By Dean Wiech
In today’s electronic world, access to critical data is a paramount criterion for success. Doctors and nurses need access to patients’ records to ensure proper delivery of care. Encumbering employees and internal stakeholders with too many restrictions or overly complicated access methods on internal systems can have catastrophic consequences.
However, the other side of the story is also true: too little control over, or too few restrictions on, information in internal systems can lead to HIPAA violations for healthcare systems and hospitals, and create exposure to potentially costly legal actions or fines.
A recent story about a Florida hospital employee selling the names of patients who had been involved in auto accidents to law firms underscores the need for proper control and information audits. But how can healthcare organizations ensure that their procedures and policies minimize the risk on both sides, striking a balance between access control that is too strict and access control that is too weak?
In this article we will look at the two most important aspects of data access control: assigning access rights and conducting regular internal information audits.
Assigning employees proper access rights, and determining when to revoke them
The first step in the audit process is to determine, by type of employee, both the access rights that are actually needed and those that are currently granted. To help accomplish this task, numerous commercially available products can scan the network and applications and retrieve information on access rights. This information can then be compared to user profiles (department, location, title, etc.) to establish a baseline of where everything stands today. These records can easily be sent to the appropriate managers and system owners for review. Those managers should ask themselves the following types of questions when determining who should keep or be granted access to certain information:
- “Do the people that have access to particular systems and data really need it?”
- “Will you attest to it?”
- “Why should an employee’s access rights be removed, or granted?”
Once the review is completed, you are ready to determine and set the “ideal” access for each type of employee in the facility. This task is typically handled by loading the information into a Role Based Access Control matrix to ensure that new user profiles and access rights are created appropriately. Inevitably, during this part of the process, you will find that some employees need access to systems or information that differs from the norm, or the ideal, so a procedure must be put in place that lets end users request access and lets their managers sign off on the approved, enhanced rights. Again, numerous systems are available in the marketplace to handle this process electronically while providing a complete audit trail.
It is good to keep in mind that whenever electronic audits are discussed, a great deal of attention is given to which employees have access to what. Equally as important as granting rights, however, is ensuring that rights are revoked when appropriate.
With alarming regularity, employees are transferred between departments or roles within an organization and their permissions to groups and applications become cumulative. While it may be necessary to let a transferred employee keep everything their previous role required during a transition period, it is imperative that a time limit be set for reviewing and decommissioning those rights.
Conducting the internal systems audit
The next step in the process is to actually perform an initial audit. You can be assured that new employees are being given the correct access rights, but what about employees who have been around for years, perhaps in numerous departments or roles? By comparing their employee type information and the access rights they currently hold against the “ideal,” it is easy to determine the delta.
Keep in mind that at this stage of the audit every discrepancy must be accounted for.
Employees who are found to be outside the ideal should be able to explain why they have access to those systems, and their managers need to sign off for them to keep that access. In most cases, the additional rights are the result of role changes that occurred at some point without the proper revocation of system access.
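The baseline-and-delta procedure described above (the RBAC “ideal” per employee type, the access-rights scan, manager-approved exceptions with a time limit, and the comparison that surfaces every discrepancy) can be expressed as a small audit script. The following is an added example written for this article; it is not code from the author or from Tools4ever. All of the data (the RBAC matrix, the HR profiles, the scanned entitlements and the exception list) is constructed for illustration, as are the entitlement names such as `ehr:read`. It also goes one step beyond the text by flagging accounts that appear in the scan but have no HR profile at all, a discrepancy that a role-based comparison alone would never surface.

```python
"""Access-rights delta audit: compare scanned entitlements against an RBAC
"ideal" and against manager-approved, time-boxed exceptions.

Added example for this article; all data below is constructed, not real.
Dates are ISO-8601 strings, which compare correctly as plain strings.
"""

# RBAC matrix: the "ideal" entitlements for each employee type (constructed).
RBAC_MATRIX = {
    "nurse": {"ehr:read", "ehr:write-notes", "pharmacy:view"},
    "billing": {"ehr:read-demographics", "billing:read", "billing:write"},
    "registration": {"ehr:read-demographics", "ehr:create-patient"},
}

# HR profile feed: user -> current employee type (constructed).
PROFILES = {"jdoe": "nurse", "asmith": "billing", "rlee": "registration"}

# Entitlements as an access-rights scan of the systems found them today (constructed).
CURRENT_ACCESS = {
    "jdoe": {"ehr:read", "ehr:write-notes", "pharmacy:view"},
    # asmith moved from registration to billing; one old right was never revoked.
    "asmith": {"ehr:read-demographics", "billing:read", "billing:write",
               "ehr:create-patient"},
    # rlee holds one right outside the norm and lacks one the role calls for.
    "rlee": {"ehr:read-demographics", "ehr:read"},
    # Account with no HR profile at all (e.g. a left-over contractor account).
    "tmp-contractor": {"ehr:read"},
}

# Manager-approved exceptions (constructed). Every one carries an expiry date so
# transitional rights come back up for review instead of accumulating silently.
EXCEPTIONS = [
    {"user": "rlee", "entitlement": "ehr:read",
     "approver": "mgr-registration", "expires": "2030-01-01"},
    {"user": "asmith", "entitlement": "ehr:create-patient",
     "approver": "mgr-billing", "expires": "2020-03-31"},
]


def audit_access(as_of, rbac=RBAC_MATRIX, profiles=PROFILES,
                 access=CURRENT_ACCESS, exceptions=EXCEPTIONS):
    """Compute the delta between actual and ideal access for every profiled user.

    Returns (findings, orphans). findings maps user -> dict with:
      approved   : excess rights covered by an unexpired, manager-signed exception
      expired    : excess rights whose exception lapsed before `as_of` (revoke now)
      unapproved : excess rights with no exception at all (manager must attest)
      missing    : role rights the user should have but does not
    orphans is the set of accounts found in the scan with no HR profile.
    """
    findings = {}
    for user, role in profiles.items():
        ideal = rbac[role]
        actual = access.get(user, set())
        excess = actual - ideal
        approved, expired = set(), set()
        for exc in exceptions:
            if exc["user"] != user or exc["entitlement"] not in excess:
                continue
            if exc["expires"] >= as_of:
                approved.add(exc["entitlement"])
            else:
                expired.add(exc["entitlement"])
        expired -= approved  # a current approval outranks an older, lapsed one
        findings[user] = {
            "approved": approved,
            "expired": expired,
            "unapproved": excess - approved - expired,
            "missing": ideal - actual,
        }
    orphans = set(access) - set(profiles)
    return findings, orphans


def revocation_worklist(findings, orphans):
    """Flatten the audit into (user, entitlement, reason) rows a system owner can act on."""
    work = []
    for user, f in sorted(findings.items()):
        for ent in sorted(f["expired"]):
            work.append((user, ent, "exception expired"))
        for ent in sorted(f["unapproved"]):
            work.append((user, ent, "no approved exception"))
    for user in sorted(orphans):
        work.append((user, "*", "no HR profile"))
    return work


if __name__ == "__main__":
    findings, orphans = audit_access("2024-06-01")
    for user, f in findings.items():
        for ent in sorted(f["missing"]):
            print(f"{user:16} missing     {ent}")
    for user, ent, reason in revocation_worklist(findings, orphans):
        print(f"{user:16} revoke      {ent:22} ({reason})")
```

Run as-is, the script reports that `asmith` still holds `ehr:create-patient` from a former role under an exception that lapsed, that `rlee` is missing a right the registration role calls for, and that `tmp-contractor` has access with no HR profile behind it; `rlee`’s extra `ehr:read` is quiet because its manager-signed exception is still in force. Re-running with a later `as_of` date is how a quarterly review catches exceptions that have since expired.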
Also, as an ongoing process, regular audits are a necessity. On a quarterly basis, managers and system owners should be asked to review access privileges and attest that the current rights are what is required.
Any potential red flag or possible system breach should trigger another audit, no matter how recently the last one was conducted.
The fact that these audits occur should be public knowledge. If employees know their actions in the systems are being monitored, they are more likely to control their own behavior while accessing sensitive information, which also reduces your risk of exposed data and unapproved access to information by internal stakeholders.
To ensure that access to sensitive data is open enough to let providers do their jobs and yet restrictive enough to avoid legal complications, it is important to set controls when employees join the organization and to regularly review any changes to their profiles. These two practices will allow for easy compliance reporting at audit time.
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as User Provisioning, RBAC, Password Management, SSO and Access Management, serving more than five million user accounts worldwide.