Monitoring Access to Records
A Brooklyn Hospital Relies on New Technology to Ensure Privacy
But that's changed now that the teaching hospital is using new technology to monitor access to its more than 100 clinical applications that contain patient information, says Gabriel Sandu, senior director of technical services.
The hospital is using the PacketSentry application from PacketMotion to ease the monitoring process and help it comply with the HIPAA Security Rule.
Security consultant Kate Borten of The Marblehead Group explained in a recent blog that the HIPAA Security Rule's information system activity review specification requires organizations to "implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports." The rule's audit controls standard requires organizations to "implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
Federal authorities recently introduced a proposed Accounting of Disclosures rule, mandated under the HITECH Act, that would require, among other things, providing patients, upon request, with a list of everyone who's accessed their records. Sandu believes the PacketSentry system will enable the hospital to efficiently prepare such reports, if they're required in the final rule.
New Approach to Access Monitoring
Using the new access monitoring technology, Maimonides Medical Center each month runs audits of who has accessed randomly selected patients' records; it also audits the records access activity of randomly selected staff members. Plus, the hospital conducts targeted access checks when VIPs are treated at the hospital. "And if a relative of someone who works at the hospital is treated here, we'll do an audit as well," Sandu says.
Before acquiring the new technology, the hospital would assign staff several times a year to complete the painstaking process of "sweeping through" activity logs for its dozens of clinical information systems to conduct random audits, Sandu says.
In contrast, the PacketSentry application "creates its own repository of stripped-down access information" based on network activity for all the clinical systems to make it easier to detect unauthorized access, he explains. "PacketSentry enables us to search in a meaningful way, rather than throwing resources against tremendous amounts of information," Sandu says.
If unauthorized access to a system is discovered using the new technology, Sandu's staff can then, if necessary, go into an individual clinical system's logs to pinpoint every screen that was viewed.
Since implementing the technology last September, the hospital has identified some records snoopers, Sandu acknowledges. The hospital imposes sanctions, up to firing, depending on the nature of the privacy violation.
The access monitoring technology helps the hospital identify "rights escalation" cases, where employees who are re-assigned to new departments accumulate authorizations to access more systems than they actually need to use, Sandu notes. By running random reports, Sandu's team can identify patterns that indicate a staff member has the rights to access inappropriate systems and then shut down access to those systems. In this way, for example, the hospital can help cut down on incidents involving curious workers looking up patient records in the emergency department's system when they no longer work in that department.
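The three audit types the article describes (random-sample audits, targeted checks on VIPs or staff relatives, and the "rights escalation" pattern) can all be run over one central repository of stripped-down access events. The following is an added illustration, not PacketSentry's or the hospital's code; the event records, the system-to-department policy map and the HR department feed are constructed sample data.

```python
import random
from collections import defaultdict

# Constructed sample: access events normalised from three clinical systems
# into one repository. Each event keeps only system, user and patient.
EVENTS = [
    {"system": "ED-Chart", "user": "jdoe", "patient": "P001"},
    {"system": "ED-Chart", "user": "jdoe", "patient": "P002"},
    {"system": "Lab-LIS", "user": "jdoe", "patient": "P002"},
    {"system": "Radiology-PACS", "user": "asmith", "patient": "P003"},
    {"system": "ED-Chart", "user": "asmith", "patient": "P004"},
    {"system": "ED-Chart", "user": "asmith", "patient": "P005"},
]
# Assumed reference data: departments that legitimately use each system,
# and each employee's current department from an HR feed.
SYSTEM_DEPTS = {
    "ED-Chart": {"Emergency"},
    "Lab-LIS": {"Laboratory", "Emergency", "Radiology"},
    "Radiology-PACS": {"Radiology", "Emergency"},
}
CURRENT_DEPT = {"jdoe": "Emergency", "asmith": "Radiology"}

def rights_escalation(events, system_depts, current_dept):
    """(user, system, count) for users whose current department is not
    a legitimate user of that system: rights left over from a transfer."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["system"])] += 1
    return sorted(
        (user, system, n) for (user, system), n in counts.items()
        if current_dept.get(user) not in system_depts.get(system, set())
    )

def targeted_audit(events, watch_patients):
    """Every access to a watch-listed patient (VIP or staff relative)."""
    return sorted(
        (e["patient"], e["user"], e["system"])
        for e in events if e["patient"] in watch_patients
    )

def random_sample_audit(events, k, seed):
    """All accesses to k randomly chosen patients; the seed is recorded
    so the audit sample can be reproduced later."""
    patients = sorted({e["patient"] for e in events})
    chosen = set(random.Random(seed).sample(patients, k))
    return [e for e in events if e["patient"] in chosen]
```

Flagged (user, system) pairs are the starting point for pulling that system's own detailed logs, as the article describes; the repository itself only says which system was touched, not which screens.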
Lessons Learned
Sandu advises other hospitals tackling the access monitoring challenge to first do all they can to limit the number of clinical information systems they use. Maimonides Medical Center accumulated numerous systems over the years because it took a "best of breed" approach to acquiring systems department by department. But to audit activity on multiple systems, "capturing 100 percent of stripped-down information rather than parsing through all the access log information" greatly eases the process, he stresses.
And for some organizations, taking that approach doesn't necessarily mean investing in new technology. For example, Fallon Clinic in Worcester, Mass., is aggregating log information in a home-grown central repository to support custom audit reports. The clinic takes this approach "so we can run extensive reporting without slowing down production," says Paul Nichols, director of IT infrastructure.
Like Maimonides, the Fallon Clinic uses the access log repository to conduct random monthly audits of employee access to patient information in multiple systems. "We identified some individuals accessing family members' records," says Cyndy Hatch, manager of IT security. The clinic reminded these staff members that only clinicians treating a patient can routinely access records.