What is access monitoring?
It’s hard to know what’s happening with critical access and assets if no one is watching. Access governance can create a secure system, and access controls can add friction, but you don’t know who is actually accessing what unless there are eyes on it. Those eyes come in the form of access monitoring.
Definition of access monitoring
Access monitoring is proactively or reactively observing and analyzing what happened while a user was in a session. A session is defined as a single event where a user exercised their access rights, or the period of time a user was "logged in" to an asset, presumably performing work. It’s the security camera watching bank employees access the vault. Or the footage that’s viewed by police after a bank robbery. In short, access monitoring is the double check process to ensure that an organization’s access policy and controls are working like they should.
Components of access monitoring
- Proactive monitoring is the observation or analysis of a session with no pre-defined reason for review. This kind of monitoring is often conducted in real time, or as close to real time as possible, across a broad set of sessions. Think of the security guard watching live CCTV video across a property: real-time watching from many angles at once, which offers a broad, thorough view of what’s happening in a system.
- Reactive monitoring is the observation or analysis after a session due to a specific reason. Reactive monitoring requires systems and tools to be in place to record sessions. It’s generally applied to a single session or a small subset of sessions, and is most commonly used as part of an incident investigation. Think of the police watching security camera footage of one room of a bank after a robbery. It’s after the fact, and very targeted in what the monitoring is watching for.
- Observation is the collection or passive review of session information. Observation is required for analysis (see below) but not vice versa. Strong access monitoring doesn’t exist without observation, which can take forms such as a video recording of a session, a text-based audit trail, or a collection of session data.
- Analysis is the interrogation of the information or data collected. It can be used in both proactive and reactive use cases. Once an observation is complete, an analysis of a given session or data can occur.
Access Monitoring Best Practices
1. Complement analysis with observation
As stated above, you can have observation without analysis, but you can’t have analysis without observation. As a best practice, a strong access monitoring strategy uses both, and both can work together to create a full picture of what’s happening within a system. Consider the example of a nurse snooping on patient files. A proactive analysis of EHR records may flag a suspicious event, but a reactive observation of a session can provide additional context, and highlight the details of what happened -- whether the nurse was snooping or accidentally clicked on the wrong patient name.
2. Use proactive observation sparingly
Because it often occurs in real time, proactive observation is the most time-consuming, and often the least effective, form of access monitoring. Without parameters in place, an observer could be watching too much for too long in real time without understanding what they are seeing. However, it does have benefits if used sparingly and strategically. For high-risk, low-frequency access points and assets, employing another set of eyes can protect what’s most critical for an organization.
3. Proactive monitoring for high frequency, high-risk accesses
High-frequency and high-risk accesses, like those to patient files, should, as a best practice, be covered by proactive access monitoring. By applying proactive analysis to the session data, anomalies, threats, or misuse can be quickly identified. Subsequent reactive observation can then confirm or deny the suspicion and provide more critical context as part of an investigation.
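As an added example, not part of the original article and not code from SecureLink or Imprivata, the following Python sketch shows practices 1 and 3 working together over constructed EHR access events: a proactive analysis pass over every session that flags any access outside the user's treatment relationships, and a reactive observation that replays one flagged session with how long each record stayed open, which is the context that separates a mis-click from browsing. The event schema, the roster of care relationships (CARE_ROSTER), the sample data, and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access events with an assumed schema; not real log data.
# Session s1: a nurse opens one record outside her assignments for 12 seconds,
# then returns to her own patients. Session s2: a nurse pages through several
# unassigned records late at night. Session s3: a routine, fully assigned access.
ACCESS_LOG = [
    {"session": "s1", "user": "nurse_a", "ts": "2024-05-01T08:00:00", "patient": "p100", "action": "view"},
    {"session": "s1", "user": "nurse_a", "ts": "2024-05-01T08:04:10", "patient": "p200", "action": "view"},
    {"session": "s1", "user": "nurse_a", "ts": "2024-05-01T08:04:22", "patient": "p101", "action": "view"},
    {"session": "s1", "user": "nurse_a", "ts": "2024-05-01T08:20:00", "patient": "p101", "action": "update"},
    {"session": "s2", "user": "nurse_b", "ts": "2024-05-01T22:10:00", "patient": "p300", "action": "view"},
    {"session": "s2", "user": "nurse_b", "ts": "2024-05-01T22:13:00", "patient": "p301", "action": "view"},
    {"session": "s2", "user": "nurse_b", "ts": "2024-05-01T22:16:00", "patient": "p302", "action": "view"},
    {"session": "s2", "user": "nurse_b", "ts": "2024-05-01T22:19:00", "patient": "p303", "action": "view"},
    {"session": "s3", "user": "dr_c", "ts": "2024-05-01T09:00:00", "patient": "p100", "action": "view"},
]

# Assumed treatment-relationship roster: the patients each user is assigned to.
CARE_ROSTER = {
    "nurse_a": {"p100", "p101"},
    "nurse_b": {"p300"},
    "dr_c": {"p100", "p101", "p200"},
}


def group_sessions(events):
    """Group events by session id and order each session by timestamp."""
    sessions = defaultdict(list)
    for e in events:
        sessions[e["session"]].append(e)
    for evs in sessions.values():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    return sessions


def proactive_analysis(events, roster=CARE_ROSTER):
    """Broad pass over every session (the proactive, near-real-time half).

    Flags each session in which the user opened a patient record that is not
    in their care roster. Returns {session_id: {"user": ..., "unassigned_patients": [...]}}.
    """
    flagged = {}
    for sid, evs in group_sessions(events).items():
        user = evs[0]["user"]
        assigned = roster.get(user, set())
        outside = sorted({e["patient"] for e in evs if e["patient"] not in assigned})
        if outside:
            flagged[sid] = {"user": user, "unassigned_patients": outside}
    return flagged


def reactive_observation(events, session_id, roster=CARE_ROSTER):
    """Targeted replay of one session (the reactive half).

    Returns the ordered timeline with the dwell time on each record, i.e. the
    seconds until the user's next action. The last event has no successor, so
    its dwell is reported as 0 rather than guessed.
    """
    evs = group_sessions(events).get(session_id, [])
    timeline = []
    for i, e in enumerate(evs):
        opened = datetime.fromisoformat(e["ts"])
        closed = datetime.fromisoformat(evs[i + 1]["ts"]) if i + 1 < len(evs) else opened
        timeline.append({
            "ts": e["ts"],
            "patient": e["patient"],
            "action": e["action"],
            "assigned": e["patient"] in roster.get(e["user"], set()),
            "dwell_seconds": int((closed - opened).total_seconds()),
        })
    return timeline


if __name__ == "__main__":
    for sid, info in proactive_analysis(ACCESS_LOG).items():
        print(f"session {sid}: {info['user']} opened unassigned records {info['unassigned_patients']}")
        for step in reactive_observation(ACCESS_LOG, sid):
            marker = "" if step["assigned"] else "  <-- outside care relationship"
            print(f"  {step['ts']} {step['action']:6} {step['patient']} ({step['dwell_seconds']}s){marker}")
```

Run as a script it prints the two flagged sessions with their timelines. The analysis deliberately flags every out-of-roster access rather than applying a threshold: the 12-second detour in s1 and the twenty-minute browse in s2 look identical to a counter, and it is the replayed timeline, not the flag, that lets an investigator tell them apart.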
How access monitoring helps healthcare organizations
Healthcare might as well be synonymous with high-frequency, high-risk access points. A single hospital can contain thousands of patient files and other data that fall under HIPAA, and all of it is accessed regularly by doctors, nurses, technicians, and more. In fact, there are over 2.5 million EMR accesses per healthcare organization per day. That’s a whole new level of high frequency.

Access monitoring is crucial in these instances because access control, often an extra layer of security, becomes impractical at this scale. No one can be expected to wait for approval, be limited to a set number of logins a day, or work under other access control measures when accesses total in the millions. If a doctor needs approval from an IT department before opening a patient’s allergy record ahead of administering medicine, the result could be deadly. Proactive analysis and monitoring, combined with targeted reactive access monitoring (rather than combing through every access that happened over a 24-hour period), allow an organization to apply granular control without interrupting operations or creating an impractical situation for users. In fact, HIPAA regulations require an organization to have an access control and access monitoring plan, and to be able to explain every access that occurs to EMRs.

While access monitoring itself can be overwhelming, patient privacy monitoring solutions like SecureLink Privacy Monitor offer ease and efficiency while helping organizations stay compliant with various regulations. Imprivata can help an organization filter through the access points and assets that are most critical, provide real-time updates on suspicious activity, and relieve IT burden. While each organization may have different needs, employing some form of access monitoring is crucial to critical access management and strong access safeguards. For more information on access monitoring, see our Critical Access Management eBook.