5 MUST MONITOR HEALTHCARE APPLICATIONS (V1)


OBSERVEIT

OBSERVEIT.COM/TRYITNOW

INTRODUCTION

In today's healthcare industry, personal health information (PHI) is everywhere. Healthcare organizations have massive heaps of data on each individual patient, including Social Security numbers, medical records, payment information, employment information and income information. With so much data concentrated in one place, healthcare organizations turn to applications in order to centralize and maintain all customer records. Even though these applications are highly sophisticated, organizations are having trouble keeping track of exactly "who did what" in these apps.

In addition, within healthcare applications such as Cerner, Epic, AllScripts, McKesson and Meditech, numerous users have access to heaps of patient data. As a result, any doctor, nurse, physician, pharmacist, registrar, assistant, etc. could pose a serious risk to healthcare organizations using these apps, simply because an exploited account would have access to massive quantities of PHI. Furthermore, overlooked application entitlements can enable users to access vast amounts of data and not trigger any red flags. Due to the sheer volume of activity and necessary access, questionable actions are often hidden in the large volume of normal user actions, leading to undetected and overlooked exposure of sensitive data. Below we break down some of the most popular applications used in the healthcare sector, and why it is important to know exactly "who is doing what" within these applications.

CERNER

Cerner is one of the most popular healthcare solutions companies. With their systems installed in more than 18,000 facilities globally, they are persistently known as one of the leaders in healthcare applications.

Cerner Millennium enables professionals to store, capture and access PHI. It provides real-time access to patient results and clinical information and enables these healthcare organizations to meet The Joint Commission requirements for patient confidentiality. The integrated database serves both acute and ambulatory settings.

WHY MONITOR?

With an application like Cerner's Electronic Health Record (EHR), there are many risky areas surrounding data access. Because the data is centralized in one database, users can have access to all sorts of patient data, including patients who are not under their care. HIPAA mandates that patient data remain completely confidential between the doctor and the patient. Accessing patient data that isn't under a user's necessary access violates this mandate. This potential unauthorized access becomes a major problem in the case of VIP patients, such as famous celebrities or politicians. Medical records of these figures are often sought after by normal business users given the value their PHI could have in an illegal market. In the case of illegal activity, having a forensic trail is critical for healthcare companies using an EHR application like Cerner. During investigations, auditors and investigators need access to log information from each application a healthcare provider has. Without proper monitoring, the effort to collect access log information can take up to a couple of months.


EPIC

Epic makes software for mid-size and large medical groups, hospitals and healthcare organizations. Their software spans clinical, access and revenue functions. As one of the leading EHR developers, Epic's 36 years of experience make them a standout in the healthcare applications industry.

EpicCare connects various hospital departments to patient records. This system improves workflow by creating a centralized database that can be accessed across many departments in order to make decisions based on the most recent patient information. The solution is customizable to meet the needs of different organizations, departments and even single users. It partners with the EpicCare Ambulatory EHR to provide an accurate EHR across the board.

WHY MONITOR?

Entitlement changes are a major risk when using an application like EpicCare. Administrators can shift their own entitlements and the action can go unseen within the hospital. Thus, once they have shifted their entitlements, all of their activity will appear normal and not raise any concerns. Another way an application like EpicCare can prove to be harmful is the lack of insight into what is done with patient data once it is accessed. A pharmacy director is likely granted access to every patient in order to make sure each patient is getting his or her proper treatment. While it is easy to see that the pharmacy director did access the patient data, it is impossible to know what he/she did with the data or why the data was accessed. Also, if the director is having his or her shift covered, a lower level employee will likely need to access patient data that isn't technically his or her patient. Therefore, if the employee took advantage of this access level, and accessed patient data with the intent of stealing information, he/she could say the data was clicked on by accident and there would be no proof otherwise. While systems like EpicCare do provide a break-glass scenario, in which a window would pop up verifying that this employee is accessing patient data that isn't under his or her care, it is impossible for healthcare organizations to know exactly what was done with the PHI once it has been accessed.

ALLSCRIPTS

Allscripts is a healthcare solutions company that is a leader in EHR solutions. They serve 180,000 physicians in 45,000 physician offices and 2,500 hospitals. They offer an integrated portfolio of healthcare information technology solutions.

Allscripts (Eclipsys) Sunrise Clinical Manager is a customizable EHR solution that is used by tens of thousands of healthcare providers. The solution has a wide variety of enticing features such as a prenatal module, award-winning API for third party apps, mobile access and input flexibility. Along with all of these features, Allscripts (Eclipsys) Sunrise Clinical Manager offers clinical decision support at the point of care and nearly 800 clinician-reviewed care guides to drive care in the ambulatory setting.


WHY MONITOR?

Allscripts' EHR solution, like Cerner and Epic, does a great job increasing workflow, but can open organizations up to unexpected security vulnerabilities. When patients are initially joining a medical practice, a system administrator enters their information. This system administrator assigns their information to a certain doctor, but there is no way of knowing what this system admin does with the PHI before the patient is officially assigned. Too much access can also become a problem when administrators have access to other employees' PHI. Many healthcare professionals opt to use their own organization for their own healthcare. As a result, generalized access accounts can pose a major risk when one employee could access the records of another employee, breaching his or her privacy. Patient privacy also is a major concern for companies who use generalized access accounts. In-depth reporting and analytics are required by healthcare companies in order to meet HIPAA patient privacy regulations. Having the ability to understand and manage data is critical when providing reporting.

MCKESSON

McKesson started in the 1830s as a distribution network for healthcare professionals. Today, their business ranges from distribution to technology services. Their EHR systems are among the most popular in the current healthcare applications market.

McKesson Homecare (formerly McKesson Horizon) is a homecare software solution that addresses both clinical and financial data. The solution streamlines workflow to help reduce errors and omissions and helps improve the accuracy and consistency of documentation. The application comes equipped with a tool that provides warnings for visits falling outside of order. McKesson Homecare also supports the ability of intake staff to gather the necessary information from referral partners in order to quickly assign the initial visit to clinical staff.

WHY MONITOR?

McKesson's Homecare solution is used by so many professionals nationwide that it is recognized as one of the most used apps in the entire healthcare industry. But with users accessing these systems for a variety of reasons, monitoring the user actions within McKesson is vital.

McKesson Homecare comes with a tool that notices if users are visiting patient information they shouldn't be viewing. However, this falls short on two fronts. First, this doesn't cover the danger of entitlement changes within the application. Any administrator within a McKesson application, such as Homecare, can edit the access levels of any user. Thus, a user whose entitlement changes have enabled them to view all accounts will not be caught by this tool within McKesson Homecare, simply because the action would appear to be credible based on the account's access level. Second, the tool only focuses on who is viewing each patient's account, and NOT on what the user is doing with that account's information. Understanding who accessed data improperly doesn't answer the more important question of what was done with the data.


MEDITECH

Meditech specializes in EHR solutions. Their EHR system was designed by physicians in order to maximize productivity and encourage evidence-based decision-making. With a patient-centric approach, Meditech works across hospitals, ambulatory care, home care, hospice, long-term care and behavioral health.

Meditech offers an EHR system under its own name. The solution optimizes sharing information, financial transactions and reporting, and centralizes workflow. Staff use the home care aspect of their solution across departments such as hospice staff, billers, hospital staff, and hospital administrators. Their solution comes with customizable role-based access, encryption, and detailed audit logs. Their mobile application is incredibly flexible and can be used on any tablet or smart device.

WHY MONITOR?

Meditech has its own monitoring capabilities within its EHR application, so there is no need to monitor, right? Wrong. Although Meditech does monitor and report on certain actions, it doesn't cover a key area within applications: entitlement changes. When administrators promote their own entitlements within Meditech, the action will go unnoticed. This is a major concern, especially within HIPAA regulations, as application administrator access is now within the scope of HIPAA. Furthermore, HIPAA compliance audits can be incredibly in-depth. Without proper monitoring in place, these audits can be incredibly tedious. Companies need to be able to retrieve application audit logs in a timely fashion, and the logs need to be easy to understand in order to save time reviewing them.

SATISFYING HIPAA'S MONITORING REQUIREMENTS

Until recently, there was a common misconception amongst many healthcare providers that the responsibility of protecting patient data falls under the EHR vendor and not the healthcare organization. This is simply not true.

The HIPAA Security Rule, which went into full effect in 2005, outlines how healthcare providers who transmit health information in electronic form need to protect PHI. The basic guidelines of the Security Rule are separated into four parts:

1. Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit;

2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

3. Protect against reasonably anticipated, impermissible uses or disclosures; and

4. Ensure compliance by their workforce.

The Security Rule also outlines that uses and disclosures of PHI should be limited to the "minimum necessary." Healthcare providers need to implement policies and procedures for authorizing access to PHI only when such access is appropriate based on the user or recipient's role.


There are numerous technical safeguards within The Security Rule that healthcare providers need to adhere to in order to be considered compliant with HIPAA:

• Access Controls: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.

• Audit Controls: A covered entity must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use PHI.

• Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to PHI that is being transmitted over an electronic network.

Monitoring user actions on applications is the only way healthcare providers can stay in line with The HIPAA Security Rule requirements. Furthermore, HIPAA outlines that healthcare providers who operate EHR systems must track the actions of external vendors, such as GE, McKesson and Siemens U.S. When these companies access EHR information, all of their activity must be monitored in order to meet HIPAA compliance.

SATISFYING ARRA HITECH'S MONITORING REQUIREMENTS

In 2009, President Obama signed a $789 billion economic stimulus package called The American Recovery and Reinvestment Act (ARRA). Within ARRA is the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH allocates $19 billion to hospitals and physicians who demonstrate "meaningful use" of EHRs.[4]

HITECH qualifies physicians for up to $44,000 in Medicare bonus incentives if they demonstrate "meaningful use" of an EHR. This also includes healthcare providers such as hospitals, clinics, nursing facilities, pharmacists, and many more.

"Meaningful use" has had a changing definition since the Act was signed into action in 2009. Currently, demonstrating and executing "meaningful use" of an EHR has many requirements. However, in 2012 when the "meaningful use" definition was most recently updated, many new expectations were added to Measure 7 out of 16: Protect Electronic Health Information. Some of the most important EHR standards within this measure are:

1. EHR technology must be able to record actions related to electronic health information

2. EHR technology must be able to detect whether an audit log has been altered or not

3. EHR technology must enable a user to create an audit report for a specific time period and to sort entries in the audit log

4. EHR technology must be able to verify against a unique identifier(s) (e.g., username or number) that a person seeking access to electronic health information is the one claimed

5. EHR technology must be able to establish the type of access to electronic health information a user is permitted based on the unique identifier(s), and the actions the user is permitted to perform with the EHR technology[5]

While some EHR providers do meet some of these requirements, proper monitoring software fully covers ARRA HITECH's standards. It is especially important for healthcare providers to start meeting ARRA HITECH, as starting this year (2015), physicians who elect to not use an EHR will be penalized, starting with a 1% Medicare fee reduction.
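As an added illustration that is not part of this white paper or of any EHR vendor's product, the first three HITECH standards above (record actions, detect audit log alteration, report and sort by time period) can be met with a hash-chained audit log, and the same log can surface the self-administered entitlement change that the Epic, McKesson and Meditech sections describe. The user names, patient ids and event format are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash committed to by the first entry

# Constructed sample events (hypothetical users and patient ids, not real data).
SAMPLE_EVENTS = [
    {"ts": "2015-03-02T08:01:00Z", "actor": "nurse.kim", "action": "view_record", "target": "patient:1042"},
    {"ts": "2015-03-02T08:05:00Z", "actor": "admin.lee", "action": "entitlement_change",
     "target": "user:admin.lee", "detail": "role=all_patients"},
    {"ts": "2015-03-02T08:07:00Z", "actor": "admin.lee", "action": "view_record", "target": "patient:2201"},
    {"ts": "2015-03-02T09:30:00Z", "actor": "admin.lee", "action": "entitlement_change",
     "target": "user:dr.ross", "detail": "role=cardiology"},
]

def _digest(prev_hash, event):
    """SHA-256 over the previous entry's hash plus the canonical JSON form of this event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def record(log, event):
    """Append one user action (HITECH item 1); the entry commits to its predecessor's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    event = dict(event)  # private copy so later mutation of the caller's dict cannot rewrite history
    entry = {"event": event, "prev_hash": prev, "hash": _digest(prev, event)}
    log.append(entry)
    return entry

def build_log(events):
    log = []
    for ev in events:
        record(log, ev)
    return log

def verify(log):
    """Index of the first entry whose chain link is broken, or -1 if intact (HITECH item 2).
    Editing, reordering or deleting an entry changes the hash its successor expects."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def report(log, start, end):
    """Entries within [start, end] sorted by time (HITECH item 3). An entitlement change whose
    target is the acting administrator's own account is flagged for review."""
    lo, hi = _parse(start), _parse(end)
    rows = []
    for entry in sorted(log, key=lambda e: _parse(e["event"]["ts"])):
        ev = entry["event"]
        if lo <= _parse(ev["ts"]) <= hi:
            self_change = ev["action"] == "entitlement_change" and ev["target"] == "user:" + ev["actor"]
            rows.append((ev["ts"], ev["actor"], ev["action"], ev["target"],
                         "SELF_ENTITLEMENT_CHANGE" if self_change else ""))
    return rows
```

Running `report(build_log(SAMPLE_EVENTS), "2015-03-02T08:00:00Z", "2015-03-02T09:00:00Z")` returns three rows, with the 08:05 row flagged; `verify` returns -1 for the untouched log and the offending index once any entry is edited or removed.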


WHAT CAN BE DONE?

Now, it's time for some bad news and some good news. The bad news is that even if you were to implement every practice outlined above, your organization would still not be fully protected. While we strongly recommend the serious consideration of every suggestion we've described, none of them are iron-clad.

For example, profiling business users and data is difficult, especially as businesses are dynamic and frequently changing; gaps will inevitably remain. Restricting unnecessary access to data is critical, but ultimately, many business users will still need access to the company's most sensitive data. Restricting the use of dangerous applications is also crucial, yet dangerous applications will always be needed by some users, while other users will be able to find alternative applications not on your "block list." And no matter how complex your passwords are, and how well you train your employees to protect them, they will always be vulnerable to the most sophisticated and determined hackers.

Now, the good news: insider threat monitoring & prevention is a comprehensive user-focused security solution that covers all the gaps left after you've done everything else you can. This is because when you know exactly what every user is doing in critical applications and data on every desktop in the organization, you will be able to immediately detect dangerous, unauthorized and out-of-policy user activity, and you will be able to stop it in its tracks. You will also be able to quickly and accurately determine, after the fact, exactly who did what with your sensitive data and applications, when and how.

OBSERVEIT – INSIDER THREAT MONITORING & PREVENTION

ObserveIT helps over 1,600 organizations identify and eliminate insider threats. ObserveIT provides the technology to capture all user activity across all applications, even applications that do not generate logs, and converts screenshots into user activity logs that make it easy to search, analyze, audit and act upon alerts for suspicious application users, admins and external vendors who have authorized access to an organization's data.

INSIDER THREAT DETECTION

Rely on hundreds of carefully calibrated, out-of-the-box Insider Threat Rules that provide insight into many insider threat vectors. Coupled with insider threat intelligence and reporting, ObserveIT will enhance security operations and regulatory compliance.


OBSERVEIT DASHBOARD

INSIDER THREAT PREVENTION

Reduce risk with real-time user notifications and blocking. Directly enforce company security policy—automatically and in real time—to promote security awareness and prevent insider threats. ObserveIT enables the ability to warn users against proceeding with actions that violate policy, as well as the ability to block actions altogether. This will reduce non-compliant actions and help stop insider threat incidents before they can progress.


VISUAL CAPTURE AND ACTIVITY ANALYSIS

Playing back a user session shows exactly what occurred on screen during the session. The software transcribes every user session into an easy-to-read user activity log and DVR-like capture. Clicking on any particular event in the log launches the video playback from that exact moment. This activity analysis is also used to generate real-time user activity alerts and reporting.

SESSION CAPTURE

USER ACTIVITY ANALYTICS

ObserveIT captures detailed session activity data and displays this information in an activity profile. Administrators, IT security officers and auditors can easily view a baseline of activity and have rapid access to:

• Names of applications run

• Titles of windows opened

• Accounts

• System Access

• URLs accessed via browsers

• Text typed, edited, pasted, selected, auto-completed, etc.

• Commands and scripts run in the CMD console


Every resulting search hit is linked directly to the portion of the session capture where the action occurred. This makes it incredibly easy to find the exact moment that any particular action was performed. Additionally, ObserveIT natively integrates with major SIEM tools, ticketing systems, log management applications, and more to provide a holistic view of the organization's IT security.

USER ANALYTICS

SUMMARY

ObserveIT works with 1,600+ organizations worldwide and is trusted on millions of endpoints across every major vertical. Organizations are mobilizing to deal with all manner of Insider Threat Risk. ObserveIT has spent more than 10 years helping enterprises assess and carry out investigations of intentional and unintentional insider threats within their systems. ObserveIT is the only insider threat monitoring and prevention solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration.
