In today’s electronic world, access to critical data is a paramount criterion for success. Doctors and nurses need access to patients’ records to ensure proper delivery of care. Too many restrictions, or complicated access methodologies for internal systems, can have potentially catastrophic and life-altering consequences.
However, the other side of this story is also true: too little control or too few internal access restrictions can lead to HIPAA violations and data exposures, in which hospitals and healthcare facilities face potentially costly legal actions or fines. There was, for example, a recent report detailing how a hospital employee sold the names of patients who had been involved in auto accidents to law firms. This underscored the need for proper control of the data within an electronic system, as well as the need for regular and ongoing audits. So, how can leaders ensure that procedures and policies minimize the risk on both sides of this issue?
The following two-part piece examines the two most important aspects of healthcare data access control: access rights and regular audits. Here’s Part 1, which explains that the first step in the process is to determine a baseline of the access rights needed, and those currently allowed, by type of employee:
This information can then be compiled against user profiles — department, location, titles, roles — to establish a foundation of who is able to access what and when according to permissions granted currently in your system. Once these records are collected, they can easily be sent to the appropriate manager and system owners for review.
During the internal audit, department managers and team leaders should be asking themselves some of the following questions:
- “Do the employees that have access to particular systems and data really need it?”
- “Will you attest to it?”
- “Why should an employee’s access rights be removed, or granted?”
When the initial review is complete, create the “ideal” access for each type of employee in the facility. This can typically be loaded into a role-based access control matrix to ensure that new users are created appropriately. Inevitably, though, some employees will need access that differs from the norm, so a procedure must be in place to allow end users to request access and managers to sign off on the enhanced rights. Again, numerous systems are available in the marketplace that allow this process to be handled electronically while providing a complete audit trail.
During the audit, it’s crucial to remember that ensuring access rights are revoked when appropriate is every bit as important as granting them. With alarming regularity, employees are transferred between departments or roles within an organization, and their permissions to groups and applications become cumulative. While it may be necessary to allow a transferred employee access to everything their previous role required during a transition period, it is imperative that a time limit be set for reviewing and decommissioning those rights.
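The review described above, comparing each user’s current entitlements against the role-based baseline and flagging both unapproved excess rights and transition grants whose time limit has lapsed, can be mechanized. The following is an added illustration, not code from the article or from Tools4ever; the role names, entitlement strings and user records are constructed sample data.

```python
from datetime import date

# Constructed "ideal" access matrix, the output of the initial review:
# role -> the set of entitlements that role legitimately needs.
ROLE_BASELINE = {
    "nurse": {"EHR:read", "EHR:write", "scheduling:read"},
    "billing": {"billing:read", "billing:write", "EHR:read"},
    "it_admin": {"directory:admin", "EHR:admin"},
}

# Constructed user records as they might be exported from a directory or IAM
# system. 'exceptions' holds manager-approved, time-limited grants beyond the
# role baseline (for example, rights kept during a transfer period).
USERS = [
    {"id": "u1001", "role": "nurse",  # transferred from billing
     "entitlements": {"EHR:read", "EHR:write", "scheduling:read",
                      "billing:read", "billing:write"},
     "exceptions": [{"right": "billing:read", "approved_by": "mgr42",
                     "expires": date(2024, 1, 31)}]},
    {"id": "u1002", "role": "billing",
     "entitlements": {"billing:read", "EHR:read"}},
]

def review_user(user, today):
    """Compare one user's current rights with their role baseline.

    Returns sorted lists of: rights the role needs but the user lacks
    ('missing'), rights held with no baseline or approval ('excess'), and
    rights still held under an exception whose time limit has passed ('expired').
    """
    baseline = ROLE_BASELINE.get(user["role"], set())
    current = set(user["entitlements"])
    approved, lapsed = set(), set()
    for exc in user.get("exceptions", []):
        (approved if exc["expires"] >= today else lapsed).add(exc["right"])
    expired = lapsed & current
    return {
        "user": user["id"],
        "missing": sorted(baseline - current),
        "excess": sorted(current - baseline - approved - expired),
        "expired": sorted(expired),
    }

def review_all(users, today):
    """Run the review for every user; feed the result to the managers' attestation step."""
    return [review_user(u, today) for u in users]

if __name__ == "__main__":
    for finding in review_all(USERS, date(2024, 3, 1)):
        print(finding)
```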
Check out Part 2 next week on HealthITSecurity.com.
Dean Wiech is managing director at Tools4ever, a global provider of identity and access management solutions.