<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insider Fraud Spotlight &#187; Healthcare Fraud</title>
	<atom:link href="http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/category/healthcare/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.attachmate.com/blogs/insider-fraud-spotlight</link>
	<description>Attachmate Luminet</description>
	<lastBuildDate>Mon, 05 Aug 2013 19:58:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>HIPAA and HITRUST for Healthcare: What&#8217;s the Difference?</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hipaa-and-hitrust-for-healthcare-whats-the-difference/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hipaa-and-hitrust-for-healthcare-whats-the-difference/#comments</comments>
		<pubDate>Sun, 10 Feb 2013 23:13:59 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=207</guid>
		<description><![CDATA[Healthcare institutions are working hard to map audit and compliance efforts throughout their organization&#8211;especially across critical applications and mainframe systems with legacy applications. All of this effort will result in more secure EHRs and improvements in patient privacy protections. But in a world of constrained resources, where should care providers focus the bulk of their [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Healthcare institutions are working hard to map audit and compliance efforts throughout their organization&#8211;especially across critical applications and mainframe systems with legacy applications. All of this effort will result in more secure EHRs and improvements in patient privacy protections. But in a world of constrained resources, where should care providers focus the bulk of their improvements? Oftentimes, it comes down to priorities&#8211;the organizational objectives&#8211;that will drive the process.</p>
<p>As related in a recent whitepaper from Coalfire, Andrew Hicks shares the following distinctions:<br />
&#8220;HIPAA and HITRUST assessments each share the common objective of safeguarding healthcare information, however the similarities end there. A HIPAA Security assessment will provide an organization reassurance that when all audit recommendations have been resolved, the organization will be compliant with the HIPAA requirements. </p>
<p>A HITRUST assessment and certification, on the other hand, takes a more risk-based approach, scaling the requirements to the risk characteristics of the organization and focusing on controls related to the leading causes of breaches in the healthcare industry. This approach also considers compliance with regulations such as HIPAA, allowing organizations to take a more holistic approach towards protecting sensitive information.&#8221;<br />
(To access this whitepaper, look for &#8220;HIPAA versus HITRUST &#8211; FAQ&#8221; by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead, Coalfire Systems, Inc. www.coalfire.com)</p>
<p>For leading healthcare institutions, checking the box for HIPAA compliance is often not enough. These organizations focus instead on addressing risks to patient information and potential security violations. Where protecting patient data and safeguarding access to EHRs (electronic health records) is paramount, the priority shifts to addressing risk across the organization.</p>
<p>In one of our recent engagements, a major care facility in the Northeast was seeking to understand access to patient records. Here are some of the things they wanted to be able to examine as part of their approach to risk:<br />
•	VIP record snooping<br />
•	Executive record snooping<br />
•	Patient / employee record snooping<br />
•	Family member and self-examination of records<br />
•	Neighbor record snooping<br />
•	Identity Theft<br />
•	Medical Identity Theft<br />
•	Areas of potential non-compliance with federal and state regulations</p>
<p>Monitoring for these indicators and correlating that data across multiple systems was well within Luminet’s capabilities. In addition to capturing EPIC, Kronos, Cerner, Meditech, and other log data, the Luminet solution was able to monitor the existing mainframe applications and correlate that information so that it could alert on suspicious activity in real time.</p>
<p>Then, as part of a comprehensive risk approach, we were able to add visibility into the hospital’s accounting and payroll systems. Luminet’s ability to monitor Lawson and other accounting systems enabled a new level of visibility and added clarity to the financial operations side of the house. This benefit wasn’t available with other monitoring systems focused exclusively on EHR and patient data.<br />
When considering whether to address HIPAA or HITRUST concerns, organizations would be well served to take a long view and invest in systems flexible enough to meet their present and future needs. A number of modern systems can address HIPAA, PCI-DSS, state regulations like SB 1386, Meaningful Use, and Accounting of Disclosure.  But if it is time to make an investment, wouldn’t it be best to select a technology partner and a solution that can help address risk across all your critical systems? </p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hipaa-and-hitrust-for-healthcare-whats-the-difference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HITECH, Meaningful Use and the 5 Pillars of Health Outcomes</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hitech-meaningful-use-and-the-5-pillars-of-health-outcomes/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hitech-meaningful-use-and-the-5-pillars-of-health-outcomes/#comments</comments>
		<pubDate>Thu, 08 Nov 2012 15:07:27 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=225</guid>
