Complying with HIPAA – The HALOCORE way

Medical records of patients are among the most sensitive types of data. Their loss or misuse affects not only the hospital but every individual patient whose PHI has been breached.

On 12 December this year, news portals carried the unsavory news of another data breach – this time affecting the electronic Protected Health Information (e-PHI) of many hundreds of patients whose records are held at the Pagosa Springs Medical Center in Colorado – a direct violation of HIPAA. It is understood that the organization did not deactivate a former employee’s username and password following termination of employment, thus effectively leaving him with access to confidential information – a clear case of inadequate access control.

A long story

Information Security Media Group states, “The case dates back to 2003, when Zhou, a licensed cardiothoracic surgeon, received notice that he was being dismissed from his job. On the day he received the notice, Zhou accessed and read his immediate supervisor’s medical records and those of other co-workers, according to prosecutors. For three weeks, he continued illegally accessing patient records, including those of celebrities, accessing the patient records system 232 times.” [1]

Well, while the case in point may not be a direct example of an insider threat, it does bring into focus the key question: how do you effectively protect sensitive data that is being downloaded?

HIPAA in the light of SAP BusinessObjects Business Intelligence

HIPAA sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The act contains a ‘Privacy Rule’ and a ‘Security Rule’, which, respectively, protect the privacy of PHI and set standards for the security of e-PHI. Taken together, these rules establish national standards for how companies working with sensitive patient data must ensure that data’s confidentiality, availability, and integrity.

The case of a US university hospital

A popular university hospital that was recently working on influenza research created a data universe in BO containing all hospital influenza cases and vaccination history. This database was made available to a large number of researchers working on a project to correlate vaccination percentage with reported flu instances and to study other flu-related correlations.

Obviously, the hospital had to ensure 100% compliance with HIPAA, as this universe contained sensitive patient records.

Can HALOCORE help to meet HIPAA compliance?

A definite yes. The hospital installed SECUDE’s HALOCORE to audit all access and block this information from being exported from SAP applications.

When users from the influenza research group accessed Web Intelligence reports pertaining to that particular universe, the activity log generated by HALOCORE captured those events for auditing purposes.

Moreover, using the Block feature, researchers were able to view this information within their Web Intelligence platform but could not download it to their local computers. Export access was granted only to management-level researchers, to prevent unwanted information disclosure.

Interested to know more about HALOCORE? You can read more about this solution here.

Reference

[1] HIPAA Violation Leads to Prison Term

[2] HIPAA Case: Hospital Fined for Ex-Employee’s Access to PHI
