Case Study: Thwarting Insider Threats
Why Letting Staff Know They're Being Monitored Is Essential
To protect patient privacy, West Virginia United Health System is taking a multi-step approach to thwarting insider threats, including aggressive analysis of access audits, says Mark Combs, assistant CIO, who helps lead the system's privacy and security efforts.
An auditing tool pulls access reports from multiple clinical systems, including the organization's electronic health record system, and looks for signs of inappropriate access, such as staffers viewing the records of patients who share their last name, Combs says in an interview with Information Security Media Group.
When evidence of inappropriate access is found, supervisors are alerted and the incidents are investigated.
"You're always going to find some level of inappropriate access - such as an ex-spouse looking at an ex-spouse's records ... but we wanted to clamp down on as many inappropriate accesses as possible," he says. "Our audit team runs audits on millions of record accesses every year, and we have the technology in place to facilitate that process."
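As an added example (not the health system's own tooling, which the article does not describe beyond the signal it looks for), the following Python runs the same-surname check over a constructed set of EHR access events. The staff directory, patient list, event fields and the surname normalization rule are all assumptions made for illustration.

```python
"""Flag EHR access events where the accessing staffer shares a surname with the patient.

Added example: the access events, staff and patient records below are constructed,
and the surname-matching rule is an assumption, not the audit tool's actual logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Generational suffixes dropped before taking the last name token (assumption).
SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def surname_tokens(full_name: str) -> set[str]:
    """Return normalized surname parts of a 'First [Middle] Last' style name.

    Hyphenated or apostrophe-joined surnames ('Ramos-Walker', "O'Brien") yield
    each part so a partial match still surfaces for review; one-word names
    yield nothing because no surname can be isolated.
    """
    parts = [p for p in re.split(r"[\s,]+", full_name.strip()) if p]
    parts = [p for p in parts if p.lower().strip(".") not in SUFFIXES]
    if len(parts) < 2:
        return set()
    tokens = re.split(r"[-']", parts[-1])
    cleaned = ("".join(ch for ch in t.lower() if ch.isalpha()) for t in tokens)
    return {t for t in cleaned if len(t) > 1}


@dataclass(frozen=True)
class AccessEvent:
    event_id: str
    user_id: str
    patient_id: str
    timestamp: str  # ISO-8601, as exported from the clinical system (assumption)
    action: str


# Constructed sample directories and audit feed (not real people or records).
STAFF = {
    "u1001": {"name": "Dana Walker", "dept": "Nursing"},
    "u1002": {"name": "Priya Ramos-Walker", "dept": "Registration"},
    "u1003": {"name": "Chris Nguyen Jr.", "dept": "IT"},
}
PATIENTS = {"p500": "Eli Walker", "p501": "Maria Nguyen", "p502": "Sam Okafor"}
EVENTS = [
    AccessEvent("e1", "u1001", "p500", "2014-03-03T08:12:00", "view"),   # Walker -> Walker
    AccessEvent("e2", "u1001", "p502", "2014-03-03T08:15:00", "view"),   # no match
    AccessEvent("e3", "u1002", "p500", "2014-03-03T09:40:00", "view"),   # Ramos-Walker -> Walker
    AccessEvent("e4", "u1003", "p501", "2014-03-03T10:02:00", "print"),  # Nguyen Jr. -> Nguyen
    AccessEvent("e5", "u1003", "p502", "2014-03-03T10:05:00", "view"),   # no match
]


def flag_same_surname(events, staff, patients) -> list[tuple[str, str]]:
    """Return (event_id, reason) pairs for events that need supervisor review.

    An event whose user or patient id is not in the directories is also
    flagged: an orphaned account in the audit trail is itself worth a look.
    """
    flagged = []
    for ev in events:
        person = staff.get(ev.user_id)
        patient = patients.get(ev.patient_id)
        if person is None or patient is None:
            flagged.append((ev.event_id, "user or patient id not found in directory"))
            continue
        shared = surname_tokens(person["name"]) & surname_tokens(patient)
        if shared:
            flagged.append((
                ev.event_id,
                f"{person['name']} ({person['dept']}) {ev.action} record of {patient} "
                f"at {ev.timestamp}: shared surname {sorted(shared)}",
            ))
    return flagged


if __name__ == "__main__":
    for event_id, reason in flag_same_surname(EVENTS, STAFF, PATIENTS):
        print(event_id, reason)
```

The rule is only a triage signal: a shared surname does not prove misuse, and the ex-spouse case Combs cites may involve no shared surname at all, so flagged events go to a supervisor for review rather than triggering an automatic block. In production the event list would be the audit feed joined from the EHR and other clinical systems, with the user and patient directories taken from the identity system and the master patient index.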
For insider breach prevention to succeed, the workforce must understand and follow the rules, Combs says.
When it comes to getting employees to adhere to the organization's privacy and security policies and procedures, "you're most successful when you hit them on multiple fronts, but the No. 1 thing is to explain 'why' - why are we doing this," he says.
"It's not just a HIPAA thing - I encourage people to drop the 'H' word in a lot of this talk," Combs says. Rather, the emphasis should be on the value of protecting patients' privacy.
"The last thing [patients] need to worry about is whether or not their identities are going to be stolen because they showed up at your organization for care," he says.
That point needs to be driven home with all staff, including doctors, nurses, housekeeping and IT, he stresses. It's also vital that staff know that they are being monitored. "There's an old saying, 'what's measured is what matters' - if they know you are measuring it and are watching [behavior], they are much more attuned and attentive."
Combs sums up the effort this way: "An organization cannot call itself a quality organization unless they're taking seriously the protection of people's privacy and the security of their information."
In this interview, Combs also discusses:
- The many other steps the organization is taking to deal with insider threats, including role-based access to records;
- Why West Virginia United Health System changed its policies and procedures for how it allows its healthcare workforce to access their own health records;
- The institution's mobile security strategy, including BYOD policies;
- How Combs' previous role as CISO of the delivery system's hospitals prepared him for his recent promotion to assistant CIO of the entire organization.
As assistant vice president and assistant CIO for West Virginia United Health System, Combs is responsible for the development and maintenance of information systems and security programs, which encompasses patient privacy, technical security, ongoing education and risk assessments. Previously, Combs was CISO of West Virginia University Hospitals, a unit of the health system.