Design of Data Audit System for Health Informatics

Dr. Aly, O.
Computer Science

Introduction

The purpose of this paper is to discuss and analyze the design of a data audit system for health informatics and the elements of that design. The audit is one of the security measures that organizations must implement to protect privacy. Organizations must comply with regulations and rules such as HIPAA to protect the private information of patients.

Data Audit System for Healthcare Informatics

Although significant progress has been made in technological security solutions such as information access control, the operational process still faces a significant challenge (Appari & Johnson, 2010). In healthcare, data access is granted broadly, and the “Break the Glass” (BTG) policy is adopted so that care can be delivered effectively and promptly, given the nature of healthcare and the varied purposes for which data is used (Appari & Johnson, 2010). The BTG policy grants emergency access to critical electronic protected health information (ePHI) systems: it provides a quick way for a person who does not have access privileges to specific information to gain that access when required. As reported in (Appari & Johnson, 2010), 99% of doctors were granted overriding privileges while only 52% required overriding rights on a regular basis, and the security controls of health information systems were overridden to access 54% of patients’ information. Moreover, the BTG policy can be misused by employees (Appari & Johnson, 2010). As reported in (Malin & Airoldi, 2007), a study found that 28 of 28 Electronic Medical Record (EMR) systems incorporate audit capability, yet only 10 of those systems alert healthcare administrators to potential violations. Thus, healthcare organizations have a serious need to design and implement a robust audit system to avoid such pitfalls, which can lead to serious malicious attacks and data breaches.

Various research studies have proposed audit systems to address these pitfalls, to ensure a proper Security Policy with an appropriate Audit system, and to ensure that such a policy is implemented correctly. In (Malin & Airoldi, 2007), the researchers proposed a novel protocol called CAMRA (Confidential Audits of Medical Record Access), which allows an auditor to access information from non-EMR systems without revealing the identity of those being investigated. In (Rostad & Edsberg, 2006), the researchers discussed and analyzed role-based access control systems in healthcare, which are often extended with exception mechanisms to ensure access to needed information even when the need arises outside the normal access procedures. The researchers recommend limited use of exception mechanisms, because they increase the threats to patients’ privacy, and that their use be subject to auditing. In (Bhatti & Grandison, 2007), the researchers proposed a model called PRIMA (PRIvacy Management Architecture), which exploits policy refinement techniques to gradually and seamlessly embed privacy controls into the clinical workflow. The underlying concept of PRIMA is based on the Active Enforcement and Compliance Auditing component of the Hippocratic Database technology and leverages standard data analysis techniques. In (Ferreira et al., 2006), the researchers discussed and analyzed the BTG policy in a Virtual EMR (VEMR) system integrated with the access control model already in use. One of the requirements of that access control model is that auditing and monitoring mechanisms must be in place at all times for all users. In (Zhao & Johnson, 2008), the researchers proposed a governance structure based on controls and incentives in which employees’ self-interested behavior can result in the firm-optimal use of information. Their analysis indicated that audit quality is a critical element of the proposed governance scheme.

The Role of Audit as a Security Measure

Security has three main principles, known as the CIA Triad: Confidentiality, Integrity, and Availability. There are additional security concepts known as the five elements of AAA services: Identification, Authentication, Authorization, Auditing, and Accounting (the acronym AAA itself stands for Authentication, Authorization, and Accounting, or sometimes Auditing). Identification is the claim of an identity when attempting to access a secured area or system. Authentication proves the identity of the user. Authorization defines which resources and objects are “allowed” and “denied” to a specific identity. Auditing records a log of the events and activities related to the system and its subjects. Accounting (a.k.a. Accountability) is the review of those log files to check for compliance and violations and to hold users accountable for their actions (Stewart, Chapple, & Gibson, 2015).

Auditing is the programmatic technique of tracking and recording actions in order to hold users accountable for what they do while authenticated on the system. Auditing is also used to detect unauthorized users and abnormal activity on the system, and to record both user activity and the activity of the core system functions that maintain the operating environment and its security mechanisms. The Audit Trails created by recording system events to logs can be used to evaluate the health and performance of the system: system crashes indicate faulty programs, corrupt drivers, or intrusion attempts, and event logs can be used to discover why a system failed. Auditing is required to detect malicious actions by users, attempted intrusions, and system failures, and to reconstruct events, provide evidence for prosecution, and produce problem analyses and reports. Auditing provides Accountability: it tracks users, records the time at which they access objects and files, and thereby creates an Audit Trail in the audit logs. For instance, Auditing can record the time at which a user reads, modifies, or deletes a file (Stewart et al., 2015).

Auditing is a native feature of operating systems and of most applications and services. Thus, a security professional must ensure that the auditing feature is enabled and configured on systems, applications, and services so that all activities, including malicious events, are monitored and recorded. Moreover, most firewalls offer extensive auditing, logging, and monitoring capabilities, alarms, and basic intrusion detection system (IDS) functions. Every system must have the appropriate combination of a local host firewall, anti-malware scanners, authentication, authorization, auditing, spam filters, and IDS/IPS services. Many organizations require the retention of all audit logs for three years or longer so that they can reconstruct the details of past security incidents (Stewart et al., 2015). Every organization must have a Retention Policy that sets the rules for retaining such audit logs, including to support HIPAA investigations.

The Role of the Auditor

The auditor must review and verify that the Security Policy is implemented properly and that the security solutions are adequate. The Auditor produces compliance and effectiveness reports to be reviewed by senior management. Senior management transforms the issues discovered in these reports into new directives. Moreover, the role of the Auditor is to ensure that a secure environment is properly protecting the organization’s assets (Stewart et al., 2015).

HIPAA Audit Requirement Compliance

Audit Trails are records with retention requirements, and Healthcare Information Management should include them in the management of electronic health records. Legal and compliance requirements drive Audit Trail management. HIPAA audits have been occurring around the country and have resulted in judgments of substantial fines; organizations must reduce their risk by maintaining robust Audit Trails for their clinical applications (Nunn, 2009).

An Audit Trail is distinguished from an Audit Control. As cited in (Nunn, 2009), the Audit Trail is defined by the Fundamentals of Law for Health Informatics and Information Management as a “record that shows who had accessed a computer system, when it was accessed, and what operation was performed.” Audit Control is a term used by IT professionals, defined as “the mechanisms employed to record and examine system activity. The data collected and potentially used to facilitate a security audit is called the audit trail that in turn may consist of several audit files located on different entities of a network” (Nunn, 2009). This distinction indicates that it may take several different audit trails from several systems to detect inappropriate access or malicious intrusions into the clinical databases.

Organizations must conduct routine random audits on a regular basis to ensure compliance with HIPAA and other regulations that protect the privacy of patients. Audit Trails can track all system activities, including a detailed listing of content, duration, and users, recording the date and time of entries and logging all modifications to EHRs. Routine audits can help capture inappropriate use and access by unauthorized users. When there is inappropriate access to a medical record, the system can produce the name of the individual gaining access; the time and date; the screens accessed; and the duration of the review. This information can provide evidence for prosecution if the access was not authorized or if there was a malicious attack or data breach. The HIPAA Security Rule requires organizations to maintain Audit Trails, to document information system activity, and to have the hardware, software, and procedures to record and examine activity in systems that contain health information (Ozair, Jamshed, Sharma, & Aggarwal, 2015; Walsh & Miaoulis, 2014).
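As an added illustration (not part of the paper or of any system it cites), the following Python script reviews a constructed ePHI audit trail for the BTG misuse patterns described earlier (overrides by staff with no exceptional need, and overrides without a documented reason) and answers the who, when, and what question posed by the Audit Trail definition above. The record layout, the set of clinical roles, and the per-user override threshold are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not real data): who accessed which patient
# record, when, what operation, whether BTG override was used (1/0), and why.
SAMPLE_TRAIL = """\
2024-03-01T08:02:11,dr_lee,physician,P1001,read,0,
2024-03-01T08:15:40,dr_lee,physician,P1002,read,1,ER admission
2024-03-01T09:01:03,nurse_kim,nurse,P1003,modify,0,
2024-03-01T09:30:00,clerk_ray,billing,P1001,read,1,
2024-03-01T10:12:19,clerk_ray,billing,P1004,read,1,
2024-03-01T10:13:55,clerk_ray,billing,P1005,read,1,
2024-03-01T11:45:27,dr_lee,physician,P1001,delete,0,
"""
CLINICAL_ROLES = {"physician", "nurse"}  # assumed roles that may ever need BTG
BTG_PER_USER_LIMIT = 2                   # assumed threshold; above it -> alert


def parse_trail(text):
    """Parse CSV audit lines; ts becomes a datetime, btg a bool."""
    fields = ["ts", "user", "role", "patient", "action", "btg", "reason"]
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=fields):
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["btg"] = rec["btg"] == "1"
        rows.append(rec)
    return rows


def review_btg(records):
    """Alert on the BTG misuse the paper describes: overrides with no documented
    reason, overrides by non-clinical roles, and excessive overrides per user."""
    alerts, per_user = [], Counter()
    for r in records:
        if not r["btg"]:
            continue
        per_user[r["user"]] += 1
        if not r["reason"].strip():
            alerts.append(("btg_no_reason", r["user"], r["patient"]))
        if r["role"] not in CLINICAL_ROLES:
            alerts.append(("btg_nonclinical_role", r["user"], r["patient"]))
    alerts += [("btg_excessive", u, n) for u, n in per_user.items()
               if n > BTG_PER_USER_LIMIT]
    return alerts


def who_when_what(records, patient):
    """The Audit Trail question quoted in the paper, for one patient record."""
    return [(r["user"], r["ts"].isoformat(), r["action"])
            for r in records if r["patient"] == patient]
```

Feeding the alerts to an administrator is the step that only 10 of the 28 EMR systems in the cited study performed; the same review can be run over the retained logs during a routine random audit.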

In summary, healthcare organizations must implement an Audit system to comply with regulations such as HIPAA and to ensure the protection of patients’ private information. The Audit system should use Audit Trail techniques to track system activities and users’ access to health information. Limiting access to authorized users is recommended. The BTG policy is misused in healthcare: it should be applied for exceptions only, yet it has been applied to users who do not necessarily have any exceptional need to access the health records. The audit is also used to detect fraudulent activity. Thus, the organization must take advantage of various hardware and software to implement the Audit system, not only to protect the privacy of patients but also to detect fraud.

References

Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: Current state of research. International Journal of Internet and Enterprise Management, 6(4), 279-314.

Bhatti, R., & Grandison, T. (2007). Towards improved privacy policy coverage in healthcare using policy refinement. Paper presented at the Workshop on Secure Data Management.

Ferreira, A., Cruz-Correia, R., Antunes, L., Farinha, P., Oliveira-Palhares, E., Chadwick, D. W., & Costa-Pereira, A. (2006). How to break access control in a controlled manner. Paper presented at the 19th IEEE International Symposium on Computer-Based Medical Systems (CBMS 2006).

Malin, B., & Airoldi, E. (2007). Confidentiality preserving audits of electronic medical record access.

Nunn, S. (2009). CS881. Journal of AHIMA, 80, 44-45. Retrieved from http://library.ahima.org/doc?oid=93266#.Wu5wd4gvx7w

Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73.

Rostad, L., & Edsberg, O. (2006). A study of access control requirements for healthcare systems based on audit trails from access logs. Paper presented at the 22nd Annual Computer Security Applications Conference (ACSAC ’06).

Stewart, J., Chapple, M., & Gibson, D. (2015). CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (7th ed.). Wiley.

Walsh, T., & Miaoulis, W. (2014). Privacy and security audits of electronic health information. Journal of AHIMA, 85, 54-59. Retrieved from http://bok.ahima.org/doc?oid=300276#.Wu5xmIgvx7w

Zhao, X., & Johnson, M. E. (2008). Information governance: Flexibility and control through escalation and incentives.