<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insider Fraud Spotlight &#187; Fraud</title>
	<atom:link href="http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/tag/fraud/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.attachmate.com/blogs/insider-fraud-spotlight</link>
	<description>Attachmate Luminet</description>
	<lastBuildDate>Mon, 05 Aug 2013 19:58:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>The Importance of Continuous Monitoring in Healthcare</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 21:59:18 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Enterprise Fraud]]></category>
		<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[data logs]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[patient privacy]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=97</guid>
		<description><![CDATA[Today’s next generation of fraud detection technologies can go a long way to supporting a HIPAA HITECH compliance effort and prevent privacy violations, misuse and abuse. Simply put, these systems provide visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. Leading solutions offer screen-by-screen replay of [...]]]></description>
			<content:encoded><![CDATA[<p>Today’s next generation of <a title="fraud detection" href="http://www.attachmate.com/solutions/managing-enterprise-fraud/industry/healthcare.htm">fraud detection</a> technologies can go a long way toward supporting a HIPAA HITECH compliance effort and preventing privacy violations, misuse and abuse. Simply put, these systems provide visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. Leading solutions offer screen-by-screen replay of user activity, which offers “context to keystrokes” and provides the ability to look at each screen viewed by a particular user. Through this method, organizations can understand and capture the “why” of data access. Monitoring and alerting on specific events is also available. These solutions can actively target violations and unauthorized access.</p>
<p>More and more, leading healthcare institutions are migrating to the new fraud monitoring technologies. This new approach moves far beyond the logging and monitoring solutions that may &#8220;check a box&#8221; for compliance, but do little to address advanced audit requirements or fill in the &#8220;gaps&#8221; inherent in traditional logging systems. The benefits of monitoring data across applications and extending visibility beyond healthcare applications are essential to leading organizations seeking to protect patient privacy and their brand.</p>
<p>Let&#8217;s explore some of the areas that this new approach can assist with:</p>
<h2>Common Healthcare Monitoring Scenarios</h2>
<ul>
<li>Is a given user logged in at multiple locations or while on vacation or absent from work? Accessing systems after hours?</li>
<li>Is a particular user accessing areas not appropriate for their job or function?</li>
<li>Are physicians accessing records outside their specialty?</li>
<li>Are employees accessing high profile or VIP accounts inappropriately? Are staff members inappropriately accessing PHI within the institution?</li>
<li>Are users accessing accounts more than 30 days after the date of service? Has key information on the account changed (address, services rendered, etc.)?</li>
</ul>
<p>In healthcare, one of the most pernicious issues is accidental access of PHI rather than outright fraud (although fraud is still an issue). Take, for example, improper record access in healthcare. While certainly a HIPAA violation, few would consider the desire to “sneak a peek” at an admission file fraud. Even so, these violations cost hospitals hundreds of thousands of dollars in fines annually, and the resulting personnel action results in loss of staff and productivity. Fortunately, there is a better way.</p>
<h2>Developing a Rules-Based Approach</h2>
<p>Continuous monitoring of user activity provides a comprehensive view of who did what and when, and often even provides insight into why a particular activity occurred. Capturing data in this manner and applying a rules-based approach to identifying risks and possible abuse, misuse and error in data can significantly improve audit performance.</p>
<h2>Auditing Needs We Commonly Encounter and Assist With</h2>
<ul>
<li>Developing a baseline of activity across a healthcare organization and using that to uncover and target areas at higher risk for patient privacy violations.</li>
<li>Monitoring third-party activities, including call centers, claims processors and service providers, for a higher than baseline occurrence of out-of-band activity.</li>
<li>Monitoring access to medical records, specifically highly sensitive material such as HIV test results, where the inappropriate disclosure of such information may cause a patient harm.</li>
<li>Identifying employees or other providers who demonstrate patterns of unauthorized access. Providing visibility into record access of VIP, high profile or opt out patients.</li>
<li>Examining employee or provider look ups along high risk patterns: same last name, same street address, same zip code, etc.</li>
<li>Enabling review of physician access and review of employee as patient access (employees as patients create a potential for misuse and/or abuse often out of concern or curiosity).</li>
