EMR Access Monitoring: Focusing On What’s Important

I recently attended the 23rd National HIPAA Summit in Washington, D.C., which, as its name suggests, is a prominent venue for regulators and privacy professionals to discuss the challenges associated with ensuring appropriate use of protected health information (PHI). From the speakers’ presentations and general floor discussions, numerous trends are becoming evident:

• Breaches of PHI are and will continue to occur
• Office for Civil Rights (OCR) audits are coming
• Organizations must work to mitigate breach potential (both from the perspective of limiting actual breaches and preventing OCR fines)

The Office for Civil Rights publishes statistics detailing past breaches including their type (e.g., hackers, lost laptops, improper document disposal) and the number of individuals impacted (see link). As reported by the OCR’s Director, the type of breach that occurs most often is theft (which can have multiple meanings, but I take as physical theft). In contrast, the number of electronic breaches reported is lower, but those breaches impact more people.

Figure 1 500+ Breaches by Type (as of 2/2015) – HHS Office for Civil Rights

Figure 2 Number of individuals impacted (71% Hacking/IT)

These breach statistics are expected. Electronic breaches have the greatest potential to impact the masses because of the aggregation of clinical data into large Electronic Medical Record (EMR) repositories (either from external hacking or employee snooping). However, it is easier to identify and report physical breaches (i.e., theft) because they are easier to detect. For example, it is readily apparent when a laptop has been stolen.

These statistics raise an important question for the health data privacy community. Are we doing enough to ensure the appropriate use of patient data?

In her presentation, the OCR Director discussed important organizational processes that should be put in place to secure PHI. These include:

1. Risk analysis and management
2. Security and control of portable electronic devices
3. Proper disposal and transfer of PHI
4. Physical access controls
5. HIPAA training and education
6. Effective breach remediation

While these processes are very important to ensure data privacy and security, they focus on the extremes of the data security continuum: preparing for a breach (i.e., risk assessments) and dealing with a breach (i.e., breach remediation). What is lacking is more discussion regarding what processes are necessary to monitor PHI usage during the course of health care.

In my discussions with numerous hospital compliance officers, two general types of monitoring processes are put in place today. The most basic type uses manual audits, in which a patient files a complaint or a VIP visits a hospital, and then the compliance officer manually reviews each access to ensure appropriate use. The second type uses rule-based flags, which alert compliance officers of potential inappropriate accesses based on specific rules. These rules typically encompass high-risk scenarios such as co-worker access (i.e., the patient and employee work in the same department), family access (i.e., the patient and employee have the same last name) or neighbor access.

There are three major weaknesses of these monitoring practices.

The investigations are often manual (once a flag is activated, a compliance officer must investigate), which can require extensive amounts of time to complete.

The previously described processes often result in high false positive rates in which most accesses reviewed are appropriate (i.e., occurring as part of payment, treatment or operations). These false positives waste compliance officers’ limited investigation time.

The percent of accesses monitored in most health systems (i.e., the access coverage) is small. This lack of coverage is particularly important, as a lack of a flag does not necessarily imply appropriate use. For example, if a hospital has not setup a flag to detect ex-girlfriend curious access, then this inappropriate use will be missed. It can be argued then that the coverage today on hospital access logs is less than 1% of all accesses to patient data.

Figure 2 Number of individuals impacted (71% Hacking/IT)

These breach statistics are expected. Electronic breaches have the greatest potential to impact the masses because of the aggregation of clinical data into large Electronic Medical Record (EMR) repositories (either from external hacking or employee snooping). However, it is easier to identify and report physical breaches (i.e., theft) because they are easier to detect. For example, it is readily apparent when a laptop has been stolen.

These statistics raise an important question for the health data privacy community. Are we doing enough to ensure the appropriate use of patient data?

In her presentation, the OCR Director discussed important organizational processes that should be put in place to secure PHI. These include:

1. Risk analysis and management
2. Security and control of portable electronic devices
3. Proper disposal and transfer of PHI
4. Physical access controls
5. HIPAA training and education
6. Effective breach remediation

While these processes are very important to ensure data privacy and security, they focus on the extremes of the data security continuum: preparing for a breach (i.e., risk assessments) and dealing with a breach (i.e., breach remediation). What is lacking is more discussion regarding what processes are necessary to monitor PHI usage during the course of health care.

