Insider Threat Management

PHI Data—5 Must Monitor Healthcare Application Providers

Share with your network!

(Updated on 02/23/2021)


In today’s healthcare industry, personal health information (PHI) is everywhere. Healthcare organizations have massive heaps of data on each individual patient, including Social Security numbers, medical records, payment information, employment information and income information. With so much data concentrated in one place, healthcare organizations turn to applications in order to centralize and maintain all customer records. Even though these applications are highly sophisticated, organizations are having trouble keeping track of exactly “who did what” in these apps. In February of 2015, Anthem Blue Cross Blue Shield announced they were the victims of one of the largest healthcare data breaches ever, with 80 million customers’ PHI data being exposed. This attack shows the massive value PHI has in today’s cybercriminal market and how outsiders can gain access to important company data by stealing employee credentials and mimicking normal employee activity. At Florida Hospital, a hospital located in Orlando, a worker was found to be guilty of stealing the names and injury details of 12,000 patients that used the hospital. The worker was a registration representative in the Emergency Department, which meant he entered all the patient data for new patients into the hospital systems. He used his position to steal and sell patient data of recent car accident victims to claims lawyers and chiropractors. The employee obviously needed access to the hospital systems to enter the information; however, the hospital had no idea what actions the employee was doing once inside the system. Thus after two years, officials finally found out about the breach by consistent reports of car accident victims being contacted by claims lawyers and chiropractors.

The Florida Hospital breach sheds light on the scary amount of access normal business users can have in the healthcare industry. In the case of healthcare applications such as Cerner, Epic, AllScripts, McKesson and Meditech, numerous users have access to heaps of patient data. As a result, any doctor, nurse, physician, pharmacist, registrar, assistant, etc. could pose a serious risk to healthcare organizations using these apps, simply because an exploited account would have access to massive quantities of PHI. Furthermore, overlooked application entitlements can enable users to access vast amounts of data and not trigger any red flags. Due to the sheer volume of activity and necessary access, questionable actions are often hidden in the large volume of normal user actions, leading to undetected and overlooked exposure of sensitive data. Below we breakdown some of the most popular applications used in the healthcare sector, and why it is important to know exactly “who is doing what” within these applications.


Cerner is one of the most popular healthcare solutions companies. With their systems installed in more than 18,000 facilities globally, they are persistently known as one of the leaders in healthcare applications.

  • Cerner Millennium enables professionals to store, capture and access PHI. It provides real-time access to patient results and clinical information and enables these healthcare organizations to meet The Joint Commission requirements for patient confidentiality. The integrated database serves both acute and ambulatory settings.

Why Monitor?: With an application like Cerner’s Electronic Health Record (EHR), there are many risky areas surrounding data access. Because the data is centralized in one database, users can have access to all sorts of patient data, including patients who are not under their care. HIPAA mandates that patient data remain completely confidential between the doctor and the patient. Accessing patient data that isn’t under a user’s necessary access violates this mandate. This potential unauthorized access becomes a major problem in the case of VIP patients, such as famous celebrities or politicians. Medical records of these figures are often sought after by normal business users given the value their PHI could have in an illegal market. In the case of illegal activity, having a forensic trail is critical for healthcare companies using an EHR application like Cerner. During investigations, auditors and investigators need access to log information from each application a healthcare provider has. Without proper monitoring, the effort to collect access log information can take up to a couple of months.


Epic makes software for mid-size and large medical groups, hospitals and healthcare organizations. Their software spans clinical, access and revenue functions. As one of the leading EHR developers, Epic’s 36 years of experience make them a stand out in the healthcare applications industry.

  • EpicCare connects various hospital departments to patient records. This system improves workflow by creating a centralized database that can be accessed across many departments in order to make decisions based on the most recent patient information. The solution is customizable to meet the needs of different organizations, departments and even single users. It partners with the EpicCare Ambulatory EHR to provide an accurate EHR across the board.

Why Monitor?: Entitlement changes are a major risk when using an application like EpicCare. Administrators can shift their own entitlements and the action can go unseen within the hospital. Thus once they have shifted their entitlements, all of their activity will appear normal and not raise any concerns. Another way an application like EpicCare can prove to be harmful is the lack of insight of what is done with patient data once it is accessed. A pharmacy director is likely granted access to every patient in order to make sure each patient is getting his or her proper treatment. While it is easy to see that the pharmacy director did access the patient data, it is impossible to know what he/she did with the data or why the data was access. Also, If the director is having his or her shift covered, and lower-level employee will likely need to access patient data that isn’t technically his or her patient. Therefore if the employee took advantage of this access-level, and accessed patient data with the intent of stealing information, he/she could say the data was clicked on by accident and there would be no proof otherwise. While systems like EpicCare do provide a break-glass scenario, in which a window would pop-up verifying that this employee is accessing patient data that isn’t under his or her care, it is impossible for healthcare organizations to know exactly what was done with the PHI once it has been accessed.


Allscripts is a healthcare solutions company that is a leader in EHR solutions. They serve 180,000 physicians in 45,000 physician offices and 2,500 hospitals. They offer an integrated portfolio of healthcare information technology solutions.