<li>Reviewing and auditing access by remote users. Providing the ability to review external third-party record access as well as the ability to monitor third-party activity for fraud, out-of-band approvals or requests and access appropriate to role.</li>
</ul>
<h2>Monitoring and Data Capture During a “Break Glass” Emergency</h2>
<p>In many healthcare provider settings, there is the potential for a “break-the-glass” emergency, which refers to an instance where it becomes necessary for individuals to violate access protocols to provide lifesaving or critical care. In these scenarios, it is essential to capture, document and retain user activity and information access for future audit and review. With enterprise fraud management solutions in place, this special audit trail is automatically created, encrypted and digitally signed. The records are retained in a sealed repository, preserving the records as required.</p>
<p>Possible scenarios where this data capture may be required include a) account problems such as a locked password due to failed entry attempts or lack of a user account (visiting clinician required to assist during an emergency), b) authentication problems such as an authentication system failure, or c) an emergency situation that forces personnel to respond in a way that exceeds their authorization.</p>
<p>During such a situation, it is essential that the entire activity trail is captured and preserved for later review. With monitoring in place, no paper logging is required. Today’s enterprise fraud management technologies can even trigger alerts when such a scenario occurs. Having an automatic, comprehensive audit trail has the potential to limit any required disclosure to the actual event and activity rather than a “worst case” access scenario.</p>
<h2>Responding to Emerging “Accounting of Disclosure Requirements”</h2>
<p>Lastly, an additional area to consider is responding to patient requests for information surrounding PHI access. Currently proposed federal legislation would require that healthcare providers and their affiliates respond to requests for information with a detailed accounting of all access to a patient’s PHI going back three years. Many forward-looking institutions are seeking a way to respond to this new proposed requirement as well as state disclosure laws governing PHI. Many Enterprise Fraud Management systems are designed to handle these information requests at the press of a button and can capture the history of information access across multiple systems. Having these systems in place can mean countless saved hours in responding to these requests.</p>
<p><strong>In Conclusion:</strong></p>
<p>Leading healthcare institutions seeking to get more out of their audit and compliance efforts should be exploring next generation solutions and not relying exclusively on incomplete or inadequate logs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/the-importance-of-continous-monitoring-in-healthcare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ponemon: Real Risks of Insider Threats Often Stay Hidden</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/insider-risk-is-real-and-often-stays-hidden-in-organizations-finds-new-ponemon-research/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/insider-risk-is-real-and-often-stays-hidden-in-organizations-finds-new-ponemon-research/#comments</comments>
		<pubDate>Tue, 18 Oct 2011 08:44:31 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[enterprise fraud]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Insider Risk]]></category>
		<category><![CDATA[Ponemon]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=49</guid>
		<description><![CDATA[It’s easy to point fingers when another organization has an insider fraud incident. But information from the new Survey on the Risk of Insider Fraud by Attachmate Corporation and Ponemon Institute shows that more organizations need to turn a scrutinizing eye toward their own risk. The survey encompassed more than 700 organizations and revealed some alarming [...]]]></description>
			<content:encoded><![CDATA[<p>It’s easy to point fingers when another organization has an insider fraud incident. But information from the new Survey on the Risk of Insider Fraud by <a title="Attachmate Corporation" href="http://www.attachmate.com/">Attachmate Corporation</a> and <a title="www.ponemon.org" href="http://www.ponemon.org/" target="_blank">Ponemon Institute</a> shows that more organizations need to turn a scrutinizing eye toward their own risk.</p>
<p>The survey encompassed more than 700 organizations and revealed some alarming data security trends:</p>
<ul>
<li>More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.</li>
<li>Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.</li>
<li>On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week – about <a title="53 in a year’s time" href="http://www.attachmate.com/images/info/employee-fraud.jpg" target="_blank">53 in a year’s time</a> (infographic available). Twenty-four percent of respondents indicated that their organizations experienced more than 100 incidents in the past 12 months.</li>
<li>Once an incident has occurred, it takes organizations an average of 89 days to discover it and an additional 96 days to uncover the root cause and determine the consequences to the organization.</li>
