Insider threats are dangerous for any organization, not just healthcare. As a result, healthcare organizations need to be extra vigilant when it comes to protecting patient data. Today, we talk with Ray Ribble, CEO of SPHER, to hear some stories about why it’s important to review EHR logs and how his company can help you identify potential insider threats.
In this episode:
Do you audit your EHR logs? – Ep 329
Today’s Episode is brought to you by:
Kardon
and HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Feb 22-24, 2022
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Do you audit your EHR logs?
[03:55] Ray Ribble, CEO of SPHER, joins us today to talk about auditing your EHR logs. Everyone’s privacy, security and compliance program should include auditing logs. It is a HIPAA requirement, after all. Doing so can also keep you from making a very expensive mistake, as we’ll discuss later with a few recent news articles about breaches that could potentially have been avoided if the practice had done so.
SPHER is in the compliance analytics business. They have a cloud-based solution that works closely with your EHR systems, practice management systems and other applications that store PHI. Their software allows you to address the insider threat, which is often difficult to catch.
Insider threats can come in the form of current employees, a consultant you gave access to the EHR for a particular purpose or even ex-employees that you forgot to terminate from the EHR system. It’s important to understand that your typical IT vendor might be monitoring network logs, but likely is not monitoring what’s going on in the EHR.
Many practices today do their EHR log reviews manually by selecting a few VIP accounts to see if any staff have inappropriately accessed the records. Or they might take one or two staff members and see if they have inappropriately accessed or altered patient records. That’s not nearly enough, and it takes a lot of time if it’s done fairly often. SPHER’s application looks at every access, not just a sample. It’s a more thorough review of log data.
[19:47] Data breaches that involve insiders accessing data inappropriately happen all the time. These kinds of breaches are hard to detect, especially without a system to review all the data these logs contain. They aren’t usually the big splashy data breaches either.
Former Executive Accessed PHI of Nearly 38,000 Individuals
Premier Patient Healthcare Discovered Data Security Incident
The file contained information such as full names, age, date of birth, sex, race, county, and state of residence, and ZIP Codes of individuals. The file also included Medicare beneficiary information such as Medicare eligibility period, spend information, and hierarchical condition category risk score.
It took 8 or so months before the organization became aware of this breach. If these logs were reviewed by a program such as SPHER, the practice would have been alerted to this access within 24 hours and they could have started taking action then.
According to Ray, snooping took over the #1 slot of the things their log reviews captured last year during the pandemic. People were looking at patient records that they had no business looking at. Prior to that, time of access was at the top of the list, meaning people were caught accessing records at odd times of the day which was out of the norm from their normal work hours.
Implementing a solution like SPHER can impact your organization in many ways. It can give you the ability to automate the review of application logs. It can review all of the audit logs generated within the application. It can help you identify anomalies quickly so that you can investigate a user’s actions. It can also be a deterrent for your staff and keep them from accessing records inappropriately. By telling your employees that you are using a tool such as SPHER to do EHR log reviews and that they are being monitored, they will likely think twice before accessing records of patients they are not actively involved with for treatment, payment or operations (TPO).
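As an added example (not SPHER’s software and not from the episode), here is a small Python review of constructed EHR audit-log lines that checks every access, not a VIP sample, for the three patterns discussed above: accounts that should have been terminated, access without a treatment relationship (snooping), and access outside normal work hours. The log format, care-team roster, work hours and terminated-account list are all assumptions made for the example.

```python
# Added example (not SPHER's code): flag the insider-threat patterns the
# episode describes by reviewing every EHR audit-log entry, not a sample.
# Log format, care-team roster, work hours and terminated list are constructed.
from datetime import datetime

# Constructed EHR audit log: timestamp, user, patient id, action
AUDIT_LOG = """\
2022-01-10T09:15:00,jdoe,P1001,VIEW
2022-01-10T10:02:00,jdoe,P2044,VIEW
2022-01-10T23:40:00,msmith,P1001,VIEW
2022-01-11T14:05:00,consult1,P3090,VIEW
2022-01-11T14:06:00,consult1,P3091,EXPORT
""".splitlines()

# Constructed treatment relationships (user -> patients on their care team)
CARE_TEAM = {
    "jdoe": {"P1001"},
    "msmith": {"P1001"},
    "consult1": {"P3090"},
}
# Constructed normal working window (start hour, end hour) per user
WORK_HOURS = {"jdoe": (8, 18), "msmith": (8, 18), "consult1": (8, 18)}
# Constructed: a consultant whose EHR access was never removed
TERMINATED = {"consult1"}

def parse_entry(line):
    ts, user, patient, action = line.strip().split(",")
    return datetime.fromisoformat(ts), user, patient, action

def review_access(line):
    """Return the list of anomaly labels for one audit-log entry."""
    ts, user, patient, action = parse_entry(line)
    findings = []
    if user in TERMINATED:
        findings.append("terminated_account")
    if patient not in CARE_TEAM.get(user, set()):
        findings.append("no_treatment_relationship")  # snooping
    start, end = WORK_HOURS.get(user, (0, 24))
    if not start <= ts.hour < end:
        findings.append("off_hours")
    return findings

def review_log(lines):
    """Review every entry; return {line_index: findings} for flagged entries."""
    return {i: f for i, line in enumerate(lines) if (f := review_access(line))}

if __name__ == "__main__":
    for i, findings in review_log(AUDIT_LOG).items():
        print(AUDIT_LOG[i], "->", ", ".join(findings))
```

A real deployment would read the roster and schedule from the practice management system and alert on each flagged entry within the day, rather than waiting for a quarterly manual review.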
[39:39] NJ: University Hospital recently learned of long-running insider-wrongdoing breach
This breach affected 9,329 patients.
[50:56] ISACA published a report called A Holistic Approach to Mitigating Harm from Insider Threats. They have a whole section on MICE—What Turns a Good Insider Bad. Every practice has staff who make mistakes, but it’s the malicious ones and the ones that create problems that you are trying to catch. Here is an example from the report:
- Money is the need or desire for financial gain. Employees might have a critical need for money or perhaps a strong desire for more money than they are making. They may rationalize that an enterprise is not paying them enough.
- Ideology refers to a political or ethical reason for employees betraying their enterprise. Some people become disillusioned. Some become whistleblowers when they find corrupt practices. In some cases, people involved with foreign intelligence operations may realize that their efforts are not actually supporting their country but are furthering the goals of predatory individuals running the operation. Their disillusionment may turn into a willingness to support another country.
- Coercion is essentially blackmail. A person may be compromised because of a situation that may cause embarrassment or other harm. For example, when someone gives a spy compromising information, the spy can then use that information as a threat, by saying, “Unless you continue to give me information, I will disclose that you gave me information in the past.” For a target who wants to escape exposure, this is a point of no return.
- Ego refers to a person becoming a malicious insider due to perceived unfair treatment. The individual may be upset over not getting a promotion or not getting sufficient respect. The person may feel held back from advancement. Any potential slight can be justification to harm the enterprise.
Conclusion in the report:
The goal of protecting your patients’ privacy and, by extension, the organization is to identify issues and take action before something bad happens. Know what is going on in your organization. The cost of not doing this could greatly impact your patients’ privacy as well as the organization’s reputation and bottom line.
If you are interested in learning more about SPHER and their solution, or even getting a demo, check out their website or contact Ray Ribble at rayribble@sperinc.com or find him on LinkedIn. Or let Donna or David know you are interested and they will connect you with Ray and SPHER.
Organizations today are recognizing privacy and security as a business risk. Audit log reviews can be done manually, but more and more organizations are coming to the conclusion that manual is not good enough. We often mention that implementing technology cannot make all your problems go away. But SPHER is a good example of the value of a technological solution to a problem in a way that really does change the way organizations are able to run their business.
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.