Patient data is accessed every day at healthcare facilities, to the point where an EMR system can experience over a million accesses in a single day. HIPAA requires that all of that patient data access be audited to ensure each access attempt is appropriate, so it is the job of compliance officers to make sure these audits happen.
Patient health data is highly sought after.
It’s now common to see big news stories about outsider threats coming in and looking at or stealing patient information. But outsiders aren’t the only ones who should cause concern; sometimes the people doing the snooping or outright stealing are employees right in the hospital. Multiple departments access this data (doctors, nurses, billing, claims, research), and most of them access this private patient data appropriately because they have a treatment, payment, or operational reason for access. If an access does not meet those standards, it is considered a HIPAA violation, subject to fines from the Office for Civil Rights (OCR). HIPAA also requires that policies and procedures be put in place for monitoring access to patient data.
While the choice of how this is done is up to the compliance team, most have been turning to tools to help them conduct these audits, known as EMR auditing tools. There has been a steady increase in solutions available to choose from, but there are certain factors that need to be considered before implementing one of these solutions. Here are three things to look for in an EMR auditing tool.
1. Explanation of the EMR access
When choosing a system that monitors EMR access logs, make sure it provides an explanation tied to a treatment, payment, or operations reason for every access it deems appropriate, and a stated reason for suspicion for every access it does not.
It is important to be able to see why an access was deemed appropriate, but it is also important to see why it was flagged as suspicious. Full details around an access attempt can help compliance teams investigate an access and give reason behind why it was inappropriate.
An auditing system that does not work with compliance, meaning it does not show its explanations and how it reached a given conclusion about an access, can cause serious issues. Compliance officers need to be able to explain to the Office for Civil Rights how an access under investigation was assessed. If they cannot explain the EMR auditing system and how it works, they could potentially face penalties.
2. Tailoring the EMR access auditing tool to your organization
Every hospital has different policies and procedures, and if your EMR auditing system does not let you apply those specifics to your instance, the result can be inaccurate auditing. For example, some organizations allow staff to access their own medical records (known as self-access), and a compliance officer needs to be able to configure whether this is allowed within the EMR auditing system. It is also important to ensure the system you choose uses a machine learning algorithm that learns and adapts its auditing process based only on your organization’s data. Some solutions instead use algorithms trained on other hospitals’ data, which can introduce biases and inconsistencies into your access auditing.
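To make the first two points concrete (every verdict carries a treatment, payment or operations explanation, and the auditor honours organization-specific policy such as self-access), here is a small rule-based auditor written for this article. It is example code, not SecureLink’s product; the Policy and Access fields, role names and sample log entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Organization-specific settings the auditor must honour (hypothetical fields)."""
    allow_self_access: bool = False                      # may staff view their own chart?
    payment_roles: frozenset = frozenset({"billing", "claims"})
    operations_roles: frozenset = frozenset({"him", "quality"})


@dataclass(frozen=True)
class Access:
    """One EMR access event; field names are constructed for this example."""
    user: str
    role: str
    patient_id: str
    care_team: frozenset                     # users with an active treatment relationship
    user_patient_id: Optional[str] = None    # the user's own chart id, if they are a patient


def audit(a: Access, p: Policy) -> Tuple[str, str]:
    """Classify one access; every verdict carries a human-readable reason."""
    if a.user_patient_id is not None and a.user_patient_id == a.patient_id:
        if p.allow_self_access:
            return "appropriate", "self-access is permitted by organization policy"
        return "suspicious", "self-access is prohibited by organization policy"
    if a.user in a.care_team:
        return "appropriate", "treatment: user is on the patient's active care team"
    if a.role in p.payment_roles:
        return "appropriate", f"payment: role '{a.role}' processes billing or claims"
    if a.role in p.operations_roles:
        return "appropriate", f"operations: role '{a.role}' performs healthcare operations"
    return "suspicious", (f"no treatment, payment or operations reason found for "
                          f"role '{a.role}' accessing patient {a.patient_id}")


def audit_log(events: List[Access], p: Policy) -> List[Tuple[str, str, str, str]]:
    """Audit every event, returning (user, patient, verdict, explanation) rows."""
    return [(e.user, e.patient_id, *audit(e, p)) for e in events]


# Constructed sample access log (not real data)
SAMPLE_LOG = [
    Access("dr_lee", "physician", "P-100", frozenset({"dr_lee", "rn_kim"})),
    Access("rn_kim", "nurse", "P-100", frozenset({"dr_lee", "rn_kim"}), user_patient_id="P-200"),
    Access("rn_kim", "nurse", "P-200", frozenset({"dr_lee"}), user_patient_id="P-200"),
    Access("bill_01", "billing", "P-100", frozenset({"dr_lee", "rn_kim"})),
    Access("rn_park", "nurse", "P-100", frozenset({"dr_lee", "rn_kim"})),
]
```

Flipping `allow_self_access` to `True` turns the third event from suspicious to appropriate, which is exactly the kind of per-organization setting the text says a compliance officer must be able to control.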
3. Choose an all-in-one EMR access auditing solution
Compliance officers are in charge of monitoring EMR access logs, and they’re also responsible for conducting investigations should an access be deemed inappropriate. There are a lot of moving pieces in that puzzle, and documentation is required if the EMR access event needs to be presented to the OCR. That’s why it is important to have an all-in-one solution that flags access attempts and lets you manage, document, and report on an investigation all from one platform. Being able to document interactions with managers, the employee who made the access, and any other members involved in the investigation allows compliance officers to review everything in one place and easily compile this information for governing bodies or upper management.
EMR access monitoring is important to ensure patient data protection and to adhere to compliance guidelines. As technology solutions continue to grow in this space, it is important to know what to look for when choosing one. Compliance officers should make sure they find a system that provides explanations for accesses, is customizable to their organization, and provides capabilities such as an investigation portal, making it an all-in-one solution. The SecureLink Privacy Monitor tool checks the boxes in all these areas and can help your compliance team streamline EMR access auditing. If you would like to learn more about our solution, visit our Patient Privacy Monitoring