HIPAA is to healthcare data what a vaccine is to an ill patient — only useful if applied. While the need for data security in the healthcare industry has become a priority, it is often viewed as a secondary concern. The reason for this is that by nature, the main focus for hospitals and healthcare providers is, and should be, patient care.
But what many healthcare organizations may not realize is that by putting HIPAA compliance mandates on the back burner, another critical side of patient care is being overlooked — privacy and trust. HIPAA is not simply an inconvenience. It signifies, along with a growing list of privacy regulations, society's new recognition that electronic information is power. And this power belongs to the people that information represents, not the fiduciary entrusted with it. HIPAA requires healthcare organizations to be good fiduciaries.
There are many different and complex aspects to the challenge of data privacy — from employee training on the proper handling of paper records to the protection of ePHI stored in healthcare organization data servers. Data auditing is one essential component in the overall fabric of an effective data privacy and HIPAA compliance strategy. HIPAA requires the "assessment of the potential risks and vulnerability of PHI," including audit controls. It calls for the "regular review of information system activity, such as audit logs, access reports and security incident tracking reports."
Data auditing addresses these requirements. But implementing data auditing effectively — from both an operational and economical standpoint — has proven to be a significant challenge.
Traditionally, the auditing of user activity at data sources required the use of database logging — with the information to produce audit reports coming from database and file audit logs. The problem with this approach is that it puts a performance burden on databases, file systems and applications. It also uses valuable database administrator and system administrator resources to cull through mountains of database and file logs to produce required reports.
In response to the raft of new regulations, a new generation of database monitoring and network appliance solutions has become available to help eliminate these issues. One challenge that anyone responsible for the implementation of auditing must ask is "where do I get the audit data I need?" Some of the data flows through the network while other activities only occur locally on a server.
I'm a proponent of a hybrid approach that includes a passive network appliance that can audit across different types of servers and a lightweight agent for capturing local traffic. With this approach, the majority of the processing is on board the appliance, limiting server load to only those few transactions that are initiated directly on the server.
This model of monitoring preserves precious server resources and, because most of the auditing occurs outside the server, allows for the monitoring of multiple databases by one appliance.
Another major data auditing challenge has been the ability to automate the auditing of composite data like PHI. PHI is defined as the simultaneous exposure of both information that identifies a person and something material about that person's healthcare status. This means that not all accesses to patient information or healthcare data needs to be audited, only those instances that meet the criteria. In order for a data/database auditing approach to be effective, it must be capable of executing policies that specify combinations of data — name plus diagnosis or social security number plus treatment code, etc.
Other questions to take into consideration: Do you need centralized management? How do you produce the reports your compliance officers/auditors require? And is the mechanism you're using to monitor flexible enough to describe simple monitoring (such as failed login) or granular enough to filter based on tables, columns or file names? The technology must also be robust enough to adapt to new auditing requirements as they arise.
Finally, another challenge to HIPAA compliance has been the "regular review of information system activity" requirement. For organizations using traditional logging techniques, regular review is anything but traditional. It's a time-sinkhole and disruptive — which makes it easy to put on the back burner.
Fortunately, the new auditing technologies take most of the manual sifting and assessment out of the process of reviewing information activities. Some even provide automated, custom reports based on policies that you create or templates that are provided by the solution vendors.
Again, it's important to weigh your organization's patient information security priorities, and your budget and other resources, as well as the requirements set forth by HIPAA to help you determine the best solution for your specific situation.
The good news is that with the latest technologies, data auditing for HIPAA is a whole lot easier — which means that patient privacy is much closer to being a part of patient care that healthcare providers can confidently provide. And the even better news: you can now accomplish these goals economically and with confidence.
Prat Moghe, was the founding CEO of Tizor in 2002. In his current role as founder and CTO, he leads the company's technology, market strategy and vision.