  • Allscripts (Eclipsys) Sunrise Clinical Manager is a customizable EHR solution that is used by tens of thousands of healthcare providers. The solution has a wide variety of enticing features such as a prenatal module, award-winning API for third-party apps, mobile access and input flexibility. Along with all of these features, Allscripts (Eclipsys) Sunrise Clinical Manager offers clinical decision support at the point of care and nearly 800 clinician-reviewed care guides to drive care in the ambulatory setting.

Why Monitor?: Allscripts EHR solution, like Cerner and Epic, does a great job increasing workflow, but can open organizations up to unexpected security vulnerabilities. When patients are initially joining a medical practice, a system administrator enters their information. This system administrator assigns their information to certain doctor, but there is no way of knowing what this system admin does with the PHI before the patient is officially assigned. Too much access can also become a problem when administrators have access to other employees’ PHI. Many healthcare professionals opt to use their own organization for their own healthcare. As a result, generalized access accounts can pose a major risk when one employee could access the records of another employee, breaching his or her privacy. Patient privacy also is a major concern for companies who use generalized access accounts. In depth reporting and analytics are required by healthcare companies in order to meet HIPAA patient privacy regulations. Having the ability to understand and manage data is critical when providing reporting.


McKesson started in the 1830s as a distribution network for healthcare professionals. Today, their business ranges from distribution to technology services. Their EHR systems are among the most popular in the current healthcare applications market.

  • McKesson Homecare (formerly McKesson Horizon) is a home care software solution that addresses both clinical and financial data. The solution streamlines workflow to help reduce errors and omissions, and helps improve the accuracy and consistency of documentation. The application comes equipped with a tool that provides warnings for visits falling outside of order. McKesson Homecare also supports the ability of intake staff to gather the necessary information from referral partners in order to quickly assign the initial visit to clinical staff.

Why Monitor?: McKesson’s Homecare solution is used by so many professionals nationwide, that it is recognized as one of the most used apps in the entire healthcare industry. But with users accessing these systems for a variety of reasons, monitoring the user actions within McKesson is vital. McKesson Homecare comes with a tool that notices if users are visiting patient information they shouldn’t be viewing. However, this falls short on two fronts. First, this doesn’t cover the danger of entitlement changes within the application. Any administrator within a McKesson application, such as Homecare, can edit the access levels of any user. Thus, a user whose entitlement changes have enabled them to view all accounts will not be caught by this tool within McKesson Homecare, simply because the action would appear to be credible based on the account’s access level. Second, the tool on focuses on who is viewing each patient’s account, and NOT on what the user is doing with that account’s information. Understanding who accessed data improperly doesn’t answer the more important question of what was done with the data.


Meditech specializes in EHR solutions. Their EHR system was designed by physicians in order to maximize productivity and encourage evidence-based decision-making. With a patient-centric approach, Meditech works across hospitals, ambulatory care, home care, hospice, long-term care and behavioral health.

  • Meditech offers an EHR system under its own name. The solution optimizes sharing information, financial transactions and reporting, and centralizes workflow. Staff uses the home care aspect of their solution across departments such as hospice staff, billers, hospital staff, and hospital administrators. Their solution comes with customizable role-based access, encryption, and detailed audit logs. Their mobile application is incredibly flexible and can be used on any tablet or smart device.

Why Monitor?: Meditech has its own monitoring capabilities within its EHR application, so there is no need to monitor right? Wrong. Although Meditech does monitor and report on certain actions, it doesn’t cover a key area within applications; entitlement changes. When administrators promote their own entitlements within Meditech, the action will go unnoticed. This is a major concern, especially within HIPAA regulations, as application administrator access is now within the scope of HIPAA. Furthermore, HIPAA compliance audits can be incredibly in-depth. Without proper monitoring in place, these audits can be incredibly tedious. Companies need to be able to retrieve application audit logs in a timely fashion, and the logs need to be easy to understand in order to save time reviewing them.


Until recently, there was a common misconception amongst many healthcare providers that the responsibility of protecting patient data falls under the EHR vendor and not the healthcare organization. This is simply not true.

The HIPAA Security Rule, which went into full effect in 2005, outlines how healthcare providers who transmit health information in electronic form need to protect PHI. The basic guidelines of the security are separated into four parts:

1. Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit;

2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

3. Protect against reasonably anticipated, impermissible uses or disclosures; and

4. Ensure compliance by their workforce.

The Security Rule also outlines that uses and disclosures of PHI should be limited to the “minimum necessary.” Healthcare providers need to implement policies and procedures for authorizing access to PHI only when such access is appropriate based on the user or recipient’s role.

There are numerous technical safeguards within The Security Rule healthcare providers need to adhere to in order to be considered compliant with HIPAA:

1. Access Controls: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.

2. Audit Controls: A covered entity must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use PHI.

3. Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to PHI that is being transmitted over an electronic network.3

Monitoring user actions on applications is the only way healthcare providers can stay inline with The HIPAA Security Rule requirements. Furthermore HIPAA outlines healthcare providers who operate EHR systems must track the actions of external vendors, such as GE, McKesson and Siemen U.S. When these companies access EHR information, all of their activity must be monitored in order to meet HIPAA compliance.


