Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Improve Your Healthcare Practice Security With Audit Logs

Posted on March 15, 2023 by Jean Eaton in Blog

Sharing is caring!

0 shares
  • Share
  • Tweet
  • LinkedIn
  • Email

How to Improve Your Healthcare Practice Security With Audit Logs

When was the last time that you reviewed your access logs in your healthcare practice?

 

In our policies, procedures, risk assessments, and privacy impact assessment submissions, we indicate the reasonable safeguards that we expect to implement in our practices to protect the privacy and security of health information.

But policies and good intentions alone isn’t enough.

We also need to take action on our policies.

We have tools, like audit logs, available to us. Audit logs of our computer and software systems are available to monitor users who have accessed the system and the information contained in the systems.

Audit Log Image

Audit logs monitor and records the transactions of users’ activities in your computer network and your electronic medical record (EMR). It is an automated, real-time recording of who did what, and when, in your system.

For example, when a user logs in to your computer network at the beginning of the work day, the user name, date, time, and perhaps the workstation identifier is recorded in the audit log.

When the user logs into the EMR and creates, views, modifies, or prints from a specific patient record, each activity is recorded in the audit log. In this way, the audit log records both the activity of each user and, in each patient’s electronic medical record, who has accessed that patient’s health information.

You MUST implement, use, and monitor your audit logs

The regular review of the audit logs can demonstrate that the administrative, technical, and physical safeguards that we implement to protect the health information, our people, and our assets are working. Review of audit logs can also identify weaknesses so that corrective action can be taken to improve our privacy and security strategy.

For example, when you review your audit log, you may see that an employee (authorized user) is accessing the EMR after clinic hours. When you investigate, you find out that the billing clerk is doing the billing submission from home.

This might be OK in your healthcare practice (or not). But, now you know what is happening iin your clinic EMR after hours and you can take appropriate action.

 

Audit Logs Are Valuable Metadata

Taken from a different point of view, the audit log provides important additional information, or metadata, about the care and treatment of the patient. Knowing who created a clinic note, wrote a prescription, or reviewed a test result provides a story about the care that the patient received. For this reason, the audit log of the EMR is usually required by legislation to be maintained for the entire retention period of the patient’s record. This is generally 10 or more years for adult patients and longer if the patient was a child at the time that they were a patient or client in your practice.

 

How You Can Use Audit Logs to Improve the Security of Health Information In Your Practice

Snooping, or viewing someone’s health information for an unauthorized use, is not uncommon in healthcare. Snooping is always a breach of confidentiality and trust that our patients give to us.

Sometimes, snooping is because someone is concerned or curious about a family member or friend and don’t intend to do anything ‘bad’ with that information.

We also know that people will sometimes access information for malicious means – that is,  using a ‘criminal intent’ or to be mean or disparaging to the individuals involved.

Say No to Snooping

When you regularly review your audit logs, you

  • Create a deterrent to all users to check something out ‘just this once, no one will know’.
  • Find potential threats or weaknesses in your current systems that you can improve to better mitigate your risks.

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This means having appropriate policies and procedures in place and demonstrate and document that you have implemented your plans.

 

Action Steps That You Should Do Now

Use these points as a checklist to help you start using your audit logs to improve security in your healthcare practice.

  • Computer Network System Audit Log
    • Ensure that your computer network system has audit logging enabled.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for six months or longer.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this?
  • Electronic Medical Records (EMR) / Electronic Health Records (EHR) System Audit Log
    • Most health information legislation and regulations now require EMR / EHR to include an integrated audit log / access log. Confirm that you have enabled your EMR / EHR audit log.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for as long as you retain the entire patient record – generally, 10 or more years years.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this? Check out the Practice Management Nuggets Podcast

      How AI Improves EMR Auditing | Episode #094 with Rob Pruter from SPHER.

    • User activity recorded in an audit log is often visible to subsequent EMR users when they access a patient record. In the course of routine workflow, users may observe and question inappropriate access to an individual patient record. Instruct your users to notify the clinic manager or privacy officer if the audit log indicates a suspicious activity.
    • Include the review of audit logs as part of your routine privacy and security monthly audit.

Click the link below to get your copy of the audit templates and the training video!

I Want the Audit Templates to Improve Privacy and Security!

Are you already a member of Practice Management Success?

The instructional video and Privacy and Security Monthly Audit Template is already in your membership!

Click the button now to go to the membership to access your resources.

Go to my Practice Management Success membership

 When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

audit log, EMR, health care, healthcare practice, medical, reasonable safeguards

Do you know how to view your audit logs?

Posted on December 28, 2017 by Jean Eaton in Blog

Rebecca Herold, The Privacy Professor,  has predicted 11 privacy and security trends to watch – and prevent – in 2018.

I think that #5, Increased incidents of insiders selling patient data is likely a trend that we can prevent with regular monitoring of our audit logs of both our computer networks and our EMR's and other software and apps.

Rebecca predicts that “more insiders will take advantage of their access to valuable data because they know there are few logs of their access to catch them, or they see no one is reviewing the logs that do exist. All organizations need to establish access monitoring policies and procedures, and consistently enforce noncompliance.”

[clickToTweet tweet=”Do you know how to view your computer network and EMR software audit logs?” quote=”Do you know how to view your computer network and EMR software audit logs?”]

Audit logs can help you to monitor the activity of authorized and unauthorized users in your computer network and electronic medical record (EMR) and other software applications. Start by reviewing the audit logs ‘by exception'.

