Consumer Exercise Monitoring: Actual-Time Visibility Inside the EHR to Keep Forward of Insider Threats

In mild of accelerating incidents and information breaches throughout the {industry}, healthcare organizations are responding by beefing up their proactive cyber defenses to handle privateness and safety controls already required by HIPAA.

However whereas it has grow to be normal follow for healthcare organizations to concentrate on figuring out and stopping exterior threats to the privateness and safety of information, one usually neglected danger could also be proper inside your places of work — snooping workers and malicious insider threats. 

Even with routine, efficient worker coaching that addresses frequent assault strategies like social engineering and phishing, healthcare information stays weak. Actually, almost 70% of information breaches contain a human ingredient. This danger, along with regulatory danger, is why it’s so necessary to maintain a detailed eye on consumer exercise throughout your total group — and your provide chain, wherever doable — for anybody who accesses information about sufferers in addition to different protected information.

What’s consumer exercise monitoring (UAM)?

The Nationwide Institute of Requirements and Expertise (NIST) defines consumer exercise monitoring (UAM) as the potential to “observe and file the actions and actions of a person, at any time, on any gadget.” It goes on to say UAM can “detect insider menace and to help approved investigations.”

Sorts of UAM

Consumer exercise monitoring can assist healthcare organizations monitor and protectively establish suspicious or unauthorized entry to protected information like ePHI inside digital well being data (EHR) programs.

Business-recognized UAM controls additionally assist to make sure compliance with HIPAA requirements to guard the confidentiality, integrity, and availability of healthcare information.

There are lots of kinds of consumer exercise monitoring, for instance:

• Entry logs and monitoring
• Knowledge and file transfers, downloads, or exports
• Consumer authentication (multi-factor authentication and different controls to guard credentials)
• Position-based entry
• Actual-time alerts
• Least privilege entry (consumer solely accesses what is important primarily based on position)
• Keystroke logging
• Web monitoring
• Endpoint safety and information export monitoring
• Routine entry auditing
• Behavioral analytics

Why healthcare organizations want UAM

Healthcare organizations can use UAM to proactively detect insider threats and malicious consumer actions and to information not solely incident response planning and actions, but in addition the enterprise danger evaluation course of. That is particularly necessary as a result of the healthcare {industry} faces relentless and more and more refined cyberattacks, which can embrace social engineering to acquire credentials of workforce members with legitimate entry to information, in addition to true insider threats. 

Risk actors goal healthcare as a result of coated entities and their enterprise associates deal with huge quantities of delicate, and identifiable, information. And these actors should not simply after healthcare info. One profitable breach may end up in the exfiltration of different precious personally identifiable info (PII) discovered inside medical data, like social safety numbers, bank card numbers, financial institution accounts, beginning dates, addresses, and extra.

So it’s not shocking that healthcare has the very best common information breach price, reaching almost $10 million in 2023, topping IBM’s Value of a Knowledge Breach Report for greater than a decade. 

Unhealthy actors are working across the clock to take advantage of vulnerabilities and safety weaknesses, understanding that they’ve the capabilities to steal or ransom information, negatively impression affected person care and repair supply, and, worse, even trigger direct hurt, together with lack of life.

UAM controls, particularly when carried out to observe entry throughout the EHR, can assist healthcare organizations mitigate a few of this danger — and associated response and reputational bills — whereas additionally making certain compliance with HIPAA and different requirements, just like the NIST Cybersecurity Framework. Another advantages of implementing UAM embrace:

• Proactive menace detection
• Actual-time monitoring and alerts
• Sooner, more practical incident response
• Decreased downtime and elevated operational resilience
• Decreased compliance prices
• Improved affected person confidence in service supply
• Model and fame enhancement (we take privateness and safety significantly)
• Alternative to edge out opponents that don’t use UAM controls

Threat evaluation and UAM

HIPAA requires coated entities and enterprise associates to implement cheap and applicable controls to guard the confidentiality, integrity, and availability of affected person information, together with conducting HIPAA-compliant danger evaluation.

