CommuniCare Health Centers is a full-service primary healthcare system with 14 locations serving Bexar, Kendall and Hays counties in the state of Texas, USA. The centre offers an array of services including paediatric and family medicine, senior care, women’s health, dental and behavioural health.
The organisation has 450 employees including highly-trained healthcare providers who need access to electronic health records to deliver integrated primary care. It is therefore imperative for all locations to meet and exceed national compliance requirements including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for patient information and Payment Card Industry Data Security Standard (PCI DSS) for any patient payment information.
Part of CommuniCare’s security strategy is to have a layered approach to its network with access to files restricted based on job function.
To track abnormal user access and movement of electronic health records
The HIPAA regulations require health care providers to develop and follow procedures that ensure the confidentiality and security of protected health information when it is transferred, received, handled, or shared. As a healthcare organisation dealing with confidential patient data, CommuniCare required a solution that would help monitor the access and movement, including reading and writing, of files on its network.
The software solutions that the IT team had previously implemented to help monitor access to files did not meet the granular level that was required to safely manage and monitor file access.
Some of the employees at the healthcare centre are data owners, which means that they are effectively network administrators who have the ability to create, edit, modify, share and restrict access to data. But not all of these data owners are IT-savvy, so CommuniCare specifically wanted to find a security solution that was suitably robust, yet very easy to use.
Granular access security to meet regulatory compliance alongside easy transparency for data owners who are not tech-savvy
CommuniCare’s IT team discovered IS Decisions’ FileAudit solution after a comprehensive audit of product reviews in the media.
FileAudit offers real-time monitoring of file access, making it easy to see what’s happening with data, when it happens, so action can be taken if any suspicious activity is detected. Its reporting features were also granular enough to meet the IT team’s file auditing requirements. This granular level of access management helped CommuniCare meet and exceed the regulatory requirements of both HIPAA and PCI DSS. FileAudit was also ideal for the non-IT-savvy data owners, who need to be able to read and analyse normal types of logs easily.
During the 30-day trial, the IT team monitored two different servers and had time to familiarise themselves with the reporting and real-time auditing processes. The team took a couple of days to familiarise themselves with FileAudit and how it works, but the implementation itself took no more than 20 minutes. The trial helped CommuniCare make the decision to purchase full FileAudit licences.
A robust security solution that is simple to use
FileAudit can provide a baseline of activity for each user which helps in identifying file reads and writes that are not normal. Once there is a clear picture of user activity, it is easy to detect abnormal behaviour. If an alert is received showing that there is an unusually high number of file reads for example, the IT team will be able to immediately stop the threat.
Sebastian Hernandez, Information Systems Manager of CommuniCare Health Centers, said: “FileAudit does exactly what it says on the tin. It monitors and audits how files are accessed by employees on a granular level based on their job function. The user interface is very well designed so you don’t have to be tech savvy to use it, which was important to our administrators who don’t have an IT background.”
CommuniCare started using FileAudit at the beginning of 2016 and is currently on version 5.