Is your ePHI and Legacy Data Protected from Internal Threats?

Internal PHI Threats

Still a newcomer to the title of most cyberattacked industry in North America, healthcare has its work cut out for it. Health IT teams must protect data from external hackers. However, just like a creepy image from a horror movie, sometimes the threat is coming from right within the organization.

Internal threats to ePHI include:

Snooping – One internal threat that plagues IT teams is employees snooping in patient records where they shouldn’t be looking. Snooping often takes the form of looking up a celebrity patient record after a case makes the news, or viewing the record of a family member or friend. Some employees lose their jobs over it, because viewing patient records without authorized access violates federal law under HIPAA.

Employee negligence – Beyond snooping, unintended data disclosure, such as emails containing PHI sent to the wrong recipient or servers left publicly accessible, accounted for 41 percent of reported health data breaches in the first nine months of 2017, according to research from Beazley.

Flat-out stealing – According to Verizon’s 2015 Data Breach Investigations Report, roughly 20 percent of all breaches are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information. The report does not measure healthcare breaches alone, which shows that the problem is widespread across many verticals.

Most organizations have an audit log built into their production electronic health record (EHR). This is an important layer of IT security, and regular reviews of audit logs are critical to:

• Detect unauthorized access to patient information
• Establish a culture of responsibility and accountability
• Reduce the risk associated with inappropriate accesses (Note: Behavior may be altered when individuals know they are being monitored)
• Provide forensic evidence during investigations of suspected and known security incidents and breaches to patient privacy, especially if sanctions against a workforce member, business associate, or other contracted agent will be applied
• Track disclosures of PHI
• Respond to patient privacy concerns regarding unauthorized access by family members, friends, or others
• Evaluate the overall effectiveness of the organization’s policy and user education regarding appropriate access and use of patient information (Note: This includes comparing actual workforce activity to expected activity and discovering where additional training or education may be necessary to reduce errors)
• Detect new threats and intrusion attempts
• Identify potential problems
• Address compliance with regulatory and accreditation requirements

Source: http://library.ahima.org/doc?oid=300276#.WpSmP-dG3IV
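A minimal sketch of the audit-log review described above, flagging the snooping patterns named earlier (celebrity records, family members). It is an added example, not code from FairWarning, Harmony Healthcare IT or any EHR; the log format, care-team table and VIP list are constructed assumptions.

```python
import csv
import io

# Constructed sample audit log: not exported from any real EHR.
AUDIT_LOG = """\
timestamp,user_id,user_surname,patient_id,patient_surname,action
2018-02-12T09:14:00,u1001,Rivera,p501,Okafor,VIEW_CHART
2018-02-12T09:20:00,u1002,Chen,p502,Chen,VIEW_CHART
2018-02-12T22:47:00,u1003,Patel,p777,Monroe,VIEW_CHART
2018-02-13T08:05:00,u1004,Nguyen,p777,Monroe,VIEW_CHART
2018-02-13T11:40:00,u1006,Brooks,p503,Diaz,VIEW_CHART
"""

# Hypothetical reference data a reviewer would pull from scheduling systems:
# (user, patient) pairs with a documented treatment relationship.
CARE_TEAM = {("u1001", "p501"), ("u1004", "p777")}
VIP_PATIENTS = {"p777"}  # e.g. a patient whose case made the news


def review_accesses(log_text, care_team, vip_patients):
    """Return (row, reasons) for each access that needs human review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["user_id"], row["patient_id"]) in care_team:
            continue  # documented treatment relationship: expected access
        reasons = []
        if row["patient_id"] in vip_patients:
            reasons.append("vip_record_without_care_relationship")
        if row["user_surname"].casefold() == row["patient_surname"].casefold():
            reasons.append("surname_match_possible_family_member")
        if not reasons:
            reasons.append("no_care_relationship")
        findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review_accesses(AUDIT_LOG, CARE_TEAM, VIP_PATIENTS):
        print(row["timestamp"], row["user_id"], row["patient_id"], ", ".join(reasons))
```

Each finding is a lead for a privacy officer to investigate, not proof of misuse: a surname match can be coincidence, and legitimate coverage or emergency access may not appear in the care-team table.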

FairWarning protects ePHI – including legacy records
Privacy and security teams can spend days manually poring over audit logs to spot insider threats and provide evidence for the misuse of access to ePHI.

Organizations struggle to keep up with securing access to ePHI and responding to inquiries for access to ePHI due to industry challenges such as mergers and acquisitions, large volumes of data, complex workflows, and heavy regulatory burden.

With FairWarning, those days are gone.

Auditing more than 375 business applications, FairWarning solutions provide a comprehensive platform and managed services for performing forensic investigations of applications, enforcing access policies, conducting legal investigations, and improving compliance effectiveness.

Your audit log is just the beginning. FairWarning’s programs and services are constantly on the lookout for suspicious activity based on specific logic designed for your organization’s set of rules.

FairWarning helps its customers through OCR audits, forensic investigations, eDiscovery and lawsuits, and proactive detection of misuse, all while giving them time back in their day.

“Our customers are under pressure to do more with less with their privacy, security, and compliance investments,” said Hobie Long, Marketing and Media Manager at FairWarning. “FairWarning’s Patient Privacy Intelligence platform offers a path forward for organizations to focus their time on securing patient data more efficiently, and most importantly improving the quality of patient care.”

Legacy Records now are Protected
Recently, Harmony Healthcare IT became the first discrete data archiving company certified by FairWarning to implement its audit platform for monitoring the long-term security of historical patient and employee record storage.

Together, FairWarning and Harmony Healthcare IT ensure that electronic Protected Health Information (ePHI) within Harmony Healthcare IT’s HealthData Archiver® (HDA) product is monitored and protected for unusual activity and compliance through FairWarning’s Patient Privacy Monitoring Platform. This means healthcare providers can have the same peace of mind for their go-forward EHR and legacy archived data since the complete patient record is blanketed by the added security of the robust FairWarning.

Do you have concerns about protecting your organization’s ePHI? Are you ready to shore up your legacy records into a secure archive with an added level of protection?

Connect with us online. Or, visit us at HIMSS18, March 5-9 at the Sands Convention Center in Las Vegas. Harmony Healthcare IT will be at booth #1454 and at kiosk #8600-66 in the Cybersecurity Command Center. FairWarning will be at kiosk #8600-75 in the Cybersecurity Command Center. Both companies will be giving a theater presentation.

Mar 02 2018
