Compliance Matters: User Access Monitoring, 5 Things You May Not Be Thinking About

A newsletter turned blog by Clearwater VP of Privacy and Compliance Services, Andrew Mahler

Welcome to Compliance Matters, a series that shines a light on important privacy/compliance topics and what’s on my team’s radar. In this issue, let’s dive into five things that may not have crossed your mind when your organization is thinking about effective user access monitoring and auditing.

If you like what you read, sign up to receive the Compliance Matters newsletter directly to your inbox whenever I release a new issue!

User Access Monitoring

I’d like to address a few often-overlooked questions you should consider when thinking about the effectiveness of your user access monitoring program…

  1. Are the monitoring program and work plan (alert types used, frequency of reviews, investigation, sanctions recommendations, etc.) included in the organization’s risk analysis? Regular risk analyses play a crucial role in setting the priorities of an organization’s user access monitoring and auditing function. User access monitoring is, in turn, one of the best inputs to that risk analysis: it tells you, close to real time, who is accessing patient information and why. Your plan for monitoring access to data should flow from the risk analysis, so that the alert types you run and how often you review them track the risks you have actually identified to the privacy and security of data within your environment.

  2. Are you performing proactive monitoring? Proactive monitoring means putting strategies in place to identify and prevent security incidents before they happen, or to catch them while they are happening, rather than only finding them in a retrospective audit months later. The goal is to pinpoint potential risks and vulnerabilities and then take active measures to address them in real time, not only after an incident has occurred.

  3. Are you monitoring privileged users? The sad truth is that individuals with higher-level permissions, such as system administrators or even those in leadership roles, can misuse that authority: taking deliberate, unauthorized actions, removing or stealing data, or using systems to view data they have no business reason to see. This point is especially important for users who have been granted elevated privileges temporarily: the monitoring should tie each elevated action to an active grant and its time window, not just to the account. And because administrators can often change or disable the very logs that record their activity, their actions should be captured in an audit store they do not control.

  4. Are you monitoring third parties? Organizations frequently provide access to their data to third-party vendors, partners, affiliates, or contractors for a variety of understandable reasons. It can be quite a challenge to keep an eye on what these parties are up to, especially when they are accessing large amounts of data. So I think it’s a good idea for us to review our vendor risk program as we think about effective user access monitoring. This way, we can make sure we’ve thoroughly evaluated the risks, categorized vendors appropriately, and incorporated the evaluation of third-party access (including volume-based alerts for vendor accounts) into our overall access monitoring efforts.

  5. Are you monitoring across platforms and applications? With the rise in the use of the cloud, mobile devices, and remote work, it’s important to expand the monitoring of user access beyond our traditional systems, such as the organization’s EHR. Organizations need to make sure that someone is keeping an eye on what users are doing across different platforms, because sensitive data may be maintained outside of the EHR, and it’s sometimes possible to make inferences about a particular patient based on data found in different systems. For example, think about systems that hold data about research subjects, as well as older, legacy applications that may still be in use by a small number of staff. And then there is the concept of “shadow IT”, when employees use technology or software without getting the green light from our IT department. This can leave gaps in our monitoring of user access, because the IT team might not even know about these systems or have the ability to see what users are up to within them.
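To make questions 3, 4 and 5 concrete, here is an added example of the kind of detection logic a user access monitoring program runs over audit events. It is not Clearwater’s tooling or any product’s code, and every system name, user, elevation grant, threshold and log record in it is constructed for illustration. It ingests events from two systems (an EHR and a research database) in one pass, flags privileged accounts touching patient records, flags elevated actions performed with no grant or outside the grant window, and flags third-party accounts reading an unusual number of distinct patients in a short window.

```python
"""Toy user-access-monitoring pass over constructed audit events.

Added example, not Clearwater's tooling. All systems, users, grants,
thresholds and log records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events from two systems (EHR and a research database),
# so that one pass covers access outside the EHR as well as inside it.
EVENTS = [
    # (timestamp, system, user, action, patient_id)
    ("2024-05-01T08:02:00", "ehr",      "nurse.kim",    "view_chart",   "P1001"),
    ("2024-05-01T08:05:00", "ehr",      "sysadmin.lee", "view_chart",   "P1002"),
    ("2024-05-01T09:10:00", "ehr",      "dr.osei",      "export_chart", "P1003"),
    ("2024-05-01T23:40:00", "ehr",      "dr.osei",      "export_chart", "P1004"),
    ("2024-05-01T10:00:00", "research", "vendor.acme",  "view_record",  "P1001"),
    ("2024-05-01T10:01:00", "research", "vendor.acme",  "view_record",  "P1005"),
    ("2024-05-01T10:02:00", "research", "vendor.acme",  "view_record",  "P1006"),
    ("2024-05-01T10:03:00", "research", "vendor.acme",  "view_record",  "P1007"),
]

PRIVILEGED_USERS = {"sysadmin.lee"}   # standing admin rights, no clinical need for charts
THIRD_PARTY_USERS = {"vendor.acme"}   # contractor accounts from the vendor risk program
ELEVATED_ACTIONS = {"export_chart"}   # actions that require a temporary elevation grant
# Temporary elevation grants: user -> (start, end). dr.osei's grant ends at 17:00.
ELEVATION_GRANTS = {
    "dr.osei": (datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 17, 0)),
}
BULK_THRESHOLD = 3                    # distinct patients that counts as "bulk" for a vendor
BULK_WINDOW = timedelta(minutes=10)   # ...within this sliding window


def parse(event):
    ts, system, user, action, patient = event
    return datetime.fromisoformat(ts), system, user, action, patient


def flag_privileged_access(events):
    """Privileged (admin) accounts touching patient records at all."""
    return [(u, p) for (_, _, u, _, p) in map(parse, events) if u in PRIVILEGED_USERS]


def flag_elevation_misuse(events):
    """Elevated actions performed with no grant, or outside the grant window."""
    hits = []
    for ts, _, user, action, patient in map(parse, events):
        if action not in ELEVATED_ACTIONS:
            continue
        grant = ELEVATION_GRANTS.get(user)
        if grant is None or not (grant[0] <= ts <= grant[1]):
            hits.append((user, patient, ts.isoformat()))
    return hits


def flag_third_party_bulk(events):
    """Third-party accounts reading >= BULK_THRESHOLD distinct patients within BULK_WINDOW."""
    by_user = defaultdict(list)
    for ts, _, user, _, patient in map(parse, events):
        if user in THIRD_PARTY_USERS:
            by_user[user].append((ts, patient))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            window = {p for t, p in rows[i:] if t - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                hits.append((user, len(window)))
                break  # one alert per account per pass is enough for review
    return hits


def run_all(events):
    """Run every check and return the alerts grouped by alert type."""
    return {
        "privileged": flag_privileged_access(events),
        "elevation": flag_elevation_misuse(events),
        "third_party_bulk": flag_third_party_bulk(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(name, hits)
```

On the constructed data this produces one alert per check: the admin viewing a chart, the export at 23:40 that falls outside the 09:00 to 17:00 grant, and the vendor account touching four distinct patients inside ten minutes. The thresholds are assumptions to be tuned from your own risk analysis; the part worth copying is the shape of the pipeline, where events from every system land in one place and each check is keyed to a question from the list above.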

Feel free to use the above five questions as guidance to help you identify and address potential privacy and security vulnerabilities within your organization (which is always the goal). I cover these in a little more context here.

At Clearwater, we’re committed to enhancing the privacy and compliance protocols of organizations like yours. Our team is here to support your efforts in safeguarding sensitive information and ensuring compliance with industry regulations. We’d love to assist. Let’s schedule a call to explore how we can help you achieve your mission.


Related Blogs

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.

The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Health Care Cybersecurity and Resiliency Act (HCCRA) of 2024 is yet another proposed bill aimed at strengthening the healthcare sector’s cybersecurity posture and resilience. It focuses on improving coordination between government organizations, updating cybersecurity standards, increasing breach reporting requirements, and providing grants to rural healthcare organizations that lack both the financial and human resources needed to address growing cybersecurity vulnerabilities and increasing threats.
