Security Investigation


In compliance with the HIPAA Security Rule, covered entities should have a procedure in place when a security investigation is to be conducted. Examples of when a security investigation may be appropriate are listed below.

 

Patient Privacy Complaint

Results of a Periodic Security Review

Discovery of suspicious activity outside the EHR (e.g. on an email server or at the firewall)

VIP procedure may call for an immediate audit of a patient’s chart.

 

When conducting an investigation, very little may be known at the outset. It may therefore be necessary to first look broadly, identify events that could be considered suspicious, and then research the details of those events. Most investigations begin with one of three starting points: a patient identifier, a user identity, or the data that was compromised.

 

A patient identifier could be anything from a Medical Record Number to a Social Security Number. Before using the security audit log, it is recommended that the Person Profile ID be obtained and used as the comprehensive patient identifier in the system.

 

A user identity could be anything such as a name, initials, employee number or login. The audit log may be searched by Login or by User's Name (display name). Keep in mind that some users may have more than one login, and that the display name may be a nickname.

 

The data compromised would be the area of the patient's chart that was accessed. Examples include Diagnosis, Lab, Medication and Rad. The audit log may be searched by Description to pinpoint changes made to a specific area of the system by such categories.

Below are recommendations for initiating the investigation process with either a patient identifier or a user identity.

Example 1

Begin investigation with a patient identifier.

 

1. Use the given patient identifier to obtain the Person Profile ID.

2. From the Security Audit Log screen, define a date range and enter the Person Profile ID in the Profile field.

   a. Searching by Person Profile ID pulls all visits associated with the Person Profile that were accessed during the date range, including visits that predate the range.

3. Use the Description field in the auditing parameters to search for a particular category of data (e.g. Diagnosis, Lab, Medication, Rad).

   a. The Description field uses contains logic (substring matching), which simplifies the search.

Example 2

Begin investigation with a user identity.

 

1. Use the given user identity to obtain the Login or User's Name.

2. From the Security Audit Log screen, define a date range and enter the Login and/or User's Name.

   a. The User's Name field uses contains logic, so searching by "beth" returns results for users with names such as Bethany, Elizabeth and Beth.

   b. The Login field accepts the "*" wildcard character, so events by users with multiple logins can be found easily. For example, john* will find events for john, john1, johna and john12.

3. Use the Description field in the auditing parameters to search for a particular category of data (e.g. Diagnosis, Lab, Medication, Rad).

   a. The Description field uses contains logic (substring matching), which simplifies the search.
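As an added illustration of the matching rules used in Example 1 and Example 2 above (this is not the Security Audit Application's own code), the following Python filters a constructed export of audit events the way the Profile, Login, User's Name and Description fields do: exact match on Person Profile ID, "*" wildcard on Login, contains logic on User's Name and Description, and a date range applied to when the access occurred rather than to the visit date. The record layout, field names and sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase


@dataclass
class AuditEvent:
    """One audit log record. Constructed layout; not the product's real schema."""
    accessed_on: date   # when the chart was accessed (the date range applies to this)
    profile_id: str     # Person Profile ID
    visit_date: date    # date of the visit that was opened (may be much older)
    login: str          # the user's login
    user_name: str      # display name, which may be a nickname
    description: str    # area of the chart touched, e.g. "Lab Result Viewed"


# Constructed sample export used for the demonstration.
SAMPLE_LOG = [
    AuditEvent(date(2024, 3, 2), "P1001", date(2021, 6, 14), "john1", "John Smith", "Lab Result Viewed"),
    AuditEvent(date(2024, 3, 3), "P1001", date(2024, 3, 3), "beth", "Bethany Jones", "Diagnosis Added"),
    AuditEvent(date(2024, 3, 4), "P2002", date(2024, 3, 4), "ejones", "Elizabeth Jones", "Medication Ordered"),
    AuditEvent(date(2024, 1, 9), "P1001", date(2024, 1, 9), "johna", "John Adams", "Rad Report Viewed"),
    AuditEvent(date(2024, 3, 5), "P3003", date(2024, 3, 5), "johnson", "Mary Johnson", "Lab Result Viewed"),
]

# Constructed investigation window (start, end), inclusive.
REVIEW_WINDOW = (date(2024, 3, 1), date(2024, 3, 31))


def search_audit_log(events, start, end, profile_id=None, login=None,
                     user_name=None, description=None):
    """Apply the date range to access time, then each optional field matcher."""
    hits = []
    for ev in events:
        if not (start <= ev.accessed_on <= end):
            continue  # out of range; note visit_date is deliberately not checked
        if profile_id is not None and ev.profile_id != profile_id:
            continue  # Profile field: exact Person Profile ID
        if login is not None and not fnmatchcase(ev.login.lower(), login.lower()):
            continue  # Login field: "*" wildcard, e.g. "john*"
        if user_name is not None and user_name.lower() not in ev.user_name.lower():
            continue  # User's Name field: contains logic
        if description is not None and description.lower() not in ev.description.lower():
            continue  # Description field: contains logic
        hits.append(ev)
    return hits
```

Because the wildcard matches any trailing characters, john* also returns the unrelated login johnson in this sample, so wildcard hits should be confirmed against the display name before drawing conclusions.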