		<description><![CDATA[The Meaningful Use program was first established by the U.S. Federal Government as part of the 2009 HITECH Act. The goal was to foster the creation of the infrastructure needed to support healthcare reform. As the 2014 deadline for Meaningful Use Stage 2 draws closer, organizations are planning now for improvements in the way they [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The Meaningful Use program was first established by the U.S. Federal Government as part of the 2009 HITECH Act. The goal was to foster the creation of the infrastructure needed to support healthcare reform. As the 2014 deadline for Meaningful Use Stage 2 draws closer, organizations are planning now for improvements in the way they provide privacy protection and data security for PHI. While moving toward these goals is important, it might be good to take a step back and consider how we got here.</p>
<p>According to the CDC, the original concept of meaningful use rested on the &#8216;5 pillars&#8217; of health outcomes policy priorities. These are: </p>
<p>1.  Improve quality, safety, efficiency, and reduce health disparities<br />
2.  Engage patients and families in their health<br />
3.  Improve care coordination<br />
4.  Improve population and public health<br />
5.  Ensure adequate privacy and security protection for personal health information </p>
<p>To encourage the transitions necessary to create greater efficiencies, improved information sharing, and better protections for patient privacy, an incentive program was established to support the &#8220;meaningful use&#8221; of a certified &#8220;Electronic Health Record&#8221; (EHR). This initiative was rolled out in stages:</p>
<p>Meaningful Use Stage 1:<br />
The first stage of Meaningful Use emphasizes proper data capture and data sharing&#8211;primarily focusing on the transition from paper records to electronic records generally referred to as EHRs or EMRs. </p>
<p>What are the Requirements of Stage 1 Meaningful Use?<br />
• Reporting through attestation; the reporting period is 90 days for the first year and one year subsequently<br />
• To meet certain objectives/measures, 80% of patients must have records in the certified EHR technology</p>
<p>Eligible Professionals must complete:<br />
• 15 core objectives, 5 objectives out of 10 from menu set<br />
• 6 total Clinical Quality Measures (3 core or alternate core, and 3 out of 38 from additional set)</p>
<p>Hospitals must complete:<br />
• 14 core objectives, 5 objectives out of 10 from menu set<br />
• 15 Clinical Quality Measures </p>
<p>* For a complete listing of these objectives, refer to: http://www.healthit.gov/sites/default/files/pdf/FINAL_MU_RECOMMENDATIONS_TABLE.pdf</p>
<p>As hospitals increasingly move toward electronic records, it is assumed that the first four pillars of health outcomes policy will improve. However, the fifth pillar, ensuring adequate privacy and security protection for personal health information, may require additional actions by hospitals and care providers.<br />
Specifically, organizations must take additional measures to safeguard patient records and guarantee privacy. Leading institutions and others must consider how to move beyond “checking the box for compliance” toward addressing risks to patient data. In our next post, we’ll discuss how that can be done and how it becomes increasingly important as organizations address Meaningful Use Stages 2 and 3.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/hitech-meaningful-use-and-the-5-pillars-of-health-outcomes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Most Common HIPAA Violation? Small-Scale Snooping</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/#comments</comments>
		<pubDate>Tue, 14 Aug 2012 20:04:49 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=184</guid>
		<description><![CDATA[Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty per year of up to $1.5 million per each provision of the rules. Since many healthcare privacy breaches involve multiple [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty per year of up to $1.5 million for each provision of the rules. Since many healthcare privacy breaches involve multiple violations, the cost of not protecting patient privacy can grow very quickly. We’ve even begun to see this demonstrated in the more recent HIPAA compliance enforcement actions. Care providers large and small are feeling the pressure. Even government agencies are not immune.</p>
<p>While headline-grabbing events like the HIPAA fine levied at the State of Alaska are being widely covered, there is another, hidden reality that is far more pervasive: small-scale snooping is actually far more common than large-scale theft or dramatic losses of equipment containing PHI. In fact, in the 2011 Survey of Patient Privacy Breaches*, about 70% of the survey respondents reported that they had experienced a HIPAA breach of some level—with the majority of those violations occurring as a result of snooping activity. Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives. More than half of the respondents stated that they lacked the appropriate tools for monitoring inappropriate access to PHI.</p>
<p>Organizations will continue to be held accountable for responding to audit and information requests. Tools that support HIPAA compliance reporting requirements and Accounting of Disclosure requests, like Attachmate Luminet, are available today. These leading solutions help stop misuse and curtail privacy violations by seeing, recording, and analyzing user activity across all applications. In this way, they can help you address a wide variety of PHI access and policy scenarios. When examining technology of this kind, make sure it can help you answer the following questions:</p>
<p>•	Is an employee logged in at multiple locations or accessing systems after hours while on vacation or absent from work?<br />
