Three Steps to Help Manage Security Alert Overload

Transcription

1 BEST PRACTICES GUIDE Patient Privacy Protection Three Steps to Help Manage Security Alert Overload

2 Patient Privacy Protection 2 How many security alerts does your healthcare organization generate every day? One hundred? One thousand? More? These numbers are not unusual. It s also not unusual for healthcare organizations to have a single investigator responsible for patient privacy violations one who is likely overworked and overwhelmed. Take the lower end of the spectrum: say you have 100 security alerts per day. Then, assume you have one investigator, who can handle an average of fifty security alerts per day. That leaves 50 security alerts unaddressed every day. Is it any wonder that cyber crimes cost healthcare organizations an average of $2.4M a year? 1 There are simply too many alerts to handle! $2.4 M the average cost that cyber crimes cost healthcare organizations. The two biggest culprits driving security alert volume for healthcare organizations are web-based attacks and malicious insiders 1. But since most hospitals cannot hire dozens of investigators to examine each and every one of these alerts, what can be done? 1. Poneman Institute Fifth Annual Benchmarking Study on Privacy & Security of Healthcare Data,

3 Patient Privacy Protection 3 Where Are All The Alerts Coming From? When it comes to unauthorized data access, there are three main tools that generate alerts: Rules pinpoint known patterns of suspicious behavior with speed and efficiency. Rules are static in nature and can work with limited data points. Profiling identifies abnormal behavior for an employee based on their past behavior or the behavior of those in similar roles. Advanced Analytics (e.g., Predictive, Models, Scoring) extrapolate questionable behavior based on multiple data points and trending information. Advanced analytics are adaptive in nature and require a large volume of data points. Reduce Alert Volume The first step to reducing the ever-increasing volume of security alerts is to focus on patient risk. When you strip everything else away, that is what alerts are all about: they represent potential risk to your organization but more importantly your patients. A patient risk mindset takes into consideration such factors as: The amount of trust lost from your patients The negative impact on your organization s reputation Compliance and legal ramifications The effect on your organizations competitive position Having adopted a patient risk mindset, you need to put in place a filter to determine the risk category for each alert. This is done via a scoring system that evaluates the potential likelihood of a privacy data breach for a given event (e.g., does it represent a 5% or 90% chance of a privacy violation?) and the potential magnitude of a breach for a given event. Magnitude relates to the fact that not all alerts are created equal. An alert that signifies a potential theft of 100 patient records is more important than one that indicates a potential theft of 5.

4 Patient Privacy Protection 4 An unauthorized perusal of a celebrity s account where the information might be leaked to news-hungry media agents carries more weight than an employee conniving a look at a friend s patient record. A filter and scoring system, therefore, helps narrow down the number of alerts generated, and prioritizes high-risk transactions that have a significant likelihood of actually being a privacy violation. It is critical to understand, however, that the accuracy of such a scoring system and its efficacy in reducing the number of false-positive alerts is increased by connecting the dots across applications, systems, networks, and log files and correlating across multiple channels to reveal risky patterns. Patient security is like a puzzle: many pieces fit together to form a single picture. For that reason, if a risk score is assigned based solely on the information from one application interaction or data set, then it may not reflect the true risk involved. In detecting patient privacy violation, a combination of data points is much more than the sum of its parts. RULE: identifies a VIP patient access without a visit ANALYTICS: reveals multiple workers this week accessing this VIP patient PROFILE: shows this employee doesn t normally deal with VIP patients Data correlation and analysis reveal that the three alerts in combination result in a highrisk score demanding immediate investigation.

