Web Exclusive Report: Strategizing Around Data Security Vulnerability

Speaking Wednesday at a webinar hosted by FairWarningAudit.com, McMillan noted that two final rules issued this month under the federal Health Information Technology for Economic and Clinical Health (HITECH) Act and a proposed rule for a revision to the Health Insurance Portability and Accountability Act (HIPAA) will compel CIOs to take a closer look at how data is use within their organizations. The new regulatory environments created by changes under HITECH and HIPAA have log management and audit requirements associated with them, he said. “The bottom line is collecting information with regard to what our systems are telling us is going on in our environment and what our users are doing.”

“Almost every one of our healthcare organizations today has multiple regulatory requirements that they have to contend with,” McMillan said. “And they need a very robust ability to handle this.” In his view, that ability comes in the form of log management, which he said provides CIOs with real time insight into how data is being used. When combined with processes such as the ability to correlate data, log management will allow CIOs to take a much more proactive role in risk management in their environments. This provides a more accurate picture of how data is being used, providing tighter control as well as a way to educate users against behaviors that pose risk to the environment, he said.

The need for tight control of data has grown more critical with time. Data breaches reported to the Department of Health and Human Services’ office of Civil Rights (OCR) grew by 6 percent, to 80-plus breaches involving 500 records or more this year compared to last year, McMillan said. He added that the OCR has received “quite a few” notifications of smaller breaches as well. Large breaches and, depending on the circumstances, smaller breaches, make the healthcare provider a candidate for a compliance audit, said McMillan.

McMillan believes that one of the best ways that CIOs can maintain a good understanding of what is going on in their information systems and environments is to monitor the log information that is generated every time somebody does something in the information system. To make that work in a healthcare environment, most of which generate thousands of logs per second, an automated approach is necessary, he said. This represents a significant hurdle for many health providers. In 2008, according to McMillan, only 60 percent of health providers used some sort of automated logging system; in 2009, the percentage inched up to 64 percent.

“The idea that we can effectively collect, analyze, report and take action on our logging environment through a manual process is no longer valid,” said McMillan. “If we want to build a proactive environment that is going to inform and educate our security measures and our behaviors, we need to go to a more automated approach to collect those logs and use an effective correlation engine to crunch those data very quickly.” The payoff, he added, is the ability to highlight activities that are inappropriate or dangerous and take action on them in a direct and timely manner.