Industry Insights with Andrew Mahler, Vice President of Privacy and Compliance, Clearwater

Healthcare, HIPAA/HITECH, Identity & Access Management

User Access Monitoring: 5 Things Healthcare Leaders Should Be Thinking About

User access monitoring is a critical component of a healthcare cybersecurity strategy, serving as a digital sentry guarding the gates to patient data and proprietary information. As the healthcare sector becomes increasingly interconnected, the risks associated with unauthorized access and data breaches loom larger. This is where user access monitoring acts as a watchful guardian, ensuring that only authorized personnel gain access to patient records and confidential data, and that their use of that access is seen and reviewed.

What Is User Access Monitoring?

User access monitoring refers to systematically tracking and analyzing the activities and behaviors of users who interact with digital systems, networks, applications and data within an organization. It involves continuously surveilling user actions - such as logging in, accessing files or databases, making changes to settings, and other relevant activities - to ensure that only authorized individuals use the resources and that their actions are within acceptable boundaries.

The primary goal of user access monitoring is to enhance security by preventing unauthorized access, detecting suspicious or anomalous behavior, and responding promptly to potential security threats or breaches.

By closely monitoring user activities, organizations can:

  • Prevent unauthorized access;
  • Detect insider threats;
  • Mitigate security risks;
  • Ensure compliance;
  • Enhance incident response.

Questions for Healthcare Leaders

Healthcare leaders have been employing user access monitoring for some time now, as it is crucial for maintaining data privacy and security. Still, how and to what extent organizations leverage this as part of their cybersecurity strategies can vary. The following questions involve best practices around user access monitoring, and they aren't discussed as frequently as they should be:

  1. Are the monitoring program and work plan - i.e., alert types, frequency of reviews, investigation procedures, sanctions recommendations, etc. - included in the organization's risk analysis? Regular risk analyses can and should set the priorities for the organization's user access monitoring and auditing function. In turn, user access monitoring contributes to the organization's overall risk analysis by providing real-time insights into its security posture.
  2. Are you performing proactive monitoring? Proactive monitoring involves implementing measures to detect and prevent security incidents before they occur. The focus is on identifying potential risks and vulnerabilities and proactively mitigating them. On the other hand, reactive monitoring is generally a more passive approach, focusing on investigating and mitigating the consequences of incidents after they have already occurred.
  3. Are you monitoring privileged users? Monitoring access by privileged users, such as system administrators or executives, is essential. These users often have elevated permissions and can abuse their privileges for unauthorized activities, data theft, or misconduct.
    • Consider users with temporarily elevated privileges.
  4. Are you monitoring third parties? Organizations frequently grant access to third-party vendors, partners, affiliates or contractors for various purposes. But monitoring their activities can be challenging, especially if they are using their own systems or network connections.
    • Consider assessing your vendor risk program to confirm that your organization has properly assessed risks, tiered vendors accordingly, and included third-party access in its access monitoring program.
  5. Are you monitoring across platforms and applications? With the increasing adoption of cloud services, mobile devices and remote work, user access monitoring must extend beyond traditional on-premises systems. Organizations need to ensure that user activities on various platforms - including cloud applications, virtual environments and mobile devices - are adequately monitored to maintain data privacy and security. For example:
    • Consider systems maintaining data outside the EHR, such as research programs and legacy applications.
    • Consider shadow IT risks. Shadow IT refers to unauthorized technology or software that employees use without the IT department’s knowledge or approval. This can create blind spots in user access monitoring, as IT teams may not be aware of these systems or have visibility into user activities.
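Once the audit log is in hand, the questions above reduce to concrete detection rules. The script below is an added example, not code from the article or from Clearwater: it runs a small rule set over constructed EHR-style audit events and flags privileged accounts opening patient records (question 3), temporarily elevated privileges used outside the approved change window (the bullet under question 3), vendor accounts active outside their maintenance window (question 4), clinicians viewing patients outside their assigned care team, and bulk exports. Every user name, role, window and threshold is hypothetical, and the event format is invented for the example rather than taken from any real EHR.

```python
"""Minimal user access monitoring rules over constructed EHR-style audit records."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    """One audit record (constructed schema, not a real EHR format)."""
    ts: datetime
    user: str
    role: str                  # clinician | admin | vendor
    action: str                # login | view_record | export | config_change
    patient_id: Optional[str]  # None for actions that touch no patient record


# --- Reference data the rules depend on; all hypothetical ---
PRIVILEGED_ROLES = {"admin"}
# Temporarily elevated privileges: user -> (start, end) of the approved change window.
ELEVATION_WINDOWS = {
    "jsmith": (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 0)),
}
# Third-party (vendor) accounts -> approved daily maintenance window.
VENDOR_WINDOWS = {"vendor_svc01": (time(1, 0), time(5, 0))}
# Care-team assignments: clinician -> patients with a treatment relationship.
ASSIGNMENTS = {"rlee": {"P100", "P101"}}
EXPORT_LIMIT = 3  # exports per user per day before an alert fires (low, for the demo)

PATIENT_ACTIONS = {"view_record", "export"}


def evaluate(events: list[AccessEvent]) -> list[dict]:
    """Return one alert dict per rule violation, in timestamp order."""
    alerts: list[dict] = []
    exports_per_user_day: dict[tuple[str, str], int] = {}

    for e in sorted(events, key=lambda x: x.ts):
        # Rule 1: privileged accounts have no clinical reason to open patient records.
        if e.role in PRIVILEGED_ROLES and e.action in PATIENT_ACTIONS:
            alerts.append({"rule": "privileged_patient_access", "user": e.user, "ts": e.ts})

        # Rule 2: a non-privileged user changing configuration must be inside an
        # approved elevation window; no window, or outside it, is an alert.
        if e.action == "config_change" and e.role not in PRIVILEGED_ROLES:
            window = ELEVATION_WINDOWS.get(e.user)
            if window is None or not (window[0] <= e.ts <= window[1]):
                alerts.append({"rule": "elevation_outside_window", "user": e.user, "ts": e.ts})

        # Rule 3: vendor account active outside its maintenance window.
        if e.user in VENDOR_WINDOWS:
            start, end = VENDOR_WINDOWS[e.user]
            if not (start <= e.ts.time() <= end):
                alerts.append({"rule": "vendor_outside_window", "user": e.user, "ts": e.ts})

        # Rule 4: clinician touching a patient not on their care team. This is a
        # candidate for human review (break-the-glass, consults), not proof of snooping.
        if e.role == "clinician" and e.action in PATIENT_ACTIONS:
            if e.patient_id not in ASSIGNMENTS.get(e.user, set()):
                alerts.append({"rule": "no_treatment_relationship", "user": e.user,
                               "ts": e.ts, "patient_id": e.patient_id})

        # Rule 5: bulk export volume per user per day; fires once when the limit is hit.
        if e.action == "export":
            key = (e.user, e.ts.date().isoformat())
            exports_per_user_day[key] = exports_per_user_day.get(key, 0) + 1
            if exports_per_user_day[key] == EXPORT_LIMIT:
                alerts.append({"rule": "bulk_export", "user": e.user, "ts": e.ts})

    return alerts


# Constructed sample log; comments state the expected outcome of each line.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2024, 3, 4, 3, 0), "vendor_svc01", "vendor", "login", None),          # ok
    AccessEvent(datetime(2024, 3, 4, 8, 0), "rlee", "clinician", "view_record", "P100"),      # ok
    AccessEvent(datetime(2024, 3, 4, 8, 10), "rlee", "clinician", "view_record", "P999"),     # rule 4
    AccessEvent(datetime(2024, 3, 4, 9, 30), "jsmith", "clinician", "config_change", None),   # ok
    AccessEvent(datetime(2024, 3, 4, 10, 5), "admin_kw", "admin", "view_record", "P200"),     # rule 1
    AccessEvent(datetime(2024, 3, 4, 11, 0), "rlee", "clinician", "export", "P100"),          # ok
    AccessEvent(datetime(2024, 3, 4, 11, 5), "rlee", "clinician", "export", "P101"),          # ok
    AccessEvent(datetime(2024, 3, 4, 11, 10), "rlee", "clinician", "export", "P100"),         # rule 5
    AccessEvent(datetime(2024, 3, 4, 13, 45), "vendor_svc01", "vendor", "login", None),        # rule 3
    AccessEvent(datetime(2024, 3, 4, 14, 15), "jsmith", "clinician", "config_change", None),  # rule 2
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["ts"].isoformat(), alert["rule"], alert["user"])
```

The reference tables (elevation windows, vendor maintenance windows, care-team assignments) are the point: each rule is only as good as the data that says what "authorized" means, which is why the article ties the monitoring plan back to the risk analysis and the vendor risk program. In practice these tables come from the identity system, the change-management tool and the scheduling or ADT feed rather than from constants in a script.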

Addressing these less frequently discussed issues around user access monitoring requires a comprehensive and proactive approach. Implementing monitoring tools, establishing clear policies and procedures, providing robust training, applying sanctions and discipline consistently and, of course, regularly reviewing access logs and activity reports will help you identify and address these potential security vulnerabilities.

About the Author

Andrew Mahler, Vice President of Privacy and Compliance, Clearwater

Andrew Mahler is the Vice President of Privacy and Compliance Services at Clearwater and has supported diverse clients with privacy and compliance assessments, advisory support, and consulting, and in Interim Chief Privacy Officer roles. Before Clearwater, Andrew served as the Chief Privacy and Research Integrity Officer for the University of Arizona. He was responsible for implementing privacy and research compliance programs for colleges, departments, clinics, hospitals, and academic health sciences throughout Arizona. Andrew started his career in data privacy and information security with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), where he investigated and managed cases related to HIPAA Privacy, Security, and Breach Notification Rule compliance, as well as cases related to civil rights laws. While at OCR, Andrew designed corrective action plans and resolution agreements, including the first resolution agreement resulting from a breach report required by the HITECH Act. Andrew is a licensed attorney and holds the CIPP/US, CHC, CHRC, and CHPC certifications. He has developed courses in healthcare law and data privacy and is a guest lecturer for other law and business courses in law, healthcare, and compliance. In addition, he has published and presented on topics including health law, data privacy and HIPAA, research compliance, and risk management.
