
In light of increasing incidents and data breaches across the industry, healthcare organizations are responding by beefing up their proactive cyber defenses to address privacy and security controls already required by HIPAA.
But while it has become standard practice for healthcare organizations to focus on identifying and stopping external threats to the privacy and security of data, one often overlooked risk may be right inside your offices — snooping employees and malicious insider threats.
Even with routine, effective employee training that addresses common attack methods like social engineering and phishing, healthcare data remains vulnerable. In fact, nearly 70% of data breaches involve a human element. This risk, in addition to regulatory risk, is why it’s so important to keep a close eye on user activity across your entire organization — and your supply chain, wherever possible — for anyone who accesses data about patients as well as other protected data.
What is user activity monitoring (UAM)?

The National Institute of Standards and Technology (NIST) defines user activity monitoring (UAM) as the capability to “observe and record the actions and activities of an individual, at any time, on any device.” It goes on to say UAM can “detect insider threat and to support authorized investigations.”
Types of UAM
User activity monitoring can help healthcare organizations track and proactively identify suspicious or unauthorized access to protected data like ePHI within electronic health records (EHR) systems.
Industry-recognized UAM controls also help to ensure compliance with HIPAA standards to protect the confidentiality, integrity, and availability of healthcare data.
There are many types of user activity monitoring, for example:
- Access logs and monitoring
- Data and file transfers, downloads, or exports
- User authentication (multi-factor authentication and other controls to protect credentials)
- Role-based access
- Real-time alerts
- Least privilege access (user only accesses what is necessary based on role)
- Keystroke logging
- Internet tracking
- Endpoint protection and data export tracking
- Routine access auditing
- Behavioral analytics
Why healthcare organizations need UAM
Healthcare organizations can use UAM to proactively detect insider threats and malicious user activities and to guide not only incident response planning and activities, but also the enterprise risk analysis process. This is especially important because the healthcare industry faces relentless and increasingly sophisticated cyberattacks, which may include social engineering to obtain credentials of workforce members with valid access to data, as well as true insider threats.
Threat actors target healthcare because covered entities and their business associates handle vast amounts of sensitive, identifiable data. And these actors are not just after healthcare information. One successful breach can result in the exfiltration of other valuable personally identifiable information (PII) found within medical records, like social security numbers, credit card numbers, bank accounts, birth dates, addresses, and more.
So it’s not surprising that healthcare has the highest average data breach cost, reaching nearly $10 million in 2023, topping IBM’s Cost of a Data Breach Report for more than a decade.
Bad actors are working around the clock to exploit vulnerabilities and security weaknesses, knowing that they have the capabilities to steal or ransom data, negatively impact patient care and service delivery, and, worse, even cause direct harm, including loss of life.
UAM controls, especially when implemented to monitor access within the EHR, can help healthcare organizations mitigate some of this risk — and related response and reputational expenses — while also ensuring compliance with HIPAA and other standards, like the NIST Cybersecurity Framework. Some other benefits of implementing UAM include:
- Proactive threat detection
- Real-time monitoring and alerts
- Faster, more effective incident response
- Decreased downtime and increased operational resilience
- Decreased compliance costs
- Improved patient confidence in service delivery
- Brand and reputation enhancement (demonstrating that you take privacy and security seriously)
- Opportunity to edge out competitors that don’t use UAM controls
Risk analysis and UAM
HIPAA requires covered entities and business associates to implement reasonable and appropriate controls to protect the confidentiality, integrity, and availability of patient data, including conducting HIPAA-compliant risk analysis.
Risk analysis can do more than just identify where you may be susceptible to insider and supply chain risk. Your organization can also use risk analysis to inform your UAM strategies, including the most effective and comprehensive UAM controls for your unique environment.
A risk analysis, when performed properly, will help you identify your critical assets, understand your vulnerabilities, and guide prioritization efforts to proactively address weaknesses.
Once you identify your security and privacy risks and use your risk analysis to align those risks to your business goals and objectives, you can apply this information to guide decision-making around the selection of reasonable and appropriate UAM controls, and guide employee education and training.
In return, UAM data such as user activity logs can drive ongoing risk management, incident response, and workforce engagement strategies.
Going beyond risk analysis
While every covered entity and business associate has a unique attack surface and business goals, there are industry-recognized user activity monitoring best practices every organization can take to ensure compliance with HIPAA security and privacy regulations. Here are four recommendations to get you started:
- Use role-based access controls (RBAC). Role-based access controls ensure users can only access the least amount of data necessary to perform specific job functions. These controls can be role or responsibility-specific. Using RBAC isn’t a set-it-and-forget-it exercise. It should be an ongoing process with routine reviews and adjustments, especially when employees change roles or leave your organization.
- Conduct routine workforce training. Your UAM controls are only as effective as those using them. Routine employee training and education are imperative, but this should go beyond your team members and extend into your C-suite, board, other key stakeholders, and even your supply chain, wherever possible. This includes awareness of basic cyber and data privacy best practices, such as strong passwords, procedures to identify suspicious activities, and how and where to report suspicious user activities. By aligning this training to each user’s specific role or job function, you can increase user buy-in and help them better understand their role in your organization’s overall security and resilience needs.
- Use behavioral analytics. Use user activity monitoring and associated data logs to better understand user patterns. This will allow you to quickly identify anomalies and swiftly respond to potential incidents in real time. Proactive threat identification can help you stay several steps ahead of attackers and mitigate risks before they become real-world security incidents.
- Conduct routine audits and establish audit trails. All healthcare organizations with ePHI need routine internal and third-party audits and assessments to ensure HIPAA compliance, especially to decrease the chance you’ll experience a breach and face potential regulatory fines and penalties. Audits and compliance assessments that demonstrate you’re effectively tracking, monitoring, and documenting UAM controls can establish a comprehensive audit trail to ensure you ace your next audit or regulatory investigation and can demonstrate you’re effectively protecting patient data privacy and security.
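To make the controls listed above concrete (access-log monitoring, role-based and least-privilege checks, behavioral analytics against a per-user baseline, real-time alerts, and an audit trail of findings), here is a small Python example. It is added here and is not code from the article or from Clearwater. The log format, the role-to-action policy, the care-team (treatment relationship) table, the per-user daily baseline and the alert thresholds are all constructed assumptions; a real deployment would take these from the EHR's own audit log, its role definitions and its patient rosters.

```python
"""Insider-threat checks over an EHR access audit log (added example, not from the article).

Three of the UAM controls the article lists are applied to a constructed log:
  1. role-based / least-privilege action check,
  2. treatment-relationship ("minimum necessary") check with off-hours weighting,
  3. behavioral analytics: daily access volume against a per-user baseline.
Every finding is emitted as an alert and serialized as an audit-trail record.
"""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample log, one "timestamp key=value ..." event per line (not a real EHR export).
SAMPLE_LOG = """\
2024-03-04T09:12:10 user=nurse_ann role=nurse patient=P1001 action=view
2024-03-04T09:40:03 user=nurse_ann role=nurse patient=P1002 action=view
2024-03-04T10:05:44 user=dr_lee role=physician patient=P1001 action=update
2024-03-04T13:22:09 user=billing_bob role=billing patient=P1001 action=export
2024-03-04T23:58:31 user=nurse_ann role=nurse patient=P2001 action=view
2024-03-05T02:10:15 user=nurse_ann role=nurse patient=P2002 action=view
2024-03-05T02:11:02 user=nurse_ann role=nurse patient=P2003 action=view
2024-03-05T02:11:40 user=nurse_ann role=nurse patient=P2004 action=view
2024-03-05T02:12:20 user=nurse_ann role=nurse patient=P2005 action=view
2024-03-05T02:13:05 user=nurse_ann role=nurse patient=P2006 action=view
2024-03-05T02:13:55 user=nurse_ann role=nurse patient=P2007 action=view
2024-03-05T02:14:30 user=nurse_ann role=nurse patient=P2008 action=view
2024-03-05T08:30:00 user=dr_lee role=physician patient=P1002 action=view
"""

# Assumed least-privilege policy: the actions each role may perform.
ROLE_ACTIONS = {
    "nurse": {"view", "update"},
    "physician": {"view", "update", "order"},
    "billing": {"view"},  # may read for billing purposes, never bulk-export (toy policy)
}

# Assumed treatment relationships: patient -> users on that patient's care team.
# Oncology patients P2001..P2008 have no entry, so nurse_ann is not assigned to them.
CARE_TEAM = {
    "P1001": {"nurse_ann", "dr_lee", "billing_bob"},
    "P1002": {"nurse_ann", "dr_lee"},
}

# Assumed per-user baseline of record accesses per day, as a behavioral
# analytics tool would learn it from history; a day above 3x baseline is anomalous.
DAILY_BASELINE = {"nurse_ann": 2, "dr_lee": 20, "billing_bob": 15}
VOLUME_MULTIPLIER = 3


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into an event dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def is_off_hours(t):
    """Assumed off-hours window: 22:00 to 06:00."""
    return t.hour >= 22 or t.hour < 6


def make_alert(rule, e, detail, severity="medium"):
    """Build one alert record from a single log event."""
    return {"rule": rule, "user": e["user"], "patient": e["patient"],
            "time": e["time"].isoformat(), "severity": severity, "detail": detail}


def analyze(log_text):
    """Run all three controls over the log and return the alerts in detection order."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    daily = defaultdict(int)  # (user, date) -> number of record accesses

    for e in events:
        daily[(e["user"], e["time"].date())] += 1

        # Control 1: the action must be permitted for the user's role.
        if e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            alerts.append(make_alert("role_violation", e,
                                     f"role {e['role']} may not {e['action']}"))

        # Control 2: access without a treatment relationship; off-hours raises severity.
        if e["user"] not in CARE_TEAM.get(e["patient"], set()):
            severity = "high" if is_off_hours(e["time"]) else "medium"
            alerts.append(make_alert("no_treatment_relationship", e,
                                     "access outside the patient's care team", severity))

    # Control 3: daily volume compared with the user's learned baseline.
    for (user, day), count in sorted(daily.items()):
        baseline = DAILY_BASELINE.get(user)
        if baseline and count > VOLUME_MULTIPLIER * baseline:
            alerts.append({"rule": "volume_anomaly", "user": user, "date": day.isoformat(),
                           "severity": "high",
                           "detail": f"{count} accesses vs baseline {baseline}/day"})
    return alerts


def audit_trail(alerts):
    """Serialize alerts as JSON lines, one retained record per finding, for review."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(audit_trail(analyze(SAMPLE_LOG)))
```

On the sample log this produces one role violation (a billing user exporting a record), eight accesses outside the care team (all at night, so rated high), and one volume anomaly for the nurse whose overnight access count far exceeds her baseline. The three findings reinforce each other, which is the point of combining role checks with behavioral analytics: either signal alone could be a legitimate edge case, but a user reading unassigned patients' records, at night, at several times her normal rate, is what an investigator wants surfaced in real time and kept in the audit trail.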
User activity monitoring is vital for every healthcare organization’s cybersecurity and data privacy strategy. These controls can play an important role in protecting your business against insider threats and potential data breaches while also ensuring ongoing HIPAA compliance.
Andrew Mahler, JD, CIPP/US, AI Governance Professional (AIGP), CHC, CHPC, CHRC is Vice President of Privacy and Compliance Services at Clearwater, where he leads initiatives to enhance data protection and compliance across the healthcare industry.
This post appears through the MedCity Influencers program.