•	Is an employee accessing areas not appropriate for their job or function?<br />
•	Are physicians accessing records outside their specialty?<br />
•	Are employees accessing high profile or VIP accounts inappropriately?<br />
•	Are employees inappropriately accessing PHI within the institution?<br />
•	Are employees accessing accounts more than 30 days after the date of service? Has key account information—e.g., address or services rendered—changed?</p>
<p>When evaluating a solution provider, look for the ability to see beyond logs—to capture the query-only activity that happens when staff and care providers only want a “quick peek.” It may seem like harmless curiosity, but it represents a privacy violation that can land an institution in very hot water.</p>
<p>*The 2011 Survey of Patient Privacy Breaches was conducted by Veriphyr.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major security breaches hit healthcare</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/#comments</comments>
		<pubDate>Tue, 01 May 2012 23:28:38 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=143</guid>
		<description><![CDATA[The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost. And it was the work of insiders. According to an article entitled “Healthcare Unable to Keep Up [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost.  </p>
<p>And it was the work of insiders.</p>
<p>According to an article entitled “Healthcare Unable to Keep Up with Insider Threats” by Ericka Chickowski on the Dark Reading website, the three incidents are typical of “the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training.”</p>
<p>These insider threats were potentially malicious and, at the very least, inept. In the case of the UDH, records were exposed due to the misconfiguration of a server containing the files. At Emory, human error accounted for the loss of a significant number of patient records when 10 backup disks went missing. In South Carolina, a DHHS employee (who has since been fired and arrested) sent thousands of Medicaid patient records to himself in an email.</p>
<p>The healthcare industry, by and large, “has been notoriously incapable of pinpointing risks in general, let alone those from insiders,” the article offers. Sourcing the problem is difficult because these security holes include loss or theft of portable devices such as laptops, smartphones, external drives and backup tapes; actual theft by data thieves; and simple staff ignorance in terms of security, protocol and training.</p>
<p>With solutions available today, those institutions could easily tell the difference between intentional and non-intentional privacy violations, achieve full regulatory compliance, and pass any audit with real-time user activity log files. As the “insider threat” continues to grow right along with the healthcare industry, major steps will need to be taken to stanch the flow of lost and misappropriated records that can and will lead to increased fraud and identity theft. The time to act is now. </p>
<p>To learn more about Attachmate’s Luminet enterprise fraud management software please visit http://www.attachmate.com/Products/efm/luminet/luminet.htm.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of Continuous Monitoring in Healthcare</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 21:59:18 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Enterprise Fraud]]></category>
		<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[data logs]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[patient privacy]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=97</guid>
		<description><![CDATA[Today’s next generation of fraud detection technologies can go a long way to supporting a HIPAA HITECH compliance effort and prevent privacy violations, misuse and abuse. Simply put, these systems provide visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. Leading solutions offer screen-by-screen replay of [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Today’s next generation of <a title="fraud detection" href="http://www.attachmate.com/solutions/managing-enterprise-fraud/industry/healthcare.htm">fraud detection</a> technologies can go a long way to supporting a HIPAA HITECH compliance effort and prevent privacy violations, misuse and abuse. Simply put, these systems provide visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. Leading solutions offer screen-by-screen replay of user activity which offers “context to keystrokes” and provides the ability to look at each screen viewed by a particular user. Through this method, organizations can understand and capture the “why” of data access. Monitoring and alerting on specific events is also available. These solutions can actively target violations and unauthorized access.</p>
<p>More and more, leading healthcare institutions are migrating to the new fraud monitoring technologies. This new approach moves far beyond the logging and monitoring solutions that may &#8220;check a box&#8221; for compliance, but do little to address advanced audit requirements or fill in the &#8220;gaps&#8221; inherent in traditional logging systems. The benefits of monitoring data across applications and extending visibility beyond healthcare applications are essential to leading organizations seeking to protect patient privacy and their brand.</p>
<p>Let&#8217;s explore some of the areas that this new approach can assist with:</p>
<h2>Common Healthcare Monitoring Scenarios</h2>
<ul>
<li>Is a given user logged in at multiple locations or while on vacation or absent from work? Accessing systems after hours?</li>
<li>Is a particular user accessing areas not appropriate for their job or function?</li>
<li>Are physicians accessing records outside their specialty?</li>
