Fair Warning Presentation


  • 7/31/2019 Fair Warning Presentation, slide 1/13

    2010 FairWarning, Inc. Private and Confidential

    Privacy Monitoring Solution Overview: United Kingdom & Europe

    FairWarning's mission is to be the world's leading supplier of solutions which monitor & protect patient privacy in Electronic Health Records.

  • Slide 2/13


    Streamline patient privacy investigations, reporting, and accounting of disclosures
    Automate systematic audit log review of all applications
    Alert on 100+ patient privacy scenarios with filtering
    Deters snooping, medical identity theft, identity theft
    100+ EHRs supported out-of-the-box
    Out-of-the-box, in-production, massive scale, patents pending

    See www.FairWarningAudit.com for detailed FairWarning to regulatory mappings.

  • Slide 3/13


    Reactionary investigations
    Delayed, inconsistent incident discovery
    Manual, time-consuming processes
    Audit logs in stove pipes

  • Slide 4/13


    Regulatory Investigations and Auditing
      Individual patients
      Individual user
      GP / Physician
      Consultant / contractors
      Random patients
      Random users
      Others

    Detecting Snooping Patterns
      VIP scenarios: prominent government officials, celebrities
      Family member snooping
      Employee as patient snooping
      Executive snooping
      Neighbour snooping
      Break-the-glass functions
      Self examination
      Others

    Detecting Identity Theft Patterns
      Sequential patient records
      Patient access thresholds
      Printed records thresholds
      Deceased patient records
      Discharged patient records
      Address changes
      Out-of-dept accounting, billing accesses
      Expired logins
      Simultaneous logins
      Other demographic changes

  • Slide 5/13


    [Architecture diagram: audit-log sources feeding FairWarning. Labels recovered from the diagram:]
      Major suite vendors: Millennium, Magic, Client / Server (per-suite application counts shown in the diagram: ~20, ~10, ~8, ~6, ~5, ~4 apps)
      Other suites and supporting applications: new or in-house apps added in 1 day
      User information from business & identity applications: PeopleSoft
      FairWarning: privacy analysis, alerting, reporting; FairWarning users
      Patient privacy incidents detected by FairWarning, optionally sent to SIEM

  • Slide 6/13


  • Slide 7/13


    UCLA Medical Center is taking steps to fire at least 13 employees and is disciplining others, including doctors, for looking at the pop star's confidential files.

    CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations

    HITECH Act Means More Aggressive HIPAA Enforcement. Since the Health Insurance Portability and Accountability Act became law, enforcement has been a weak link. The number of covered entities that are in full compliance has been low, simply because the Department of Health and Human Services hasn't had much of an enforcement mechanism in place. But that was before the American Recovery and Reinvestment Act was signed.

    'SCAM' GUY HIT 50,000 HOSP ID THEFT SPREE: [...] employee charged with selling patient information as part of a wide-scale identity-theft ring illegally accessed nearly 50,000 patient files, prosecutors said yesterday.

  • Slide 8/13


    Monitoring and Auditing Access to Confidential Information

    6. The organisation should ensure that it has assigned overall responsibility for monitoring and auditing access to confidential personal information to an appropriate senior staff member, eg the Caldicott Guardian, IG Lead or equivalent. This member of staff should be responsible for ensuring that confidentiality audit procedures are developed and communicated to all staff with the potential to access confidential personal information. The procedures should include: how access to confidential information will be monitored; who will carry out the monitoring of access; reporting processes and escalation processes; disciplinary processes.

    7. The following are examples of events that the organisation should audit for frequency, circumstances, location etc: failed attempts to access confidential information; repeated attempts to access confidential information; successful access of confidential information by unauthorised persons; evidence of shared login sessions/passwords; disciplinary actions taken.

  • Slide 9/13

  • Slide 10/13


    ROI - 10X reduction in privacy audit review time

    [Chart: Inappropriate EHR Access - Confirmed Incidents, monthly counts. Annotations: January 2008, FairWarning Privacy Surveillance deployed; training and reprimands based on privacy surveillance.]

    Reviews reduced from 5 days / week to ½ day / week
    Personnel re-focused on training, education, research
    Personnel re-focused on upcoming security projects

  • Slide 11/13


    [Deployment diagram: audit-log sources, the FairWarning appliance, and its user and admin access paths. Labels recovered from the diagram:]
      Audit log sources: Cerner, GE, Epic, Siemens, Eclipsys audit logs; McKesson Horizon, STAR audit, clinical & physician portal audit logs; MEDITECH, ChartMaxx audit logs; other audit logs
      Appliance storage: SAN; encrypted archived audit logs
      FairWarning users: browser-based user access; role-based access control; privacy, risk, security
      FairWarning admin: browser-based admin; shell access optional; appliance access via customer VPN; FairWarning administration, periodic fine-tuning, support & maintenance

  • Slide 12/13


    Customer case studies: [email protected]
    U.S. and Canada webinars on privacy monitoring: Click here
    UK webinar on privacy monitoring: Click here
    Privacy monitoring whitepaper: Click here
    FairWarning compatibility with SIEMs whitepaper: Click here
    Return on investment calculator: [email protected]
    Comparison & evaluation forms: [email protected]
    Planning & deployment guide: [email protected]

  • Slide 13/13
