HUMAN VS. MACHINE Embracing the Old or Exploring New Frontiers

Post on 30-Jul-2020


Page 1: HUMAN VS. MACHINE · Marti Arvin, VP Audit Strategy, Cynergistek, Inc. DISCLAIMER: This presentation contains slides that have been combined for purposes of presentation ... that

HUMAN VS. MACHINE: Embracing the Old or Exploring New Frontiers


FACILITATORS

Holly Benton, Duke Privacy, Duke University

Lauren Steinfeld, Chief Privacy Officer, Penn Medicine

Marti Arvin, VP Audit Strategy, Cynergistek, Inc.


DISCLAIMER: This presentation contains slides that have been combined for purposes of presentation continuity. The speakers do not necessarily endorse the content of each other’s slides. Moreover, the views expressed in this presentation belong to the speakers and do not necessarily represent the views of their organizations or other organizations.



AGENDA

• Case Study 1

• Case Study 2

• Case Study 3

• Questions


CASE STUDY 1


CASE STUDY 1 – HUMANS & MACHINES

• Your privacy team has been analyzing access logs from your Electronic Health Record to audit for inappropriate access to records. The team has been focusing its proactive monitoring mainly on VIP patients and their care teams, as well as on access to records that are protected by an extra layer of protection (BTG). You also perform “reactive” audits based on allegations made by patients and staff.


CASE STUDY 1 – HUMANS & MACHINES

• A new tool is being used by a peer institution that uses behavioral analytics anomaly detection to find inappropriate access to medical records. You have reviewed the tool and are impressed that the tool utilizes your EHR data, HR data, and social media & news media search queries together to hone in on suspected inappropriate access. You’d like to bring this tool to your institution to streamline proactive monitoring.

• One example scenario the vendor presents: “A well-known community member (politician) was accessed by an individual who was not on the care team, and the addresses of the patient & employee show that they are neighbors.”
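To make concrete what the human-targeted monitoring above already covers before any behavioral analytics tool is brought in, here is an added example (not from the presentation) of the rule the privacy team applies by hand: flag every access to a VIP or BTG-protected record by a user outside the documented care team, and rank BTG accesses by whether a reason was attested. The field names, patient flags, care teams and log rows are constructed assumptions.

```python
# Added example (not from the presentation): the targeted, rule-based audit that
# Case Study 1's privacy team runs over EHR access logs. Data model, field names
# and all sample rows are constructed for illustration.
from collections import namedtuple

Access = namedtuple("Access", "user patient action btg_reason")

# Constructed patient flags (VIP, break-the-glass protected) and documented care teams.
PATIENT_FLAGS = {
    "P100": {"vip": True,  "btg": False},
    "P200": {"vip": False, "btg": True},
    "P300": {"vip": False, "btg": False},
}
CARE_TEAM = {
    "P100": {"dr_lee", "rn_patel"},
    "P200": {"dr_kim"},
    "P300": {"dr_lee"},
}

# Constructed access log: user, patient, action, BTG reason recorded at the time (if any).
ACCESS_LOG = [
    Access("dr_lee",    "P100", "view_notes", None),           # care team: fine
    Access("clerk_ann", "P100", "view_notes", None),           # VIP record, not on care team
    Access("dr_kim",    "P200", "view_notes", None),           # care team: fine
    Access("dr_ng",     "P200", "view_notes", "ED consult"),   # BTG with reason: human reviews it
    Access("dr_ng",     "P200", "view_labs",  None),           # BTG without reason: highest priority
    Access("clerk_ann", "P300", "schedule",   None),           # unflagged patient: out of scope
]

def audit(log, flags, care_team):
    """Return (user, patient, action, severity) for accesses to VIP or BTG-protected
    records by users who are not on the patient's documented care team."""
    findings = []
    for a in log:
        f = flags.get(a.patient, {})
        if not (f.get("vip") or f.get("btg")):
            continue                        # proactive monitoring scope: VIP and BTG only
        if a.user in care_team.get(a.patient, set()):
            continue                        # documented care-team member
        if f.get("btg") and a.btg_reason is None:
            severity = "high"               # protected record opened with no BTG attestation
        elif f.get("btg"):
            severity = "review"             # reason was recorded; a human checks it is genuine
        else:
            severity = "medium"             # VIP record viewed by someone outside the care team
        findings.append((a.user, a.patient, a.action, severity))
    return findings
```

What this rule cannot express is exactly what the vendor's pitch adds: correlating the access with HR, address and news data (the "neighbors" scenario), which is where the considerations that follow come in.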


CONSIDERATIONS – CASE STUDY 1

• What are the implications of utilizing this tool?

• What are the different implications of using behavioral analytics software instead of human beings’ targeted auditing?

• Does leadership need to be briefed and if so on what aspects?

• Do you limit what the tool looks for?


CONSIDERATIONS – CASE STUDY 1

• What are the considerations for educating staff & patients about this tool?

• Will there be awareness about the results of using the tool, i.e. disciplinary actions resulting from the tool?

• Other considerations?

• Breach notification to individuals – VIP scenario

• Work force considerations – termination and how that affects operations


CASE STUDY 2


CASE STUDY 2 – HUMANS & MACHINES

• During a recent review of incident assessment metrics, you identify a steady rise in reportable breaches over the past few years from unencrypted data leaving your institution. The circumstances of each incident vary, but the bottom line is that data is going out unprotected, without the benefit of HIPAA’s safe harbor.


CASE STUDY 2 – HUMANS & MACHINES

• Your HIPAA training covers the significance of encryption and you have rolled out an email communication program that uses fun, memorable reminders to keep people focused on the need for encryption. You think it’s working, and it was certainly less expensive than the recent laptop encryption rollout, but the rise in incidents suggests otherwise.


CASE STUDY 2 – HUMANS & MACHINES

• Your charge is to minimize reportable breaches and effectively implement risk-based HIPAA compliance across the board with what is already resourced.

• You have three strategies at play; all have their strengths, but each has significant limitations:

• DLP – increasing controls means more false positives

• Encryption – encrypting more than laptops is ideal, but there is no funding for the initiative

• Communication/training – more is great, but it’s challenging to measure effectiveness


CASE STUDY 2 – HUMANS & MACHINES

• You worry about the frustrations and human resource implications related to DLP false positives.

• Revisiting HIPAA training is already on your annual plan, and you have been considering partnering with ISO and communications on a more robust communications campaign.

• Encrypting additional devices makes sense, but leadership’s funding support was limited to laptops.


CASE STUDY 2 – CONSIDERATIONS

• What are the issues around providing encrypted devices?

• Is it simply economic?

• Is there more risk due to more access?

• What are the limits of data loss prevention?

• False positives? Illusion of comprehensive coverage?

• Frustrated staff, faculty and outside partners?


CASE STUDY 2 – CONSIDERATIONS

• Can training or communication plans have an impact on the numbers?

• What other issues does this highlight?

• Culture?

• Awareness?


CASE STUDY 3


CASE STUDY 3 – HUMANS & MACHINES

• To comply with HIPAA’s minimum necessary requirement, your entity is considering tightening role-based access to your systems. The system of most concern is the Electronic Medical Record system, which allows for very specific role-based access. This seems to make sense, because your entity has inpatient psychiatry units, infectious disease clinics, as well as family planning & pregnancy loss clinics.


CASE STUDY 3 – HUMANS & MACHINES

• Your HIPAA training & awareness program addresses the minimum necessary requirement, but you are finding that users are accessing records outside of the scope of their duties.


CASE STUDY 3 – HUMANS & MACHINES

• One suggestion is that front desk staff be limited to the clinic or group for which they work, as well as to only certain areas of the chart, like the appointment desk. This would prevent a dermatology registration employee from accessing oncology or radiology information in a patient record.


CASE STUDY 3 – HUMANS & MACHINES

• Alternatively, another person suggests limiting clinicians to their area of specialty within the chart. A family medicine doctor would not be able to access notes and encounter information for psychiatric appointments.
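The two proposals above can be written down as a single role-based check, which makes the trade-off between minimum necessary and patient safety visible. The added example below (not from the presentation) confines front desk staff to their own clinic and to non-clinical chart sections, confines clinicians to the sections their specialty needs, and gives clinicians a break-the-glass override that is granted but recorded for the privacy team to audit. Role names, chart sections, the sample users and the override path are all constructed assumptions.

```python
# Added example (not from the presentation): a minimal role-based chart access
# check modelling the two Case Study 3 proposals. Role names, chart sections,
# users and the break-the-glass override are assumptions chosen for illustration.

# Chart sections each role may open.
ROLE_SECTIONS = {
    "front_desk":      {"appointments", "demographics"},
    "family_medicine": {"appointments", "demographics", "notes", "labs"},
    "psychiatry":      {"appointments", "demographics", "notes", "labs", "psych_notes"},
}

# Constructed users: role plus the clinic(s) they work for.
USERS = {
    "clerk_derm": {"role": "front_desk",      "clinics": {"dermatology"}},
    "dr_fam":     {"role": "family_medicine", "clinics": {"family_medicine"}},
    "dr_psych":   {"role": "psychiatry",      "clinics": {"psychiatry"}},
}

AUDIT_TRAIL = []   # every break-the-glass override lands here for privacy review

def check_access(user_id, clinic, section, btg_reason=None):
    """Return 'allow', 'allow_btg' or 'deny' for a request to open one chart section
    of a patient seen in `clinic`.

    front_desk users are confined to their own clinic and to non-clinical sections.
    Clinicians are confined to the sections their specialty needs, but may break the
    glass with a stated reason: access is granted and the event is recorded, so the
    safety concern about blocking a treating clinician is handled by audit, not denial."""
    user = USERS[user_id]
    role = user["role"]
    in_own_clinic = clinic in user["clinics"]
    section_ok = section in ROLE_SECTIONS[role]
    if role == "front_desk":
        return "allow" if in_own_clinic and section_ok else "deny"
    if section_ok:
        return "allow"
    if btg_reason:
        AUDIT_TRAIL.append((user_id, clinic, section, btg_reason))
        return "allow_btg"
    return "deny"
```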


CONSIDERATIONS – CASE STUDY 3

• What are some questions that are raised by limiting EMR access?

• Are there safety risks associated with limiting a clinician’s access?

• Will there be logistic issues limiting a front desk worker’s access?

• Are there populations outside of your entity that are higher risk and require more scrutiny/focus?

• Outside physicians

• Community Connect

• Auditors or other 3rd parties

• Can general training and awareness suffice rather than tighter role-based access?


QUESTIONS


CONTACT INFORMATION

Holly Benton

[email protected]

919-684-0497

Lauren Steinfeld

[email protected]

215-573-3348

Marti Arvin

[email protected]

512-402-8550, ext 8071