2009, President Obama signed a $789 billion dollar economic stimulus package called The American Recovery and Reinvestment Act (ARRA). Within ARRA is the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH allocates $19 billion to hospitals and physicians who demonstrate “meaningful use” of EHRs.

HITECH qualifies physicians for up to $44,000 in Medicare bonus incentives if they demonstrate “meaningful use” of an EHR. This also includes healthcare providers such as hospitals, clinics, nursing facilities, pharmacists, and many more.

“Meaningful use” has had a changing definition since the Act was signed into action in 2009. Currently, demonstrating and executing “meaningful use” of an EHR has many requirements. However, in 2012 when the “meaningful use” definition was most recently updated, many new expectations were added to Measure 7 out of 16: Protect Electronic Health Information. Some of the most important EHR standards within this measure are:

1. EHR technology must be able to record actions related to electronic health information

2. EHR technology must be able to detect whether an audit log has been altered or not

3. EHR technology must enable a user to create an audit report for a specific time period and to sort entries in the audit log

4. EHR technology must be able verify against a unique identifier(s) (e.g., username or number) that a person seeking access to electronic health information is the one claimed

5. EHR technology must be able to establish the type of access to electronic health information a user is permitted based on the unique identifier(s), and the actions the user is permitted to perform with the EHR technology.

While some EHR providers do meet some of these requirements, proper monitoring software fully covers ARRA HITECH’s standards. It is especially important for healthcare providers to start meeting ARRA HITECH, as starting this year (2015), physicians who elect to not use an EHR will be penalized, starting with a 1% Medicare fee reduction.


Now, it’s time for some bad news and some good news. The bad news is that even if you were to implement every practice outlined above, your organization would still not be fully protected. While we strongly recommend the serious consideration of every suggestion we’ve described, none of them are iron-clad.

For example, profiling business users and data is difficult, especially as businesses are dynamic and frequently changing; gaps will inevitably remain. Restricting unnecessary access to data is critical, but ultimately, many business users will still need access to the company’s most sensitive data. Restricting the use of dangerous applications is also crucial, yet dangerous applications will always be needed by some users, while other users will be able to find alternative applications not on your “block list.” And no matter how complex your passwords are, and how well you train your employees to protect them, they will always be vulnerable to the most sophisticated and determined hackers.

Now, the good news: User Activity Monitoring is a comprehensive user-focused security solution that covers all the gaps left after you’ve done everything else you can. This is because when you know exactly what every user is doing in critical applications and on every desktop in the organization, you will be able to immediately detect dangerous, unauthorized and out-of-policy user activity – and you will be able to stop it in its tracks. You will also be able to quickly and accurately determine, after the fact, exactly who did what with your sensitive data and applications, when and how.


Proofpoint is the world’s leading provider of user behavior monitoring software. The software can detect and alert on abnormal behavior that indicates insider risks becoming insider threats. This provides an early warning system via user behavior analytics, activity alerting and visual forensics proven to reduce data misuse and unnecessary access, accelerate forensics investigations, and cut internal auditing efforts in half. Proofpoint ITM provides screen-recording technology to capture all user activity across all applications, even applications that do not generate logs and converts screenshots into user activity logs that makes it easy to search, analyze, audit and act upon alerts for suspicious application users, admins and external vendors who have authorized access to an organization's data. Proofpoint has more than 1,200 customers in over 70 countries.


Playing back a user session shows exactly what occurred on screen during the session. However, Proofpoint ITM goes far beyond simply recording the on-screen activity to video: the software transcribes every session into an easy-to-read user activity log so that watching the video isn’t necessary to know what the user did. Clicking on any particular event in the log launches the video playback from that exact moment. This activity analysis is also used to generate real-time user activity alerts and reporting.


When a user-based attack occurs, every second counts. The longer a threat goes undetected, the more damage a company will incur in terms of both financial costs and brand reputation. Without the ability to monitor user activity in real-time, companies will continue to suffer from undetected user-based threats for extended periods of time. Proofpoint ITM’s user activity analytics instantly alert IT security teams to abnormal, suspicious or malicious user activity. The fully-customizable alerts are integrated throughout the system and are even overlaid into session replay. Furthermore, each alert can be assigned a notification policy that designates who gets notified and at what frequency.


Proofpoint ITM captures detailed session activity data and makes it immediately available for alert generation and free-text keyword searching. Administrators, IT security officers and auditors can search for specific mouse or keyboard actions matching:

  • Names of applications run
  • Titles of windows opened
  • URLs accessed via browsers
  • Text typed, edited, pasted, selected, auto-completed, etc.
  • Checkboxes and radio buttons clicked
  • Commands and scripts run in the CMD console

Every resulting search hit is linked directly to the portion of the video where that action occurred. This makes it incredibly easy to find the exact moment that any particular action was performed from among thousands of hours of user activity!