By Dean Wiech, Tools4ever
Access to critical data is a paramount criterion for success in today’s electronic world. Physicians and caregivers need access to patients’ records to ensure proper delivery of care, but encumbering employees and internal stakeholders with too many restrictions on systems, or with complicated access methods, can have catastrophic consequences.
However, the same can be said for the other side of the story. Too few controls or restrictions on internal information can lead to violations for healthcare systems and hospitals and create exposure to potentially costly legal actions and fines.
As such, two of the most important aspects of identity and access for health systems are access rights and conducting regular internal information audits.
Assigning Employees Proper Access Rights, And Determining When To Revoke Them
The first step in any information audit process is to determine a baseline of the access rights each employee needs, and which rights are currently allowed for each type of employee group; for example, nurse, administrator, billing, physician.
This information can be compared to user profiles — department, location, titles, etc. — to establish a baseline view of where things stand. These records can then easily be sent to the appropriate managers and system owners for review, who should ask themselves the following questions to determine who should keep or be granted access to certain information:
Once this review is completed, the next step is to determine and set the “ideal” access for each type of employee in the organization. This task is typically handled by loading the information into a role-based access control matrix so that new user profiles and access rights are created appropriately. Inevitably, during this part of the process it is determined that some employees need access to systems or information that differs from the norm, or the ideal, so a procedure must be put in place that allows end users to request access and their managers to sign off on the approved, enhanced rights. Numerous systems are available to handle this process electronically while providing a complete audit trail for the organization.
It is also worth noting that whenever electronic audits are discussed, a great deal of attention is given to which employees have access to what. Equally as important as granting rights, however, is ensuring rights are revoked when appropriate.
With alarming regularity, employees are transferred between departments or roles within an organization and their permissions to groups and applications become cumulative. While it may be necessary to allow a transferred employee access to everything their previous role required during a transition period, it is imperative that a time limit be set by which those rights are reviewed and decommissioned.
Conducting The Internal Systems Audit
The next step in the process is to actually perform an audit. New employees can be assumed to be given the correct access rights, but for employees who have been on staff for years — maybe in numerous departments or roles — the delta is easy to determine by comparing their employee type information and the access rights they currently hold against the “ideal.”
Keep in mind that at this stage of the audit every discrepancy must be accounted for. Employees who are found to be outside the ideal should be able to explain why they have access to those systems, and their manager needs to sign off for them to maintain that access. In most cases, the additional rights are the result of changes in role that occurred at some stage in their employment without the proper revocation of system access.
Regular audits are also a necessity as an ongoing process. On a quarterly basis, managers and system owners should be asked to review access privileges and attest that the current rights are what is required for the employees they manage. Red flags or possible breaches should trigger another audit, no matter how recently the previous audit was conducted.
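As an added illustration (not the author's or Tools4ever's code), here is a Python sketch of the comparison described above: a constructed RBAC matrix of ideal rights per employee type, the delta of excess and missing rights for each employee, and a flag for rights carried over from a prior role that are past an assumed 30-day decommissioning window. All role names, system names, user IDs and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample RBAC matrix: the "ideal" rights for each employee type.
IDEAL_ACCESS: Dict[str, Set[str]] = {
    "nurse": {"ehr_clinical", "medication_admin"},
    "billing": {"ehr_billing", "claims_system"},
    "physician": {"ehr_clinical", "medication_admin", "order_entry"},
    "administrator": {"hr_system", "scheduling"},
}
TRANSFER_GRACE_DAYS = 30  # assumed deadline for decommissioning rights kept from a prior role


@dataclass
class Employee:
    user_id: str
    role: str
    entitlements: Set[str]                      # rights the employee actually holds today
    previous_role: Optional[str] = None
    transfer_date: Optional[date] = None
    approved_exceptions: Set[str] = field(default_factory=set)  # manager-signed extra rights


def audit_employee(emp: Employee, today: date, grace_days: int = TRANSFER_GRACE_DAYS) -> Dict[str, Set[str]]:
    """Compute the delta between an employee's actual rights and the ideal for their role."""
    ideal_now = IDEAL_ACCESS.get(emp.role, set())
    excess = emp.entitlements - ideal_now - emp.approved_exceptions  # must be explained and signed off
    missing = ideal_now - emp.entitlements                           # role requires it, user lacks it
    expired: Set[str] = set()
    if emp.previous_role and emp.transfer_date and (today - emp.transfer_date).days > grace_days:
        # Cumulative rights from the old role that are past the decommissioning deadline
        expired = IDEAL_ACCESS.get(emp.previous_role, set()) & excess
    return {"excess": excess, "missing": missing, "expired_transfer": expired}


def run_audit(employees: List[Employee], today: date) -> Dict[str, Dict[str, Set[str]]]:
    """Return findings only for employees whose rights differ from the ideal."""
    findings = {e.user_id: audit_employee(e, today) for e in employees}
    return {uid: f for uid, f in findings.items() if any(f.values())}


AUDIT_DATE = date(2024, 4, 1)
SAMPLE_EMPLOYEES = [  # constructed sample data
    Employee("n001", "nurse", {"ehr_clinical", "medication_admin"}),
    Employee("b002", "billing", {"ehr_billing", "claims_system", "ehr_clinical", "medication_admin"},
             previous_role="nurse", transfer_date=date(2024, 1, 1)),   # transferred 91 days ago
    Employee("a003", "administrator", {"hr_system", "scheduling", "order_entry"},
             approved_exceptions={"order_entry"}),
    Employee("p004", "physician", {"ehr_clinical", "medication_admin"}),
]

if __name__ == "__main__":
    print(run_audit(SAMPLE_EMPLOYEES, AUDIT_DATE))
```

Only b002 (cumulative rights from the nurse role, now past the grace period) and p004 (a missing right) appear in the report; a003's extra right is covered by a signed exception and is not flagged.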
These audits should be public knowledge. If employees know their actions are being monitored they are more likely to control their behavior when accessing sensitive information, which also reduces your risk of exposed data and unapproved access to information by internal stakeholders.
To ensure access is open enough to let providers perform their jobs yet restrictive enough to avoid legal complications, it is important to set controls when employees join the organization and to regularly review any changes to their profiles. These two factors allow for easy compliance reporting at audit time.