Threat evaluation can do extra than simply establish the place chances are you’ll be prone to insider and provide chain danger. Your group can even use danger evaluation to tell your UAM methods, together with the simplest and complete UAM controls to your distinctive surroundings.

A danger evaluation, when carried out correctly, will show you how to establish your essential belongings, perceive your vulnerabilities, and information prioritization efforts to proactively deal with weaknesses.

When you establish your safety and privateness dangers and use your danger evaluation to align these dangers to your enterprise objectives and targets, you may apply this info to information decision-making across the collection of cheap and applicable UAM controls, and information worker schooling and coaching.

In return, you can even use UAM information, for instance, consumer exercise logs, to drive ongoing danger administration, incident response, and workforce engagement methods.

Going past danger evaluation

Whereas each coated entity and enterprise affiliate has a novel assault floor and enterprise objectives, there are industry-recognized consumer exercise monitoring finest practices each group can take to make sure compliance with HIPAA safety and privateness laws. Listed here are 4 suggestions to get you began:

1. Use role-based entry controls (RBAC). Position-based entry controls guarantee customers can solely entry the least quantity of information essential to carry out particular job capabilities. These controls might be position or responsibility-specific. Utilizing RBAC isn’t a set-it-and-forget-it train. It must be an ongoing course of with routine opinions and changes, particularly when workers change roles or go away your group.

2. Conduct routine workforce coaching. Your UAM controls are solely as efficient as these utilizing them. Routine worker coaching and schooling are crucial, however this could transcend your group members and lengthen into your C-suite, board, different key stakeholders, and even your provide chain, wherever doable. This consists of consciousness of primary cyber and information privateness finest practices, resembling sturdy passwords, procedures to establish suspicious actions, and the way and the place to report suspicious consumer actions. By aligning this coaching to every consumer’s particular position or job operate, you may enhance consumer buy-in and assist them higher perceive their position in your group’s general safety and resilience wants.

3. Use behavioral analytics. Use consumer exercise monitoring and related information logs to raised perceive consumer patterns. It will mean you can shortly establish anomalies and swiftly reply to potential incidents in real-time. Proactive menace identification can assist you keep a number of steps forward of attackers to successfully mitigate dangers earlier than they grow to be real-world safety incidents.

4. Conduct routine audits and set up audit trails. All healthcare organizations with ePHI want routine inside and third-party audits and assessments to make sure HIPAA compliance, particularly to lower the possibility you’ll expertise a breach and face potential regulatory fines and penalties. Audits and compliance assessments that display you’re successfully monitoring, monitoring, and documenting UAM controls can set up a complete audit path to make sure you ace your subsequent audit or regulatory investigation and might display you’re successfully defending affected person information privateness and safety.

Consumer exercise monitoring is significant for each healthcare group’s cybersecurity and information privateness technique. These controls can play an necessary position in defending your enterprise in opposition to insider threats and potential information breaches whereas additionally making certain ongoing HIPAA compliance.

Photograph: traffic_analyzer, Getty Photos

Andrew Mahler, JD, CIPP/US, AI Governance Skilled (AIGP), CHC, CHPC, CHRC is the Vice President of Privateness, and Compliance Companies at Clearwater, the place he leads information privateness and healthcare compliance consulting and managed providers. Andrew has supported numerous shoppers with privateness and compliance assessments, advisory help, and consulting, and in Interim Chief Privateness Officer roles. Earlier than Clearwater, Andrew served because the Chief Privateness and Analysis Integrity Officer for the College of Arizona, the place he was liable for implementing privateness and analysis compliance packages for the universities, departments, clinics, hospitals, and educational well being sciences all through Arizona.

Andrew is a lawyer and holds the CIPP/US, CHC, CHRC, and CHPC certifications. He has developed programs in healthcare regulation and information privateness and is a visitor lecturer for different regulation and enterprise programs in regulation, healthcare, and compliance. As well as, he has printed and introduced on matters together with well being regulation, information privateness and HIPAA, analysis compliance, and danger administration.

This put up seems by way of the MedCity Influencers program. Anybody can publish their perspective on enterprise and innovation in healthcare on MedCity Information by way of MedCity Influencers. Click on right here to learn how.