By Marcia Savage
With more than 11,000 employees using 250 clinical applications, auditing access to medical records of hundreds of thousands of patients at Beth Israel Deaconess Medical Center seemed a daunting if not impossible task.
But Mark Olson, manager of IS security and disaster recovery, tackled the problem head on. Working with other IT groups and the business conduct office at Beth Israel, a teaching hospital of Harvard Medical School in Boston, he and his security team devised a program that ensures compliance with privacy regulations by quickly catching employees who peek at patient records they have no business looking at. And there is a lot of temptation: Beth Israel is the official hospital of the Boston Red Sox.
The innovative program ties data mined from a cross section of clinical applications, security devices and databases with the geographic location of an IP address to quickly catch inappropriate access. It looks for atypical patterns like a physician accessing an extraordinarily large number of records in one day, or a clinician looking up data from an unusual location, and issues an alert.
Olson says the program is modeled on the credit card industry's system of monitoring spending patterns to detect abnormal behavior. He's getting the word out about Beth Israel's program through presentations at national and local conferences to help IT professionals understand that some basic data mining and ingenuity can go a long way in building an effective auditing program.
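As an added illustration (not Beth Israel's own code), the two checks the article describes, a user opening far more records in a day than their own baseline and access from a location the user does not normally work from, applied to constructed access-log rows; the network-to-location table, user names and addresses are assumptions standing in for the hospital's geolocation data and real logs:

```python
"""Access-pattern alerting over record access logs (added example, not the hospital's code)."""
from collections import defaultdict
from statistics import median
import ipaddress

# Constructed network-to-location table standing in for a real IP geolocation lookup.
NETWORK_LOCATIONS = [(ipaddress.ip_network("10.20.0.0/16"), "hospital-campus"),
                     (ipaddress.ip_network("192.0.2.0/24"), "clinic-vpn")]


def locate(ip):
    """Map a source address to a named location, 'unknown' if it matches no network."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in NETWORK_LOCATIONS if addr in net), "unknown")


def sample_log():
    """Constructed rows (day, user, record id, source IP): a physician with a steady
    two-records-a-day routine and one spike day, and a clerk whose last session
    comes from an address outside every known hospital network."""
    rows = []
    for day in ("2007-09-10", "2007-09-11", "2007-09-12"):
        rows += [(day, "drlee", f"P{day[-2:]}{i}", "10.20.4.7") for i in range(2)]
        rows += [(day, "pjones", f"P{day[-2:]}{i}", "10.20.7.3") for i in range(3)]
    rows += [("2007-09-13", "drlee", f"P13{i}", "10.20.4.7") for i in range(12)]
    rows.append(("2007-09-13", "pjones", "P130", "198.51.100.23"))
    return rows


def flag_access(rows, volume_factor=3, min_records=10):
    """Return ('volume', user, day, count) when a day's distinct records exceed
    volume_factor times the user's median on their other days (and at least min_records,
    so a quiet user's small swings stay silent), and ('location', user, day, location)
    for access from a location the user has not worked from on two or more days."""
    records = defaultdict(set)   # (user, day) -> distinct record ids opened
    loc_days = defaultdict(set)  # (user, location) -> days seen from there
    for day, user, rec, ip in rows:
        records[(user, day)].add(rec)
        loc_days[(user, locate(ip))].add(day)
    alerts = []
    for (user, day), recs in sorted(records.items()):
        others = [len(r) for (u, d), r in records.items() if u == user and d != day]
        if others and len(recs) >= min_records and len(recs) > volume_factor * median(others):
            alerts.append(("volume", user, day, len(recs)))
    for (user, loc), days in sorted(loc_days.items()):
        usual = {l for (u, l), d in loc_days.items() if u == user and len(d) >= 2}
        alerts += [("location", user, day, loc) for day in sorted(days) if loc not in usual]
    return alerts


if __name__ == "__main__": print(*flag_access(sample_log()), sep="\n")
```

The per-user median baseline is what keeps a busy specialist's normal day from tripping the volume rule while still catching a spike against that user's own history.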
"People shy away from it because they look at the problem as too large of one to solve," he says.
John Powers, Beth Israel's chief administrative information officer, says Olson's creativity and thoroughness have been invaluable.
"The bottom line is that we think that the safety of our patient database is markedly improved compared to other hospitals as a result of this security umbrella we put over it using Mark's concept," he says.
The program is a novel turn on the usual reactive, complaint-driven approach to compliance with privacy standards, and allows the hospital to be proactive, says Tim Hogan, Beth Israel's director of corporate counsel.
Olson's team has also added auditing to a Web-based training system that delivers the HIPAA-required training for handling patient records.
"He's just done tremendous work in bringing about a transformation of the technical security, but also in providing leadership across the various technology groups to get everybody aware of the need for security when making changes or introducing technologies," Powers says.
"We've buttoned down our environment mightily since Mark has been at the helm of our security," Powers says.
Today, Olson extols the benefits of auditing. In the health care industry, records are shifting from paper to electronic, which promises significant benefits but also presents challenges in guaranteeing that information is kept private and secure.
Being proactive is essential, Olson says, and doing more in the area of auditing would help the security industry become less reactive.
"Security isn't looked at as an auditing job and in my view it is," he says. "We need to do more auditing to discover trend analysis and find out [when] something is about to happen."
This was first published in October 2007.