Winning the Battle of Patient Privacy vs Provider Access

I’m so excited to be here at HIMSS this week, and it’s not just because it’s in Florida in February! Healthcare is my passion, the vertical which focuses on preserving and transforming lives. It’s being driven by so many interesting technology breakthroughs and patient-centered initiatives right now! It’s a dynamic place to be.

But the challenges are significant. Have you ever been stuck between a rock and a hard place? Healthcare providers live with this situation every day. Governing bodies are putting in place policy and legislation to ensure patients have absolute control over their own data and choose who can see it. However, initiatives such as the Merit-based Incentive Payment System (MIPS) and Medicare and Medicaid’s Promoting Interoperability Program drive increased digitization and data sharing. This creates tension for those who have to meet both goals.

The Battle of Privacy vs Access

Providers’ priority is patient care and outcomes. Due to requirements for Promoting Interoperability (formerly Meaningful Use), Electronic Health Records (EHRs) contain more patient information than ever.  With the collaborative nature of caregiving, clinicians access new patient records every day. This leads to three significant problems:

  • Healthcare providers frequently have more access than needed. In order to not be impeded in patient health concerns, administrators grant providers excessive access—rarely is unnecessary access removed.
  • If a clinician does not have access, granting emergency break-the-glass access is often done without governance and auditing.
  • Even when administrators grant access, the correct access can be abused. A cardiologist may have access to all patient records at a hospital, but he should not be accessing the record for a neighbor who happens to be in labor and delivery. Historically it’s been a great challenge to sift through log data and validate people are doing what they should be with the access they have, and it’s only ever examined after a complaint has been filed.

Shifting this paradigm may seem intimidating, but there is a solution to this challenge.

Addressing the Conflict

Saviynt and Securonix partner to provide a holistic approach to patient data access which can help healthcare IT manage the battle between digitization and patient privacy, allowing clinicians to focus on patient outcomes unimpeded.

Initial Access and Access Requests

We solve the first problem—timely provider access—with intelligent outlier analysis and proactive responses around access. Do four employees in radiology have similar access, but a fifth has more? We detect that difference (the outlier) and provide an administrator with the suggestion for a change in access.  This prevents privacy violations from ever being a possibility.  Additionally, as access is added or removed, the Saviynt + Securonix solution learns and provides access request suggestions to guide someone who doesn’t even know what access to request.
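The radiology question above can be expressed as a peer-group comparison. The following is an added illustration, not Saviynt or Securonix code; the user names, entitlement names and the 25% rarity threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample: entitlements held by each member of one peer group.
RADIOLOGY = {
    "rad01": {"pacs_read", "ehr_imaging_orders", "ehr_chart_read"},
    "rad02": {"pacs_read", "ehr_imaging_orders", "ehr_chart_read"},
    "rad03": {"pacs_read", "ehr_imaging_orders", "ehr_chart_read"},
    "rad04": {"pacs_read", "ehr_imaging_orders"},
    "rad05": {"pacs_read", "ehr_imaging_orders", "ehr_chart_read",
              "ehr_billing_write", "ehr_psych_notes_read"},
}


def peer_outliers(group, rare_share=0.25):
    """Return {user: [entitlements held by at most rare_share of their peers]}."""
    if len(group) < 3:
        return {}  # too few peers to call anything unusual
    counts = Counter(e for ents in group.values() for e in ents)
    findings = {}
    for user, ents in group.items():
        # Measure the share among the *other* members, so a user's own
        # entitlement does not count as evidence that it is normal.
        rare = sorted(e for e in ents
                      if (counts[e] - 1) / (len(group) - 1) <= rare_share)
        if rare:
            findings[user] = rare
    return findings


def review_suggestions(group):
    """Turn outliers into review items for an administrator (hypothetical format)."""
    return [f"review {user}: {ent} is uncommon among peers"
            for user, ents in peer_outliers(group).items() for ent in ents]


if __name__ == "__main__":
    for line in review_suggestions(RADIOLOGY):
        print(line)
```

Only excess access is flagged: rad04, who holds less than the others, produces no finding.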

Exceptional Access

Of course, there are always cases where a clinician needs an immediate change of access, the “break the glass” scenarios. It could be a nurse employed by a third party about to work a shift in a clinic or a surgeon who needs to perform an emergency procedure and must have access to patient data immediately. In all cases, Saviynt provides an intuitive access request interface so a clinician can request and get immediate access to what she needs.  Additionally, the request has an automatic time-limit and will trigger a certification review by her manager. This keeps patient health front and center as the priority, but security and auditing are not neglected.

Right Use of Access

Last, we uncover “patient snooping,” or inappropriate use of patient data, through user and entity behavior analytics (UEBA). UEBA focuses on “learning” typical clinician behavior and forming a baseline of that behavior. Then we use that baseline to narrow in on anything suspicious. For example, a provider accessing the record of a patient whose address is geographically close to her own home address is possible snooping. A clinician looking at a patient outside of the scope he usually examines could also be suspicious. We alert you to, and enable you to examine, any situation which denotes an exception to normal activity. Bad actors destroy trust in provider organizations, but we find them proactively rather than waiting for a crisis to occur.
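The two signals named above (a patient outside the clinician's usual scope, and a patient living close to the clinician) can be checked against a learned baseline. This is an added sketch, not the Securonix implementation; the event fields, unit names, coordinates and the 0.5 km threshold are constructed assumptions.

```python
import math
from collections import defaultdict


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def build_baseline(history):
    """Map each clinician to the set of units whose patients they have viewed."""
    baseline = defaultdict(set)
    for clinician, unit in history:
        baseline[clinician].add(unit)
    return baseline


def score_access(event, baseline, homes, near_km=0.5):
    """Return the reasons one EHR access deviates from the clinician's baseline."""
    reasons = []
    if event["unit"] not in baseline.get(event["clinician"], set()):
        reasons.append("unit_outside_baseline")
    home = homes.get(event["clinician"])
    if home is not None and km_between(home, event["patient_home"]) <= near_km:
        reasons.append("patient_lives_near_clinician")
    return reasons


def flag(events, baseline, homes):
    """Return (event index, reasons) for every access with at least one reason."""
    return [(i, r) for i, e in enumerate(events)
            if (r := score_access(e, baseline, homes))]


# Constructed data: a cardiologist's history, home location and two new accesses.
HISTORY = [("dr_cardio", "cardiology")] * 40 + [("dr_cardio", "icu")] * 5
HOMES = {"dr_cardio": (28.5400, -81.3800)}
EVENTS = [
    {"clinician": "dr_cardio", "unit": "cardiology",
     "patient_home": (28.6100, -81.2000)},
    {"clinician": "dr_cardio", "unit": "labor_delivery",
     "patient_home": (28.5402, -81.3803)},  # a neighbor in labor and delivery
]

if __name__ == "__main__":
    print(flag(EVENTS, build_baseline(HISTORY), HOMES))
```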

Coming Together to Triumph

Saviynt provides the correct access, Securonix validates the correct use of access. Together we enable you to focus on providing better patient outcomes while meeting patient privacy concerns.  This solves real problems most providers are wrestling with. Are you? We are here to help ease your pain. Contact us at healthcare@saviynt.com to receive a more detailed white paper or schedule a demonstration.

Diana Volere

About author

Diana is a Principal Solution Architect with Saviynt and has been a professional in security, identity and access for almost twenty years. She has spent time in delivery and pre-sales for leading vendors Novell, Oracle and ForgeRock, as well as consulting with Edgile. Diana has architected and driven sales of solutions for global Fortune 500 companies and focused on several industry-specific verticals, with an emphasis on healthcare and financial. Her aptitude for translating complex technology terminology and capabilities to business value and language plays into her passion for bridging the gap between technology and business needs.
