Using Big Data to Audit Access to Patient Data and Beyond
Middlesex Hospital, located in Middletown, Conn., is in the anticipation business. And thanks to analytics software, business is starting to get good.
Auditing who is accessing patient data in an electronic health record (EHR) is a requirement for hospitals attesting to Stage 2 of meaningful use under the Health Information Technology for Economic and Clinical Health Act (HITECH). It’s also required under the Health Insurance Portability and Accountability Act (HIPAA). Many organizations, such as Middlesex Hospital, are beginning to invest into data analytics software tools for compliance.
Middlesex, a community hospital with approximately 200 beds, two offsite emergency departments, a family practice, and nine primary care facilities, has always considered technology to be one of the pillars of the company. It has invested in Cerner (Kansas City, Mo.) for an inpatient EHR, eClinicalWorks (Westborough, Mass.) for primary care and multispecialty, and McKesson (San Francisco) for home care. It also has a homegrown system that acts as a health information exchange (HIE) across multiple departments and specialties.
However, with those HITECH and HIPAA regulations around protected health information (PHI) access, those EHR investments are no longer good enough. For the Cerner and the homegrown systems, Middlesex has begun to use an analytics tool from Splunk (San Francisco) that allows them to see who is accessing patient data and consolidate audit logs.
“If you are attesting to Stage 2 of meaningful use, (auditing access to PHI) not a ‘nice to have’ it’s a ‘need to have.’ The requirement is you need to audit all of your systems and it has to be a certified product to do so,” says Richard Schubach, Middlesex Hospital’s director of information technology. “As far as we’re concerned, simplicity is key.”
Every system vendor had its own recommendation for which company they should use to audit this patient access data. Cerner, which has the hospital’s biggest application, has products they recommend specifically for auditing. “But that was just for Cerner,” Schubach says. “We’re an outlier for Cerner customers in that we use other applications.”
Middlesex needed something that worked for those different systems. The company had used Splunk to help with network operations previously and thus knew the software would be simple and effective, says Schubach.
One of the reasons why it’s simple is that the software doesn’t need any structured data to ingest, explains Ant Lefebvre, Middlesex Hospital’s senior systems engineer. It can take any kind of data, and as long as someone keys some of the values that is in that data, and produces reports and audits. It also can take this data from various types of data silos, not just patient files.
“The fact we’re getting information from different systems, (the system) doesn’t care,” says Lefebvre. “If we get information from two different EHRs, as long as we know which log values are the patient, which are the medical record number, and who happens to be the user, you can take that information and put it into a single dashboard that shows us what’s being accessed.”
Having these logs consolidated not only saves time in the short term, but it allows Middlesex IT leaders to see trends over time. These trends give them a better idea of where they may have had gaps in their security environment, says Lefebrve. Already, it has done its job in one instance.
“Since we brought the system up in October, it has successfully captured the fact that someone was inappropriately accessing our system. We wouldn’t have normally been able to do that,” Schubach says.
Enabling this auditing capability across the enterprise is an ongoing process, says Lefebvre. Whether its client devices, phone systems, or a network, there are numerous systems and areas of the hospital that could be audited. Pretty much anything that can generate machine data, he says, Middlesex wants to use Splunk to audit. “If we can’t see what’s going on, we can’t troubleshoot what’s going on and what can’t make informed decisions about what to do next,” Lefebvre says.
Beyond that auditing aspect, Schubach similarly foresees a situation where this data can really be interpreted and analyzed for decision support, both from an IT and clinical perspective. “That’s a powerful tool for a small organization like us,” Schubach says.