Periodic Security Review
At the EHR application level, the Periodic Security Review focuses on ensuring that Rule Based Security and other technical controls are working as designed and that access to sensitive information contained in the Thrive EHR is appropriate.
Below are recommendations for using the Security Audit Log as a part of a Periodic Security Review.
Example 1
Monitor user queries by patient name.
1. From the Security Audit Log screen, define a date range and set the Action equal to Query.
a. Count the number of queries per user. Is any user's count excessive?
b. Count how often a particular patient name is queried. Is it excessive?
2. Continue the investigation if the results show excessive or suspicious behavior.
Example 2
Monitor PHI that is exported from the EHR.
1. From the Security Audit Log screen, define a date range and set the Action equal to Copy.
2. Sort the output by Description. The description shows what was exported from the EHR.
a. Interface exports appear in this list under the login IMS.
3. Continue the investigation if the results show excessive or suspicious behavior.
Example 3
Monitor PHI that is printed (hard copy) from the EHR.
1. From the Security Audit Log screen, define a date range and set the Action equal to Print.
2. Sort the output by Description. The description shows which report was printed from the EHR.
a. Interface printing appears in this list under the login IMS.
3. Continue the investigation if the results show excessive or suspicious behavior.
Example 4
Monitor access to patient demographic information.
1. From the Security Audit Log screen, define a date range and set the Action equal to Access and the Program equal to XCNROOT2.
a. Review the results. Are there users listed who should not access Demographics?
2. Acquire a sample of 5-10 confidential accounts, and run the Security Audit Log screen for each Account number with the Program equal to XCNROOT2.
a. Is the access to the confidential patient excessive or unnecessary?
3. Continue the investigation if the results show excessive or suspicious behavior.
Example 5
Monitor access to the POC Virtual Chart.
1. From the Security Audit Log screen, define a date range and set the Action equal to Access and the Program equal to XNSVCROOT.
a. Review the results. Are there users listed who should not be viewing the POC Virtual Chart?
2. Continue the investigation if the results show excessive or suspicious behavior.
Example 6
Monitor access to other areas of the system.
1. From the Security Audit Log screen, define a date range and set the Action equal to Access and the Program equal to the area being monitored. See the PHI Category table below for a list of program names that may be used to review access to PHI.
a. Review the results. Are there users listed who should not be viewing the data?
2. Continue the investigation if the results show excessive or suspicious behavior.
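The six examples above are the same filter (date range, Action, optionally Program and Account) followed by a count or a role check. The script below is an added example, not part of the Thrive documentation, that applies those steps offline to an exported copy of the Security Audit Log. The sample rows, the column names, the login-to-department map and the thresholds are all constructed assumptions for illustration; the program names and expected departments come from the PHI Category table on this page.

```python
from collections import Counter
from csv import DictReader
from io import StringIO

# Constructed sample export. The column names are an assumption for this
# example; use the headers your own Security Audit Log export carries.
SAMPLE_LOG = """\
date,login,action,program,account,description
2024-03-04,jsmith,Query,XCNROOT2,,SMITH JOHN
2024-03-04,jsmith,Query,XCNROOT2,,SMITH JOHN
2024-03-04,jsmith,Query,XCNROOT2,,DOE JANE
2024-03-05,jsmith,Query,XCNROOT2,,SMITH JOHN
2024-03-05,mlee,Query,XCNROOT2,,SMITH JOHN
2024-03-05,mlee,Query,XCNROOT2,,ROE RICHARD
2024-03-05,rpatel,Copy,XMRROOT,1001,Discharge Summary
2024-03-05,IMS,Copy,XISGEN,1002,Claims batch
2024-03-06,mlee,Print,XCNROOT2,1003,Face Sheet
2024-03-06,tkim,Access,XCNROOT2,1001,
2024-03-06,jsmith,Access,XCNROOT2,1001,
2024-03-07,tkim,Access,XNSVCROOT,1002,
2024-03-07,jsmith,Access,XNSVCROOT,1003,
"""

# Constructed login -> department map; in practice take this from user
# administration or HR, never from the audit log itself.
USER_DEPT = {
    "jsmith": "Patient Intake",
    "mlee": "Health Information Management",
    "rpatel": "Health Information Management",
    "tkim": "Nursing",
}

# Two rows of the PHI Category table: program -> departments expected to use it.
EXPECTED_DEPTS = {
    "XCNROOT2": {"Patient Intake", "Health Information Management",
                 "Billing", "Business Office"},
    "XNSVCROOT": {"Nursing"},
}

INTERFACE_LOGIN = "IMS"   # interface traffic is logged under this login


def load_log(text):
    return list(DictReader(StringIO(text)))


def select(rows, start, end, action, program=None, account=None):
    """The same filters the Security Audit Log screen offers."""
    return [r for r in rows
            if start <= r["date"] <= end          # ISO dates compare as text
            and r["action"] == action
            and (program is None or r["program"] == program)
            and (account is None or r["account"] == account)]


def query_counts(rows, start, end):
    """Example 1: Query actions counted per user and per queried name."""
    hits = select(rows, start, end, "Query")
    return (Counter(r["login"] for r in hits),
            Counter(r["description"] for r in hits))


def excessive(counter, threshold):
    """Entries at or above a threshold you set from your own normal volume."""
    return {key: n for key, n in counter.items() if n >= threshold}


def exported_items(rows, start, end, action, include_interfaces=False):
    """Examples 2 and 3: Copy or Print hits sorted by description; the IMS
    interface login is left out unless asked for."""
    hits = select(rows, start, end, action)
    if not include_interfaces:
        hits = [r for r in hits if r["login"] != INTERFACE_LOGIN]
    return sorted((r["description"], r["login"]) for r in hits)


def unexpected_access(rows, start, end, program):
    """Examples 4-6: logins that accessed a program from a department the
    PHI Category table does not list for it (unknown logins count as unexpected)."""
    allowed = EXPECTED_DEPTS.get(program, set())
    hits = select(rows, start, end, "Access", program=program)
    return sorted({r["login"] for r in hits
                   if USER_DEPT.get(r["login"]) not in allowed})


def account_access(rows, start, end, account, program):
    """Example 4 step 2: who touched one sampled confidential account."""
    hits = select(rows, start, end, "Access", program=program, account=account)
    return Counter(r["login"] for r in hits)


ROWS = load_log(SAMPLE_LOG)

if __name__ == "__main__":
    start, end = "2024-03-01", "2024-03-31"
    by_user, by_name = query_counts(ROWS, start, end)
    print("heavy queriers:", excessive(by_user, 3))
    print("heavily queried names:", excessive(by_name, 3))
    print("copied:", exported_items(ROWS, start, end, "Copy"))
    print("printed:", exported_items(ROWS, start, end, "Print"))
    for program in EXPECTED_DEPTS:
        print(program, "unexpected:", unexpected_access(ROWS, start, end, program))
    print("account 1001 via XCNROOT2:", account_access(ROWS, start, end, "1001", "XCNROOT2"))
```

Two points of design worth keeping when you adapt this to a real export: the department map must come from an authoritative source outside the EHR audit trail, otherwise a user who changed their own profile would pass the check, and a login missing from that map is treated as unexpected rather than silently allowed. The thresholds in `excessive` are deliberately not hard-coded anywhere else; set them from a baseline of your own facility's normal volume before treating a count as suspicious.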
PHI Category | Expected Users | Program Name
Clinical Documentation | Physicians (Clinic Setting, EDIS) | clindoc
Clinical Monitor Review Screen | Physicians | sharedClinMonitorRev
Computerized Physician Order Entry (CPOE) | Physicians | cpoe
E-Forms Documentation | Nursing | XEFRTSELECT
Electronic Prescription | Physicians | rx
Home Health Patient Information | Home Health | XHMROOT2
Insurance Claim Information | Billing, Claims Editors | XISUPCLM
Insurance Claims Generated | Billing | XISGEN
Insurance Claims Generated from a specific account | Billing | XISCGEN
Laboratory Results | Laboratory, Nursing, Physicians, Members of Patient Care Team | laboratory
Looking up Patient in Charts Application | Physicians, Nursing | wb
Medical Records Procedures List | Health Information Management, Coders | mrProcedureListScr
Medication Reconciliation | Physicians, Nursing | medrec
New Pharmacy Order | Nursing, Pharmacy | XPCNIVORD
Non IV Orders | Physicians | cpoeNonivOrderScreen
Nursing Order Entry | Nursing | poccpoe
Order Entry Laboratory Result Edit Screen | Laboratory | oe_lab_result_edit
Patient Alerts Screen | Physicians, Nursing | patient_alerts
Patient Allergies | Care Team, Nursing, Physicians, Patient Intake | patAllergies
Patient Allergy List | Care Team, Nursing, Physicians, Patient Intake | allergy_list
Patient Ancillary Orders | Physicians, Nursing | ancillaryOrderDetail
Patient Billing, Insurance, Claims | Business Office, Billers | XISROOT
Patient Charge Item Review | Physicians, Nursing, Billing, Business Office | charges
Patient Charging | Business Office | XCGROOT2
Patient Charts – Order Chronology | Physicians, Nursing | orderChronology
Patient Clinical History | Physicians, Nursing, Health Information Management, Members of Patient Care Team | patCH
Patient Demographics (Census) | Patient Intake (Registration), Health Information Management, Billing, Business Office | XCNROOT2
Patient Diagnosis Menu | Health Information Management, Physicians, Nursing | patient_diagnosis_menu
Patient Education Documents | Nursing | patEducation
Patient eMAR | Nursing, Physicians | marmain
Patient Functions Screen (CW4 Access) | Patient Intake, Health Information Management, Ancillary Departments, Business Office, Billing | XBAROOT
Patient Health History | Physicians, Nursing | health_history_menu
Patient List of Problems | Physicians, Nursing, Health Information Management | problist
Patient Medical Records | Health Information Management, Coders | XMRROOT
Patient Medical Summary | Health Information Management | pat_med_summaries
Patient Medication Administration Screen | Nursing | marmedadmin
Patient Order Entry (CW4) | Ancillary Departments | XOEROOT
Patient Order Review | Ancillary Departments such as Laboratory, Radiology | XRGROOT
Patient Order Verification Screen | Nursing | order_verify_patient
Patient Plan of Care | Physicians, Nursing | planofcare
Patient Profile Demographics | Health Information Management, Patient Intake, Business Office, Billing | XARCOMM
Patient Scheduling (EWS) | Schedulers, Patient Intake, Nursing | XESROOT
Pharmacy Temporary Orders | Pharmacy | XPCMAIN
Physician Documentation | Physicians (Inpatient Setting) | physdoc
Physician Esigned Orders | Physicians | cl_xespre.cbx
Physicians Query | Physicians, Health Information Management, Coders | physician_query
POC Nursing Pharmacy | Nursing | XNSPHAR
Point of Care Virtual Chart | Nursing (Inpatient Setting) | XNSVCROOT
Prescription Writer Edit Screen | Physicians | rx_edit
Problem Diagnosis Screen | Physicians, Nursing, Health Information Management | probdiag
Quality Improvement Patient Information | Nursing, Health Information Management | XQIROOT
Specific information regarding patient problem | Physicians, Nursing, Health Information Management | probdetail
Temporary Registration | Nursing | tempreg
PHI Category Table