West Virginia United Health System is taking an aggressive stance against inappropriate access to patient records, according to assistant chief information officer Mark Combs.
Though it had a read-only system with sign-off procedures, its previous policy allowed employees to use their work access to look at their own records, he says in an interview with HealthcareInfoSecurity.com.
That has now changed.
"We began to get concerned about the integrity of the record if it allowed people to use their full production access to look at their own record," he says. "We changed our policy and pushed employees to the patient portal. We gave physicians a slightly different level of access, but still read-only access to their own record and for those people who had given them proxy rights to view their information."
The organization uses technology that lets the team review the audit logs of multiple systems--the EHR system, the PACS (imaging) system, the pathology system--and audits millions of record accesses every year.
It's all role-based, controlled access, Combs adds.
"If a nurse is hired on the ninth floor of the hospital, that role is defined down to a granular level," he says. "That information is coupled with the audits, so when we run that audit, we know what that person has access to.
"When we find a problem, we're constantly feeding that information back into the process to improve what we're doing."
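As an added illustration of the process Combs describes, coupling granular role definitions with audit-log review, here is a small Python audit that checks each logged access against a role scoped to a unit or a care team and also flags an employee reading their own chart with a production account (the policy change described earlier). This is example code written for this page, not WVUHS's tooling; the role policy, the employee and patient directories and the log events are all constructed for the example.

```python
"""Role-scoped review of EHR access events (constructed example).

Each event is one record access as it might be pulled from an application
audit log. Employee roles are defined down to the unit (the "nurse on the
ninth floor" case) and every access is compared against that scope. An
employee viewing their own chart through production access is flagged as
well, matching the policy of pushing employees to the patient portal.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    unit: str | None       # unit the role is scoped to; None = not unit-scoped
    own_mrn: str | None    # MRN of the employee's own patient record, if known


@dataclass(frozen=True)
class Patient:
    mrn: str
    unit: str
    care_team: frozenset[str]   # user_ids of clinicians assigned to the patient


# Hypothetical role policy: which systems a role may read, and whether the
# role is scoped to the employee's own unit, to their care-team patients,
# or not scoped at all.
ROLE_POLICY = {
    "nurse":       {"systems": {"ehr", "pathology"},         "scope": "unit"},
    "physician":   {"systems": {"ehr", "pacs", "pathology"}, "scope": "care_team"},
    "radiologist": {"systems": {"pacs"},                     "scope": "any"},
    "billing":     {"systems": {"ehr"},                      "scope": "any"},
}


def audit_events(events, employees, patients):
    """Return a list of (event_index, reason) for every access that falls
    outside the accessing employee's defined role, plus self-access."""
    findings = []
    for i, ev in enumerate(events):
        emp = employees.get(ev["user"])
        pat = patients.get(ev["mrn"])
        if emp is None:
            findings.append((i, "access by unknown user id"))
            continue
        if pat is None:
            findings.append((i, "access to unknown patient record"))
            continue
        if emp.own_mrn == pat.mrn:
            findings.append((i, "employee read own record via production access"))
            continue
        policy = ROLE_POLICY[emp.role]
        if ev["system"] not in policy["systems"]:
            findings.append((i, f"role {emp.role} not entitled to {ev['system']}"))
            continue
        if policy["scope"] == "unit" and pat.unit != emp.unit:
            findings.append((i, f"{emp.role} on unit {emp.unit} read patient on unit {pat.unit}"))
        elif policy["scope"] == "care_team" and emp.user_id not in pat.care_team:
            findings.append((i, f"{emp.role} not on patient's care team"))
    return findings


# Constructed directories and audit trail used below and in the usage note.
EMPLOYEES = {
    "n101": Employee("n101", "nurse", "9", own_mrn="M-4410"),
    "d220": Employee("d220", "physician", None, own_mrn=None),
    "b300": Employee("b300", "billing", None, own_mrn=None),
}
PATIENTS = {
    "M-1001": Patient("M-1001", "9", frozenset({"d220"})),
    "M-2002": Patient("M-2002", "4", frozenset({"d220"})),
    "M-4410": Patient("M-4410", "9", frozenset()),   # the nurse's own chart
    "M-3003": Patient("M-3003", "4", frozenset()),
}
EVENTS = [
    {"user": "n101", "system": "ehr",  "mrn": "M-1001"},  # nurse, own unit: ok
    {"user": "n101", "system": "ehr",  "mrn": "M-2002"},  # nurse, other unit: flag
    {"user": "n101", "system": "ehr",  "mrn": "M-4410"},  # nurse, own record: flag
    {"user": "n101", "system": "pacs", "mrn": "M-1001"},  # nurse in PACS: flag
    {"user": "d220", "system": "pacs", "mrn": "M-2002"},  # physician, care team: ok
    {"user": "d220", "system": "ehr",  "mrn": "M-3003"},  # physician, not on team: flag
    {"user": "b300", "system": "ehr",  "mrn": "M-3003"},  # billing, unscoped: ok
    {"user": "x999", "system": "ehr",  "mrn": "M-1001"},  # unknown user: flag
]


if __name__ == "__main__":
    for idx, reason in audit_events(EVENTS, EMPLOYEES, PATIENTS):
        print(f"event {idx}: {EVENTS[idx]} -> {reason}")
```

Running the block flags events 1, 2, 3, 5 and 7. The point of keeping the role definition (unit, care team, entitled systems) as data next to the audit is the feedback loop Combs mentions: when a finding turns out to be legitimate, the fix is to refine the role entry rather than to silence the alert.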
Employees remain the leading cause of security compromises, but receive the least attention among efforts to prevent breaches, Experian said in its 2015 Data Breach Industry Forecast.
Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, especially if done using the same system that houses electronic health records or other hospital information, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.