In my discussions with numerous hospital compliance officers, two general types of monitoring processes are put in place today. The most basic type uses manual audits, in which a patient files a complaint or a VIP visits a hospital, and then the compliance officer manually reviews each access to ensure appropriate use. The second type uses rule-based flags, which alert compliance officers of potential inappropriate accesses based on specific rules. These rules typically encompass high-risk scenarios such as co-worker access (i.e., the patient and employee work in the same department), family access (i.e., the patient and employee have the same last name) or neighbor access.

There are three major weaknesses of these monitoring practices.

The investigations are often manual (once a flag is activated, a compliance officer must investigate), which can require extensive amounts of time to complete.

The previously described processes often result in high false positive rates in which most accesses reviewed are appropriate (i.e., occurring as part of payment, treatment or operations). These false positives waste compliance officers’ limited investigation time.

The percent of accesses monitored in most health systems (i.e., the access coverage) is small. This lack of coverage is particularly important, as a lack of a flag does not necessarily imply appropriate use. For example, if a hospital has not setup a flag to detect ex-girlfriend curious access, then this inappropriate use will be missed. It can be argued then that the coverage today on hospital access logs is less than 1% of all accesses to patient data.

Figure 3 The costs of breaches.

Monitoring technologies can potentially assist with this security gap, but it is important to consider how these tools work and what threats they address. The simplest methods attempt to identify access outliers in which an employee accesses, for example, ten times the number of accesses as normal. These types of systems can detect large-scale abuse and data scraping, but miss the threat of individual curious accesses. Alternatively, access outlier systems attempt to detect accesses to patient records that deviate from normal behavior. These systems have the potential to find more fine-grained breaches, but often have difficulties defining what normal is. Given the dynamic nature of hospital care, cleanly capturing normal behavior and deviations from it can result in high false positive rates if not done with care. In particular, looking at the access log in isolation without looking at clinical context often results in erroneous conclusions.

As part of my doctoral studies at the University of Michigan, I worked to develop tools to differentiate appropriate and inappropriate accesses from access logs. This work was based on two assumptions:

Most accesses to EMRs are appropriate, and occur for valid clinical and operational reasons.
The EMR often stores data documenting who was involved in a patient’s care (i.e., appointments, labs, medications, etc.).

Therefore, I argued that if a system could use the EMR data to determine the reason for access, then that access was likely appropriate and could be filtered, so fewer accesses needed to be manually reviewed.

Figure 4 Overview of the Explanation-Based Auditing System

The question is then: How do you find the reason for an appropriate access? It turns out, this problem can be reduced to a large graph search in which the system tries to find connections between the patient and the employee accessing the patient’s record through EMR data. If a connection can be found, the connection and the EMR data can serve as the reason for access, or an explanation for access. Even more interesting is that because of an explanation’s definitive structure, explanations can be automatically mined (or discovered) from a hospital’s data, allowing each hospital and its compliance officers to determine its own valid reasons for access. It is important to note that the system recommends explanations, but the compliance officer has final approval. The full peer-reviewed publication on this work can be found here.

Figure 5 An explanation for access: The access occurred because the employee had an appointment with the patient.

These explanations have proven to be invaluable for numerous compliance officers. Manual audits that previously took weeks now take minutes as huge portions of the log can be confidently filtered away. Moreover, the system allows compliance officers to monitor a larger portion of EMR accesses. Systems are also being evaluated to identify the most suspicious accesses that cannot be explained, so compliance officers know which access to look at next when monitoring all accesses in a hospital.

Over the last two years, I spun out this Explanation-Based Auditing System and formed a company, Maize Analytics. With support from the National Science Foundation Innovation Corps and investors, the company now offers this technology to hospitals to enhance their EMR security. The results show that over 95% of accesses in the log can be filtered, drastically reducing the time it takes to complete an audit.

Daniel Fabbri, PhD, is the founder and CEO of Maize Analytics. He is also an Assistant Professor at Vanderbilt University in the Biomedical Informatics and Computer Science Departments. His research focuses on machine learning for health data, and he teaches Vanderbilt’s big data computer science course.