July 06, 2022 // Isa Jones. Last Updated: July 25, 2022
Protecting private patient data is critical for any healthcare organization. It matters for HIPAA compliance and for the safety and security of the patients themselves. From securing systems against outside attackers to monitoring and controlling internal access, there are many steps an organization can take to better protect PHI and EMR data.
Access monitoring is exactly what it sounds like — monitoring user access to network resources, critical data, and high-risk access points. Access monitoring, which can be done in real time or through retroactive review and analysis, is especially important in healthcare, where the sheer volume of daily access to EMR systems and healthcare networks makes traditional access controls difficult to apply. On average, there are millions of access attempts per healthcare organization per day. Many of them happen during a time-sensitive, literally life-saving moment, so controls that would slow down that access are not an option. That is why proper monitoring is so important: it is one of the few ways an organization can protect its EMR data in real time.
Before looking at the development of machine learning, it’s important to look at traditional methods of access monitoring, and why they have fallen short.
The more common form of access monitoring is a “rules-based” system. The organization sets parameters for access, and any access attempt outside those parameters is flagged. The most common parameter is job role. If a nurse works in the ER, that nurse may only access the EMR data of patients currently in the ER; any attempt to access other data is flagged as suspicious.
That makes sense, and for smaller organizations it is a reasonable way to run access monitoring. However, this kind of system can generate a lot of false positives. In fact, false positives are a major issue across the industry, and the reason is clear: healthcare is complicated from both a practical and an organizational standpoint. What if the ER nurse from the example above is spending her day in the ICU or the pediatric clinic instead? What if an oncologist comes into the ER for a consult? Those are the problems machine learning is working to solve.
Machine learning, often referred to as artificial intelligence, is able to verify access through context and learning instead of a fixed yes-or-no rule. This kind of technology better understands why an asset was accessed, and it can identify and remember patterns in access to reduce false positives and make access more efficient and secure.
Let’s look at the oncology example from above. A patient in the ER has a scan that could be cancerous, so the ER calls for an oncology consult. Later, from his office, the oncologist accesses that patient’s record to look at it further. If the patient is still classified as an ER patient, that access might be flagged by a rules-based system. With machine learning, however, the system would recognize that the patient has cancer, that oncologists treat cancer, and therefore that this access is appropriate.
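As an added example (not code from the original post), here is a small Python evaluator that runs the floating-nurse and oncologist scenarios above first against a fixed role rule and then against the same events with shift and consult context. The role labels, unit names, and patient records are constructed, and the context checks are a hand-written stand-in for the signals a learned model would pick up, not a machine-learning implementation.

```python
"""Rules-based vs context-aware evaluation of constructed EMR access events."""
from dataclasses import dataclass, field

@dataclass
class Patient:
    patient_id: str
    unit: str                        # unit the patient is currently assigned to
    consults: set = field(default_factory=set)  # specialties asked to consult

@dataclass
class Access:
    user: str
    role: str            # fixed job role (hypothetical labels)
    patient_id: str
    unit_on_shift: str   # unit the user is actually working in today

# Hypothetical mapping of job roles to their home unit and specialty.
ROLE_HOME_UNIT = {"ER_nurse": "ER", "ICU_nurse": "ICU", "oncologist": "ONCOLOGY"}
ROLE_SPECIALTY = {"oncologist": "oncology"}

def rules_based(access, patients):
    """The fixed yes/no rule: flag any access outside the role's home unit."""
    patient = patients[access.patient_id]
    return patient.unit != ROLE_HOME_UNIT[access.role]

def context_aware(access, patients):
    """Add the context a learned model would use: today's shift and open consults."""
    patient = patients[access.patient_id]
    if patient.unit == access.unit_on_shift:
        return False   # nurse floating to another unit for the day
    if ROLE_SPECIALTY.get(access.role) in patient.consults:
        return False   # specialist called in to consult on this patient
    return rules_based(access, patients)

def evaluate(accesses, patients):
    """Return (user, flagged_by_rules, flagged_with_context) per access event."""
    return [(a.user, rules_based(a, patients), context_aware(a, patients))
            for a in accesses]

# Constructed sample data (not real patients or users).
PATIENTS = {
    "P1": Patient("P1", "ER", {"oncology"}),   # ER patient with a suspicious scan
    "P2": Patient("P2", "ICU"),
    "P3": Patient("P3", "ONCOLOGY"),
}
ACCESSES = [
    Access("nurse_a", "ER_nurse", "P1", "ER"),       # routine ER access
    Access("nurse_a", "ER_nurse", "P2", "ICU"),      # floating to the ICU today
    Access("dr_b", "oncologist", "P1", "ONCOLOGY"),  # consult reviewed from own office
    Access("nurse_c", "ER_nurse", "P3", "ER"),       # nothing explains this access
]
```

Running `evaluate(ACCESSES, PATIENTS)` shows the fixed rule flagging three of the four events while the context checks flag only the last one, which neither a shift assignment nor a consult explains.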
As stated previously, machine learning reduces false positives, applies context to access monitoring, and learns as it goes, potentially flagging suspicious activity that a rules-based system would have missed.
In addition, it can add a layer of access control to these systems, access points, and assets in place of traditional fine-grained controls. The technology determines whether an access is appropriate in the moment, so the access can be denied if it is deemed inappropriate, unlike traditional access monitoring, which is mostly reviewed and analyzed retroactively. Because the technology is automated, it can also review far more access events, since no new rule needs to be written for each access. You can jump from a 1% audit rate to a 99% audit rate.
This post was originally published in Data Breach Today.