Written by Tim Burris, HCISPP, Product Manager, Privacy and Security - iatricSystems
Healthcare Privacy and Information Security programs have evolved substantially in recent years. This is due not only to the requirements of Meaningful Use, HIPAA, and HITECH, but also to the growing threats to our sensitive information. Recent cybersecurity analysis estimates that nearly half of all cyber attacks identified in 2015 were directed at healthcare. Many of these incidents involved insider threats or the mishandling of information by staff. It can be a daunting task to keep our Privacy and Security practices ahead of the threats that target them. This is why a risk-based approach to auditing is not only helpful, it is necessary.
Privacy investigators have been moving from traditional reactive audits to a more proactive auditing approach. Instead of responding to privacy complaints, auditors are embracing technology that helps to proactively identify potentially inappropriate access. This puts the investigators ahead of the breach. However, sifting through the results of such proactive auditing programs can be extremely time-consuming and resource-intensive.
To help with large data volumes, it is important that privacy programs and solutions are tailored in a manner that limits false positives. This helps prevent time wasted investigating access that was legitimate and appropriate. But what are auditors to do when audit volumes still exceed the capability of their available resources? This is where risk-based auditing comes into play. The ability to investigate incidents in a prioritized order based on their level of risk is a game changer.
Iatric Systems has developed a tool specifically to accommodate the need for risk-based auditing. Auditor’s Desktop™ is a companion product for Security Audit Manager™ that allows for the assignment of a risk score or “weight” to each event that triggers an algorithm identifying it as potentially inappropriate access.
When an audit triggers more than one of these algorithms, the weights are added and the event moves higher on the auditor’s list. These weights can also be customized to allow organizations to establish their own auditing priorities. This strategy helps to take millions of events, pick out those that look suspicious, and prioritize them by risk score.
We recently interviewed one of our customers, Union Hospital, and they found that with Auditor’s Desktop, they could quickly determine whether a breach occurred and eliminate false positives, without having to individually review multiple audits.
Risk-based auditing is the next logical step in the effort to protect sensitive information. It helps to ensure that the valuable time of auditors is spent focused on those incidents that need it most. With the hard work of privacy and security teams coupled with innovative technology, we can help to keep our sensitive information secure.