Who is accessing sensitive data and why?
How to use data auditing
With a software solution developed by Software Competence Center Hagenberg (SCCH), the Upper Austrian health insurance company (Gebietskrankenkasse) will be able to tell its customers exactly who accessed their personal data, when, and why. This ensures not only cross-application compliance with the Austrian Privacy Act but also internal data security through company-wide data auditing.
Overview
Data security is of great importance to the Upper Austrian health insurance company (OÖGKK). For OÖGKK the issue is not only strict compliance with the Austrian Privacy Act, which requires that access to sensitive data be logged and gives customers the right to learn who accessed their data. Beyond legal compliance, OÖGKK places the highest priority on protecting sensitive data.

Challenge
In its project Integrated Data Auditing, SCCH developed a software prototype in cooperation with OÖGKK; the prototype correlates all of OÖGKK's business transactions with the access log data. Previously these data could be analyzed only with extensive technical knowledge. In developing an enterprise-wide solution that is independent of applications and transactions, the differing access patterns of the applications in the various system landscapes posed a great challenge. Furthermore, transparency of every access to these data and of their processing was of utmost importance. The new software continuously logs every access to personal data across application boundaries. Enterprise-wide access patterns covering all databases are derived from these logs and assigned to the company's business processes. “Our new data auditing solution can be compared to a network firewall. Now we have central monitoring of all data access. Beyond ensuring security in applications, our ‘data firewall’ guarantees enterprise-wide data security. A further advantage is flexible extensibility combined with economic maintenance,” states Manfred Schöneborn, assistant manager of the IT development department of OÖGKK.
Solution
Key benefits of the implemented solution are that hardly any changes had to be made to the various applications and that their performance is not impaired. Furthermore, the access logs capture not only the technical information (such as the file or database table) but also the underlying business transaction (e.g., a sick certificate). The cross-application auditing architecture developed in the course of the project was implemented for the network with the help of event stream processing technology (Esper together with an open source data warehouse). The system thus handles data auditing with complete application independence. Furthermore, it offers the potential for business performance measurement, intrusion detection and performance analysis.
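As an added illustration of the correlation described above (example code written for this page, not SCCH's or OÖGKK's implementation): technical access events are joined with the business transactions that explain them, so that a customer's "who, when, why" question can be answered and reads with no business reason are surfaced for review. The log formats, field names, sample values and the 10-second correlation window are assumptions, and plain Python stands in for the Esper-based stream processing.

```python
from datetime import datetime, timedelta

# Constructed sample streams (hypothetical values, not OÖGKK data).
# Technical layer: every read of a sensitive table, whatever the application.
ACCESS_LOG = [
    "2013-03-04T09:12:03 app=claims user=u.maier table=INSURED_PERSON key=INS-4711",
    "2013-03-04T09:12:05 app=claims user=u.maier table=SICK_CERT key=INS-4711",
    "2013-03-04T11:40:17 app=reporting user=k.huber table=INSURED_PERSON key=INS-4711",
    "2013-03-04T14:02:50 app=portal user=s.berger table=INSURED_PERSON key=INS-0815",
]
# Business layer: the transaction an application reported just before its reads.
BUSINESS_LOG = [
    "2013-03-04T09:12:01 app=claims user=u.maier txn=sick_certificate key=INS-4711",
    "2013-03-04T14:02:49 app=portal user=s.berger txn=address_change key=INS-0815",
]
# Assumed correlation rule: a read belongs to a transaction that the same user
# started in the same application for the same record at most 10 s earlier.
WINDOW = timedelta(seconds=10)

def parse(line):
    """'TIMESTAMP k=v k=v ...' -> dict; the timestamp is stored as a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def correlate(access_log, business_log, window=WINDOW):
    """Attach the business reason to each access; unmatched reads stay in as UNEXPLAINED."""
    txns = [parse(line) for line in business_log]
    audit = []
    for acc in (parse(line) for line in access_log):
        reason = "UNEXPLAINED"
        for t in txns:
            same_ctx = (t["app"], t["user"], t["key"]) == (acc["app"], acc["user"], acc["key"])
            if same_ctx and timedelta(0) <= acc["ts"] - t["ts"] <= window:
                reason = t["txn"]
                break
        audit.append({**acc, "reason": reason})
    return audit

def accesses_for(audit, key):
    """The customer's question: who read my data, when, and why?"""
    return [(a["ts"].isoformat(), a["user"], a["app"], a["table"], a["reason"])
            for a in audit if a["key"] == key]

def unexplained(audit):
    """Accesses without a business transaction behind them: input for intrusion detection."""
    return [a for a in audit if a["reason"] == "UNEXPLAINED"]
```

In the sample data the reporting user's read of INS-4711 has no transaction behind it and is therefore the one entry that `unexplained()` returns.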