Cybersecurity vulnerabilities are common in the healthcare industry. This was shown once again by a study conducted by Independent Security Evaluators, which states that every modern healthcare organization has such problems. Outsider attacks present new challenges, but hidden insider threats are even more dangerous. For example, this year an employee of the Montefiore Medical Center was indicted following the theft of personal data of more than 12000 patients. Such breaches are made possible not only by poor security practices, but also by vulnerabilities built into EHR software itself.
EHR: benefits and vulnerabilities
In part thanks to the Health Information Technology for Economic and Clinical Health Act (HITECH) and the large incentives it provides, almost all healthcare providers use Electronic Health Record (EHR) systems to store and manage sensitive healthcare data, that is, patient records. The benefits of these systems are enormous: they streamline the workflow and consolidate all data in one place.
However, consolidated data also poses a serious security risk, because if a perpetrator gains access to the system, he or she obtains full control over a wide range of personal patient data, including:
- patient’s full name;
- bank account information;
- health data;
- Social Security number.
This data can then be sold or used for crimes such as identity theft and insurance fraud, or to obtain prescription drugs illegally.
The most popular EHR systems include Cerner, Epic, Meditech, and McKesson software. Each of them includes some user tracking features that let you see who accessed sensitive data. However, these features have their own set of limitations and vulnerabilities:
- Users with privileged accounts. An EHR system usually logs or monitors user activity in one way or another. However, the actions of users with privileged accounts, such as administrators, are not recorded, allowing them to carry out malicious activity undetected.
- Entitlement changes. By changing his or her entitlement level, a user can circumvent internal system monitoring and access personal patient data. Entitlement changes usually go undetected, and an administrator can easily change the entitlement level of any user, including themselves.
- Sensitive data changes. Even when an instance of access to sensitive data is recorded, it is impossible to know how the data was used. Therefore, malicious actions can be hard to detect in time. Moreover, violations can be difficult to prove, since the user can simply claim that he or she misclicked or accessed the data by accident.
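The three audit gaps listed above can be turned into detection rules over the EHR's own audit trail. The following is an added example written for this article, not code from any EHR vendor or from Ekran System; the event layout and the constructed audit events are assumptions, and it flags self-applied entitlement changes, privileged sessions that left no audited actions (a sign the privileged activity is not being recorded), and record access volumes above a per-user baseline.

```python
from collections import Counter

# Constructed sample audit trail; the field names are an assumption, not any vendor's schema.
EVENTS = [
    {"ts": 1, "actor": "nurse_a", "role": "nurse", "action": "LOGIN"},
    {"ts": 2, "actor": "nurse_a", "role": "nurse", "action": "VIEW_RECORD", "target": "pt-001"},
    {"ts": 3, "actor": "admin_b", "role": "admin", "action": "LOGIN"},
    {"ts": 4, "actor": "admin_b", "role": "admin", "action": "LOGOUT"},
    {"ts": 5, "actor": "clerk_c", "role": "clerk", "action": "LOGIN"},
    {"ts": 6, "actor": "clerk_c", "role": "clerk", "action": "CHANGE_ENTITLEMENT",
     "target": "clerk_c", "new_role": "admin"},
    {"ts": 7, "actor": "clerk_c", "role": "admin", "action": "VIEW_RECORD", "target": "pt-002"},
    {"ts": 8, "actor": "clerk_c", "role": "admin", "action": "VIEW_RECORD", "target": "pt-003"},
    {"ts": 9, "actor": "clerk_c", "role": "admin", "action": "VIEW_RECORD", "target": "pt-004"},
    {"ts": 10, "actor": "clerk_c", "role": "admin", "action": "VIEW_RECORD", "target": "pt-005"},
]

PRIVILEGED_ROLES = {"admin"}

def self_entitlement_changes(events):
    """Rule 1: entitlement changes where the actor modified their own account."""
    return [e for e in events
            if e["action"] == "CHANGE_ENTITLEMENT" and e.get("target") == e["actor"]]

def silent_privileged_sessions(events):
    """Rule 2: privileged sessions with no audited action between LOGIN and
    LOGOUT. Either the administrator did nothing, or the system is not
    recording privileged activity; both cases deserve review."""
    open_sessions = {}   # actor -> number of audited actions since LOGIN
    silent = []
    for e in sorted(events, key=lambda e: e["ts"]):
        actor = e["actor"]
        if e["action"] == "LOGIN":
            open_sessions[actor] = 0
        elif e["action"] == "LOGOUT":
            count = open_sessions.pop(actor, None)
            if e["role"] in PRIVILEGED_ROLES and count == 0:
                silent.append(actor)
        elif actor in open_sessions:
            open_sessions[actor] += 1
    return silent

def bulk_record_access(events, max_views=3):
    """Rule 3: the log says a record was opened, not why; a user opening more
    records than their baseline allows is the signal worth reviewing."""
    views = Counter(e["actor"] for e in events if e["action"] == "VIEW_RECORD")
    return {actor: n for actor, n in views.items() if n > max_views}
```

In the constructed sample, the rules surface the clerk who promoted their own account and then opened four records, and the administrator whose session left nothing in the log.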
Why the current approach has problems
Most data protection solutions in healthcare focus on establishing and maintaining a security perimeter, yet most attacks and security breaches happen from within the system. Perpetrators either gain access to the system from inside the building (for example, through a public Wi-Fi connection or a USB device) or are employees themselves. Based on recent reports, insider threats pose a much bigger problem than most people give them credit for: 49% of all healthcare providers report a high level of vulnerability to insider threats. To protect against such inner threats, an employee activity tracking solution is required.
Upcoming HIPAA audits, which promise to strike in full force this year, are another thing healthcare providers need to consider. Maintaining a high level of security is required by the Health Insurance Portability and Accountability Act (HIPAA) and HITECH standards, and it is mandatory to pass a HIPAA audit. Tracking software that monitors all user activity belongs in your HIPAA compliance audit checklist. For electronic health record systems, auditing software that provides constant EHR monitoring can greatly speed up the audit process, reducing both your headaches and your spending.
How Ekran System can help
Ekran System is a security and user monitoring solution that can help you organize reliable healthcare data protection.
Video recording. Ekran System records a video of everything the user sees on his or her screen. Every video is indexed and coupled with relevant metadata, such as application and active window names, keystrokes, visited URLs, etc. Each user can be clearly identified through a secondary level of authentication, allowing you to distinguish between users who work under shared accounts.
USB device blocking. Ekran System also features USB device connection monitoring and optional automatic blocking tools, preventing automatic execution of malware or unauthorized copying of data to mass storage.
Service provider monitoring. Ekran System can be used to monitor and audit healthcare application providers. You can monitor, log and audit third-party vendor activity, giving you better control over access to the organization's IT infrastructure and sensitive data. The solution works with all levels of user privileges, allowing you to monitor healthcare security providers and thereby protect medical records even from users with privileged access, from system administrators to security personnel.
These features let you know exactly who accesses patient data and how they are using it. Data recorded by Ekran System, as well as its event alerts, user blocking and USB blocking functionality, can be used to organize a timely incident response, help prevent identity theft and fraud, and serve as evidence in a criminal investigation.
In line with HIPAA compliance requirements, Ekran System provides access control and can help with risk analysis and establishing a clearance procedure. It can also help you develop and deploy the information system activity reviews required by HIPAA compliance rules.
The main difference between Ekran System and other healthcare security audit and monitoring providers and services is its simple, time-saving monitoring format and its flexible licensing system. This allows cost-effective deployments even on a small number of endpoints, making Ekran System an ideal solution for small and medium-sized healthcare institutions. You can also try a free demo and see for yourself how Ekran System can strengthen the cybersecurity of your healthcare institution.
User monitoring is the way to go
User monitoring solutions like Ekran System will go a long way toward securing your patients' personal data. They mitigate every major vulnerability of popular EHR systems and can even be used to track third parties and software service providers. With HIPAA striking in full force and the costs of potential data breaches skyrocketing, reliable security is more important than ever. Monitoring software provides the first level of defense against insider threats and helps you stay on top of your security and compliance needs. Take a look also at the best IT security policies and procedures.