Access to critical data is a paramount criterion for business success. Physicians and nurses need access to patients' records to ensure proper delivery of care, and encumbering employees and internal stakeholders by placing too many restrictions or complicated access methodologies on internal systems can have catastrophic consequences.

However, too few controls or restrictions on information in internal systems can lead to compliance violations for healthcare organizations. It can also create an opportunity for a breach, which in turn can lead to costly legal action or fines.

For health systems, there are two important aspects in regard to data-access control:

  • assigning employee access rights
  • conducting regular audits to determine if any of those rights need to be revoked

The first step in the audit or review process is to determine the baseline of necessary access rights needed by specific employees in specific employee groups according to their employee type and role within the organization. Though historically a manual process, these audits can be automated with an appropriate IT solution that allows for a thorough scan of the network and applications to retrieve information on access rights.

The information collected can then be compared to user profiles in the system, extracting data points such as employee department, location, title, etc., to establish where current rights are as of today. Once this information is collected, it can further be subdivided and forwarded to the appropriate managers and system owners for review.

Once these managers receive the information, they should review it, keeping in mind the following questions to determine who should keep or be granted access to certain systems and organizational information:

  • Do the employees who have access to particular systems and data really need it?
  • Will you, as the manager, attest to it?
  • Why should an employee's access rights be removed, or granted?

Once the review is completed, the IT managers can set the "ideal" access for each type of employee in the facility. This task is typically handled by loading the information into a role-based access control matrix to ensure that new user profiles and access rights are created appropriately.

Inevitably, during this part of the process, it will be determined that some employees will need access to systems or information that differs from the norm or the ideal. For this, a procedure must be put in place to allow end users the opportunity to request access where their managers can sign off on the approved, enhanced rights.

It's good to keep in mind that any time the subject of electronic audits is discussed, a great deal of attention is given to which employees have access to what. Equally important as granting rights, though, is ensuring that rights are revoked when appropriate.

With alarming regularity, employees are transferred between departments or roles within an organization, and their permissions to groups and applications become cumulative. While it may be necessary to allow a transferred employee access to everything their previous role required during a transition period, it is imperative that a time limit be set for reviewing and decommissioning those rights.

The next step in the process is to actually perform an initial audit.

The reassuring thing is that newly hired employees are given correct access rights from the start, but employees who have been with the organization for a number of years may have accumulated rights and access to several disparate systems. By comparing their employee-type information and the access rights they currently hold against the "ideal," it is easy to determine the delta.

Keep in mind that at this stage in the audit every discrepancy must be accounted for. Employees who are found to be outside the ideal should be able to explain why they have access to systems, and their managers need to sign off for them to maintain access. In most cases, the additional rights are the result of changes in roles that occurred at some stage without the proper revocation of system access.
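The delta computation described here, together with the time-limited transfer rights from the earlier paragraph, as an added Python example that is not part of the original article. The RBAC matrix, user names, rights and dates are constructed sample data; an unapproved excess right, or one whose manager-approved exception has passed its review deadline, is flagged for attestation or revocation.

```python
from datetime import date

# Constructed sample data (not from the article): the "ideal" RBAC matrix per role.
RBAC_MATRIX = {
    "nurse":     {"ehr_read", "ehr_write", "pharmacy_read"},
    "physician": {"ehr_read", "ehr_write", "pharmacy_write", "imaging_read"},
    "billing":   {"billing_app", "ehr_read"},
}

# Constructed: current entitlements as scanned from systems, joined with the HR role.
CURRENT_ACCESS = {
    "alice": {"role": "nurse", "rights": {"ehr_read", "ehr_write", "pharmacy_read"}},
    "bob":   {"role": "billing", "rights": {"billing_app", "ehr_read", "ehr_write", "pharmacy_write"}},
    "carol": {"role": "physician", "rights": {"ehr_read", "ehr_write", "imaging_read"}},
}

# Constructed: enhanced/transfer rights a manager signed off on, each with a review deadline.
EXCEPTIONS = {
    ("bob", "ehr_write"): {"approved_by": "mgr_billing", "expires": date(2024, 6, 30)},
}

def compute_delta(matrix, current, exceptions, today=None):
    """Per user: rights beyond the ideal (excess), ideal rights the user lacks (missing),
    and which excess rights lack an approval or whose approval's deadline has passed."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for user, info in current.items():
        ideal = matrix.get(info["role"], set())
        excess, missing = info["rights"] - ideal, ideal - info["rights"]
        unapproved, expired = set(), set()
        for right in excess:
            exc = exceptions.get((user, right))
            if exc is None:
                unapproved.add(right)          # nobody attested to this right
            elif exc["expires"] < today:
                expired.add(right)             # transition period is over
        findings[user] = {"excess": excess, "missing": missing, "unapproved": unapproved,
                          "expired": expired, "needs_attestation": bool(unapproved or expired)}
    return findings

def revocation_candidates(findings):
    """Rights to revoke now: no approval on file, or the review deadline has passed."""
    return {u: f["unapproved"] | f["expired"] for u, f in findings.items() if f["needs_attestation"]}

if __name__ == "__main__":
    result = compute_delta(RBAC_MATRIX, CURRENT_ACCESS, EXCEPTIONS, "2024-09-01")
    for user, f in result.items():
        print(user, f)
    print("revoke:", revocation_candidates(result))
```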

Also, as an ongoing process, regular audits are a necessity. On a quarterly basis, managers and system owners should be asked to review access privileges and attest that the current rights are what is required for employees they manage.

Any potential red flags or possible system breaches should trigger another audit, no matter how recently you conducted a previous audit.

The fact that these audits occur should be public knowledge. If employees know their actions in the systems are being monitored, they are more likely to control their own behavior while accessing sensitive information, which also reduces your risk of exposed data and unapproved access to information by internal stakeholders.

To ensure access to sensitive data is open enough to allow providers to perform their jobs and yet restrictive enough to avoid legal complications, it is important to set controls when employees join the organization and to regularly review any changes to their profiles. These two factors will allow for easy compliance reporting at audit time.