<li>Are employees accessing high profile or VIP accounts inappropriately? Are staff members inappropriately accessing PHI within the institution?</li>
<li>Are users accessing accounts more than 30 days after the date of service? Has key information on the account changed (address, services rendered, etc.)?</li>
</ul>
<p>In healthcare, one of the most pernicious issues is accidental access of PHI rather than outright fraud (although fraud is still an issue). Take for example, improper record access in healthcare. While certainly a HIPAA violation, few would consider the desire to “sneak a peek” at an admission file fraud. Even so, these violations cost hospitals hundreds of thousands of dollars in fines annually and the resulting personnel action results in loss of staff and productivity. Fortunately, there is a better way.</p>
<h2>Developing A Rules Based Approach</h2>
<p>Continuous monitoring of user activity provides a comprehensive view of who did what, when, and often even provides insight into why a particular activity occurred. Capturing data in this manner and applying a rules-based approach to identifying risks and possible abuse, misuse and error in data can significantly improve audit performance.</p>
<h2>Auditing Needs We Commonly Encounter and Assist With</h2>
<ul>
<li>Developing a baseline of activity across a healthcare organization and using that to uncover and target areas at higher risk for patient privacy violations.</li>
<li>Monitoring third-party activities, including call centers and claims processors and service providers, for a higher than baseline occurrence of out of band activity.</li>
<li>Monitoring access to medical records, specifically highly sensitive material such as HIV test results, where the inappropriate disclosure of such information may cause a patient harm.</li>
<li>Identifying employees or other providers who demonstrate patterns of unauthorized access. Providing visibility into record access of VIP, high profile or opt out patients.</li>
<li>Examining employee or provider lookups along high-risk patterns: same last name, same street address, same zip code, etc.</li>
<li>Enabling review of physician access and review of employee as patient access (employees as patients create a potential for misuse and/or abuse often out of concern or curiosity).</li>
<li>Reviewing and auditing access by remote users. Providing the ability to review external third-party record access as well as the ability to monitor third-party activity for fraud, out-of-band approvals or requests and access appropriate to role.</li>
</ul>
<h2>Monitoring and Data Capture During a “Break Glass” Emergency</h2>
<p>In many healthcare provider settings, there is the potential for a “break-the-glass” emergency, which refers to an instance where it becomes necessary for individuals to violate access protocols to provide lifesaving or critical care. In these scenarios, it is essential to capture, document and retain user activity and information access for future audit and review. With enterprise fraud management solutions in place, this special audit trail is automatically created, encrypted and digitally signed. The records are retained in a sealed repository, preserving the records as required.</p>
<p>Possible scenarios where this data capture may be required include a) account problems such as a locked password due to failed entry attempts or lack of a user account (visiting clinician required to assist during an emergency), b) authentication problems such as an authentication system failure, or c) an emergency situation forces personnel to respond in a way that exceeds their authorization.</p>
<p>During such a situation, it is essential that the entire activity trail is captured and preserved for later review. With monitoring in place, no paper logging is required. Today’s enterprise fraud management technologies can even trigger alerts when such a scenario occurs. Having an automatic, comprehensive audit trail has the potential to limit any required disclosure to the actual event and activity rather than a “worst case” access scenario.</p>
<h2>Responding to Emerging “Accounting of Disclosure Requirements”</h2>
<p>Lastly, an additional area to consider is responding to patient requests for information surrounding PHI access. Currently proposed Federal legislation would require that healthcare providers and their affiliates respond to requests for information with a detailed accounting of all access to a patient’s PHI going back three years. Many forward-looking institutions are seeking a way to respond to this new proposed requirement as well as state disclosure laws governing PHI. Many Enterprise Fraud Management systems are designed to handle these information requests at the press of a button and can capture the history of information access across multiple systems. Having these systems in place can mean countless saved hours in responding to these requests.</p>
<p><strong>In Conclusion:</strong></p>
<p>Leading healthcare institutions seeking to get more out of their audit and compliance efforts should be exploring next generation solutions and not relying exclusively on incomplete or inadequate logs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical Identity Theft&#8211;The Next Big Thing?</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/medical-identity-theft-the-next-big-thing/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/medical-identity-theft-the-next-big-thing/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 14:08:14 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[enterprise fraud]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[insider fraud]]></category>
		<category><![CDATA[medical identity theft]]></category>
		<category><![CDATA[patient privacy]]></category>
