Access Audits as a Breach Deterrent

Why Kaiser Permanente Stresses Accountability
To protect patient privacy without adversely affecting the quality of healthcare delivered, hospitals and clinics need to aggressively monitor records access in addition to appropriately using access controls, says Eric Liederman, M.D. He's director of medical informatics for The Permanente Medical Group, a Northern California physician practice that's part of the national Kaiser Permanente organization.

He portrays the approach as striking a balance between access control and accountability, but advocates placing stronger emphasis on the latter. That's because if role-based access controls are too strict, they can hurt the quality of care.

"Access restriction has its place," Liederman says. "Role-based access generally works. ... But you never know what a clinician might need to do in their role now and then. So it's pretty hard to effectively restrict access without cutting out the ability of people to do their jobs."

Access control "tends to get over-used" as a way to prevent internal breaches involving inappropriate access to patient records, Liederman argues. "It's very commonly used as the only approach to protect privacy ... It needs to be used in combination with accountability."

Liederman made his comments in a presentation Feb. 21 at the Healthcare Information and Management Systems Society Conference in Las Vegas.

EHR Log Function

Kaiser Permanente in Northern California uses the access log function within its inpatient and outpatient electronic health records systems, both from Epic Systems Corp., to selectively track records access and detect snooping. Other units of the organization across the nation use a similar approach, Liederman explains.

Although the Northern California region has 21 hospitals and 7,000 physicians, only two dedicated report writers handle the EHR access audit process, Liederman says. The key, he says, is to conduct targeted audits focusing on situations with the highest risks. That includes, for example, employees looking up records of neighbors and clinicians accessing inappropriate records, such as labor and delivery staff members looking up records of patients who are not pregnant.

By publicizing the audit effort, healthcare organizations can dramatically cut back on inappropriate access to records, Liederman contends. In Northern California, Kaiser Permanente saw a 90 percent reduction in privacy violations within weeks of ramping up records access audits, and the reductions have since been maintained, he says.

"If I know I'm going to get caught and fired" for inappropriately accessing a record, that's a powerful deterrent, he adds.

Accountability Tips

In launching an accountability program through access audits, Liederman advises organizations to take several steps, including:

  • Record all record views;
  • Investigate all complaints;
  • Use surveillance to find silent offenders;
  • Sanction the guilty;
  • Publicize the sanctions;
  • When implementing access controls, offer a "break the glass" function for use in emergencies. Liederman's organization lets clinicians open a record they normally could not by choosing a reason from a pick list and re-entering their password, and both steps are recorded and appear in the audit report.

"So far, no one who has broken the glass, that we're aware of, has been found to be a privacy violator," he notes.
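The rules Liederman describes above (neighbor lookups, labor-and-delivery staff viewing records of patients who are not pregnant, and break-the-glass events surfacing in the audit report) can be expressed as a small set of detections run over access-log records. The following is an added example written for this article; it is not code from Kaiser Permanente, Epic Systems or the author. The pipe-delimited log format, the field names, the use of a shared home postal code as a stand-in for "neighbor," and the sample log lines are all constructed assumptions.

```python
"""Targeted EHR access-log audit rules.

Example code added to illustrate the article; not from Kaiser Permanente
or Epic. The pipe-delimited log format, the field names, the postal-code
proxy for "neighbor" and the sample records below are constructed
assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str           # e.g. nurse, physician, clerk
    unit: str           # department the user works in
    user_zip: str       # user's home postal code (assumed to come from HR data)
    patient: str
    patient_zip: str    # patient's home postal code from the chart
    pregnant: bool      # patient attribute used by the labor & delivery rule
    treating: bool      # user is on the patient's documented care team
    break_glass: str    # pick-list reason if break-the-glass was used, else ""


# Constructed sample log: one access event per line (not real data).
SAMPLE_LOG = """\
2024-02-21T08:02:11|rn_alvarez|nurse|labor_delivery|94612|P1001|94110|pregnant=1|treating=1|bg=
2024-02-21T08:15:40|rn_alvarez|nurse|labor_delivery|94612|P2042|94612|pregnant=0|treating=0|bg=
2024-02-21T09:01:05|clerk_ng|clerk|registration|94704|P3310|94704|pregnant=0|treating=0|bg=
2024-02-21T09:30:22|dr_kim|physician|emergency|94501|P4477|94110|pregnant=0|treating=0|bg=unresponsive patient, chart locked
2024-02-21T10:12:00|dr_kim|physician|emergency|94501|P1001|94110|pregnant=1|treating=1|bg=
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed pipe-delimited format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, unit, uzip, patient, pzip, preg, treat, bg = line.split("|")
        events.append(AccessEvent(
            ts, user, role, unit, uzip, patient, pzip,
            pregnant=preg.split("=", 1)[1] == "1",
            treating=treat.split("=", 1)[1] == "1",
            break_glass=bg.split("=", 1)[1],
        ))
    return events


def neighbor_lookups(events: List[AccessEvent]) -> List[AccessEvent]:
    """Rule 1: a user with no care relationship views a patient who shares
    the user's home postal code (a proxy for the 'looking up neighbors' case)."""
    return [e for e in events if not e.treating and e.user_zip == e.patient_zip]


def unit_mismatch(events: List[AccessEvent]) -> List[AccessEvent]:
    """Rule 2: labor & delivery staff viewing a patient who is not pregnant."""
    return [e for e in events if e.unit == "labor_delivery" and not e.pregnant]


def break_glass_events(events: List[AccessEvent]) -> List[AccessEvent]:
    """Every break-the-glass access is reported for review, whether or not
    another rule fires; the recorded reason is what the reviewer checks."""
    return [e for e in events if e.break_glass]


RULES = {
    "neighbor_lookup": neighbor_lookups,
    "unit_mismatch": unit_mismatch,
    "break_glass": break_glass_events,
}


def audit(events: List[AccessEvent]) -> Dict[str, List[str]]:
    """Run every rule and group the rule names that fired by user, so that
    'silent' offenders surface even when no complaint was filed."""
    hits: Dict[str, set] = {}
    for name, rule in RULES.items():
        for e in rule(events):
            hits.setdefault(e.user, set()).add(name)
    return {user: sorted(names) for user, names in hits.items()}


if __name__ == "__main__":
    for user, names in sorted(audit(parse_log(SAMPLE_LOG)).items()):
        print(f"{user}: {', '.join(names)}")
```

Grouping hits by user rather than by event is deliberate: the article's point is accountability for people, and a user who trips the neighbor rule and the unit rule in the same week is a stronger candidate for investigation than either event alone. Break-the-glass hits are reported separately from violations because, as the article notes, the act of breaking the glass is legitimate; the reviewer's job is to confirm the recorded reason.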

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
