<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insider Fraud Spotlight &#187; compliance</title>
	<atom:link href="http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/tag/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.attachmate.com/blogs/insider-fraud-spotlight</link>
	<description>Attachmate Luminet</description>
	<lastBuildDate>Mon, 05 Aug 2013 19:58:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Reasons Why Corporate Compliance is Good for Business</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/uncategorized/why-companies-ignore-fraud-prevention-failures/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/uncategorized/why-companies-ignore-fraud-prevention-failures/#comments</comments>
		<pubDate>Thu, 20 Jun 2013 14:10:17 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[hitech]]></category>
		<category><![CDATA[omnibus]]></category>
		<category><![CDATA[pci dss]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=250</guid>
		<description><![CDATA[Collecting data and preparing reports for an auditor can seem burdensome and confusing. With so many regulations in place, the paperwork never seems to end. But the regulatory process is actually good for your business. After all, regulations were put in place by industry groups and government agencies to protect the public and shareholder interests. [...]]]></description>
			<content:encoded><![CDATA[<p>Collecting data and preparing reports for an auditor can seem burdensome and confusing. With so many regulations in place, the paperwork never seems to end.<br />
But the regulatory process is actually good for your business. After all, regulations were put in place by industry groups and government agencies to protect the public and shareholder interests. Those protections have benefits for your organization:</p>
<ul>
<li>The public, aka your customers, will trust you to continually guard their confidential and financial information. These relationships are the heart and soul of your business.</li>
<li>A compliance system reduces your risk. It protects you from the people who can access your sensitive information and operations in the course of doing business every day—your employees, consultants and partners.</li>
<li>It safeguards your reputation by preventing security breaches that play out in the public eye.</li>
<li>The process of meeting reporting requirements can present an opportunity for streamlining disparate business systems for collecting and reporting data.</li>
</ul>
<p><strong>The ABC’s of Corporate Compliance</strong><br />
You most likely need to comply with multiple regulations, but the good news is that all of them require the same basic data:  a complete and accurate trail of user access to confidential information.<br />
With Attachmate Luminet fraud management software, you can do that and much more. It enables you to track all user activity on an application-by-application basis, then store that information in a secure repository, allowing you to analyze and detect violations, and to efficiently generate specific reports for various regulatory bodies.  Here are the details.<br />
<strong>Observe and Capture Data of User Activity Across an Enterprise Network</strong><br />
Fraudulent behavior typically takes multiple steps and involves several applications. Capturing this data on an enterprise network is tricky. Every large organization has a mix of legacy and new applications and databases. For example, a user might access a sophisticated CRM database to update a user account, then share related information on an intranet via an ancient web-based app. Tracking all user activity in these conditions requires pulling log data (if an application even creates it) from numerous applications; then the data must be correlated with user authentications and behaviors—what a mind-boggling task.<br />
Luminet erases the need to piece together data from multiple applications and databases. It captures data from user activity on an application level in real time, which allows fraud investigators to visually replay user actions, screen-by-screen and keystroke-by-keystroke. </p>
<p><strong>Analyzing Data to Detect Fraud</strong><br />
Luminet stores user-activity data in a secure, digitally signed repository. Its powerful analytics engine lets you search its store of current or recorded activity to identify suspicious behavior based on business rules that you define. When Luminet uncovers potentially fraudulent activity, it generates an alert to warn you to immediately evaluate the behavior. </p>
<p><strong>Generating Reports for Auditors</strong><br />
Two aspects of an audit are guaranteed. First, you won’t know the exact format a report will take until the auditors ask for it. Second, auditors will expect comprehensive, detailed information on how thousands of employees access sensitive customer information.<br />
Since Luminet stores data from user activity on an application basis, you can easily provide auditors with the specific information they need.  And, if an auditor asks for a different view into the data, there’s no need to pull more data from disparate application log files. You adjust your business rules and let Luminet’s reporting capabilities generate new charts, graphs, dashboards, and reports.<br />
<strong>Creating a Culture of Integrity and Transparency</strong><br />
Instituting a corporate compliance program sends the message that you care about protecting your customers’ personal information. With Luminet fraud software, you can ensure all data stays private and your business realizes the benefits from putting a process in place. Luminet will help you better manage the risk of exposing sensitive data, streamline systems and operations, and make compliance personnel more efficient.<br />
Yes, regulatory compliance takes work. But we believe the pain is mitigated by gain.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/uncategorized/why-companies-ignore-fraud-prevention-failures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Challenges of HIPAA Compliance</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 13:15:41 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Insurance Fraud]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[challenges]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data logs]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[security logs]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=59</guid>
		<description><![CDATA[Meeting the Challenge of HIPAA Compliance HIPAA, the Final Privacy rule and various state regulations governing patient privacy all have one thing in common. They all require organizations to demonstrate access to PHI on a minimum need-to-know basis. That places the burden of governing access on the institution. In an audit situation, that means the [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>Meeting the Challenge of HIPAA Compliance</em></strong></p>
