Healthcare organizations can apply analytics to the art and science of cybersecurity in two ways: reactively and proactively.
Proactive use of analytics must be stressed for the best security posture, said Brandon Neiswender, COO at the Chesapeake Regional Information System for Our Patients health information exchange.
Just don’t neglect reactive analytics while you’re at it.
“Reactive use of analytics involves reporting and a linear approach,” Neiswender explained. “Did Brandon access Bill’s record yesterday inappropriately? And then communicating to the user all the rules about appropriate versus inappropriate access and delivering that through user profiles in EHR systems. This is kind of the norm today.”
Indeed, healthcare organizations must be proactive in order to prevent such access in the first place, Neiswender said.
“We need to be proactive, we need a learning capability that understands patterns, that understands normal access to types of patients and populations,” he explained. “As that learning environment happens on the computing side, you can build out access profiles, which is totally different from access requests. We understand that Brandon is an OB-GYN provider, Brandon usually accesses between 8 a.m. and Noon, he should not be accessing a 45-year-old male who lives on his street.”
Still, reactive use of analytics in cybersecurity is important.
“Say we have identified, based on patterns for the profile of Brandon, that he has inappropriately accessed a record,” Neiswender said. “What are your sanctions? What are you communication methods? How do you communicate to curb the behavior? Then you have the audit trail, so each security officer can apply sanctions. And when you think about your data outside the four walls of your organization, your data is being viewed.”
Neiswender points out that his health information exchange can send automated alerts when it has identified that a form of access is outside an organization’s normal access.
“It could be that a patient lives in the neighborhood of the person accessing the data, is not part of that person’s regular population, and the alert we can send says please refer back to the rules and mandates of your organization to determine appropriate access,” he said. “That helps curb inappropriate access, people know Big Brother is watching. And it creates efficiencies for security officers to react on positive hits, as there are thousands of accesses a day. So those are ways the appropriate analytics can be used around privacy and impact an organization.”
Analytics for security will be among the topics experts address at the Privacy & Security Forum in Boston, Dec. 5-7, 2016. What to expect:
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ Security budgets grow but breaches continue unless hospitals adopt best practices
⇒ Think offshoring PHI is safe? You may not be covered if a business associate breaches data
