The three key phases to achieve a mature privacy monitoring program

Michele Drake, Regional Sales Manager for Emerging Solutions at Imprivata, and Zach Blunt, Vice President of Product Management at Imprivata

August 14, 2023

Best practices for a mature privacy monitoring program are based in three key phases that build upon one another, and quickly progress in scope and sophistication. Read our blog recapping the on-demand webinar: 3 key steps to achieve a mature monitoring program 

The varied and complex functions of healthcare delivery organizations (HDOs) require a powerful network, numerous connected devices, and a multitude of applications. Each technological tool is simultaneously an asset and a vulnerability, as they represent access points for cybercrime. Monitoring every application with sensitive data is a necessity, not just for the HDO, but for patient safety.

The good deeds our healthcare workers perform for patients each day require the use of an enormous amount of sensitive information that must be protected. However, sometimes this data is inappropriately accessed, either by accident or with intent for harm. This is where patient privacy monitoring and analytics enter in, to detect and combat internal threats to your most critical systems.

Data privacy and its required tools

Data is everything in healthcare. It’s needed for diagnosis, for treatment, and for keeping the whole organization running. Data must be properly handled so it is available, but only to those with a right to it. But data disclosures, data privacy and security, patient confidentiality, data integrity, and more, are omnipresent concerns in healthcare, due to the fact that access cannot be restricted to the point where it affects workflows for patient care. All this data that is crucial to clinicians and patients, is very valuable to bad actors' intent on fraud, and unfortunately, those bad actors sometimes reside within the organization.

Patient privacy monitoring begins with how you handle data. You must first identify your tools, solutions, and systems that contain sensitive health or personal information. And keep in mind that privacy monitoring concerns more than just the Electronic Medical Record (EMR) or Electronic Health Record (EHR). Sensitive data can be found in connected applications and tools like Microsoft and Salesforce, too. Clinicians work with sensitive data, but so do clinical application analysts and clinical data analysts.

Sensitive data living in all these places must be organized and brought into a central location for a privacy program to work. This centralized wealth of data allows HDOs to use artificial intelligence (AI) to create alerts and detect anomalies that protect against security risks.

Over time, AI analysis can help reveal the big picture and make predictions, or drill down and focus on specific users or departments. It can help you look back for investigative purposes, and helps ensure users have only the access they need, and terminated users have that access revoked.

An effective privacy program has data control and flexibility, with the ability to document everything along the way.

Best practices for data privacy

For a comprehensive and mature data monitoring program, best practices are followed in a phased approach. When an organization initiates a privacy program, they begin with policies and procedures, and the privacy tools to support them. At this point, you can show auditors that you have a program in place and are working on targeted areas.

In phase one, you’re finding out what snoopers are doing. Snoopers are like eavesdroppers listening in on information they aren’t authorized to know – only they aren’t just limited to discovering information while it’s being transmitted. They may actively seek out your data – wherever it hides. And so, a privacy program begins by looking at coworkers who are accessing coworkers’ data, employees accessing patient charts, individuals accessing information on family or household members, and so on.

As your privacy program matures into phase two, it gains more sophistication, as well as the ability to detect and address more complicated (and less obvious) problems. You’ll have enough baseline information to identify statistical variations, so you can see when the standard deviation is high, revealing specific risky behaviors, such as employees “surfing” charts, or accessing more patient records than their peers.

Phase three lets you apply complex AI analysis to workflow variation. User behavioral analysis automates the process of comparing users to their peer group counterparts. Peer analysis will show when a particular user doesn’t typically work in a certain department, or when they are accessing files differently than their peers. It can call attention to inappropriate behavior before it progresses into a serious security breach.

Privacy programs will invariably take a phased approach, from manually catching snoopers, to automations that can find statistically significant anomalies, to very complex workflow analyses that use all available data. This gives you insights beyond what any individual or group of individuals could recognize on their own.

EHR and beyond

In phase one of your privacy program, you focus primarily on the EMR/EHR, as that is your primary data source. But as your privacy program matures, you’ll start expanding to other data sources (and maybe other, smaller, systems that you’ve picked up with mergers and acquisition activity).

And of course, it isn’t just databases and applications you need to be concerned with. You must also monitor access to connected medical devices, such as imaging tools used in outpatient radiology. The ultimate goal is to monitor all transactions made by all applications and devices, so that your entire ecosystem of sensitive data is covered.

Privacy monitoring maintenance and homegrown tools

Some HDOs choose to develop their own privacy monitoring tools, but unfortunately, these tools can’t always progress through the three phases of growth fast enough, particularly when the build process requires resources that are limited.

If you do get a homegrown tool off the ground, you must then consider its capabilities for ongoing monitoring and maintenance. You need to maintain momentum, and as you periodically evaluate your program, you’ll want the ability to tweak the process and adjust for workflow changes or ideas that could improve efficiency. And when your program relies on the same talent bucket that everyone is using to push their objectives forward (read: your already overburdened IT team), you may not be able to attain the consistency needed for a complete picture of what’s happening to your data.

Manual monitoring that relies on a person or persons can introduce inconsistencies, burnout, gaps, and simple human error. An entire program can become ineffective because someone gets sick, goes on vacation, has an off day, gets headhunted, or decides to retire.

So, while a homegrown solution may be a viable option at the point it’s created, the real question you’ll need to ask is: is it scalable over time? Unfortunately, the answer is likely to be “no,” which makes the case for a purpose-built, automated patient privacy monitoring tool.

Accurately monitor risk

A comprehensive privacy program should use dedicated expertise, AI, and contextual behavioral analytics to accurately detect and prevent major security issues – today, and for years to come.

Learn about Imprivata’s user behavior monitoring and analytics solutions for protecting patient privacy and how they usher your privacy program through the three build phases and beyond.