
Minimize Chance of Breach by Rogue Employee

  • Posted by: Adriene Hall
  • Oct 15, 2018
  • 3 min read

Topic: Access Logs

Breaches of ePHI can be caused by mistakes (someone loses a laptop) or by a bad actor (hacker, rogue employee). Let’s take the case of the rogue employee (and there are lots of these cases, so it can happen to anyone). What can be done? Rogue employees typically look to access and copy patient records for sale on the black market or to commit fraud.

A software security breach ended in the cancellation of more than 40 appointments at Absolute Dental Hygiene in Eugene, Oregon. The dental facility said the breach also gave access to 871 patients' personal information. Things like social security numbers, medical history and more were hacked. This was caused by a rogue employee with malicious intent. Read the original article here.


What could have been done to prevent this? These employees caused these breaches over time. Was anyone checking on the access? Most likely not. Did these providers know if the employees were accessing the system at 3 AM from home? Was the employee looking at an unusually large volume of records? Was the employee looking at records they had no business reason to access? Therein lies the value of checking access logs: spotting potential problems before they become real problems. When your employees know their access is logged, and the logs are regularly checked, it reduces their temptation to do anything inappropriate.

It is not uncommon for organizations to discover and report breaches a year or two after they happened, because they delayed or failed to check their logs. Don’t let this happen to you.

Computer logs can be voluminous and difficult to interpret. Here are some commonly asked questions about logs:

Q. Is this really a HIPAA requirement?


A. Yes, here are the sections of the HIPAA Security Rule that discuss this:

  • Section 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

  • Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

  • Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Q. How often should I run the reports?

A. As with a lot of items in HIPAA, it is up to your discretion. Once per month is probably fine, but think through your situation and what is best for you.

Q. Which systems should I run reports on?

A. All systems that contain ePHI. Hopefully your software vendors are aware of this type of requirement for HIPAA and have reports already designed for this purpose.

Q. What information should the reports contain?

A. This is up to you, but the goal you are trying to achieve is to be able to determine if inappropriate access has occurred. Some of the information that could be analyzed includes:

  • What time an employee logs in. From where (local or remote)

  • The number of failed login attempts on a computer or a specific ID

  • Who downloaded new software, and when

  • When and how often passwords are changed

  • What information was accessed by the person logged in

  • What protected health information (PHI) was changed and by who
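The kind of review the questions above describe (off-hours remote logins, an unusually large volume of records viewed, repeated failed login attempts) can be scripted once a system exports its audit log in a consistent format. The following is an added example, not code from the original post or from HIPAA Secure Now!; the log format, user names, clinic hours and thresholds are all constructed assumptions for illustration. It also tags the output with the time frame covered and who performed the review, since those details are what an investigator later asks for.

```python
"""Sample review of an ePHI access-audit log (added example, not from the post).

Runs three of the checks the article lists over constructed log lines and
returns the findings together with the review time frame and reviewer name.
The log format, thresholds, business hours and user names are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log: timestamp user event source detail
# event is one of LOGIN_OK, LOGIN_FAIL, VIEW_RECORD (detail = patient id)
SAMPLE_LOG = """\
2018-10-01T08:02:11 jsmith LOGIN_OK local -
2018-10-01T08:05:40 jsmith VIEW_RECORD local P1001
2018-10-01T08:07:12 jsmith VIEW_RECORD local P1002
2018-10-01T09:15:00 mlee LOGIN_FAIL remote -
2018-10-01T09:15:30 mlee LOGIN_FAIL remote -
2018-10-01T09:16:02 mlee LOGIN_FAIL remote -
2018-10-01T09:16:40 mlee LOGIN_FAIL remote -
2018-10-01T09:17:05 mlee LOGIN_OK remote -
2018-10-02T03:04:55 rdoe LOGIN_OK remote -
2018-10-02T03:05:10 rdoe VIEW_RECORD remote P2001
2018-10-02T03:05:20 rdoe VIEW_RECORD remote P2002
2018-10-02T03:05:31 rdoe VIEW_RECORD remote P2003
2018-10-02T03:05:42 rdoe VIEW_RECORD remote P2004
2018-10-02T03:05:53 rdoe VIEW_RECORD remote P2005
2018-10-02T03:06:05 rdoe VIEW_RECORD remote P2006
"""

BUSINESS_START = time(7, 0)   # assumed clinic hours: 07:00 to 19:00
BUSINESS_END = time(19, 0)
RECORD_VIEW_THRESHOLD = 5     # assumed: more distinct records per day is unusual
FAILED_LOGIN_THRESHOLD = 3    # assumed: more failures per ID is unusual


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "source": source, "detail": detail})
    return events


def after_hours_remote_logins(events):
    """Successful remote logins that fall outside business hours."""
    hits = []
    for e in events:
        if e["event"] == "LOGIN_OK" and e["source"] == "remote":
            t = e["ts"].time()
            if t < BUSINESS_START or t >= BUSINESS_END:
                hits.append((e["user"], e["ts"].isoformat()))
    return hits


def high_volume_viewers(events, threshold=RECORD_VIEW_THRESHOLD):
    """Users who viewed more than `threshold` distinct records in one day."""
    per_user_day = defaultdict(set)
    for e in events:
        if e["event"] == "VIEW_RECORD":
            per_user_day[(e["user"], e["ts"].date())].add(e["detail"])
    return sorted((user, str(day), len(recs))
                  for (user, day), recs in per_user_day.items()
                  if len(recs) > threshold)


def repeated_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """IDs with more than `threshold` failed login attempts in the log."""
    fails = Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")
    return sorted((u, n) for u, n in fails.items() if n > threshold)


def review(text, reviewer="reviewer-name (assumed)"):
    """Run all checks; record the time frame covered and who reviewed it."""
    events = parse_log(text)
    return {
        "time_frame": (min(e["ts"] for e in events).date().isoformat(),
                       max(e["ts"] for e in events).date().isoformat()),
        "reviewed_by": reviewer,
        "after_hours_remote_logins": after_hours_remote_logins(events),
        "high_volume_viewers": high_volume_viewers(events),
        "repeated_failed_logins": repeated_failed_logins(events),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value if value else 'none'}")
```

Each check returns a plain list of findings rather than printing, so the same functions can feed a monthly report that is then filed with the date of the analysis and the reviewer's name. The thresholds are deliberately parameters: what counts as an unusual record volume depends on the role of the user and the size of the practice.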

Q. What do I do if I suspect something is wrong?


A. Review the information with your IT staff, IT vendor or software vendor to see if they agree with your conclusions. If you still think something is wrong, contact HIPAA Secure Now! and we can review the situation with you.

Q. What do I do with the reports once I have reviewed them?

A. Best practice would be to upload them to the HIPAA Secure Now! portal. Make sure the report indicates the time frame of the analysis, date of the analysis and who performed the analysis. In the event that you ever do have a breach, investigators will ask you for a copy of your log reviews. Being able to produce these will tremendously improve your standing in the case of an investigation or audit.

Q. How long should this take?

A. Properly configured reports should only take a few minutes to run and analyze assuming no irregularities are discovered.

Q. Is there any other value to this?

A. Yes! This is something that every organization should be doing (regardless of what industry they are in). This is a best practice for cyber-security. Early discovery and prevention of problems will avoid enormous time and expense later.
