Access to patient records and the NIS2 - Logspect 


Does your organization work with patient records? If so, you know how important it is to ensure their privacy and security. Many hospitals perform random checks that the right people are viewing the right records. It is a measure often taken for lack of a better alternative, but the chance of coming across something in a spot check on thousands of views is very small. The NIS2 gives healthcare facilities clear guidelines to protect sensitive medical information from data breaches and other threats, and sets clear incident reporting requirements. Because of that reporting requirement, it is important to analyze more thoroughly who is accessing patient records, so that you detect incidents in time. Therefore, Logspect was developed in collaboration with the Martini Hospital. Logspect is an application that analyzes all consultations of an electronic health record (EHR).

Reporting requirement from the NIS2

The Netherlands already has specific rules for logging access to patient records. Under the Additional Provisions for Data Processing in Health Care Act, you must record who has access to electronic records and who works in them. But as mentioned earlier, checking those logs was allowed on a sampling basis. The NIS2, however, has clear requirements for incident reporting. An incident is defined as an event that compromises the availability, authenticity, integrity or confidentiality of data or services. This can happen, for example, when unauthorized individuals gain access to patient records. With Logspect, you can detect all such incidents and thus comply with the reporting requirement of the NIS2.

Analyzing 100% of EHR consultations

With Logspect, we give your organization more tooling to get a complete picture of EHR consultations: Logspect analyzes 100% of EHR consultations automatically. Unlike sampling, this means that the privacy of all patients is better ensured.

How does that work? 
Logspect analyzes views of patient records for anomalies. These anomalies can be detected in two ways: 

  1. The user sets criteria 

Users, for example your security officers, can set up criteria that the person viewing the record must meet, for instance by comparing values. The flexible setup allows us to read in and compare almost any data imaginable: departments, maiden names, job roles, etc.

For example: the last name of the employee accessing the record must not match the patient's last name, or the employee must be scheduled in the department where the patient is being treated.

  2. Conspicuous views

Conspicuous views are views in the log data that stand out from the "normal" pattern. Logspect detects these views and marks them as deviations. 

Example: a physician frequently looks at a particular record that no other employee looks at. This contrasts with the normal pattern, so Logspect detects it as an anomaly.

The user views reports of detected anomalies in a dashboard. These anomalies can then be investigated further by viewing the data of the underlying views. The data is displayed in pseudonymized form: only the relationships between the data carry meaning, not the data itself. This allows the user to perform the analysis without bias.

Should the situation call for it, the pseudonymized data can be traced back to the original data of the individuals involved, for example when you want to investigate further after analyzing an anomaly.
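The two detection methods and the pseudonymized display described above, as an added example that is not Logspect's own code: it checks a constructed access log against two user-set criteria (the viewer's surname must differ from the patient's; the viewer must be rostered on the treating department), flags a record viewed repeatedly by one employee and nobody else, and reports the findings under keyed pseudonyms that only the key holder can map back. All employee, patient, department and record identifiers are constructed, the "sole viewer, three or more views" threshold and the HMAC-based pseudonym scheme are assumptions, and the two lookup tables stand in for the HR/scheduling and EHR sources a real deployment would link.

```python
"""Added example, not Logspect's own code: the two detection methods described
above run over a constructed EHR access log, with findings reported under keyed
pseudonyms. Every identifier, name and department here is constructed."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed access log: (event_id, employee_id, record_id), one row per view.
ACCESS_LOG = [
    ("e1", "emp01", "rec100"),
    ("e2", "emp02", "rec101"),
    ("e3", "emp03", "rec102"),  # viewer shares the patient's surname
    ("e4", "emp01", "rec103"),  # viewer not rostered on the treating department
    ("e5", "emp04", "rec104"),
    ("e6", "emp04", "rec104"),
    ("e7", "emp04", "rec104"),  # one employee views rec104 repeatedly, nobody else does
]
# Constructed stand-ins for the linked HR/scheduling and EHR sources.
EMPLOYEES = {
    "emp01": {"surname": "Jansen", "department": "cardiology"},
    "emp02": {"surname": "de Vries", "department": "oncology"},
    "emp03": {"surname": "Bakker", "department": "cardiology"},
    "emp04": {"surname": "Visser", "department": "oncology"},
}
PATIENTS = {
    "rec100": {"surname": "Smit", "department": "cardiology"},
    "rec101": {"surname": "Mulder", "department": "oncology"},
    "rec102": {"surname": "Bakker", "department": "cardiology"},
    "rec103": {"surname": "Bos", "department": "oncology"},
    "rec104": {"surname": "Dijkstra", "department": "oncology"},
}


def rule_violations(log, employees, patients):
    """Method 1, user-set criteria: the viewer's surname must differ from the
    patient's, and the viewer must be rostered on the treating department."""
    findings = []
    for event_id, emp, rec in log:
        viewer, patient = employees[emp], patients[rec]
        if viewer["surname"].casefold() == patient["surname"].casefold():
            findings.append((event_id, emp, "surname_match"))
        if viewer["department"] != patient["department"]:
            findings.append((event_id, emp, "department_mismatch"))
    return findings


def conspicuous_views(log, min_views=3):
    """Method 2, deviation from the normal pattern: a record viewed repeatedly
    by a single employee and by nobody else. The threshold is an assumption."""
    per_record = defaultdict(Counter)
    for _, emp, rec in log:
        per_record[rec][emp] += 1
    return [(rec, emp, n) for rec, viewers in per_record.items()
            for emp, n in viewers.items() if len(viewers) == 1 and n >= min_views]


class Pseudonymizer:
    """Keyed pseudonyms (HMAC-SHA256, an assumed scheme): the dashboard shows
    only the tag, so relationships stay visible while identities do not. The
    reverse map lets the key holder re-identify when a case warrants it."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}

    def pseudonym(self, value: str) -> str:
        tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = value
        return tag

    def reidentify(self, tag: str) -> str:
        return self._reverse[tag]


def analyze(log, employees, patients, key):
    """Run both methods and return findings grouped per pseudonymous viewer."""
    ps = Pseudonymizer(key)
    grouped = defaultdict(list)
    for event_id, emp, reason in rule_violations(log, employees, patients):
        grouped[ps.pseudonym(emp)].append((event_id, reason))
    for rec, emp, n in conspicuous_views(log):
        grouped[ps.pseudonym(emp)].append((ps.pseudonym(rec), f"sole_viewer_{n}_views"))
    return dict(grouped), ps


if __name__ == "__main__":
    report, ps = analyze(ACCESS_LOG, EMPLOYEES, PATIENTS, key=b"constructed-demo-key")
    for viewer, items in report.items():
        print(viewer, items)  # pseudonymous viewer and what was flagged
    # Controlled re-identification of one flagged viewer by the key holder:
    print(ps.reidentify(next(iter(report))))
```

The analyst working the dashboard only sees the HMAC tags, so two views by the same person are still recognizable as related without revealing who that person is; re-identification is a separate step that requires the key holder's reverse map, which is where access control and logging of that step would sit in a real deployment.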

Improvements to Logspect after use in practice

Logspect has already proven itself in practice at several hospitals and healthcare providers. Testing in practice made clear which improvements were needed.

Showing proof 
When you have implemented controls on patient record accesses, you want to be able to demonstrate this to an external auditor to show that your organization complies with the guidelines. Logspect therefore offers the ability to show evidence that you are performing these controls: you can demonstrate which controls were implemented and when, which is essential for a transparent and verifiable audit trail.

Grouping views 
It is essential to have clear insight when a user repeatedly violates one or more rules. That is why we have added functionality to Logspect to group violations by user. This allows you to aggregate multiple violations by one user, so you can identify patterns and take targeted action, such as informing a supervisor.

Linking applications 
Detecting anomalies requires information from a variety of sources: patient records, data on who has viewed the records, and sometimes scheduling information. All of this data comes from different applications. With Logspect, these different applications can be linked to provide an integrated and complete overview.

Why use Logspect  

Logspect offers comprehensive control over patient record views, giving you much greater control over what is happening within your organization. Instead of limited sampling, you can analyze all accesses for anomalous patterns, leading to better management of patient data. In addition, Logspect increases awareness among employees: by informing them of the improved controls, they will take more care when accessing records. For want of a better alternative, spot checks on accesses to patient records were acceptable in the past. With the advent of Logspect, it is now possible to do a full audit, ensuring that patient data is always safe with your organization.