Healthcare Information Security

Granting healthcare user access rights: Audit considerations

By Dean Wiech

In today’s electronic world, access to critical data is a paramount criterion for success. Doctors and nurses need access to patients’ records to ensure proper delivery of care. Too many restrictions or overly complicated access methods for internal systems can have potentially catastrophic and life-altering consequences.

However, the other side of this story is also true: too little control or too few internal access restrictions can lead to HIPAA violations and data exposures, wherein hospitals and healthcare facilities face potentially costly legal actions or fines. There was, for example, a recent report detailing how a hospital employee sold the names of patients who had been involved in auto accidents to law firms. This underscored the need for proper control of the data within an electronic system, as well as the need for regular and ongoing audits. So, how can leaders ensure that procedures and policies minimize the risk on both sides of this issue?

Read Part 2 here: Organizing, automating access for internal healthcare audits

The following two-part piece examines the two most important aspects of healthcare data access control: access rights and regular audits. Here is Part 1, which explains that the first step in the process is to determine a baseline of the access rights each type of employee needs and the rights currently allowed for that type:

This information can then be compiled against user profiles — department, location, titles, roles — to establish a foundation of who is able to access what and when, according to the permissions currently granted in your system. Once these records are collected, they can easily be sent to the appropriate managers and system owners for review.

During the internal audit, department managers and team leaders should be asking themselves some of the following questions:

- “Do the employees that have access to particular systems and data really need it?”

- “Will you attest to it?”

- “Why should an employee’s access rights be removed, or granted?”

When the initial review is complete, create the “ideal” access for each type of employee in the facility. The result can typically be loaded into a role-based access control matrix to ensure that new users are created with the appropriate rights. Inevitably, though, some employees will need access that differs from the norm, so a procedure must be in place to allow end users to request access and managers to sign off on the enhanced rights. Again, numerous systems are available in the marketplace to allow this process to be handled electronically while providing a complete audit trail.

During the audit, it is crucial to remember that ensuring access rights are revoked when appropriate is just as important as granting them. With alarming regularity, employees are transferred between departments or roles within an organization, and their permissions to groups and applications become cumulative. While it may be necessary to allow a transferred employee access to everything their previous role required during a transition period, it is imperative that a time limit be set for reviewing and decommissioning those rights.
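As an added illustration (not code from the article or from Tools4ever), the following Python compares a constructed entitlement export against a per-role baseline matrix, subtracts the exceptions a manager has already signed off on, and flags carried-over rights that have outlived an assumed 30-day transition window. The role names, entitlement strings, user records and window length are all assumptions.

```python
from datetime import date

# Constructed sample data, not from the article: the "ideal" access per
# employee type (the role-based access control matrix) ...
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write_notes", "pharmacy:view"},
    "billing": {"billing:read", "billing:write", "ehr:read_demographics"},
    "clerk": {"scheduling:rw", "ehr:read_demographics"},
}

# ... and an export of what each user currently holds, with the date their
# current role began. u002 moved from nursing to billing and kept nurse rights.
ACCESS_EXPORT = [
    {"user": "u001", "role": "nurse", "role_since": "2017-03-01",
     "grants": {"ehr:read", "ehr:write_notes", "pharmacy:view"}},
    {"user": "u002", "role": "billing", "role_since": "2018-06-15",
     "grants": {"billing:read", "billing:write", "ehr:read_demographics",
                "ehr:read", "ehr:write_notes"}},
    {"user": "u003", "role": "clerk", "role_since": "2018-07-20",
     "grants": {"scheduling:rw", "ehr:read_demographics", "pharmacy:view"}},
]

# Assumed transition window: carried-over rights older than this are overdue.
TRANSITION_DAYS = 30


def excess_grants(record):
    """Entitlements a user holds beyond the baseline for their current role."""
    return record["grants"] - ROLE_BASELINE[record["role"]]


def audit(export, today_iso, approved_exceptions=None):
    """Build the review list for managers: each user whose rights exceed the
    role baseline (minus exceptions a manager has already signed off on),
    marked overdue if the current role is older than the transition window."""
    today = date.fromisoformat(today_iso)
    approved = approved_exceptions or {}
    findings = []
    for rec in export:
        extra = excess_grants(rec) - approved.get(rec["user"], set())
        if not extra:
            continue  # matches the baseline or is fully approved: nothing to review
        days_in_role = (today - date.fromisoformat(rec["role_since"])).days
        findings.append({
            "user": rec["user"],
            "role": rec["role"],
            "excess": sorted(extra),
            "overdue": days_in_role > TRANSITION_DAYS,
        })
    return findings
```

Feeding the findings list to the department manager is the attestation step; anything marked overdue is a revocation candidate rather than a renewal candidate.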

Check out Part 2 next week on

Dean Wiech is managing director at Tools4ever, a global provider of identity and access management solutions.
