Improved privacy through log data analysis of patient records

Patient records contain sensitive information that must remain private. Therefore, only those who have a treatment relationship with the patient are allowed to access a file. To check this, our parent company Enshore is developing Logspect in collaboration with Martini Hospital. This application analyses patient record log files to see whether all views were performed with the correct authorisation.

Legal obligation: NEN 7510

NEN 7510 legally requires healthcare institutions to check the log data of patient records. Without specific software, however, it is not possible to do this for all records. NEN 7510 therefore states that the check may also be done manually and on a random basis, a measure that seems to have been included only for lack of an automated alternative.

The Martini Hospital IT department took a critical look at a solution: automatically analysing the log files of all electronic patient records, as required by NEN 7510. Logspect makes this possible. Unlike sampling, this means that each patient's privacy is better safeguarded.

How does Logspect work?

Logspect analyses patient record log data for suspicious patterns and 'anomalies'. Which patterns count as suspicious is configured by the user, who creates rules. Anomalies (strikingly different values) are found by Logspect itself, based on statistical calculations.

How does that work? 
Logspect analyses views of patient records for anomalies. These anomalies can be detected in two ways: 

  1. User sets criteria 

Users, for example your security officers, can set up criteria that the person accessing the file must meet. The user can choose, for example, to compare values. Because of the flexible set-up, we can read in and compare almost any data imaginable: departments, maiden names, job functions, etc.

For example: the last name of the staff member accessing the file must not match the patient's name, or the staff member must be rostered in the same department where the patient is being treated.

  2. Conspicuous views

Conspicuous views are views in the log data that stand out from the 'normal' pattern. Logspect detects these views and marks them as deviations. 

Example: A doctor often looks at a certain file that no other employees look at. This contrasts with the normal pattern, so Logspect detects it as an anomaly.

Through a dashboard, Logspect users get notifications of the suspicious patterns and abnormalities. These can be investigated further by accessing practitioner and patient data. This data is displayed pseudonymised. This means that only the connection between the data is meaningful, but not the data itself. The data is thus secure and private, allowing the user to conduct unbiased research into the situation.

If the user wants to find out the persons involved after their research, it is possible to trace the pseudonymised data back to the original data. This makes it possible to involve the persons concerned, should the situation call for it.
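The sketch below is an added example, not Logspect's own code or data format. It applies the two example criteria from above (surname match, department mismatch) to a constructed access log, reports findings under keyed pseudonyms, and keeps a table for tracing them back. The record layout, the rule names and the key are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: id -> (last name, department). Not a real log format.
ROSTER = {"e01": ("Jansen", "cardiology"), "e02": ("Bakker", "oncology"),
          "e03": ("Visser", "cardiology")}
PATIENTS = {"p10": ("Jansen", "cardiology"), "p11": ("Smit", "cardiology"),
            "p12": ("Mulder", "oncology")}
ACCESS_LOG = [("e01", "p10"), ("e01", "p11"), ("e02", "p11"),
              ("e03", "p11"), ("e02", "p12")]

KEY = b"constructed-demo-key"  # assumption: secret kept away from the dashboard


def pseudonym(identifier, key=KEY):
    """Keyed pseudonym: the same input always maps to the same value,
    so the connection between findings is kept while the identity is hidden."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:12]


def same_surname(staff, patient):
    return staff[0].casefold() == patient[0].casefold()


def other_department(staff, patient):
    return staff[1] != patient[1]


# Hypothetical rule names; each rule returns True when a view is suspicious.
RULES = {"surname-match": same_surname, "department-mismatch": other_department}


def analyse(log, roster=ROSTER, patients=PATIENTS, rules=RULES):
    """Return pseudonymised findings plus the table needed to trace them back."""
    findings, reidentify = [], {}
    for staff_id, patient_id in log:
        for name, rule in rules.items():
            if rule(roster[staff_id], patients[patient_id]):
                s, p = pseudonym(staff_id), pseudonym(patient_id)
                reidentify[s], reidentify[p] = staff_id, patient_id
                findings.append({"rule": name, "staff": s, "patient": p})
    return findings, reidentify


if __name__ == "__main__":
    found, table = analyse(ACCESS_LOG)
    for finding in found:
        print(finding)
```

The investigator works only with the `findings` list; the `reidentify` table is consulted separately when the persons concerned need to be involved.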

Improved privacy and processes

Logspect quickly proved itself by delivering valuable insights. Already in the testing phase, findings surfaced that matched the established rules and deviations. This not only provided insights that could be used to improve patient privacy in the future, but also improved processes. Logspect also reported accesses that turned out to be legitimate on further investigation, but where the practitioner could not log this properly. With these insights, the authorisation process to access the EHR was optimised.

Deploy Logspect in your organisation? Schedule a demo or visit nestor-security.co.uk/tools/logspect