<p>HIPAA, the Final Privacy rule and various state regulations governing patient privacy all have one thing in common. They all require organizations to demonstrate access to PHI on a minimum need-to-know basis. That places the burden of governing access on the institution. In an audit situation, that means the organization must be able to demonstrate “Who? Did what? When?” and present a comprehensive record of information access. In an ideal situation, this would be merely a matter of printing out some access logs and shoring up areas of weakness, right? Sounds simple enough, doesn’t it?</p>
<p><strong>Mind the Gap—Insufficient data capture leads to incomplete audit trails</strong></p>
<p>However, HIPAA compliance still proves to be elusive at a number of hospitals and healthcare institutions. The transition to electronic records and the sheer volume of data have made the situation challenging at best. Further complicating matters are the gaps that are present in current log files and systems. Traditional logging methods only capture about 25% of the data—leaving huge gaps in the PHI audit trail. Even worse, the Privacy Rule requires an explanation of “why” the data was accessed, so audit information created with the Privacy Rule in mind has to go beyond the login name, date/timestamp and action taken to provide context to the data access. This is data that is just plain missing from most traditional system logs—they were never designed to capture it. With HIPAA fines at some hospitals exceeding $1 million, solutions to the missing data problems must be found.</p>
<p><strong>Raising the Bar—HITECH adds new challenges to compliance efforts</strong></p>
<p>As of February 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act made significant changes to the Health Information Portability and Accountability Act (HIPAA) of 1996. These changes include: strengthening of the data breach notification laws with specific guidance on breach disclosure, specifications surrounding PHI access disclosure, and the ability to impose larger fines. The HITECH Act also extends the data protection requirements beyond the individual organization to include business associates as well. Organizations seeking to demonstrate compliance with the new guidelines must be able to specify the details of any given access event to limit fines and ensure that any breach disclosure accurately reflects the size of the occurrence.  For example, in the absence of data to quantify the actual PHI access, organizations must report on the highest possible number of records. Knowing precisely who accessed what can permit an organization to disclose what actually happened (the viewing of a handful of records versus accessing a database with thousands of patient accounts) thereby limiting fines and potential brand damage. Inadequate logs that leave auditors and investigators guessing can’t do that. Only the next generation of detection technologies, Enterprise Fraud Management and Misuse solutions, can do that.</p>
<p><strong>Enterprise Fraud and Misuse Management: Using next generation fraud technologies</strong></p>
<p>Today’s next generation of fraud detection technologies can go a long way toward supporting a HIPAA HITECH compliance effort. Simply put, these systems provide 100% visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. A few even offer screen-by-screen replay of user activity, which offers “context to keystrokes” and provides the ability to look at each screen viewed by a particular user. Through this method, organizations can understand and capture the “why” of data access. Monitoring and alerting on specific events is also available. These solutions can actively target violations and unauthorized access. <strong>Here are a few of the common monitoring scenarios:</strong></p>
<ul>
<li>Is a given user logged in at multiple locations or while on vacation or absent from work? Accessing systems after hours?</li>
<li>Is a particular user accessing areas not appropriate for their job or function?</li>
<li>Are physicians accessing records outside their specialty?</li>
<li>Are employees accessing high profile or VIP accounts inappropriately? Are staff members inappropriately accessing PHI within the institution?</li>
<li>Are users accessing accounts more than 30 days after the date of service? Has key information on the account changed (address, services rendered, etc.)?</li>
</ul>
<p>In healthcare, one of the most pernicious issues is accidental access of PHI rather than outright fraud (although fraud is still an issue). Take, for example, VIP snooping in healthcare. While certainly a HIPAA violation, few would consider the desire to “sneak a peek” at an admission file fraud. Even so, these violations cost hospitals hundreds of thousands of dollars in fines annually and the resulting personnel action results in loss of staff and productivity. Fortunately, there is a better way.</p>
<p>Lastly, an additional area to consider is responding to patient requests for information surrounding PHI access. Current proposed Federal legislation would require that healthcare providers and their affiliates respond to requests for information with a detailed accounting of all access to a patient’s PHI going back three years. Many forward-looking institutions are seeking a way to respond to this new proposed requirement as well as state disclosure laws governing PHI. Many Enterprise Fraud Management systems are designed to handle these information requests at the press of a button and can capture the history of information access across multiple systems. Having these systems in place can mean countless saved hours in responding to these requests.</p>
<p><strong>Gartner Report on EFM</strong></p>
<p>The financial services sector has been an early adopter of EFM systems, since fraudsters often target financial accounts (because that&#8217;s where the money is); however, other sectors, such as healthcare, insurance and government, are increasingly purchasing fraud and misuse management systems, often to respond to government regulations.*</p>
<p>If your organization is interested in learning more about how these systems can support your tactical fraud and misuse prevention objectives (i.e., for a specific product or channel), I encourage you to download the current Gartner MarketScope on Enterprise Fraud Management and Misuse. This independent report, authored by leading analyst Avivah Litan, provides overview information about how organizations are using these technologies today as well as reviews of solutions and providers in the category. Download your complimentary copy now: <a href="http://www.attachmate.com/info/Gartner-EFM/bridge-pr.htm">Get the Gartner report</a></p>
<div><br clear="all" />
<hr align="left" size="1" width="33%" />
<div>
<p>* Gartner, Inc, <strong>MarketScope for Enterprise Fraud and Misuse Management, Avivah Litan, 14 January 2011</strong></p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-challenges-of-hipaa-compliance/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>