7/31/2019 Fair Warning Presentation
2010 FairWarning, Inc. Private and Confidential
Privacy Monitoring Solution Overview
United Kingdom & Europe
FairWarning's mission is to be the world's leading supplier of solutions which monitor & protect patient privacy in Electronic Health Records.
Streamline patient privacy investigations, reporting, and accounting of disclosures
Automate systematic audit log review of all applications
Alert on 100+ patient privacy scenarios with filtering.
Deters snooping, medical identity theft, identity theft
100+ ERs supported out-of-the-box
Out-of-the-box, in-production, massive scale, patents pending
See www.FairWarningAudit.com for detailed FairWarning to regulatory mappings.
Reactionary investigations
Delayed, inconsistent incident discovery
Manual, time consuming processes
Audit logs in stove pipes
Regulatory Investigations and Auditing
  Individual patients
  Individual user
  GP / Physician
  Consultant / contractors
  Random patients
  Random users
  Others

Detecting Snooping Patterns
  VIP Scenarios: Prominent government officials, celebrities
  Family member snooping
  Employee as patient snooping
  Executive snooping
  Neighbour snooping
  Break-the-glass functions
  Self examination
  Others

Detecting Identity Theft Patterns
  Sequential patient records
  Patient access thresholds
  Printed records thresholds
  Deceased patient records
  Discharged patient records
  Address changes
  Out-of-dept accounting, billing accesses
  Expired logins
  Simultaneous logins
  Other demographic changes
Other suites and supporting applications
New or in-house apps added in 1 day
~ 20 apps
~ 10 apps
~ 5 apps
Millennium
~ 8 apps
~ 6 apps
~ 4 apps
Client / Server
Magic
Major Suite Vendors
User information from business & identity applications
PeopleSoft
FairWarning Users
Privacy analysis, alerting, reporting
Patient privacy incidents detected by FairWarning optionally sent to SIEM
UCLA Medical Center is taking steps to fire at least 13 employees and is disciplining others, including doctors, for looking at the pop star's confidential files.

CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations

HITECH Act Means More Aggressive HIPAA Enforcement
Since the Health Insurance Portability and Accountability Act became law, enforcement has been a weak link. The number of covered entities that are in full compliance has been low, simply because the Department of Health and Human Services hasn't had much of an enforcement mechanism in place. But that was before the American Recovery and Reinvestment Act was signed.

'SCAM' GUY HIT 50,000 HOSP ID THEFT SPREE
employee charged with selling patient information as part of a wide-scale identity-theft ring illegally accessed nearly 50,000 patient files, prosecutors said yesterday.
Monitoring and Auditing Access to Confidential Information

6. The organisation should ensure that it has assigned overall responsibility for monitoring and auditing access to confidential personal information to an appropriate senior staff member, eg the Caldicott Guardian, IG Lead or equivalent. This member of staff should be responsible for ensuring that confidentiality audit procedures are developed and communicated to all staff with the potential to access confidential personal information. The procedures should include:
  how access to confidential information will be monitored;
  who will carry out the monitoring of access;
  reporting processes and escalation processes;
  disciplinary processes

7. The following are examples of events that the organisation should audit for frequency, circumstances, location etc:
  failed attempts to access confidential information;
  repeated attempts to access confidential information;
  successful access of confidential information by unauthorised persons;
  evidence of shared login sessions / passwords;
  disciplinary actions taken.
ROI - 10X reduction in privacy audit review time
[Chart: Inappropriate EHR Access - Confirmed Incidents. Annotations: January 2008, FairWarning Privacy Surveillance deployed; training and reprimands based on privacy surveillance]
Reviews reduced from 5 days / week to day / week
Personnel re-focused on training, education, research
Personnel re-focused on upcoming security projects
Other Audit Logs
FairWarning Users
  Browser based user access
  Role based access control
  Privacy, risk, security
McKesson Horizon, STAR Audit, Clinical & Physician Portal Audit Logs
SAN
Appliance access via Customer VPN
  FairWarning Administration
  Periodic fine-tuning
  Support & Maintenance
MEDITECH, ChartMaxx Audit Logs
Encrypted Archived Audit Logs
FairWarning Admin
  Browser based admin
  Shell access optional
Cerner, GE, Epic, Siemens, Eclipsys Audit Logs
Customer case studies: [email protected]
U.S. and Canada webinars on privacy monitoring: Click here
UK webinar on privacy monitoring: Click here
Privacy monitoring white paper: Click here
FairWarning compatibility with SIEMs white paper: Click here
Return on investment calculator: [email protected]
Comparison & evaluation forms: [email protected]
Planning & deployment guide: [email protected]