, an I.T. security consulting firm specializing in health care.
Establishing a randomized audit of employees' file access activity, for example, can help even without turning up anything unusual, he says. "It might not tell a whole lot, but it does create a culture that says 'we hold people accountable.'"
Accountability is important, Walsh adds, because inappropriate access to electronic health records is a greater risk than that with paper-based records. With paper records, a hospital employee couldn't drop by the medical records department and ask to see her neighbor's file. "But if the record is electronic I can start tapping the keys and look here: it's my neighbor. Now we're giving people a lot of power, so if you give them access then you have to audit."
Security analytics technology such as that in place at Spectrum Health would be a welcome addition for any hospital, Walsh notes. "An audit log is a huge text file with lots of information, but you have to go in and manually pick out what you want. It's truly like looking for a needle in a haystack. The advantage of this type of tool is that you can collect all the data, but you put in the rules parameters so when they are exceeded the system can pull out the data you're looking for."
For Spectrum Health, managing all the transactions among its Cerner modules is the blessing, and challenge, of security analytics technology. "The tool provides us the potential to gather and analyze most conceivable audit needs but that presents the challenge of narrowing the scope of what we can reasonably use," Lacher says.
He advises that management from the top down must understand and expect that such tools will require more effort from, and resources for, compliance, I.T. and other related departments.
While the security analytics tool provides reports and can establish user activity baselines, analysis is up to Spectrum staff, says Lloyd Guyot, senior systems security engineer. "There's a distinction between analyzing and reporting," he notes. "The analyzing we do on our own."
Spectrum Health declined to disclose how much it spent on the technology. The vendor says it costs from $75,000 to $125,000 depending on an organization's size and the scope of the system.
Lacher cautions that such file access tools shouldn't be considered judge and jury when assessing user activities. "Once you set up baselines and trends, a spike in an activity does not prove there was an infraction, only the need for further investigation."
Source = http://www.healthdatamanagement.com/html/current/CurrentIssueStory.cfm?articleId=13489