January 11, 2022 // Isa Jones // Last Updated: July 25, 2022
With the average healthcare organization going through over 2.5 million EMR accesses a day, it can be difficult for an organization to ensure that those accesses are safe, that all important data is secure, and that industry-specific compliance is reached. It’s a lot to keep track of, and it’s incredibly important. One strategy that works for the sheer volume of accesses and falls under compliance regulations is access monitoring.
Access monitoring is the act of proactively or reactively observing and analyzing what happened while a user was in a session. A session is defined as a single event where a user exercised their access rights, or the period of time a user was “logged in” to an asset, presumably performing work.
It’s the security camera watching bank employees access the vault. Or the footage that’s viewed by police after a bank robbery. In short, access monitoring is the double-checking process to ensure that an organization’s access policy and controls are working like they should.
There are multiple components of access monitoring, and combining different components is the best way to keep EMRs and other sensitive data safe. It’s impossible to monitor every access, but a robust sample size should provide insight into what’s happening within your organization’s system.
Proactive monitoring is the observation or analysis of a session with no pre-defined reason for review. This kind of monitoring is often conducted in real time, or as close to it as possible, across a broad set of sessions. Think of the security guard watching real-time CCTV video across a property. It takes in many angles at once and offers a broad, thorough view of what’s happening in a system.
Reactive monitoring is the observation or analysis after a session due to a specific reason. Reactive monitoring requires systems and tools to be in place to record sessions. It’s generally applied to a single session or a small subset of sessions, and is most commonly used as part of an incident investigation. Think of the police watching security camera footage of one room of a bank after a robbery. It’s after the fact, and very targeted in what the monitoring is watching for.
Observation is the collection or passive review of session information. Observation is required for analysis (see below) but not vice versa. Strong access monitoring doesn’t exist without observation, which can take forms such as a video recording of a session, a text-based audit, or a collection of session data.
Analysis is the interrogation of the information or data collected. It can be used in both proactive and reactive use cases. Once an observation is complete, an analysis of a given session or data can occur.
Healthcare organizations are perfect targets for external hackers or insider threats. They hold a treasure trove of valuable information — patient data fetches $250 per record on the black market — and the severe consequences of a breach mean an organization is more likely to pay ransom, fast, in the case of a ransomware attack. Not to mention the sheer volume of access points, both from internal users and third parties, that leave an organization vulnerable to attack.
While placing fine-grained access controls can work in certain situations, healthcare providers need access fast to do their jobs, so it’s better to monitor proactively or retroactively than to stop them in the moment. No one can be expected to wait for approval, work within a limited number of logins a day, or deal with other access control measures when those accesses total in the millions. If a doctor needs approval from an IT department before accessing an EMR record on a patient’s allergies before administering medicine, the result could be deadly.
In addition, the number of internal users in a healthcare organization — nurses, doctors, techs, billing, etc. — leaves a system open to insider threats. Just adding a layer of control on access alone wouldn’t mitigate that threat, because those users should have access. It’s what they do with that access that is the risk. What assets are they accessing, and why?
But safety isn’t the only piece of the puzzle. Healthcare organizations must comply with various regulations (e.g., HIPAA) and need to be able to show an explanation for every access to compliance officers, along with their access control and monitoring plans. Implementing access monitoring allows those organizations not only to develop a security-focused plan, but also to track every access to stay HIPAA compliant, saving both time and money.
Access monitoring is more than just keeping a log of what users accessed. Best practices include:
By using proactive analysis of the session data, cases of anomalies, threats, or misuse can be quickly identified. In addition, subsequent reactive observation can confirm or deny the suspicion and provide more critical context as part of an investigation.
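The proactive-then-reactive workflow described above, sketched as an added example that is not from the original article or any monitoring product. The session fields, the care-team table used as the "explanation" for an access, and the daily patient limit are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: observed EMR sessions (the "observation" step).
SESSIONS = [
    {"id": "s1", "user": "nurse_a", "patient": "p100", "start": "2022-01-10T09:05"},
    {"id": "s2", "user": "nurse_a", "patient": "p101", "start": "2022-01-10T09:40"},
    {"id": "s3", "user": "billing_b", "patient": "p100", "start": "2022-01-10T10:15"},
    {"id": "s4", "user": "billing_b", "patient": "p200", "start": "2022-01-10T10:17"},
    {"id": "s5", "user": "billing_b", "patient": "p201", "start": "2022-01-10T10:18"},
    {"id": "s6", "user": "billing_b", "patient": "p202", "start": "2022-01-10T10:19"},
    {"id": "s7", "user": "dr_c", "patient": "p101", "start": "2022-01-11T02:30"},
]

# Assumed source of explanations: (user, patient) pairs with a documented
# working relationship, e.g. a care-team or billing assignment.
CARE_TEAM = {("nurse_a", "p100"), ("nurse_a", "p101"),
             ("billing_b", "p100"), ("dr_c", "p101")}

def proactive_analysis(sessions, care_team, daily_patient_limit=3):
    """Scan every session with no pre-defined reason for review.

    Returns {session_id: [reasons]} for sessions that merit a closer look.
    """
    # Distinct patients each user touched per calendar day.
    patients_per_day = defaultdict(set)
    for s in sessions:
        patients_per_day[(s["user"], s["start"][:10])].add(s["patient"])

    flags = {}
    for s in sessions:
        reasons = []
        if (s["user"], s["patient"]) not in care_team:
            reasons.append("no documented explanation")
        if len(patients_per_day[(s["user"], s["start"][:10])]) > daily_patient_limit:
            reasons.append("patient volume above daily limit")
        if reasons:
            flags[s["id"]] = reasons
    return flags

def reactive_review(sessions, user):
    """Targeted follow-up: every recorded session for one user, oldest first."""
    return sorted((s for s in sessions if s["user"] == user),
                  key=lambda s: s["start"])

if __name__ == "__main__":
    for sid, reasons in proactive_analysis(SESSIONS, CARE_TEAM).items():
        print(sid, "->", ", ".join(reasons))
    print([s["id"] for s in reactive_review(SESSIONS, "billing_b")])
```

Flagged sessions are leads, not findings: the reactive pass hands an investigator the user's full session history so the suspicion can be confirmed or dismissed in context.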
Manual monitoring can be tedious, and depending on the organization, near impossible. There are a variety of access control monitoring software solutions on the market that add ease and efficiency to the process, allowing an organization to monitor what matters most without losing time or risking compliance. If there are access controls in place, access monitoring software can often detect any violations of those controls as well. Investing in preventative measures now is the best way to avoid a costly cyber-attack in the future.
This article originally appeared in Health IT Security.