		<category><![CDATA[Ponemon]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=78</guid>
		<description><![CDATA[I was speaking with a friend the other day about Medical Identity Theft, HIPAA compliance and enterprise fraud management. We were discussing a survey report published in March by the Ponemon Institute that found roughly 1.5 million Americans are victims of medical ID theft. In the survey, fourteen percent of respondents said the breach [...]]]></description>
			<content:encoded><![CDATA[
<p>I was speaking with a friend the other day about Medical Identity Theft, <a title="HIPAA compliance and enterprise fraud management" href="http://www.attachmate.com/solutions/managing-enterprise-fraud/industry/healthcare.htm">HIPAA compliance and enterprise fraud management</a>. We were discussing a survey report published in March by the Ponemon Institute that found roughly 1.5 million Americans are victims of medical ID theft. In the survey, fourteen percent of respondents said the breach occurred at a health care office, and 10% said employees at a health care organization&#8217;s office had stolen the data.</p>
<p>It occurred to me that medical identity theft is one of those “wild west” opportunities for identity thieves at the moment. While everyone is pretty familiar with the concept of financial fraud and what happens when your credit card information is stolen, what happens when someone pretends to be you to access medical care can have far more devastating consequences.</p>
<p>According to the Federal Bureau of Consumer Protection, here are some signs that might indicate that someone has been a victim of medical identity theft. Victims may:</p>
<ul>
<li>get a bill for medical services they didn’t receive;</li>
<li>be contacted by a debt collector about medical debt they don’t owe;</li>
<li>see medical collection notices on their credit report that they don’t recognize;</li>
<li>be told by their health plan that they’ve reached their limit on benefits; or</li>
<li>be denied insurance because their medical records show a condition they don’t have.</li>
</ul>
<p>Source: <a href="http://business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan">http://business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan</a></p>
<p>Whoa—think about that for a moment. Those are significant impacts. Then, spin the scenario out a bit further. What happens if medical records become co-mingled at the provider level? Can you get to a point where the records of the thief are entered into the medical history of the victim? According to the experts, you can. Back in 2006, Pam Dixon, founder of the World Privacy Forum, referenced the challenges that medical identity theft can create and cited examples of misinformation appearing in patient files. She also stated that changes to patient records could remain in the files for many years.</p>
<p><strong>Providers Protecting Privacy as Part of Their Healthcare Brand</strong></p>
<p>Leading healthcare organizations are increasingly seeking ways to protect their brand while safeguarding patient privacy. Moving the privacy discussion beyond the HIPAA disclosure form that all of us sign when accessing care and making ePHI protection a differentiator demonstrates a commitment on the part of the provider. When given a choice, my healthcare dollars are spent with those institutions that care enough about me to protect my personal information. It just makes sense to require the same level of accountability from my doctor as I do from my bank—the risks are just as real and the opportunity for damage may even be greater.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/medical-identity-theft-the-next-big-thing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Challenges of HIPAA Compliance</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 13:15:41 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Insurance Fraud]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[challenges]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data logs]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[security logs]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=59</guid>
		<description><![CDATA[Meeting the Challenge of HIPAA Compliance HIPAA, the Final Privacy rule and various state regulations governing patient privacy all have one thing in common. They all require organizations to demonstrate access to PHI on a minimum need-to-know basis. That places the burden of governing access on the institution. In an audit situation, that means the [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>Meeting the Challenge of HIPAA Compliance</em></strong></p>
<p>HIPAA, the Final Privacy Rule and various state regulations governing patient privacy all have one thing in common: they require organizations to demonstrate that access to PHI is granted on a minimum need-to-know basis. That places the burden of governing access on the institution. In an audit situation, the organization must be able to answer “Who? Did what? When?” and present a comprehensive record of information access. In an ideal situation, this would be merely a matter of printing out some access logs and shoring up areas of weakness, right? Sounds simple enough, doesn’t it?</p>
<p><strong>Mind the Gap—Insufficient data capture leads to incomplete audit trails</strong></p>
