User access monitoring is a requirement under the HIPAA Security Rule. However, the specifics of what must be done remain a little cloudy. The regulations state, “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information” 45 C.F.R. §164.312(b). The rule also requires that covered entities “implement policies and procedures to prevent, detect, contain, and correct security violations” and “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” 45 C.F.R. §164.308(a)(1)(i) and 45 C.F.R. §164.308(a)(1)(ii)(D) (emphasis added).
Lack of Specificity from OCR
But the guidance from the Office for Civil Rights (OCR) has not provided any specifics on what needs to be addressed and how robust the system activity review needs to be. In the January 2017 Office for Civil Rights Cybersecurity Newsletter, OCR stated, “it is imperative for Covered Entities and Business Associates to review their audit trails regularly, both particularly after security incidents or breaches, and during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach.” The Newsletter tells covered entities they need to use their risk analysis results and operational factors to determine the process for system activity reviews.
Without more specificity, it is often difficult to convince senior leadership that this is a component of the privacy and security program they need to invest in. Modern EHRs include reports and other tools that can help support this function, but it is often a resource-intensive process and is difficult to do in a meaningful fashion. Using the reports and queries from the system often means chasing down information only to determine that the access was completely legitimate. This is not an effective use of resources.
This means a covered entity that wants to meet this requirement of the Security Rule will need a technology solution to support a meaningful system activity review process, such as a user access monitoring program. There are multiple tools in the market today. Of course, purchasing a license for such a solution costs money, and it is not the total solution. Technology is simply a tool to support a more effective approach to meeting the requirement.
Enforcement Action on this Topic
It can also be pointed out that failure to have a process in place can result in significant enforcement action. In February of 2017, OCR announced a settlement and resolution agreement with Memorial Healthcare System for $5.5 million. One of the findings was that Memorial failed to meet the provisions of 45 C.F.R. §164.308(a)(1)(ii)(D). The incident that brought this to OCR’s attention was a self-reported breach.
How to Discuss this Topic with Senior Leadership
Convincing senior leadership to provide the budget to have a robust, proactive user access monitoring program will be a difficult case to make. But not having anything in place is clearly a violation of the regulations. So, what can be done to convince them it is necessary?
1. Identify What You Will Assess
First, try to identify what the program will be assessing. Consider, at a minimum, proactive user access monitoring for four common types of improper access, in which users access:
- Family members’ records
- Co-workers’ records
- VIP records
- Neighbors’ records
Another possible item is assessing high-volume accesses. Next, determine what internal resources are available: both the reports that can be obtained from the EHR and other systems, and the FTEs available to review those reports. Ideally, also time how long it takes to review just one of the improper access types identified, such as co-worker snooping.
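The detection rules the list above describes, written out as an added example (not code from the article or any vendor product) so the review team can see what a first pass over an EHR audit trail looks like before a vendor solution is considered. It assumes the organization can join the audit log against an employee directory (which also records whether an employee is a patient), patient demographics, a VIP list and a care-team assignment list; all of that data, the surname and ZIP-code heuristics for the family and neighbor rules, and the high-volume threshold are constructed for the illustration. The care-team list is the false-positive control: an access that is part of a documented treatment relationship is not raised as co-worker, family or neighbor snooping.

```python
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed reference data (hypothetical; not from any real system) ---

# Employee directory: user id -> last name, home ZIP, and the employee's own
# patient id when the employee is also a patient of the organization.
EMPLOYEES = {
    "u100": {"last_name": "Rivera", "zip": "02134", "patient_id": "p900"},
    "u101": {"last_name": "Chen",   "zip": "02134", "patient_id": None},
    "u102": {"last_name": "Okafor", "zip": "02139", "patient_id": "p901"},
}

# Patient demographics: patient id -> last name and home ZIP.
PATIENTS = {
    "p900": {"last_name": "Rivera", "zip": "02134"},
    "p901": {"last_name": "Okafor", "zip": "02139"},
    "p902": {"last_name": "Chen",   "zip": "02144"},
    "p903": {"last_name": "Singh",  "zip": "02134"},
    "p904": {"last_name": "Doe",    "zip": "02145"},
    "p905": {"last_name": "Park",   "zip": "02150"},
    "p906": {"last_name": "Ali",    "zip": "02151"},
}

VIP_PATIENTS = {"p904"}

# Documented treatment relationships (user, patient): suppresses the
# relationship-based snooping rules for that pair.
CARE_TEAM = {("u101", "p900")}

# Distinct patient records one user may open per day before the access is
# flagged as high volume. Constructed; tune it from the baseline review.
HIGH_VOLUME_THRESHOLD = 3

# Constructed audit log rows: (ISO timestamp, user id, patient id, action).
AUDIT_LOG = [
    ("2017-03-01T08:05:00", "u101", "p900", "view"),  # co-worker, but on care team
    ("2017-03-01T08:10:00", "u102", "p900", "view"),  # co-worker record
    ("2017-03-01T09:00:00", "u101", "p902", "view"),  # same surname as the user
    ("2017-03-01T09:30:00", "u100", "p904", "view"),  # VIP record
    ("2017-03-01T10:00:00", "u100", "p903", "view"),  # same ZIP as the user
    ("2017-03-01T10:05:00", "u100", "p905", "view"),
    ("2017-03-01T10:06:00", "u100", "p906", "view"),  # 4th distinct patient today
]


@dataclass(frozen=True)
class Alert:
    rule: str      # coworker | family | vip | neighbor | high_volume | unknown_identity
    user: str
    target: str    # patient id, or a summary for high_volume
    when: str      # timestamp or day


def review_audit_log(log, employees=EMPLOYEES, patients=PATIENTS,
                     vips=VIP_PATIENTS, care_team=CARE_TEAM,
                     threshold=HIGH_VOLUME_THRESHOLD):
    """Return the list of accesses a reviewer should look at, one Alert per rule hit."""
    alerts = []
    daily = defaultdict(set)  # (user, day) -> distinct patients opened
    employee_patient_ids = {e["patient_id"] for e in employees.values() if e["patient_id"]}

    for ts, user, patient, _action in log:
        emp, pat = employees.get(user), patients.get(patient)
        if emp is None or pat is None:
            # An access that cannot be joined to either directory is itself worth review.
            alerts.append(Alert("unknown_identity", user, patient, ts))
            continue
        if emp["patient_id"] == patient:
            continue  # employee opening their own record; outside the four rules here

        daily[(user, ts[:10])].add(patient)

        if patient in vips:  # VIP accesses are always surfaced, care team or not
            alerts.append(Alert("vip", user, patient, ts))
        if (user, patient) in care_team:
            continue  # documented treatment relationship: not snooping
        if patient in employee_patient_ids:
            alerts.append(Alert("coworker", user, patient, ts))
        if pat["last_name"].lower() == emp["last_name"].lower():  # surname heuristic
            alerts.append(Alert("family", user, patient, ts))
        if pat["zip"] == emp["zip"]:  # ZIP-code heuristic
            alerts.append(Alert("neighbor", user, patient, ts))

    for (user, day), opened in sorted(daily.items()):
        if len(opened) > threshold:
            alerts.append(Alert("high_volume", user, f"{len(opened)} patients", day))
    return alerts


if __name__ == "__main__":
    for a in review_audit_log(AUDIT_LOG):
        print(f"{a.when}  {a.rule:<12} user={a.user} target={a.target}")
```

Running it over the constructed log produces five alerts (one each for co-worker, family, VIP, neighbor and high-volume access) and nothing for the care-team access, which is the point of the baseline exercise: counting how many of these a reviewer can clear per hour gives the FTE figure the next step asks for.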
2. Calculate the Resources Required to Conduct Manual Reviews
Also, evaluate how effective the process would be. If the organization picks two random days every month to review accesses, would that be effective in actually detecting that a randomly selected user accessed a co-worker’s record? Probably not, but monitoring all users against all co-workers would be daunting. Once the baseline data is available to show how much time and effort it takes to do this without a technology solution, the case can be built for getting the technology solution.
3. Evaluate User Monitoring Vendor Solutions
Look at the vendors who offer a technology solution to support the program. Compare the cost to do it internally with the cost of the solution and the features the solutions offer. Newer solutions on the market are easier to implement and offer more sophisticated ways of identifying what are likely improper accesses versus false positives. Thus, the organization can have a more robust program that is effective with fewer resources than trying to do it without a technology solution.
4. Understand that Breaches are Inevitable
Another discussion point with senior leadership is that breaches are inevitable. At some point, the organization will be reporting a breach. If the breach is the result of an activity that could have been detected through proactive user access monitoring, there could be a settlement and resolution agreement in the organization’s future. Not only would this result in paying the settlement amount, but it would also include a mandate to put a process in place, so the organization would be expending the money anyway.
This will be a difficult conversation. It is never easy to convince senior leadership to spend money on something that is not revenue producing. But like most of the activity that is undertaken in the privacy and information security program, it is about risk avoidance, management, and mitigation. The organization’s senior leadership needs to think of this in the same way they think about expending funds for any risk management project.