5 Patient Privacy Protection 5 Segment Alerts to Prioritize Actions Suppose you have determined that your investigator can handle 50 alerts a day. How do you decide which 50 get reviewed? There is one more necessary step: segmenting alerts by category. Without segmentation, you might simply take the top 10 alerts based on their risk score. The problem is that some alerts which deserve your attention may not make your top 10 list. For instance, what if an alert signifying unauthorized access to a patient record is buried farther down the list? Segmenting allows you to prioritize certain types of alerts over others (e.g., VIP Snooping alerts over Working After Hours alerts) to appropriately address patient risk. You may want your investigator to review every alert from one category but only the top 10% from another. Over 90% The percentage of healthcare organizations have experienced a data breach over the last two years 2 By evaluating the patient risk associated with each segment and combining that information with the risk scores for the alerts themselves, you can determine which alerts should claim priority processing each day. Viewing alerts in this way helps investigators move away from asking, How fast can I process this mountain of alerts? to inquire instead, Where is my time best spent to protect the interests of the patient and the organization? 2. Poneman Institute Fifth Annual Benchmarking Study on Privacy & Security of Healthcare Data,

6 Patient Privacy Protection 6 Get More from Your Investigators Scoring and prioritization help investigators focus on the most important alerts but is it possible to actually increase the number of alerts investigators can handle in a given day? After all, if an investigator can review 200 alerts instead of 50, your organization s risk profile is enhanced. With the right tools and processes, the answer is Yes. For instance, consider the skill, complexity, and time involved in a typical patient privacy data breach investigation. An investigator needs to understand what different data points mean, identify the important pieces of data for a given alert, cross-check other systems for confirmation, establish connections between various data points, etc. But what if you could give your investigator a tool that would consolidate information (alleviating the need to maneuver between multiple systems) and contextualize information (giving meaning to bare data points)? By placing all the information an investigator requires at their fingertips, they would have a complete picture of the situation significantly increasing the speed and accuracy of investigations. The right tool can also speed alert handling by managing workflow. An investigation may need to follow a compliance process or have input across multiple departments from Human Resources, Legal, or Finance, for example. But when the investigator transfers the file to the next person, it can be effectively lost in transit. A good workflow tool will track each case from initiation to conclusion, sending reminders when necessary to keep the file moving, and providing management with complete visibility into the caseload. Search capabilities are another critical tool for investigators. For instance, an investigator may know that a privacy violation has been perpetrated on a certain patient record, but not know how or by whom. A solution that has a Google-like search will help them quickly find what they are looking for, while screen-by-screen replay will then give them visibility into every activity that has taken place for that patient record, along with who performed the activity, step by step. They can then determine if a single employee was involved in the violation, or if two or more people were acting in collusion.

7 Patient Data Security 7 Lower Your Organization s Risk Profile & Increase Patient Privacy Managing security alerts effectively is critical as you seek to protect your patients privacy, your organizations reputation and compliance position. By translating security alerts into patient risk and appropriately scoring, categorizing, and segmenting them, you can identify the top priorities for your investigation team, focusing their attention and concentrating their efforts where it will have the greatest impact on your company s risk profile. This, coupled with tools that can shorten case cycle time and improve the quality of investigations, will enable you to manage security alerts of your patient s data efficiently and with confidence. Is your privacy and data security solution able to stand up to the evolving threat landscape? Find out how you can stay ahead with this informative video. To learn more about privacy and data security solutions, visit Bottomline at or contact: Phone: info@bottomline.com About Bottomline Technologies Bottomline Technologies (NASDAQ: EPAY) powers missioncritical business transactions. We help our customers optimize financially-oriented operations and build deeper customer and partner relationships by providing a trusted and easy-to-use set of cloud-based digital banking, fraud prevention, payment, financial document, insurance, and healthcare solutions. Over 10,000 corporations, financial institutions, and banks benefit from Bottomline solutions. Headquartered in the United States, Bottomline also maintains offices in Europe and Asia-Pacific. Corporate Headquarters Portsmouth, New Hampshire USA info@bottomline.com Copyright Bottomline Technologies, Inc. All rights reserved. Bottomline Technologies and the BT logo is a trademark of Bottomline Technologies, Inc. and may be registered in certain jurisdictions. All other brand/product names are the property of their respective holders. REV