<p>However, HIPAA compliance still proves elusive at a number of hospitals and healthcare institutions. The transition to electronic records and the sheer volume of data have made the situation challenging at best. Further complicating matters are the gaps in current log files and systems. Traditional logging methods only capture about 25% of the data—leaving huge gaps in the PHI audit trail. Even worse, the Privacy Rule requires an explanation of “why” the data was accessed, so audit information created with the Privacy Rule in mind has to go beyond the login name, date/timestamp and action taken to provide context for the data access. This is data that is just plain missing from most traditional system logs—they were never designed to capture it. With HIPAA fines at some hospitals exceeding $1 million, solutions to the missing-data problem must be found.</p>
<p><strong>Raising the Bar—HITECH adds new challenges to compliance efforts</strong></p>
<p>As of February 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act made significant changes to the Health Information Portability and Accountability Act (HIPAA) of 1996. These changes include: strengthening of the data breach notification laws with specific guidance on breach disclosure, specifications surrounding PHI access disclosure, and the ability to impose larger fines. The HITECH Act also extends the data protection requirements beyond the individual organization to include business associates as well. Organizations seeking to demonstrate compliance with the new guidelines must be able to specify the details of any given access event to limit fines and ensure that any breach disclosure accurately reflects the size of the occurrence. For example, in the absence of data to quantify the actual PHI access, organizations must report the highest possible number of records. Knowing precisely who accessed what permits an organization to disclose what actually happened (the viewing of a handful of records versus access to a database with thousands of patient accounts), thereby limiting fines and potential brand damage. Inadequate logs that leave auditors and investigators guessing can’t do that. Only the next generation of detection technologies, Enterprise Fraud Management and Misuse solutions, can do that.</p>
<p><strong>Enterprise Fraud and Misuse Management: Using next generation fraud technologies</strong></p>
<p>Today’s next generation of fraud detection technologies can go a long way toward supporting a HIPAA/HITECH compliance effort. Simply put, these systems provide 100% visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. A few even offer screen-by-screen replay of user activity, which gives “context to keystrokes” and provides the ability to look at each screen viewed by a particular user. Through this method, organizations can understand and capture the “why” of data access. Monitoring and alerting on specific events is also available. These solutions can actively target violations and unauthorized access. <strong>Here are a few of the common monitoring scenarios:</strong></p>
<ul>
<li>Is a given user logged in at multiple locations, or while on vacation or absent from work? Accessing systems after hours?</li>
<li>Is a particular user accessing areas not appropriate for their job or function?</li>
<li>Are physicians accessing records outside their specialty?</li>
<li>Are employees accessing high profile or VIP accounts inappropriately? Are staff members inappropriately accessing PHI within the institution?</li>
<li>Are users accessing accounts more than 30 days after the date of service? Has key information on the account changed (address, services rendered, etc.)?</li>
</ul>
<p>In healthcare, one of the most pernicious issues is accidental access of PHI rather than outright fraud (although fraud is still an issue). Take, for example, VIP snooping in healthcare. While certainly a HIPAA violation, few would consider the desire to “sneak a peek” at an admission file fraud. Even so, these violations cost hospitals hundreds of thousands of dollars in fines annually, and the resulting personnel action results in loss of staff and productivity. Fortunately, there is a better way.</p>
<p>Lastly, an additional area to consider is responding to patient requests for information about PHI access. Currently proposed Federal legislation would require that healthcare providers and their affiliates respond to such requests with a detailed accounting of all access to a patient’s PHI going back three years. Many forward-looking institutions are seeking a way to respond to this proposed requirement as well as to state disclosure laws governing PHI. Many Enterprise Fraud Management systems are designed to handle these information requests at the press of a button and can capture the history of information access across multiple systems. Having these systems in place can mean countless saved hours in responding to these requests.</p>
<p><strong>Gartner Report on EFM</strong></p>
<p>The financial services sector has been an early adopter of EFM systems, since fraudsters often target financial accounts (because that&#8217;s where the money is); however, other sectors, such as healthcare, insurance and government, are increasingly purchasing fraud and misuse management systems, often to respond to government regulations.*</p>
<p>If your organization is interested in learning more about how these systems can support your tactical fraud and misuse prevention objectives (i.e., for a specific product or channel), I encourage you to download the current Gartner MarketScope on Enterprise Fraud Management and Misuse. This independent report, authored by leading analyst Avivah Litan, provides an overview of how organizations are using these technologies today as well as reviews of solutions and providers in the category. Download your complimentary copy now: <a href="http://www.attachmate.com/info/Gartner-EFM/bridge-pr.htm">Get the Gartner report</a></p>
<div><br clear="all" />
<hr align="left" size="1" width="33%" />
<div>
<p>* Gartner, Inc, <strong>MarketScope for Enterprise Fraud and Misuse Management, Avivah Litan, 14 January 2011</strong></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>