<li>A majority of respondents – or 62 percent – were unable or unsure of their ability to assess the financial impact and true costs of fraud.</li>
<li>Approximately two-thirds of internal fraud investigations do not result in actionable evidence against the perpetrators, meaning a majority of the incidents go unpunished and leave organizations vulnerable to additional incidents.</li>
</ul>
<p>“This data demonstrates that employee actions across an enterprise are not visible,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “While organizations may have policies in place that are meant to curtail insider fraud, what’s on paper doesn’t necessarily lead to compliance.”</p>
<p>In fact, 52 percent of respondents noted that they do not believe they have the appropriate technologies to prevent or quickly detect insider fraud, including employees’ misuse of IT resources. Traditionally, IT departments review log files to analyze employee activity. However, 78 percent of respondents believe the manual review of log files is an inadequate method for observing questionable or suspicious employee access and computing activities.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/insider-risk-is-real-and-often-stays-hidden-in-organizations-finds-new-ponemon-research/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Impact of Fraudulent Behavior: Internal v External</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/hello-world/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/hello-world/#comments</comments>
		<pubDate>Sun, 25 Sep 2011 00:17:43 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Banking Fraud]]></category>
		<category><![CDATA[ACFE]]></category>
		<category><![CDATA[Citigroup]]></category>
		<category><![CDATA[enterprise fraud]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Luminet]]></category>
		<category><![CDATA[UBS]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=1</guid>
		<description><![CDATA[Financial losses from the recent data hacks on banks and online services are being revealed bit by bit. For example, last month Citigroup disclosed that its credit card customers suffered losses of around $2.7 million from their account details being stolen. While the loss is serious, it actually only applied to 1% of the cards affected [...]]]></description>
			<content:encoded><![CDATA[<p></p><div id="attachment_29" class="wp-caption alignright" style="width: 300px">
	<a href="http://www.attachmate.com/WhitePapers/efm_insider_abuse.htm"><img class="size-medium wp-image-29" title="Fraud" src="http://www.attachmate.com/blogs/insider-fraud-spotlight/wp-content/uploads/2011/06/iStock_000017675578Medium-300x199.jpg" alt="Spotlight on Fraud" width="300" height="199" /></a>
	<p class="wp-caption-text">Use the next generation of fraud management software to detect and prevent fraud.</p>
</div>
<p>Financial losses from the recent data hacks on banks and online services are being revealed bit by bit. For example, last month Citigroup disclosed that its credit card customers suffered losses of around $2.7 million from their account details being stolen.</p>
<p>While the loss is serious, it actually only applied to 1% of the cards affected by the breach. This, and the fact that this represents 0.01% of all Citigroup credit cards, puts the financial damage done by the external hackers into perspective, especially against the estimated scale of financial losses from insider fraud and theft.</p>
<p>When it comes to internal fraud, the ACFE report on occupational fraud and abuse estimates a typical organization loses five percent of annual revenue to fraud committed by people inside the organization. This translates to a potential total global fraud loss for all organizations of more than $2.9 trillion in 2009.</p>
<h2>Protect Your Data Against Fraud</h2>
<p>This difference has been pointed out before, but it is worth repeating: <strong>organizations urgently need to review their data protection strategies.</strong> Protection from internal threats is key, especially given the reputational damage that can be caused. Real financial losses do arise but the greater losses arise from how online services have had to be taken offline to protect customers. Losses from external frauds are harder to quantify and when revealed their scale can be relatively low.</p>
<p>Protection from internal threats by monitoring for internal frauds stems serious losses that may be systemic and longstanding. Typically, fraudulent acts can run for 18 months and add up to around $160,000 on average. What&#8217;s more, the opportunity for recovering losses is potentially substantial because currently occupational frauds are more likely to be detected by a tip-off, according to the ACFE.</p>
<p>Through applying comprehensive anti-fraud controls internally, alongside implementing stronger data protection controls against external threats, organizations can manage these risks holistically with greater assurance and less likelihood of suffering serious financial losses.</p>
<p><strong><em>By Dan Dunford, Security Product Specialist,</em></strong><a href="http://www.rightscale.com/"><em> Attachmate</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/hello-world/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>