EMR Access Monitoring Checklist
Download our interactive EMR access monitoring checklist for the steps necessary to build out a successful EMR access review process.
July 04, 2015 // Dan Fabbri
Last Updated: June 13, 2022
At the 23rd National HIPAA Summit in Washington, D.C., regulators and privacy professionals met to discuss the challenges associated with ensuring the security of EMR data and the appropriate use of protected health information (PHI).
From the speakers’ presentations and general floor discussions, numerous trends became evident:
The Office for Civil Rights publishes statistics detailing past breaches including their type (e.g., hackers, lost laptops, improper document disposal) and the number of individuals impacted. As reported by the OCR’s Director, the type of breach that occurs most often is physical theft. In contrast, the number of electronic breaches reported is lower, but those breaches impact more people.
Electronic breaches have the greatest potential to affect large numbers of people because clinical data is aggregated into large Electronic Medical Record (EMR) repositories, which can be compromised either by external hacking or by employee snooping. Physical breaches (i.e., theft), by contrast, are easier to detect and therefore easier to identify and report: it is readily apparent when a laptop has been stolen.
These statistics raise an important question for the health data privacy community. Are we doing enough to ensure the appropriate use of patient data?
In her presentation, the OCR Director discussed important organizational processes that should be put in place to secure PHI. These include:
1. Risk analysis and management
2. Security and control of portable electronic devices
3. Proper disposal and transfer of PHI
4. Physical access controls
5. HIPAA training and education
6. Effective breach remediation
While these processes are critical to ensuring data privacy and security, they focus on the extremes of the data security continuum: preparing for a breach (i.e., risk assessments) and dealing with a breach (i.e., breach remediation).
What is lacking is more discussion regarding what processes are necessary to monitor PHI usage during the course of health care.
There are two general types of EMR monitoring processes in place today:
There are three major weaknesses of these EMR monitoring practices:
Monitoring technologies can potentially assist with this security gap, but it is important to consider how these EMR auditing tools work and what threats they address.
The simplest methods look for volume outliers: an employee who, for example, makes ten times as many accesses as usual. These volume-based EMR access auditing systems can detect large-scale abuse and data scraping, but they miss the threat of a single curious access to one record.
Alternatively, behavior-based outlier systems attempt to detect accesses to patient records that deviate from an employee's normal pattern. These systems have the potential to find more fine-grained breaches, but often have difficulty defining what normal is.
Given the dynamic nature of hospital care, cleanly capturing normal behavior and deviations from it can result in high false positive rates if not done with care. In particular, looking at the access log in isolation without looking at clinical context often results in erroneous conclusions.
SecureLink’s Access Intelligence product differentiates appropriate and inappropriate accesses from access logs. This is based on two assumptions:
Therefore, if a system could use the EMR data to determine the reason for access, then that access was likely appropriate and could be filtered, so fewer accesses needed to be manually reviewed.
The question is then: How do you find the reason for an appropriate access?
It turns out, this problem can be reduced to a large graph search in which the system tries to find connections between the patient and the employee accessing the patient’s record through EMR data.
If a connection can be found, the connection and the supporting EMR data serve as the reason for access, or an explanation for the access. Because explanations have a well-defined structure, they can also be automatically mined (discovered) from a hospital's own data, allowing each hospital and its compliance officers to define their own valid reasons for access.
It is important to note that the system recommends explanations, but the compliance officer has final approval. The full peer-reviewed publication on this work can be found here.
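The graph search described above, as an added worked example: this is illustrative code written for this page, not SecureLink's product code and not the published algorithm (which operates over relational EMR tables rather than a toy graph). It assumes three hypothetical relationship types (appointments, department membership, and admissions), constructs a small EMR dataset and access log inline, and runs a bounded breadth-first search from each accessing employee to the patient. Accesses with a path are explained and filtered; the rest are left for manual review. A simple volume-outlier check is included alongside it to show the point made earlier: a bulk scraper is caught by both methods, but a single curious access is caught only by the lack of an explanation.

```python
"""Explanation-based filtering of an EMR access log (illustrative example)."""
from collections import Counter, defaultdict, deque
import statistics

# Constructed EMR data. All identifiers are made up for this example.
APPOINTMENTS = [("pat:101", "doc:alice"), ("pat:102", "doc:alice"), ("pat:103", "doc:bob")]
DEPARTMENTS = {"doc:alice": "dept:cardio", "doc:bob": "dept:onc",
               "nurse:carol": "dept:cardio", "clerk:dave": "dept:er"}
ADMISSIONS = [("pat:101", "dept:cardio"), ("pat:103", "dept:onc")]

# Constructed access log: (employee, patient) pairs.
ACCESS_LOG = [
    ("doc:alice", "pat:101"), ("doc:alice", "pat:102"),
    ("nurse:carol", "pat:101"),            # same unit the patient is admitted to
    ("clerk:dave", "pat:101"),             # single curious access, no relationship
    ("doc:bob", "pat:103"),
] + [("clerk:eve", f"pat:{i}") for i in range(200, 240)]  # bulk scraping


def build_graph():
    """Undirected graph whose edges are labelled with the EMR relationship.

    Which relationship types count as valid explanations is a policy decision;
    in practice the compliance officer approves the templates used here.
    """
    g = defaultdict(list)

    def link(a, b, rel):
        g[a].append((b, rel))
        g[b].append((a, rel))

    for pat, emp in APPOINTMENTS:
        link(emp, pat, "appointment")
    for emp, dept in DEPARTMENTS.items():
        link(emp, dept, "works_in")
    for pat, dept in ADMISSIONS:
        link(pat, dept, "admitted_to")
    return g


def explain(g, employee, patient, max_hops=3):
    """Return the list of edge labels on the shortest employee->patient path,
    or None if no path of at most max_hops exists (an unexplained access)."""
    parent = {employee: None}
    queue = deque([(employee, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == patient:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append(rel)
                node = prev
            return list(reversed(path))
        if depth == max_hops:
            continue
        for nxt, rel in g[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append((nxt, depth + 1))
    return None


def audit(log, g):
    """Split the log into explained accesses (filtered) and unexplained ones
    (left for manual review). Each entry is (employee, patient, path)."""
    explained, unexplained = [], []
    for emp, pat in log:
        path = explain(g, emp, pat)
        (explained if path else unexplained).append((emp, pat, path))
    return explained, unexplained


def volume_outliers(log, factor=10):
    """Volume-based detector: employees with more than factor x the median
    access count. Catches scrapers, misses single curious accesses."""
    counts = Counter(emp for emp, _ in log)
    typical = statistics.median(counts.values())
    return {emp for emp, c in counts.items() if c > factor * typical}


if __name__ == "__main__":
    graph = build_graph()
    ok, review = audit(ACCESS_LOG, graph)
    for emp, pat, path in ok:
        print(f"explained   {emp} -> {pat}: {' / '.join(path)}")
    for emp, pat, _ in review[:3]:
        print(f"unexplained {emp} -> {pat}")
    print("volume outliers:", volume_outliers(ACCESS_LOG))
```

In the constructed data the nurse's access is explained by a two-hop path (she works in the department the patient is admitted to), the clerk's lone access has no path and is surfaced for review, and the scraper's forty accesses are flagged by both the graph search and the volume check. The `max_hops` bound matters: raising it lets weaker chains (a colleague's appointment with the patient) count as explanations, which is exactly the kind of template a compliance officer should approve or reject explicitly rather than leave to the search.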
These explanations have proven to be invaluable for numerous compliance officers. Manual audits that previously took weeks now take minutes, as huge portions of the log can be confidently filtered away.
Moreover, the system allows compliance officers to monitor a larger portion of EMR accesses. Systems are also being evaluated to rank the most suspicious accesses among those that cannot be explained, so compliance officers know which accesses to look at next when monitoring all accesses in a hospital.
For more information on how to implement an access review process for increased EMR security, view our interactive EMR access monitoring checklist.