Children’s Hospital CMIO turns entrepreneur to more rapidly detect patient data breaches

Children’s Hospital of Philadelphia is working with DreamIt Ventures through its Open Canvas@CHOP program to identify enterprise software applications and commercially viable companies. It recently selected two companies from the pediatric hospital to go through the one-year program, Haystack and 3D Pediatrics. Haystack, a security analytics company, was co-founded by CHOP Chief Medical Information Officer Dr. Bimal Desai to more rapidly identify patient data breaches.

In response to emailed questions, he talked about the technology behind Haystack and what spurred him to start the company with co-founder Adrian Talapan.

What triggered the concept for this company?

I was motivated to solve this problem of [electronic health record] patient privacy after seeing examples of breaches across the country, where EHR users “snooped” on patient data in the EHR.  This is a big deal because hospitals are required by the Office of Civil Rights and the HITECH Act to monitor EHR access logs and have a process in place to identify and investigate suspected privacy breaches.

I spoke with privacy professionals at our organization to learn more about this issue and to learn how they tackle the problem currently.  I wanted to know, for a complex patient, let’s say someone who was admitted to the ICU for two weeks, how much audit data a privacy officer would have to review to conduct an investigation, and I was shocked at the answer.  For one patient with a two-week hospitalization, we were talking about nearly 100,000 rows of audit log data. And, if that patient had a suspected breach, a privacy officer would have to manually review those access events for something that looked suspicious. That’s an overwhelming task.

Anecdotally, I know of hospitals that randomly audit the EHR access logs of 100 patients per month to meet the privacy requirements.  That task alone can take one to two full-time employees two weeks, which is amazing considering that those 100 patients are the tip of the iceberg. To me, this means there’s a huge disconnect between what hospitals must do, because it’s the right thing to do to protect patient privacy and because it’s legally required of us; and what we can do given the state of the art in EHR privacy monitoring.

Do children’s hospitals tend to be more vulnerable to data breaches?

I don’t think we’re more or less vulnerable.  The motivations may be different (someone could snoop on the records of their neighbor’s kids, rather than the neighbor herself).  But Haystack isn’t specific to children’s hospitals. In fact, we’re looking for a variety of sites to pilot Haystack: small, medium, and large healthcare systems; adult and pediatric.

How does it work?

Modern EHRs keep an exhaustive access log of who did what for which patient, on what date/time, from which workstation.  Every screen you look at, every report you print, every order you place, every note you write ends up as a row in the access log.  It’s a built-in function to track audit logs, specifically for this purpose and to support other hospital auditing and legal requirements.  By definition, these logs are exhaustive: They capture every access event in your EHR, whether they represent normal care or not.  And that’s why you need a different tool altogether to identify snooping.  Access logs, by themselves, were never designed to identify breach.

What are some of the examples of wrong patient data uses that this technology is designed to prevent or reduce?

EHRs are, by their nature, distributed, multi-user systems.  We see a million patients per year in our ambulatory network.  We see upwards of 70 thousand patients per year in our emergency department.  We have thousands of users who are required – as part of their job – to interact with the EHR.  While hospitals can define levels of EHR access through “role-based access control” or RBAC (the EHR rules that specify, for example, that a nurse can view lab results but can’t sign medication orders), RBAC doesn’t prevent snooping. As a physician, my EHR access allows me to see the demographic and lab information of every patient in the system. It’s my ethical responsibility to only do so for patients in whose care I’m involved. If I cross that line, I’m committing a privacy violation. It could be out of curiosity (reading the notes of a hospitalized celebrity or a neighbor’s child), or out of malice (intent to commit identity theft).
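The two answers above make one concrete point: the access log records every event the EHR allowed, and RBAC only asks whether the role may perform the action, not whether the user had any reason to touch that patient. The script below is an editorial illustration of the distinction, not Haystack’s code (the interview does not describe its analytics). It runs over constructed audit rows in the shape Dr. Desai describes (timestamp, user, role, patient, action, workstation), applies a hypothetical RBAC table, and then separately checks each access against a constructed care-relationship list, so that an event which RBAC permits but which has no documented relationship is surfaced as a snooping candidate. The role names, actions, grace window and all data are assumptions made for the example.

```python
"""Separating RBAC violations from 'snooping' in EHR access-log rows.

Added example, not Haystack's code. Every row, role and relationship
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed access-log rows: timestamp, user, role, patient, action, workstation.
ACCESS_LOG = """\
2023-03-01T08:02:11,u1001,nurse,P-500,VIEW_LABS,WS-ICU-03
2023-03-01T08:05:40,u1001,nurse,P-501,VIEW_NOTES,WS-ICU-03
2023-03-01T09:15:00,u2002,physician,P-500,SIGN_ORDER,WS-ICU-01
2023-03-01T22:40:03,u2002,physician,P-777,VIEW_NOTES,WS-VPN-17
2023-03-02T10:00:00,u3003,registrar,P-777,VIEW_DEMOGRAPHICS,WS-ADM-02
2023-03-02T10:01:00,u3003,registrar,P-777,VIEW_NOTES,WS-ADM-02
2023-03-05T12:00:00,u1001,nurse,P-500,VIEW_LABS,WS-ICU-03
"""

# Hypothetical RBAC table: which actions each role may perform on ANY patient.
ROLE_PERMISSIONS = {
    "nurse": {"VIEW_DEMOGRAPHICS", "VIEW_LABS", "VIEW_NOTES"},
    "physician": {"VIEW_DEMOGRAPHICS", "VIEW_LABS", "VIEW_NOTES", "SIGN_ORDER"},
    "registrar": {"VIEW_DEMOGRAPHICS"},
}

# Constructed care relationships: (user, patient, start, end) drawn from
# shift assignments, attending coverage and registration windows.
CARE_RELATIONSHIPS = [
    ("u1001", "P-500", "2023-03-01T07:00:00", "2023-03-01T19:00:00"),
    ("u2002", "P-500", "2023-02-28T00:00:00", "2023-03-05T00:00:00"),
    ("u3003", "P-777", "2023-03-02T09:30:00", "2023-03-02T11:00:00"),
]

# Assumed follow-up window after a relationship ends (chart completion,
# result review) before an access is treated as a snooping candidate.
GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    workstation: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse CSV-style audit rows; malformed rows are skipped, never guessed."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, user, role, patient, action, ws = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action, ws))
    return events


def rbac_permits(event: AccessEvent) -> bool:
    """The only question RBAC answers: may this role perform this action?"""
    return event.action in ROLE_PERMISSIONS.get(event.role, set())


def has_relationship(event: AccessEvent, rels=CARE_RELATIONSHIPS, grace=GRACE) -> bool:
    """The question RBAC does not answer: was this user involved in this patient's care?"""
    for user, patient, start, end in rels:
        if user != event.user or patient != event.patient:
            continue
        if datetime.fromisoformat(start) <= event.ts <= datetime.fromisoformat(end) + grace:
            return True
    return False


def classify(event: AccessEvent) -> str:
    if not rbac_permits(event):
        return "rbac_denied"          # the EHR's own controls catch this class
    if not has_relationship(event):
        return "snooping_candidate"   # permitted by role, but no care relationship
    return "ok"


def triage(events: list[AccessEvent]) -> dict[str, list[AccessEvent]]:
    buckets = defaultdict(list)
    for e in events:
        buckets[classify(e)].append(e)
    return dict(buckets)


def summarize_by_user(flagged: list[AccessEvent]) -> dict[str, tuple[int, list[str]]]:
    """Collapse flagged rows per user so a privacy officer reviews users, not rows."""
    per_user = defaultdict(lambda: {"events": 0, "patients": set()})
    for e in flagged:
        per_user[e.user]["events"] += 1
        per_user[e.user]["patients"].add(e.patient)
    return {u: (v["events"], sorted(v["patients"])) for u, v in per_user.items()}


if __name__ == "__main__":
    buckets = triage(parse_log(ACCESS_LOG))
    for name, rows in buckets.items():
        print(name, len(rows))
    print(summarize_by_user(buckets.get("snooping_candidate", [])))
```

Of the seven constructed rows, only the registrar’s VIEW_NOTES is stopped by RBAC; the nurse reading a patient she is not assigned to, the physician opening an unrelated chart over VPN at night, and the nurse returning to a former patient days after the assignment ended all pass RBAC and only show up when the access is compared against a care relationship. In a real deployment the relationship source (ADT encounters, staffing assignments, order and consult records) and the grace window are the hard part, and they are what the detection quality depends on.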

What happens when someone does do the wrong thing? Who gets notified first?

A hospital’s response to actual breach events is typically multi-tiered, involving partnership between information security, privacy/compliance, and risk/legal, but it begins with an exhaustive investigation of the breach. The privacy officer would begin by reviewing the access logs to see what protected health information may have been compromised, conducting interviews with staff and documenting findings, contacting the employee’s manager, etc.  In addition to the privacy analytics and visual display, Haystack also includes features to simplify the documentation and investigation tracking functions. Our goal is to give privacy professionals the right tools, so that healthcare organizations can fulfill the promise of patient privacy.

[Photo credit: Flickr user Nick Carter]
