Last week, we discussed some best practices for granting healthcare user access rights. The next step in the process is to perform an initial audit. Most new healthcare employees are given correct access rights, but what about employees who have been in the system for years? Some of these employees may have served in numerous departments or roles, with access to more than one area.
By comparing each employee's type information and current access rights against the "ideal," it is usually quite easy to determine the delta. At this stage, every discrepancy must be accounted for. The employee should be able to explain why he has access to systems outside the norm, and his manager must decide whether the employee may keep access to a system or whether the access rights should be removed. As will be found several times during the first audit, employees often have access rights to areas they shouldn't have because they served in previous roles and their rights were never terminated.
As an ongoing process, regular audits are a necessity for any environment, especially those that are highly regulated, like healthcare. At the very least, on a quarterly basis, managers and system owners should be asked to review access privileges and attest that the current rights meet established internal requirements.
Automated systems on the market also make "on demand" audits easy, allowing the immediate creation of reports detailing accounts that are out of compliance. Some organizations also set up trigger events that require a senior manager or IT personnel to review specific actions. For example, any time a user requests, or is added to, a certain application or group, a manual review of the reasons surrounding the request must be completed before permission can be granted.
The fact that internal audits are conducted should be public knowledge, and no one should be "caught unaware" of the process. If employees know their actions in the systems are being monitored, they are more likely to control their own behavior when accessing the sensitive information they view as part of their employment.
Another item that can be reviewed monthly by the group owner is the "direct reports" list, also completed through the web-based application, which allows managers to view every employee listed as being under their purview in the network. Again, a simple check box allows a manager to remove an employee from her list.
After completing the review, the owner electronically signs the form and submits his approvals. Alerts are sent on a regular basis to remind the owner that the review is coming due, and a workflow process allows for escalation to the owner's manager if the work is not completed in a timely fashion.
Regarding orphaned groups (those without an owner as a result of someone having left the organization), numerous screens are made available to appropriate personnel so they can easily identify them. An admin portion of the system allows super users to assign a new owner to a group and to assign an employee to a new manager. These capabilities can be used on a one-off basis, or multiple groups can be assigned to a new owner in one pass.
The final component of the system is reporting. To satisfy auditors, numerous reports are available on demand, including reports based on specific individuals, groups and group owners. One of the side benefits is that these reports can be run for any time frame desired, eliminating the need to dig through stacks of paper or comb through unwieldy log files.
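The delta check, the orphaned-group screen and the on-demand compliance report described above can be sketched in a few dozen lines. The following Python is an added example written for this page, not code from the post or from Tools4ever's products; the employees, roles, groups and owners are a constructed sample, and the "ideal" role-to-group mapping is an assumption standing in for whatever the organization defined in its access-rights standard.

```python
from dataclasses import dataclass

# Constructed sample: the "ideal" access matrix (role -> groups a member of
# that role should hold). In practice this comes from the provisioning standard.
IDEAL_ACCESS = {
    "nurse": {"ehr-clinical", "med-dispense"},
    "billing": {"ehr-billing", "claims"},
    "it-admin": {"ehr-admin", "ad-admin"},
}


@dataclass
class Employee:
    user_id: str
    manager: str      # user_id of the employee's manager
    role: str
    groups: set       # groups the employee actually holds today
    active: bool = True


# Constructed sample directory; names and groups are illustrative only.
EMPLOYEES = [
    Employee("alice", "dana", "nurse", {"ehr-clinical", "med-dispense"}),
    # bob moved from billing to nursing; his billing rights were never removed
    Employee("bob", "dana", "nurse", {"ehr-clinical", "med-dispense", "ehr-billing", "claims"}),
    Employee("carol", "erin", "billing", {"ehr-billing"}),                # missing "claims"
    Employee("dana", "frank", "it-admin", {"ehr-admin", "ad-admin"}),
    Employee("erin", "frank", "billing", {"ehr-billing", "claims"}, active=False),  # left the org
    Employee("frank", "frank", "it-admin", {"ehr-admin", "ad-admin"}),
]

# Constructed sample: group -> owner responsible for attesting its membership.
GROUP_OWNERS = {
    "ehr-clinical": "dana",
    "med-dispense": "dana",
    "ehr-billing": "erin",   # owner has left: orphaned
    "claims": "erin",        # orphaned
    "ehr-admin": "frank",
    "ad-admin": "frank",
}


def access_delta(emp, ideal=IDEAL_ACCESS):
    """Compare actual groups with the ideal for the employee's role.
    Returns (excess, missing): groups held beyond the ideal, and ideal groups not held."""
    expected = ideal.get(emp.role, set())
    return sorted(emp.groups - expected), sorted(expected - emp.groups)


def orphaned_groups(owners, employees):
    """Groups whose recorded owner is inactive or not in the directory at all."""
    active_ids = {e.user_id for e in employees if e.active}
    return sorted(g for g, o in owners.items() if o not in active_ids)


def direct_reports(manager_id, employees):
    """Active employees listing manager_id as their manager (the monthly review list)."""
    return sorted(e.user_id for e in employees
                  if e.active and e.manager == manager_id and e.user_id != manager_id)


def compliance_report(employees, owners, ideal=IDEAL_ACCESS):
    """On-demand report: active employees whose access deviates from the ideal,
    terminated accounts that still hold groups, and groups with no active owner.
    Each discrepancy must be explained and either approved by the manager or removed."""
    discrepancies = []
    for e in employees:
        if not e.active:
            continue
        excess, missing = access_delta(e, ideal)
        if excess or missing:
            discrepancies.append({"user": e.user_id, "manager": e.manager, "role": e.role,
                                  "excess": excess, "missing": missing})
    inactive_with_access = sorted(e.user_id for e in employees if not e.active and e.groups)
    return {
        "discrepancies": discrepancies,
        "inactive_with_access": inactive_with_access,
        "orphaned_groups": orphaned_groups(owners, employees),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(EMPLOYEES, GROUP_OWNERS), indent=2))
```

Run as a script it prints the report as JSON; the same three lists (per-user excess and missing groups, terminated accounts still holding rights, ownerless groups) are what the quarterly attestation workflow would route to each manager or owner, and each item that stays must carry a recorded justification.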
To ensure access to sensitive data is open enough to allow providers to perform their jobs and restrictive enough to avoid legal complications, it is important to set controls when employees join the organization and to regularly review any changes to their profiles. These two factors allow for easy compliance reporting at audit time.
There are numerous vendors offering commercially available solutions for every aspect of a provisioning and audit solution. Some are complicated, expensive propositions that can take months or years to become fully operational. Others offer inexpensive, quick-to-implement point solutions that address specific areas of concern needing immediate attention.
Read Part 1 here.
Dean Wiech is managing director at Tools4ever, a global provider of identity and access management solutions.