Security Audits of Electronic Health Information (Updated)
Editor's note: This update supplants the November 2003 practice brief "Security Audits (Updated)."
Introducing the AHIMA Compendium http://compendium.ahima.org
Throughout this brief, sentences marked with the symbol indicate AHIMA best practices in health information management. These practices are collected in the new AHIMA Compendium, offering health information management professionals "just in time" guidance as they research and address practice challenges.
In a perfect world, access controls alone would ensure the privacy of electronic protected health information (ePHI). However, the complexities of the healthcare environment today make it extremely challenging to limit worker access to the minimum information necessary to do their jobs.
For example, many jobs in smaller organizations and community-based hospitals require workers to perform multiple functions. Without access to at least selected portions of every patient's health record, some employees' effectiveness could be significantly inhibited and patient care could be compromised.
Organizations must develop security audits and related policies and procedures to hold workers accountable for their actions while utilizing ePHI and an electronic health record (EHR).
Security audits are conducted using audit trails and audit logs that offer a back-end view of system use. Audit trails and logs record key activities, showing system threads of access, changes, and transactions. Periodic reviews of audit logs may be useful for:
This practice brief identifies and defines the components necessary for a successful security audit strategy. It also outlines considerations for legal and regulatory requirements, how to evaluate and retain audit logs, and the overall audit process.
Legal and Regulatory Requirements
Many regulatory requirements drive how and why security audits are conducted. HIM professionals should consider the following legal and regulatory requirements when developing the organization's security audit strategy.
HIPAA Security Rule
The HIPAA security rule includes two provisions that require organizations to perform security audits. They are:
Payment Card Industry Data Security Standard
In 2006 the five major payment card brands formed the PCI Security Standards Council to maintain a common industry security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Any organization that accepts payment cards may be fined or held liable for losses resulting from compromised card data if it lacks adequate security controls.
The standard requires that organizations implement the following audit requirements:
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, also included provisions requiring that organizations conduct audits. In essence, healthcare organizations and third-party payers are expected to monitor for breaches of PHI from both internal and external sources.
The phrase "covered entity or business associate did not know (and by exercising reasonable diligence would not have known) of a violation" implies active auditing and monitoring for PHI breaches would be expected as reasonable due diligence.
In addition, the Office of the National Coordinator's EHR certification criteria for the meaningful use program include audit requirements. Section 170.302(r), Audit log, requires the ability to:
The stage 1 meaningful use criteria also point to the HIPAA security rule, stating that provisions of the rule (including audits) must be met.
The Joint Commission
The Joint Commission accredits hospitals and has two information management (IM) standards that indirectly address a healthcare organization's responsibility to maintain (monitor) privacy and security:
Elements of performance for both of these standards require written policies, an effective process for enforcing policies, monitoring policy compliance, and the use of monitoring of information to improve privacy, confidentiality, and security.
Audit log information may also be useful in legal proceedings, such as responding to an electronic discovery, or e-discovery, request. E-discovery is the common name for the revisions to the Federal Rules of Civil Procedure that went into effect December 1, 2006. It refers to the electronically stored information that an organization could be requested and expected to produce in response to litigation.
Establishing Strategy and Process
A multidisciplinary team is essential to developing and implementing an effective security audit strategy. The team should include at a minimum IT, risk management, and HIM representation, and it should be led and managed by the organization's designated security official in coordination with the designated privacy official.
In setting up strategy and process, the team should consider:
Audit information may also be useful as forensic data and valuable evidence during investigations into security incidents and privacy breaches, especially if sanctions against a workforce member, business associate, or other contracted agent will be applied.
Determining What to Audit
It would be prohibitively expensive to perform security audits on all data collected. A well-planned, risk-based approach lets an organization make a good-faith effort to verify that workforce members who have been educated on privacy and information security are actually complying.
In determining what to audit, organizations must identify and define "trigger events," or the criteria that will flag questionable access of confidential ePHI and prompt further investigation. Some triggers will be appropriate to the whole organization, while others will be specific to a department or unit. Once identified, trigger events should be reviewed on a regular basis, such as annually, and updated as needed.
Examples of trigger events include employees viewing:
Those individuals who review the audit logs should evaluate the number of trigger events and the breadth of the coverage chosen as well as the system's ability to log the data desired for such reviews.
Implementing Audit Tools
Certified EHRs that meet the stage 1 meaningful use criteria will also meet health IT audit criteria and may provide enough detail to determine if there was an unauthorized access into a patient's record.
These built-in audit logs can easily contain millions of entries of application transactions. Searching through these detailed logs to find the specific information needed when conducting an investigation regarding a particular encounter can take a significant amount of time and requires some specialized skills in reading and interpreting the data.
Breaches often go undetected in manual reviews of audit logs due to the sheer volume of data. Conducting random audits of user access is like the old cliché "searching for a needle in a haystack."
To help ensure greater efficiency in audit reviews, many organizations rely on third-party audit tools, which systematically and automatically analyze data and quickly generate reports based upon search criteria matching the organization's audit strategy or defined triggers.
Specialized audit tools can be programmed to:
Third-party tools can be expensive to purchase and install. Up-front costs may include audit software, server and operating system for running the software, and labor costs for installation, training, and modification. In addition, there may be annual licensing and support fees, which must be factored into an organization's operating budget.
Some vendors offer audit tools as software as a service, or SaaS. This eliminates many of the up-front costs because the vendor supplies and owns the necessary hardware and software and provides the programming support. The healthcare organization pays a monthly fee to use the tool, usually through a Web interface.
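The trigger-event screening described under "Determining What to Audit" and the automated report generation described above, shown as an added example in Python. This code is not part of the AHIMA brief or any vendor's product: the pipe-delimited log format, the field names, the business-hours window, the role groupings and the trigger rules are assumptions chosen for illustration, and the audit log lines and reference data are constructed.

```python
"""Trigger-event screening over constructed EHR access audit log entries.

Added illustration; the log format, field names and trigger rules are assumptions,
not a standard EHR audit format or the brief's own trigger list.
"""
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    ts: datetime        # when the access occurred
    user: str           # workforce member's user id
    role: str           # job role recorded by the application
    unit: str           # unit the user is assigned to
    action: str         # VIEW, PRINT, ...
    mrn: str            # medical record number accessed
    patient_unit: str   # unit the patient is admitted to


class Finding(NamedTuple):
    entry: Entry
    reasons: Tuple[str, ...]


# Constructed log lines (assumed format): ts|user|role|user unit|action|MRN|patient unit
SAMPLE_LOG = """\
2010-03-02T09:14:00|u1001|nurse|3W|VIEW|MRN5001|3W
2010-03-02T09:20:00|u1001|nurse|3W|VIEW|MRN5002|ICU
2010-03-02T02:45:00|u1002|billing|BUS|VIEW|MRN5003|4N
2010-03-02T11:05:00|u1003|physician|ICU|VIEW|MRN5004|ICU
2010-03-02T13:30:00|u1003|physician|ICU|VIEW|MRN5009|4N
2010-03-02T14:10:00|u1002|billing|BUS|VIEW|MRN5002|ICU
"""

# Constructed reference data (assumptions): workforce members who are also patients,
# and patients the organization has flagged for extra scrutiny.
WORKFORCE_MRN: Dict[str, str] = {"u1001": "MRN5002", "u1003": "MRN5003"}
FLAGGED_PATIENTS: Dict[str, str] = {"MRN5009": "VIP"}

# Assumed role groupings and business hours; an organization would set its own.
NONCLINICAL_ROLES = {"billing", "registration", "coding"}
UNIT_BOUND_ROLES = {"nurse", "unit_clerk"}   # physicians are excluded: they cross units routinely
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text: str) -> List[Entry]:
    """Parse the pipe-delimited audit log into Entry records, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, unit, action, mrn, patient_unit = line.split("|")
        entries.append(Entry(datetime.fromisoformat(ts), user, role, unit, action, mrn, patient_unit))
    return entries


def screen(entries: List[Entry], workforce_mrn: Dict[str, str], flagged: Dict[str, str],
           business_hours=BUSINESS_HOURS) -> List[Finding]:
    """Apply the trigger rules; every entry that matches at least one rule is returned for review."""
    own_records = set(workforce_mrn.values())
    start, end = business_hours
    findings = []
    for e in entries:
        reasons = []
        if workforce_mrn.get(e.user) == e.mrn:
            reasons.append("self-access")
        elif e.mrn in own_records:
            reasons.append("coworker record")
        if e.mrn in flagged:
            reasons.append(f"flagged patient ({flagged[e.mrn]})")
        if e.role in UNIT_BOUND_ROLES and e.patient_unit != e.unit:
            reasons.append("outside assigned unit")
        if e.role in NONCLINICAL_ROLES and not (start <= e.ts.time() < end):
            reasons.append("after-hours access by non-clinical role")
        if reasons:
            findings.append(Finding(e, tuple(reasons)))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Summary a department manager would receive: number of flagged accesses per user."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.entry.user] = counts.get(f.entry.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = screen(parse_log(SAMPLE_LOG), WORKFORCE_MRN, FLAGGED_PATIENTS)
    for f in results:
        print(f"{f.entry.ts:%Y-%m-%d %H:%M} {f.entry.user:6} {f.entry.mrn:8} {'; '.join(f.reasons)}")
    print("flagged accesses per user:", findings_by_user(results))
```

A finding here is only a prompt for review, not a conclusion: the nurse who viewed an ICU patient may have been floated to that unit that day, which is exactly the kind of context the manager review described later in the brief is meant to supply. The rules are deliberately kept as plain functions of the log fields so a reviewer can read them and an auditor can check that the trigger list on paper matches what the tool actually runs.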
Determining When and How Often to Audit
Due to a lack of resources, organizations typically examine their audit trails only when there is a suspected problem. Although this is a common practice, it is definitely not a best practice.
It is imperative that an organization's security audit strategy outline the appropriate procedure for responding to a security incident. However, it must also define the process for the regular review of audit logs. At a minimum, review of user activities within clinical applications should be conducted monthly. It is best to review audit logs as close to real time as possible and as soon after an event as can be managed. This is especially true for audit log entries that could signal an unauthorized access or an intrusion into an application or system. Automated audit tools can be helpful for providing near real-time reports.
Evaluating Audit Findings
Department managers and supervisors are in the best position to determine the appropriateness of staff access. Therefore, they should review the audit reports.
The organization's information security and privacy officials must provide education to the directors, managers, and supervisors responsible for reviewing security audit report findings so they are equipped to interpret results and determine appropriate versus inappropriate access based on defined and approved access permissions.
Presenting Audit Report Findings to Employees
In the event that an audit reveals potentially unauthorized access by an employee, human resources, risk management, and legal counsel (as appropriate) may need to be involved before addressing the report findings with the employee.
Organizations should consider factors such as education, experience, privacy and security training, and barriers to learning (e.g., language) when evaluating an employee's actions. They should remember that an individual may have had a good reason for out-of-the-ordinary access, even if the initial review indicates otherwise. In addition, organizations should consider treating the questioning of an employee as an inquiry, rather than an interrogation.
Organizations must be consistent in the application of their security and privacy audit policies and sanctions with no exceptions. Making exceptions to the policy risks the trust of the workforce and consumers and poses a risk to legal defense. Healthcare facilities leave themselves open to both individual and class action lawsuits when they do not have a strong, consistent enforcement program.1
Organizations should develop and implement graduated sanctions so that the punishment fits the incident. Sanction policies should allow management some limited flexibility. For example, sanctions to physicians and other licensed caregivers with specialized skills may negatively affect patient care and business operations if these individuals are removed from their job as a result of a violation.
In conjunction with sanction policies, organizations must develop and implement strong policies and procedures to address the processing of breaches, compliant with federal and state laws and regulations, in the event any security audit findings indicate a breach has occurred.
Protecting and Retaining Audit Logs
HIPAA requires that covered entities retain the documentation showing they have been conducting audits for six years from the date of its creation or the date it was last in effect, whichever is later. Such documentation may include policies, procedures, and past audit reports. State statutes of limitations relative to discoverability and an organization's records management policies may require that this information be kept longer.
Organizations must review pertinent regulatory requirements, including applicable federal and state laws, in determining the appropriate retention period for security audit logs. Security and privacy officials should collaborate to establish the most effective schedule for the organization.
The Payment Card Industry Data Security Standard requires organizations "retain audit trail history for at least one year, with a minimum of three months' online availability."
Prevention through Education
The new mantra in healthcare should be, "Just because you can, doesn't mean you should." Education is a preventive measure that must be executed and re-executed to ensure optimal outcomes in the success of a security audit strategy. Organizations should:
AHIMA. "Building an Effective Security Audit Program to Improve and Enforce Privacy Protections." Online course. Available online at http://www.ahimastore.org.
Department of Health and Human Services. "45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule." Federal Register 68, no. 34 (Feb. 20, 2003). Available online at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf.
Tom Walsh, CISSP
William Miaoulis, CISA, CISM
2010 Privacy and Security Practice Council:
Prepared by (Original)
Beth Hjort, RHIA, CHP
The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.
Indicates an AHIMA best practice. Best practices are available in the AHIMA Compendium, http://compendium.ahima.org.