For example, if your clinic is open from 9-5, start by reviewing the audit log for user activity when the clinic is closed. Are there any users who consistently forget to log off? Or, are there authorized users who are accessing the network remotely. Is this an acceptable use for these users?

 If you don't know how to view your audit logs, schedule a 15 minute meeting with your computer network and EMR help-desk. It is usually easy to do – once you have the correct permissions settings set up.

When was the last time that you viewed your audit logs?

You should review the audit logs regularly and keep a journal or checklist of your regular security actions to document your good practices. When you spot potential problems, record the corrective actions that you take to follow-up.

When you have a managed computer network service provider, monitoring computer network traffic  may be included in your service package. Remember, you can delegate but you can't abdicate. Your computer network service provider may be able to identify intrusion attempts but you need to review the audit logs regularly to determine if authorized users are using their permissions to properly follow the privacy principles – the least amount of information, on a need to know basis.

 

Rebecca Herold is President of SIMBUS LLC, a cloud-based privacy and security firm and also CEO of The Privacy Professor, See Rebecca's article here: https://www.healthcareinfosecurity.com/blogs/health-data-privacy-security-what-will-2018-bring-p-2578 

audit logs, EMR, health care, healthcare

Privacy Impact Assessment (PIA)

Posted on May 1, 2017 by Jean Eaton in Clinic Manager / Privacy Officer, Established Practice, New Practice, Services, Vendor

Does your medical practice collect personal health information?

If so, you may need to conduct a Privacy Impact Assessment (PIA).

The Health Information Act requires health providers to complete a Privacy Impact Assessment when you:

  • open a new clinic
  • establish a new health services program
  • change how you collect and use personal information
  • implement Electronic Medical Records (EMR), or transition to a new EMR provider
  • share information with a Primary Care Network or other health program
  • access health information from Netcare or other data repositories

Information Managers' Privacy Impact Assessment (PIA) consultation helps you document your practices, meet practice management best practices, and ensure compliance with regulatory legislation.

The PIA consultation includes reviewing your current practices, documenting current or new privacy and security policies and procedures, information flow, legal authority analysis, risk assessment, and Privacy Impact Analysis.  Contact us and we’ll take a look at your current office practices and let you know how we can help make your workload easier, your information secure, and meet regulatory compliance.

The ABCs of Privacy Impact Assessments

What do you know about Privacy Impact Assessments (PIAs)? If you have implemented an electronic medical record (EMR ) funded through a provincial program, you have probably had to go through a PIA. It was probably time consuming to some degree, but perhaps not as bad as you thought. Jean Eaton is a consultant and expert on Privacy Impact assessments in the medical office. She explains in this blog post, The ABCs of Privacy Impact Assessments, what you should expect when required to undertake a PIA.

Listen to the podcast with Dr. Alan Brookstone of Canadian EMR.

Document Management Tip: What is a Privacy Impact Assessment?

YouTube video: What is a Privacy Impact Assessment? Who needs a PIA? How can I tell if I have a PIA? Information about privacy impact assessments in Canada. Additional details for Alberta and Health Information Act, HIA, OIPC.

Having problems viewing the video here? Watch it on our YouTube channel: What is a PIA?

Computer Network Vendors and Privacy Impact Assessment

Video especially for vendors that supports healthcare practices

 

E-course: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments

 

A PIA should be as common place to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is  usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

If your Privacy Impact Assessment was written more than 2 years ago this e-course is for you

ClinicManager_Icon

The Clinic Manager and Physician Lead and Privacy Officer  must ensure its content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta’s Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.

 

If you a vendor that supports healthcare practices this e-course is for you

Vendor_Icon

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

 

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That’s why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a weekly live webinar, as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you had the right tools, at the time most convenient for you and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Consult, electronic medical record, EMR, health, healthcare, medical, Netcare, PIA, PIA completed, PIA templates, Privacy Impact Assessment

July 12 2016 Practice Management Q&A

Posted on July 7, 2016 by Jean Eaton in Practice Management Q&A

Tuesday, July 12, 2016 at 10:30 am MDT

Welcome to July's live Practice Management Q&A with Jean L. Eaton, Your Practice Management Mentor.

Send your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips and more!

Attend the live webinar to view the presentation, hear the audio, and participate in the chat and ask questions.

Register for the Q&A Live Webinar

July Q&A topics include:

  1. We want to start to receive electronic versions of lab results reporting (e-Labs) and attach the results in our patients' electronic medical record (EMR). Do you have any project management tips?
  2. Dress code tips for summer weather in your healthcare practice.

 

Replays are available only to members of Information Managers Network.

Have a question?

Send an email to Jean at jean[at]informationmanagers dot ca.

 

Are you a member of the Information Managers Network?

You can access all the replays from your membership account.

 I'm a member of Information Managers' Network

 

Not a member, yet? Become one today!

I want to know more about being a member of Information Managers' Network

 

Practice Management Q&A series is hosted by Jean Eaton (Your Practice Management Mentor) of Information Managers Ltd.

clinic management, dress code, e-Lab, electronic laboratory results reporting, electronic medical record, EMR, health care, healthcare, healthcare practice management, practice management, Practice Management Mentor

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"The 15 Day Privacy Challenge has given me some great resource information and helped me to identify the areas that I need to work on. I found value in almost all of the Privacy Challenges, but I would say Risk Assessment, Social Media, Email Phishing and Spam, and Confidentiality are the top four."

- Sharon

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.

Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}