With the state of the world today, healthcare facilities of all kinds and sizes are operating under a state of distress. Employees are working on the frontlines, while also having to manage low budgets for IT security, coupled with low resources, and all the while having to manage legal and compliance issues on top of it. Sometimes so much emphasis is put on the primary platform where patient health information (PHI) resides that other parts of the network are overlooked when determining compliance.
Compliance is about behavior; as long as employees within a covered entity behave as they should, using PHI appropriately, there’s zero issue. So, non-compliance is any behavior where PHI is misused or mishandled in a way that breaches its security.
Therefore, meeting the data security standards within HIPAA is more than just establishing roles and permissions within your Electronic Health Record (EHR) application; to truly know you’re compliant, you need to be looking for non-compliant behavior within your IT environment.
To meet this need, you need to go beyond the EHR and understand a few places in the network that don’t necessarily host PHI but can be indicative of non-compliant behaviors.
- Directory Service—When external attackers gain access to a healthcare organization’s network, they work to establish persistence, stealth, and elevated access. All this involves modifying your directory service (likely Active Directory) to create dummy accounts, add them to groups to provide access to systems and applications hosting PHI outside your EHR. Understanding when changes are made, who made them, and what was changed provides insight into activities that can result in a breach of data and compliance.
- Servers—Part of the persistence previously mentioned includes control over systems on the network as footholds. Attackers modify the configuration of a server—such as installing a bogus service that’s actually a remote access trojan or disabling the Windows firewall—so that they can regain access to the network remotely. These leading indicators of a threat action can be used either to stop a breach or to establish the investigative path after one. Being able to monitor and maintain the configuration of key systems therefore becomes critical to ensuring compliance.
- User Activity—Something as simple as an out-of-the-ordinary logon by a user (e.g., based on the day or time of logon) could help indicate there may be an issue. Having a centralized way to monitor for, audit, and alert on actions taken on the network (generally via consolidation of audit log data) can be beneficial to ensure nothing malicious has occurred.
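As an added illustration (not code from the original article), here is a small Python triage routine that reads consolidated audit records from all three sources above and flags the behaviors described: account creation and sensitive group additions in the directory, service installs and firewall shutdowns on servers, and off-hours or weekend logons. The JSON record layout, hostnames, group names, business hours and the Windows event IDs used for each category are assumptions chosen for the example.

```python
import json
from datetime import datetime

# Constructed sample audit records (JSON lines) in a consolidated log, one per line.
SAMPLE_LOG = """
{"ts": "2023-03-06T09:12:00", "host": "DC01", "event_id": 4720, "subject": "svc_backup", "target": "helpdesk2"}
{"ts": "2023-03-06T09:13:00", "host": "DC01", "event_id": 4728, "subject": "svc_backup", "target": "helpdesk2", "group": "EHR-Admins"}
{"ts": "2023-03-06T03:41:00", "host": "APP02", "event_id": 4624, "subject": "jsmith", "logon_type": 10}
{"ts": "2023-03-06T14:02:00", "host": "APP02", "event_id": 4624, "subject": "jsmith", "logon_type": 10}
{"ts": "2023-03-11T10:00:00", "host": "APP02", "event_id": 4624, "subject": "jsmith", "logon_type": 10}
{"ts": "2023-03-06T03:44:00", "host": "APP02", "event_id": 7045, "subject": "jsmith", "service": "WinUpdateHelper"}
{"ts": "2023-03-06T03:45:00", "host": "APP02", "event_id": 5025, "subject": "jsmith"}
"""

BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59, a site-specific assumption
SENSITIVE_GROUPS = {"EHR-Admins", "Domain Admins"}  # groups that grant access to PHI-hosting systems

def classify(rec):
    """Map one audit record to (category, detail) for the indicators the article describes, or None."""
    eid = rec["event_id"]
    when = datetime.fromisoformat(rec["ts"])
    if eid == 4720:  # user account created
        return ("directory", f"account {rec['target']} created by {rec['subject']}")
    if eid in (4728, 4732) and rec.get("group") in SENSITIVE_GROUPS:  # member added to a security group
        return ("directory", f"{rec['target']} added to {rec['group']} by {rec['subject']}")
    if eid == 7045:  # new service installed on a server
        return ("server", f"service {rec['service']} installed on {rec['host']} by {rec['subject']}")
    if eid == 5025:  # Windows Firewall service stopped
        return ("server", f"firewall service stopped on {rec['host']} by {rec['subject']}")
    if eid == 4624 and (when.hour not in BUSINESS_HOURS or when.weekday() >= 5):  # logon at odd day/time
        return ("user_activity", f"off-hours logon by {rec['subject']} to {rec['host']} at {rec['ts']}")
    return None

def find_indicators(log_text):
    """Return a list of (timestamp, category, detail) for every record that matches an indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        hit = classify(json.loads(line))
        if hit:
            findings.append((json.loads(line)["ts"], *hit))
    return findings

if __name__ == "__main__":
    for ts, category, detail in find_indicators(SAMPLE_LOG):
        print(f"{ts} [{category}] {detail}")
```

In a real deployment the records would come from the consolidated audit store rather than an inline string, and the business-hours window and sensitive-group list would be tuned per site.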
Determining compliance isn’t always as simple as looking to see who accessed Snoop Dogg’s record when he was admitted to the hospital; sometimes a breach isn’t as obvious. Healthcare organizations truly working to determine whether their systems are secure and their organization is compliant need to be looking beyond the EHR to sources of data that spell out what actions have been taken that could be used to inappropriately access and steal PHI.
By using the three sources of intelligence mentioned in this article, healthcare organizations will have a better handle on what their user behavior looks like and how it impacts HIPAA compliance.