Nationwide Children’s Hospital Case Study
Empowering privacy officers to protect patient data
Nationwide Children’s Hospital (NCH) is one of America’s largest children’s hospitals, with more than 1.4 million patient visits from all 50 states and 52 countries. With so many patients coming in each day, a large staff is a must, which results in a large number of patient record accesses each day. On top of that, being such a prestigious children’s hospital means that they are dealing with highly sensitive information, with some of the most at-risk patients coming to their facility for treatment. This is a big lift for a compliance team when it comes to auditing patient records, and it was a difficult task for them to manage. That’s why they decided to search for a technology solution that best fit their needs, leading them to the Patient Privacy Monitoring solution from Maize Analytics powered by SecureLink.
NCH started with a manual and labor intensive auditing process, a challenge many compliance and privacy officers face. With a manual process, they were only able to audit between 10-20 patient encounters per unit/month, and spend an average of 1.5 to 20 hours per month on auditing (depending on the area). That means they were only able to do about 4500 audits a year, less than 0.5% of patient visits annually. Their audit levels were significantly below the recommended levels. Not only that, but they were completely manual and reactive, labor-intensive, costly, and hard to track or trend user behavior. They knew the solution to better auditing was to automate their processes, so the hunt began for a solution, and for budget.
However, a roadblock came in full force…budget approval. For 3 years the NCH compliance teams were denied the budget for automating their auditing process,
due to the expansion of clinical services and research initiatives being top priority. This changed when there was a major inappropriate access to a patient record, which required executives to be involved in the case. The executives were able to see first-hand how difficult and time consuming it was to examine thousands of lines of audit trail data. While it was not ideal to have a major breach be the thing that tipped the scales, it did help prove the value of bringing on an auditing solution, so the hunt was on for a vendor.
When looking for an auditing solution, NCH tried to think of their needs and wants out of a system. NCH was looking for a vendor that would tell them specifically how that vendor solution could solve their issues, and how the technology worked. NCH would need to defend their system and how it worked to the OCR, so it only made sense for them to have a solution that was upfront and honest about how it determined appropriate vs. inappropriate access. NCH also utilized their recent snooper incident to further identify what they wanted out of a solution, and the most important thing to them was the need for a system that analyzed user behavior.
NCH ultimately decided on the Patient Privacy Monitoring Solution from Maize Analytics Powered by SecureLink, feeling that it best suited their needs. The Maize team was able to show that the system would have been able to alert them on the snooper’s behavior far sooner, by looking at every single access the snooper made, determining why the accesses occurred, and whether that reason was appropriate, inappropriate, or unexplained. It was exactly what they were looking for, a system that did the work for them, compiling all the data and showing the compliance officers what they needed to know. The machine learning technology used by the Patient Privacy Monitoring Solution is based on peer-reviewed and published research from top biomedical informatics and computer science journals. Unlike other unsupervised machine learning technologies that may “learn’’ bad or uninterpretable policies, the Patient Privacy Monitoring machine learning system keeps the privacy officer in the loop. The system generates “explanations,” that describe why accesses occur (e.g., the doctor had an appointment with the patient). Privacy officers supervise the auditing system and “turn on” their policy to control how the system automatically audits.
NCH transitioned from a manual and labor intensive auditing process, to an automated, machine learning-driven operation with Patient Privacy Monitoring from Maize Analytics Powered by SecureLink. While traditional approaches to access auditing first look for high-risk behavior, the Patient Privacy Monitoring solution flips the traditional auditing problem on its head by first filtering appropriate accesses from the audit log, and then identifying high-risk accesses for review. As a result, organizations experience fewer false positives compared to traditional or manual approaches. After the first year of implementation, NCH was able to audit 100% of user activity on average per month, and 96% of those accesses were deemed appropriate. 208 accesses were flagged as suspicious, and that was based on proactive flags that NCH customized within the solution based on their policies. NCH now has the tools they need to protect the millions of patients they see come through their doors with Patient Privacy Monitoring from Maize Analytics Powered by SecureLink.
* Note: Products referenced in this case study were under the Maize Analytics suite of products during the time this case study was written. Maize Analytics has been acquired by SecureLink as of May 11, 2021, and the Patient Privacy Monitoring Solution referenced in this study is now under the umbrella of SecureLink product offerings.
Access the Case Study
"Nationwide Children’s Hospital (NCH), one of America’s largest children’s hospitals, utilizes the Patient Privacy Monitoring Solution from Maize Analytics Powered by SecureLink to empower their privacy officers and accelerate their ability to perform patient privacy audits quickly and efficiently."