Marti Arvin, Executive Advisor for CynergisTek, sits down to talk about user access monitoring during the COVID-19 crisis: what organizations should be doing on a routine basis, and its importance during the crisis.
Links to stories:
You can view this episode in video format at https://youtu.be/4cW93dpmPDo.
Read Marti’s blog “User Access Monitoring in the Current COVID-19 Crisis”.
Welcome to CTEK Voices: The Risk Perspective. I’m your host, Lauren Freckle. Today I’m joined by Marti Arvin, executive advisor at CTEK. Marti is considered a subject matter expert in health care compliance, and today she’ll be discussing user access monitoring.
Hi Marti, thanks for joining us today!
Good morning, Lauren and hello, everyone!
The topic I want to talk about this morning is user access monitoring in the current time of the COVID crisis. It’s one thing that an organization should be doing on a routine basis and should have been doing prior to the crisis occurring and it may even be more important now that the crisis has occurred.
When you think about what you should have been doing or might have been doing pre-COVID, you should be thinking about, or have thought about, the idea that you want to evaluate what kind of access your users are making to any system that has electronic protected health information.
As you looked at those, you might have considered looking at whether co-workers were snooping on their colleagues, whether co-workers were snooping on family members, whether they were looking at high-profile individuals, or, if you’re doing it on a more reactive basis, looking at what someone might have done and whether or not an access was improper based on some sort of complaint or incident. None of that changes post-COVID when you think about your obligation; the regulatory provisions say that you’re obligated, if you’re a covered entity, to have a system in place to detect improper accesses or security violations, and you should be doing some sort of regular monitoring of your systems to determine whether there have been any security violations.
So, this would mean that you should be looking at what your users are doing on a regular basis. That’s what I refer to as proactive user access monitoring. Reactive user access monitoring is what I mentioned a moment ago, when you have an actual complaint or suspect an incident and you’re reacting to it. If you’re thinking, during this time of COVID, with everything else that you’ve got going on in your health care system, that you might want to set aside user access monitoring, I would recommend against that, and there are a couple of reasons for that.
First, the obligation is still there. The law has not changed; the Office for Civil Rights has not put out any sort of guidance indicating that during the COVID crisis they are going to suspend or not engage in regulatory enforcement for failure to detect and then actually appropriately respond to any sort of improper access or security violation.
The second is that in this time of crisis, where everyone is looking to determine whether they might be positive, or their family member might be positive or have been exposed, people might have increased curiosity. They might wonder if that co-worker who got put out for a two-week leave tested positive for COVID, because they might have had lunch with that co-worker. They might have been on a unit in the hospital or in the clinic with that co-worker, and they might be concerned for themselves.
That doesn’t give them the right to access that individual’s record, but again, in the higher-stress times that we’re currently under, people might be tempted to look. So, I would actually encourage you to continue the user access monitoring that you’ve been doing prior to the COVID crisis and the National Emergency being declared. Think about maybe adding and, in fact, upping it, because the temptation to look might be greater now than ever, because individuals are going to be curious and it’s a very stressful, very intense time.
So, as you think about this, remember your regulatory obligations have not gone away. Your users might be more curious than ever, and these are things that you might be considering even though it might be tempting to suspend that user access monitoring and not do as much as you’ve done pre-COVID.
Again, I hope you’ve liked this podcast. I hope you found it informative. I also have written a blog that you can find on the CynergisTek website on this topic, and I look forward to talking with you on other topics as the weeks progress. Thank you.
Awesome. Thank you so much, Marti, for that info.