Securing EMR data with access monitoring

At the 23rd National HIPAA Summit in Washington, D.C., regulators and privacy professionals met to discuss the challenges associated with ensuring the security of EMR data and the appropriate use of protected health information (PHI). From the speakers’ presentations and general floor discussions, numerous trends became evident:

  • Breaches of PHI are occurring and will continue to occur
  • Office for Civil Rights (OCR) audits are coming
  • Organizations must work to mitigate breach potential (both from the perspective of limiting actual breaches and preventing OCR fines)

The Office for Civil Rights publishes statistics detailing past breaches, including their type (e.g., hackers, lost laptops, improper document disposal) and the number of individuals impacted. As reported by the OCR’s Director, the type of breach that occurs most often is physical theft. Electronic breaches are reported less often, but they impact more people. Electronic breaches, whether from external hacking or employee snooping, have the greatest potential to impact the masses because clinical data is aggregated into large Electronic Medical Record (EMR) repositories. Physical breaches (i.e., theft), however, are easier to detect and therefore easier to identify and report. For example, it is readily apparent when a laptop has been stolen. These statistics raise an important question for the health data privacy community: Are we doing enough to ensure the appropriate use of patient data?

Secure EMR data with organizational processes

In her presentation, the OCR Director discussed important organizational processes that should be put in place to secure PHI. These include:

  1. Risk analysis and management
  2. Security and control of portable electronic devices
  3. Proper disposal and transfer of PHI
  4. Physical access controls
  5. HIPAA training and education
  6. Effective breach remediation

While these processes are critical to ensuring data privacy and security, they focus on the extremes of the data security continuum: preparing for a breach (i.e., risk assessments) and dealing with a breach (i.e., breach remediation). What is lacking is more discussion regarding what processes are necessary to monitor PHI usage during the course of health care.

Current EMR monitoring processes

Two general types of EMR monitoring processes are in place today:

  • The most basic type uses manual audits, in which a patient files a complaint or a VIP visits a hospital, and then the compliance officer manually reviews each access to ensure appropriate use.
  • The second type uses rule-based flags, which alert compliance officers of potential inappropriate accesses based on specific rules. These rules typically encompass high-risk scenarios such as co-worker access (i.e., the patient and employee work in the same department), family access (i.e., the patient and employee have the same last name) or neighbor access.

There are three major weaknesses of these EMR monitoring practices:

  • The investigations are often manual (once a flag is activated, a compliance officer must investigate), which can require extensive amounts of time to complete.
  • The previously described processes often result in high false positive rates in which most accesses reviewed are appropriate (i.e., occurring as part of payment, treatment or operations). These false positives waste compliance officers’ limited investigation time.
  • The percentage of accesses monitored in most health systems (i.e., the access coverage) is small. This lack of coverage is particularly important, as the lack of a flag does not necessarily imply appropriate use. For example, if a hospital has not set up a flag to detect curious access to an ex-girlfriend’s record, then this inappropriate use will be missed. It can be argued then that the coverage today on hospital access logs is less than 1% of all accesses to patient data.

Proper EMR monitoring closes the security gap

Monitoring technologies can potentially assist with this security gap, but it is important to consider how these EMR auditing tools work and what threats they address. The simplest methods attempt to identify access outliers in which an employee makes, for example, ten times the normal number of accesses. These types of EMR access auditing systems can detect large-scale abuse and data scraping, but miss the threat of individual curious accesses. Alternatively, access outlier systems attempt to detect accesses to patient records that deviate from normal behavior. These systems have the potential to find more fine-grained breaches, but often have difficulty defining what normal is. Given the dynamic nature of hospital care, attempts to capture normal behavior and deviations from it can result in high false positive rates if not done with care. In particular, looking at the access log in isolation, without the clinical context, often results in erroneous conclusions.

Determining appropriate accesses to EMR data

The question is then: How do you find the reason for an appropriate access? It turns out, this problem can be reduced to a large graph search in which the system tries to find connections between the patient and the employee accessing the patient’s record through EMR data. If a connection can be found, the connection and the EMR data can serve as the reason for access, or an explanation for access. Even more interesting is that because of an explanation’s definitive structure, explanations can be automatically mined (or discovered) from a hospital’s data, allowing each hospital and its compliance officers to determine its own valid reasons for access. It is important to note that the system recommends explanations, but the compliance officer has final approval. The full peer-reviewed publication on this work can be found here.
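The graph search described above can be sketched as follows. This is an added example, not code from the publication or from any auditing product: the table names, identifiers and sample rows are constructed, and the three-hop limit is an assumption.

```python
from collections import Counter, deque

# Constructed sample EMR tables; names and rows are assumptions for illustration.
APPOINTMENTS = [("pat_alice", "dr_dave"), ("pat_bob", "dr_erin")]   # (patient, clinician)
LAB_ORDERS = [("pat_alice", "dept_lab")]                            # (patient, performing dept)
DEPT_STAFF = [("dept_lab", "tech_frank"), ("dept_billing", "clerk_gina")]  # (dept, employee)
ACCESS_LOG = [                                                      # (employee, patient)
    ("dr_dave", "pat_alice"), ("tech_frank", "pat_alice"),
    ("clerk_gina", "pat_alice"), ("dr_dave", "pat_bob"), ("tech_frank", "pat_bob"),
]

def build_graph():
    """Directed edges lead away from the patient, so no path runs through another patient."""
    graph = {}
    tables = (("appointment", APPOINTMENTS), ("lab_order", LAB_ORDERS),
              ("dept_staff", DEPT_STAFF))
    for table, rows in tables:
        for src, dst in rows:
            graph.setdefault(src, []).append((dst, table))
    return graph

def explain(graph, patient, employee, max_hops=3):
    """Breadth-first search; returns the shortest chain of (table, src, dst) or None."""
    queue, seen = deque([(patient, [])]), {patient}
    while queue:
        node, path = queue.popleft()
        if node == employee:
            return path
        if len(path) == max_hops:
            continue  # bound the search so distant, meaningless links do not count
        for nxt, table in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(table, node, nxt)]))
    return None

def audit(log=ACCESS_LOG):
    """Split the log into explained accesses and a review queue for the compliance officer."""
    graph, explained, review = build_graph(), [], []
    for employee, patient in log:
        path = explain(graph, patient, employee)
        (explained if path is not None else review).append((employee, patient, path))
    return explained, review

def template_support(explained):
    """Count accesses per explanation template (sequence of tables), for officer approval."""
    return Counter(tuple(table for table, _, _ in path) for _, _, path in explained)

if __name__ == "__main__":
    explained, review = audit()
    print(template_support(explained))
    print("needs review:", [(e, p) for e, p, _ in review])
```

Only accesses left in the review queue need manual attention; each template is a candidate reason for access that the compliance officer approves or rejects.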

Using explanations to enhance EMR security

These explanations have proven to be invaluable for numerous compliance officers. Manual audits that previously took weeks now take minutes, as huge portions of the log can be confidently filtered away. Moreover, the system allows compliance officers to monitor a larger portion of EMR accesses. Systems are also being evaluated to identify the most suspicious accesses that cannot be explained, so compliance officers know which access to look at next when monitoring all accesses in a hospital.