October 22, 2021//Isa Jones
Last Updated: June 13, 2022
It’s hard to know what’s happening with critical access and assets if no one is watching. Access governance can create a secure system, and access controls can add friction, but you don’t know who is actually accessing what unless there are eyes on it. Those eyes come in the form of access monitoring.
Access monitoring is proactively or reactively observing and analyzing what happened while a user was in a session. A session is defined as a single event where a user exercised their access rights, or the period of time a user was “logged in” to an asset, presumably performing work.
It’s the security camera watching bank employees access the vault. Or the footage that’s viewed by police after a bank robbery. In short, access monitoring is the double-check process to ensure that an organization’s access policy and controls are working like they should.
As stated above, you can have observation without analysis, but you can’t have analysis without observation. As a best practice, a strong access monitoring strategy uses both, and both can work together to create a full picture of what’s happening within a system. Consider the example of a nurse snooping on patient files. A proactive analysis of EHR records may flag a suspicious event, but a reactive observation of a session can provide additional context, and highlight the details of what happened — whether the nurse was snooping or accidentally clicked on the wrong patient name.
Because it often occurs in real time, proactive observation is the most time-consuming, and often ineffective, form of access monitoring. Without parameters in place, an observer could watch too much for too long in real time without understanding what they are observing. However, it does have benefits if used sparingly and strategically. For high-risk, low-frequency access points and assets, employing another set of eyes can protect what’s most critical for an organization.
High-frequency, high-risk accesses, like those to patient files, should be covered by proactive access monitoring as a best practice. Proactive analysis of the session data can quickly identify anomalies, threats, or misuse. Subsequent reactive observation can then confirm or deny the suspicion and provide more critical context as part of an investigation.
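The nurse example and the proactive-then-reactive workflow described above, sketched as an added illustration (not code from the original article or from any SecureLink product). The events, the care-team mapping, the action names, and the 10-second misclick threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample EHR access events: (ISO timestamp, user, patient, action)
EVENTS = [
    ("2022-06-13T08:00:00", "nurse_a", "P100", "open_chart"),
    ("2022-06-13T08:02:30", "nurse_a", "P100", "view_medications"),
    ("2022-06-13T08:04:00", "nurse_a", "P100", "close_chart"),
    ("2022-06-13T09:15:02", "nurse_a", "P300", "open_chart"),
    ("2022-06-13T09:15:05", "nurse_a", "P300", "close_chart"),
    ("2022-06-13T14:00:00", "nurse_b", "P301", "open_chart"),
    ("2022-06-13T14:00:40", "nurse_b", "P301", "view_demographics"),
    ("2022-06-13T14:03:10", "nurse_b", "P301", "view_notes"),
    ("2022-06-13T14:06:00", "nurse_b", "P301", "close_chart"),
]

# Assumption: a mapping of each user to the patients they are assigned to.
CARE_TEAM = {"nurse_a": {"P100", "P101"}, "nurse_b": {"P200"}}


def proactive_flags(events, care_team):
    """Proactive analysis: flag (user, patient) pairs with no care relationship."""
    return {
        (user, patient)
        for _ts, user, patient, _action in events
        if patient not in care_team.get(user, set())
    }


def reactive_review(events, user, patient, quick_close_secs=10):
    """Reactive observation: replay one flagged session to recover its context."""
    session = sorted(e for e in events if e[1] == user and e[2] == patient)
    if not session:
        raise ValueError("no events recorded for this user/patient pair")
    times = [datetime.fromisoformat(e[0]) for e in session]
    duration = (times[-1] - times[0]).total_seconds()
    actions = [e[3] for e in session]
    # A chart opened and closed within seconds, with nothing viewed, looks
    # like a wrong-name click; anything else goes to a human investigator.
    only_open_close = set(actions) <= {"open_chart", "close_chart"}
    misclick = only_open_close and duration <= quick_close_secs
    verdict = "likely misclick" if misclick else "escalate for investigation"
    return {"user": user, "patient": patient, "actions": actions,
            "duration_s": duration, "verdict": verdict}


if __name__ == "__main__":
    for user, patient in sorted(proactive_flags(EVENTS, CARE_TEAM)):
        print(reactive_review(EVENTS, user, patient))
```

The proactive pass only narrows millions of accesses down to candidates; the verdict still comes from looking at what happened inside the flagged session.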
Healthcare might as well be synonymous with high-frequency, high-risk access points. A single hospital could contain thousands of patient files and other data that falls under HIPAA, and all of it is accessed regularly by doctors, nurses, technicians, and more. In fact, there are over 2.5 million EMR accesses per health organization per day. That’s a whole new level of high frequency.
Access monitoring is crucial in these instances, because access control — often an extra layer of security — becomes impractical in this situation. No one can be expected to wait for approval or only have a limited number of logins a day or other access control measures in place when those accesses total in the millions. If a doctor needs approval from an IT department before accessing an EMR record on a patient’s allergies before administering medicine, the result could be deadly.
Proactive analysis and monitoring, together with reactive access monitoring that does not mean going through all the accesses that happened over a 24-hour period, would allow an organization to apply granular control without interrupting operations or creating an impractical situation for users. In fact, HIPAA regulations require that an organization have an access control and access monitoring plan, and that it be able to explain every access that occurs to EMRs.
While access monitoring itself can be overwhelming, there are patient privacy monitoring solutions, like SecureLink Privacy Monitor, that offer ease and efficiency, while helping organizations stay compliant with various regulations. SecureLink can help an organization filter through access points and assets that are most critical, provide real-time updates on suspicious activity, and relieve IT burden.
While each organization may have different needs, employing some form of access monitoring is crucial to critical access management and strong access safeguards. For more information on access monitoring, see our Critical Access Management eBook, and for more information on software solutions, see SecureLink Privacy Monitor.