Epic Systems

Healthcare Applications

Epic Systems - Leading healthcare software for managing electronic health records (EHR).

Detection Rules for Epic Systems
These detection rules cover the user access, record modification, data export and account management activity recorded by Epic's electronic health record (EHR) software, mapped to MITRE ATT&CK tactics and techniques with a criticality rating for each rule.

Provider: Epic Systems

Detection Rule: Suspicious EHR Access Patterns
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs):
  Check access time and frequency using the EHR access-log API
  Analyze location/IP of access events
  Review user permissions
Incident Creation Criteria: Create an incident if the same account accesses EHR records at a rate well above its normal baseline or from unusual IPs, indicating unauthorized use of the account.

Detection Rule: Unauthorized Record Modification
MITRE Tactic: Impact
MITRE Technique: T1565.001: Stored Data Manipulation
Criticality: Critical
Investigation Actions (APIs):
  Review change logs for modified or deleted records
  Query changes in high-value fields (e.g., diagnoses)
Incident Creation Criteria: Create an incident if records are modified or deleted without proper authorization, especially in restricted fields.

Detection Rule: Data Export from EHR System
MITRE Tactic: Exfiltration
MITRE Technique: T1020: Automated Exfiltration
Criticality: High
Investigation Actions (APIs):
  Use the data export API to monitor bulk export attempts
  Analyze export destination and size
  Cross-check with user permissions
Incident Creation Criteria: Create an incident if a large volume of data is exported by a user who does not hold the export privilege.

Detection Rule: Privileged User Account Creation
MITRE Tactic: Persistence
MITRE Technique: T1136: Create Account
Criticality: Medium
Investigation Actions (APIs):
  Review account creation logs
  Validate access levels assigned to new accounts
  Check the creator's role
Incident Creation Criteria: Create an incident if privileged accounts are created without admin authorization, indicating a persistence tactic.

Detection Rule: Suspicious Access to Patient Data
MITRE Tactic: Collection
MITRE Technique: T1213: Data from Information Repositories
Criticality: Critical
Investigation Actions (APIs):
  Query the API for patient data access logs
  Verify unusual or unauthorized patient data access events
Incident Creation Criteria: Create an incident if patient data is accessed without a valid clinical or business reason, especially for high-profile patients.

Detection Rule: Unusual EHR System Access Times
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs):
  Monitor access outside standard hours
  Check for frequent access attempts during off-hours
Incident Creation Criteria: Create an incident if a user repeatedly accesses the system at irregular hours, suggesting compromised credentials.

Detection Rule: Unusual Patient Record Access Volume
MITRE Tactic: Collection
MITRE Technique: T1213: Data from Information Repositories
Criticality: Medium
Investigation Actions (APIs):
  Track high-frequency access to patient records
  Validate user role and access permissions
Incident Creation Criteria: Create an incident if an account accesses many different patient records in a short period without authorization, indicating possible snooping.

Detection Rule: Credential Sharing Detection
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs):
  Review account usage logs
  Check for simultaneous logins from multiple locations
Incident Creation Criteria: Create an incident if the same account has overlapping sessions from different locations, indicating potential credential sharing.

Detection Rule: Access from Blacklisted IP
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: Critical
Investigation Actions (APIs):
  Use the IP reputation lookup API
  Verify whether the access was legitimate or malicious
Incident Creation Criteria: Create an incident if an access attempt is made from a blacklisted IP, especially for privileged user accounts.
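The behavioral rules above (Unusual EHR System Access Times, Credential Sharing Detection, Unusual Patient Record Access Volume and Access from Blacklisted IP) all run over the same access-event stream. The following is an added example, not Epic code and not this catalog's rule engine: it applies those four rules to a handful of constructed audit events. The event schema (ts, user, ip, action, patient), the business-hours window, the thresholds and the deny list are assumptions chosen for the example.

```python
"""Access-event detections over a constructed EHR audit trail (added example).

Rules implemented, matching the catalog entries above:
  - Unusual EHR System Access Times   -> off_hours_logins()
  - Credential Sharing Detection      -> concurrent_logins()
  - Unusual Patient Record Access Volume -> record_access_volume()
  - Access from Blacklisted IP        -> blacklisted_ip_access()
Schema, thresholds and deny list are assumptions, not Epic defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Epic audit output). One dict per user
# action; "ts" is an ISO-8601 timestamp, "patient" is set only for chart reads.
SAMPLE_EVENTS = [
    # jdoe: normal daytime use, two chart reads from the hospital LAN
    {"ts": "2024-03-04T09:02:11", "user": "jdoe", "ip": "10.20.1.15", "action": "login", "patient": None},
    {"ts": "2024-03-04T09:05:40", "user": "jdoe", "ip": "10.20.1.15", "action": "chart_read", "patient": "MRN-1001"},
    {"ts": "2024-03-04T09:20:03", "user": "jdoe", "ip": "10.20.1.15", "action": "chart_read", "patient": "MRN-1002"},
    # rsmith: three logins between 02:00 and 03:05 on consecutive nights, the last from a deny-listed IP
    {"ts": "2024-03-02T02:14:00", "user": "rsmith", "ip": "198.51.100.7", "action": "login", "patient": None},
    {"ts": "2024-03-03T02:41:00", "user": "rsmith", "ip": "198.51.100.7", "action": "login", "patient": None},
    {"ts": "2024-03-04T03:05:00", "user": "rsmith", "ip": "203.0.113.45", "action": "login", "patient": None},
    # tlee: logged in from the LAN and from an external IP nine minutes apart
    {"ts": "2024-03-04T11:00:00", "user": "tlee", "ip": "10.20.3.8", "action": "login", "patient": None},
    {"ts": "2024-03-04T11:09:00", "user": "tlee", "ip": "198.51.100.22", "action": "login", "patient": None},
]
# tlee then pages through 12 different charts in 12 minutes (constructed snooping pattern).
SAMPLE_EVENTS += [
    {"ts": f"2024-03-04T11:{10 + i:02d}:00", "user": "tlee", "ip": "198.51.100.22",
     "action": "chart_read", "patient": f"MRN-{2000 + i}"}
    for i in range(12)
]

BLACKLISTED_IPS = {"203.0.113.45"}   # constructed deny list (documentation range address)
BUSINESS_HOURS = (7, 19)             # assumption: 07:00-19:00 is normal working time
OFF_HOURS_THRESHOLD = 3              # assumption: 3+ off-hours logins is "frequent"
SNOOPING_THRESHOLD = 10              # assumption: 10+ distinct charts is unusual volume
SESSION_WINDOW = timedelta(minutes=30)  # assumption: logins this close overlap as sessions


def parse(event):
    """Convert the timestamp string into a datetime; leave other fields untouched."""
    return {**event, "ts": datetime.fromisoformat(event["ts"])}


def off_hours_logins(events, threshold=OFF_HOURS_THRESHOLD):
    """Unusual EHR System Access Times: users with >= threshold logins outside BUSINESS_HOURS."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "login" and not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            counts[ev["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def concurrent_logins(events, window=SESSION_WINDOW):
    """Credential Sharing Detection: a user logging in from two different IPs within `window`.

    Returns {user: set_of_ips} for each user with such a pair of logins."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            by_user[ev["user"]].append(ev)
    hits = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for earlier, later in zip(logins, logins[1:]):
            if earlier["ip"] != later["ip"] and later["ts"] - earlier["ts"] <= window:
                hits.setdefault(user, set()).update({earlier["ip"], later["ip"]})
    return hits


def record_access_volume(events, threshold=SNOOPING_THRESHOLD):
    """Unusual Patient Record Access Volume: distinct charts read per user, at or over threshold."""
    charts = defaultdict(set)
    for ev in events:
        if ev["action"] == "chart_read" and ev["patient"]:
            charts[ev["user"]].add(ev["patient"])
    return {user: len(p) for user, p in charts.items() if len(p) >= threshold}


def blacklisted_ip_access(events, blacklist=BLACKLISTED_IPS):
    """Access from Blacklisted IP: sorted (user, ip) pairs whose source is on the deny list."""
    return sorted({(ev["user"], ev["ip"]) for ev in events if ev["ip"] in blacklist})


def run_all(raw_events=SAMPLE_EVENTS):
    """Run every rule over the parsed events and return the hits keyed by rule."""
    events = [parse(e) for e in raw_events]
    return {
        "off_hours": off_hours_logins(events),
        "credential_sharing": concurrent_logins(events),
        "access_volume": record_access_volume(events),
        "blacklisted_ip": blacklisted_ip_access(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Run as a script, it reports rsmith for off-hours logins and the deny-listed IP, and tlee for both the overlapping sessions and the chart-access volume; jdoe trips nothing. In production the thresholds would be per-role baselines rather than fixed constants, and the credential-sharing check would compare session overlap rather than login proximity alone.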

APIs and Their Scopes

Detection Rule: Suspicious EHR Access Patterns
Required API: User Access Logs API
Scopes Required: read:access_events, read:user_activity
Usage: Retrieves logs of user access times, IP addresses, and access frequency for detecting abnormal patterns.

Detection Rule: Unauthorized Record Modification
Required API: Record Modification Logs API
Scopes Required: read:record_modifications, audit:changes
Usage: Monitors records for unauthorized modifications, especially in sensitive fields like patient diagnoses.

Detection Rule: Data Export from EHR System
Required API: Data Export API
Scopes Required: export:patient_data, read:export_logs
Usage: Tracks large data export attempts and verifies that exports match user access privileges.

Detection Rule: Privileged User Account Creation
Required API: Account Management API
Scopes Required: admin:manage_users, read:account_creation
Usage: Provides logs of account creation events, including privileged accounts and their access levels.

Detection Rule: Suspicious Access to Patient Data
Required API: Patient Data Access API
Scopes Required: read:patient_data, audit:access_logs
Usage: Monitors unauthorized access attempts to patient records, especially for high-profile cases.

Detection Rule: Unusual EHR System Access Times
Required API: User Access Logs API
Scopes Required: read:access_events, read:unusual_activity
Usage: Checks user access outside standard business hours for possible credential compromise.

Detection Rule: Suspicious Script Execution on EHR
Required API: Scripting Activity API
Scopes Required: read:script_activity, admin:system_events
Usage: Captures execution of unauthorized scripts on EHR systems, particularly in critical modules.

Detection Rule: Unusual Patient Record Access Volume
Required API: Patient Access Logs API
Scopes Required: read:patient_data, read:access_frequency
Usage: Detects high-frequency access to multiple patient records to identify potential unauthorized snooping.

Detection Rule: Credential Sharing Detection
Required API: Account Activity Logs API
Scopes Required: read:access_events, read:login_history
Usage: Monitors simultaneous logins from multiple locations, indicating possible credential sharing.

Detection Rule: Access from Blacklisted IP
Required API: IP Reputation Lookup API
Scopes Required: read:access_events, network:ip_reputation
Usage: Uses IP reputation services to identify access attempts from blacklisted IP addresses.
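Three of the rules in this catalog (Unauthorized Record Modification, Data Export from EHR System and Privileged User Account Creation) do not key on frequency at all; their incident criteria are an authorization cross-check, matching the "Cross-check with user permissions" and "Check the creator's role" investigation actions and the account-management scopes listed above. The following is an added example, not Epic code and not this catalog's rule engine, showing that cross-check over constructed change, export and account-creation events. The role model, permission names, restricted-field list, row threshold and event schema are all assumptions made for the example.

```python
"""Authorization cross-checks for EHR change, export and account events (added example).

Rules implemented, matching the catalog entries above:
  - Unauthorized Record Modification    -> unauthorized_modifications()
  - Data Export from EHR System         -> unprivileged_bulk_exports()
  - Privileged User Account Creation    -> unauthorized_privileged_creations()
Role model, permission names and thresholds are assumptions, not Epic's security model.
"""

# Assumed role -> permission mapping. In a deployment this would come from the
# identity source behind the Account Management API in the scopes table.
ROLE_PERMISSIONS = {
    "physician": {"chart.read", "chart.write", "chart.write.diagnosis"},
    "nurse":     {"chart.read", "chart.write"},
    "billing":   {"chart.read", "export.bulk"},
    "it_admin":  {"user.create", "user.grant_privileged"},
    "helpdesk":  {"user.create"},
}
USER_ROLES = {  # constructed directory snapshot
    "dr_patel": "physician", "nurse_kim": "nurse", "bsantos": "billing",
    "hd_ops": "helpdesk", "root_it": "it_admin",
}
# Fields whose modification needs a permission beyond plain chart.write (assumption).
RESTRICTED_FIELDS = {"diagnosis": "chart.write.diagnosis"}
PRIVILEGED_ROLES = {"it_admin"}
EXPORT_ROW_THRESHOLD = 5000  # assumption: more than 5000 rows counts as a bulk export

# Constructed sample events (not real Epic audit output).
SAMPLE_CHANGES = [
    {"user": "dr_patel",  "patient": "MRN-3001", "field": "diagnosis", "old": "J06.9", "new": "J18.9"},
    {"user": "nurse_kim", "patient": "MRN-3001", "field": "allergies", "old": "",      "new": "penicillin"},
    {"user": "nurse_kim", "patient": "MRN-3002", "field": "diagnosis", "old": "E11.9", "new": "Z00.00"},
]
SAMPLE_EXPORTS = [
    {"user": "bsantos",   "rows": 12000, "dest": "s3://claims-archive/2024-03.csv"},
    {"user": "nurse_kim", "rows": 8000,  "dest": "https://filehost.example/upload"},
    {"user": "nurse_kim", "rows": 40,    "dest": "local:printout.pdf"},
]
SAMPLE_ACCOUNT_EVENTS = [
    {"creator": "root_it", "new_user": "svc_backup",  "roles": ["it_admin"]},
    {"creator": "hd_ops",  "new_user": "contractor1", "roles": ["nurse"]},
    {"creator": "hd_ops",  "new_user": "contractor2", "roles": ["it_admin"]},
]


def perms(user):
    """Permissions granted by the user's role; unknown users get none (deny by default)."""
    return ROLE_PERMISSIONS.get(USER_ROLES.get(user, ""), set())


def unauthorized_modifications(changes):
    """Unauthorized Record Modification: a write to a restricted field by a user whose
    role lacks the matching permission. Non-restricted fields need only chart.write."""
    hits = []
    for change in changes:
        needed = RESTRICTED_FIELDS.get(change["field"], "chart.write")
        if needed not in perms(change["user"]):
            hits.append((change["user"], change["patient"], change["field"]))
    return hits


def unprivileged_bulk_exports(exports, threshold=EXPORT_ROW_THRESHOLD):
    """Data Export from EHR System: exports above the row threshold by a user without
    export.bulk. Roles that legitimately hold export.bulk are not flagged."""
    return [(e["user"], e["rows"], e["dest"]) for e in exports
            if e["rows"] > threshold and "export.bulk" not in perms(e["user"])]


def unauthorized_privileged_creations(events):
    """Privileged User Account Creation: a new account given a privileged role by a
    creator who can create users but lacks user.grant_privileged."""
    hits = []
    for ev in events:
        granted = PRIVILEGED_ROLES.intersection(ev["roles"])
        if granted and "user.grant_privileged" not in perms(ev["creator"]):
            hits.append((ev["creator"], ev["new_user"], sorted(granted)))
    return hits


def run_checks():
    """Run the three cross-checks over the sample events and return hits keyed by rule."""
    return {
        "record_modification": unauthorized_modifications(SAMPLE_CHANGES),
        "bulk_export": unprivileged_bulk_exports(SAMPLE_EXPORTS),
        "privileged_creation": unauthorized_privileged_creations(SAMPLE_ACCOUNT_EVENTS),
    }


if __name__ == "__main__":
    for rule, hits in run_checks().items():
        print(f"{rule}: {hits}")
```

The physician's diagnosis change, the billing user's 12,000-row export and the admin-created service account all pass; the nurse's diagnosis edit, the nurse's 8,000-row export to an external host and the helpdesk-created it_admin account are the three incidents. The point of keying the rule on role rather than on volume alone is that the same 8,000-row export is routine for billing and an incident for a nurse.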

Reports and Widgets for CISO

Report: Access Patterns and Anomalies
Widgets:
  User Access Heatmap: Visualize high-frequency access times and unusual login patterns.
  Unusual Activity Alerts Widget: Alerts based on deviations from standard access patterns.
  Geo-Access Map: Map of geographic locations for access, highlighting unusual or restricted areas.
  Login Failure Trends: Track login attempts and failures over time.

Report: Data Modification Activity
Widgets:
  Record Modification Log: List of recent patient data modifications with details on user, time, and location.
  High-Sensitivity Field Changes Widget: Focus on modifications to fields with sensitive information (e.g., patient diagnoses).
  Comparison of Authorized vs Unauthorized Changes: Visual chart showing ratios of authorized vs unauthorized data modifications.

Report: Data Export Monitoring
Widgets:
  Large Export Attempts Log: Log of recent export events, including file size and type.
  Export Reason and Frequency Dashboard: Graph showing the frequency of exports by department or role, with reasons.
  High-Volume Data Export Alerts: Alerts widget to flag unusually large data export attempts.

Report: Privileged Account Management
Widgets:
  Privileged Account Access Log: Log of privileged account activities, including account creations and updates.
  Access Elevation Alerts: Alerts for sudden or unscheduled privilege elevation requests.
  Comparison of Privileged vs Standard User Actions: Chart comparing access patterns of privileged vs regular accounts.

Report: Patient Data Access
Widgets:
  High-Sensitivity Patient Data Access Log: Tracks access to sensitive patient data, highlighting frequency by role and department.
  VIP Patient Access Widget: Flags access to VIP or high-profile patient records for further review.

Report: Compliance & Audit Logs
Widgets:
  Audit Log Overview: Provides an overview of all audit events within a specified period.
  Compliance Violations by Department: Chart detailing compliance breaches categorized by department.
  GDPR/PHI Compliance Alerts: Real-time alerts for potential violations of GDPR and protected health information (PHI) requirements.