April 9, 2012

Clinic Uses Tracking Software as HIPAA Tool
By Robert J. Murphy
For The Record
Vol. 24 No. 7 P. 30

Tennessee’s McKenzie Medical Center resourcefully implemented user-monitoring software after managers at the 300-employee clinic noticed diminished productivity despite high computer bandwidth usage. Not only did they identify more than $18,000 worth of wasted time as employees engaged in non–work-related activities, they also used the application to investigate employees suspected of HIPAA violations, exonerating most of them.

Numerous scenarios may fuel suspicion of a HIPAA violation, says Nathan Hacker, an IT security officer at McKenzie. Most violations involve employees looking at a patient’s chart for reasons unrelated to the employee’s job responsibilities.

“A scenario you might run into, for instance, is a lady who is an employee here, and her daughter is dating this guy and then they break up,” Hacker says. “And so [the employee] starts looking through her daughter’s ex-boyfriend’s medical information, seeing if she can get some dirt on him, so to speak.”

Sometimes people’s natural curiosity can cause trouble. “You might have a situation where maybe something appears in the local paper, someone dies mysteriously, and perhaps it’s a patient that’s staying at the clinic,” Hacker says. “Some people may be interested to get in there and just be a little nosy, see why they were there, or whom did they see last when they were here.”

How It Works
McKenzie uses SpectorSoft’s Spector 360, one of several similar user-tracking applications on the market, to monitor, capture, and analyze user and user group activity, according to the Vero Beach, Florida, company’s website. Examples include e-mail exchanges, chats/instant messaging, websites visited, applications and programs accessed, Web searches, file transfers, and data printed or saved to removable devices.

Organizations can use Spector 360 for multiple functions: to track and enforce acceptable use policies, protect intellectual property and trade secrets, identify security breaches and risks, monitor and audit compliance requirements, and benchmark user productivity.

The software distinguishes between what is considered active and focus time, which reveals whether an application is opened and left idle or whether it’s open and actively being used. This helps not only in maximizing productivity and improving training but also in gathering metering data.

Analyzing Data
When all of Spector 360’s functions are operating, organizations can collect a mass of data, most of it “white noise.” Are there human resources costs to consider when deciding how extensively to use the software? Does someone have to stare at a screen all day and monitor these data?

Not really, says Hacker. “The interface and the way the data are presented, it’s pretty straightforward,” he explains. “It’s usually not the situation where you are required to sit there 24/7 constantly going over people’s data. For instance, Internet usage. There are quick-view panels where you can see the top 100 most accessed websites over a certain period. That helps me see at a glance if there is misuse of the Internet.”

Instant keyword alerts and thorough audit trails allow access to critical organizational matters. Keyword alerts, which can be customized, signal instances when a user’s activity calls for attention. The function that generates administrator alert trails and control center activity reports ensures that all data changes are captured and displayed graphically before and after they were made.

Despite the tool’s intense tracking abilities, Hacker says no one comes to work each morning bracing for a witch hunt. Before digging deep into the data, security officers must receive a request from a department manager. A recent investigation of 30 individuals suspected of viewing a patient chart exonerated all but one.

Risky Business
When using Spector 360, IT administrators must balance optimal functionality with a user-monitoring application that satisfies their need to protect against HIPAA violations and boost productivity.

“One of the things that makes this [software] a little unique is that it has something that we haven’t seen anywhere else. It does things like capture keystrokes,” says Chris Apgar, CISSP, president of Apgar & Associates, a consulting firm specializing in privacy issues.

Capturing such vast amounts of data requires what Apgar calls an “ultrasecure” application. “If I were tracking that kind of information—say keystrokes as an example—I would want more than just a password,” he says. “I would want a strong password, and I would want some other kind of identification such as a smart card or biometrics.”

Apgar says the chief downside to a sophisticated user-activity monitoring program is that the more data you collect, the greater your legal risk if an audit uncovers incriminating data that have been collected but not analyzed.

“I can collect all the data I want and look at it, and I have not only a civil legal risk because there may be something out there that is a breach and I didn’t look at it so I didn’t know it was there, but I also have regulatory risk because HIPAA requires that I look at all those things. And the more stuff I have turned on, the more I have to look at and the more I have to track,” he says.

The Big Brother Effect
With the privacy of patient information being such a top-of-the-mind topic in the healthcare industry, it’s easy to surmise that healthcare staff would expect management to be monitoring their activities. Still, McKenzie employees are notified at the outset that their Internet and other computer usage will be monitored.

Such oversight not only helps prevent potentially devastating breaches, but it also may boost productivity by making sure staff are not taking care of personal business on company time.

“If someone has gone to the bank [online] or they’re paying their bills online or something that’s obviously not business or patient related, it’s something that’s addressed at the time,” says Don Page, McKenzie’s IT manager and security officer. “But it’s not like 1984, George Orwell.”

For staff with a pressing need to send an e-mail or access a website, there are four computers in McKenzie’s cafeteria available for general use.

Whose Job Is It Anyway?
With mountains of data to sort through, smart managers must pursue the most promising leads and the most risky activities while searching for the proverbial needle in the haystack. Consider it sort of a computer misuse triage.

“While you’re on the clock, you’re working for our company,” Page says. “I don’t like reading people’s e-mails, but if something comes in and says, ‘Your purchase on eBay,’ I could look at that. But there’s too many other things going on around here for me to read people’s e-mails on a constant basis.”

Ultimately, an organization’s IT security essentially comes down to its people. “It’s not the fact that we don’t have good technology,” Apgar says. “Technology helps, but it is a tool.”

Mindful employees take it from there.

— Robert J. Murphy is a freelance writer based in Philadelphia.