By Dean Wiech, managing director, Tools4ever
Healthcare is currently experiencing a number of high-profile technological advancements and, with them, a renewed focus on network security through tighter control of who can access data. Restricting access need not come at the expense of productivity: user-friendly identity and access solutions, several of which health systems are adopting rapidly, address both goals at once.
Employees of these organizations must have the correct access to systems, and to ensure proper security that access should be based on their role or position. Role-based permissions improve security, but defining and maintaining the underlying controls by hand can consume a tremendous amount of IT time. The process can be automated with a role-based access control (RBAC) solution. The RBAC matrix is populated with departments, titles, locations and other relevant employee attributes, producing a repeatable, auditable rule set for which employees are granted access to which applications and data.
Populating the RBAC matrix can start with a data extract from HR. Additional extracts from systems such as Active Directory, LDAP directories and others provide a snapshot of how access is currently configured and where it may need to change. Reviewing this data to identify employees with appropriate access in each role gives a baseline that can be propagated to other employees in the same role. One caution: an existing employee's access typically includes rights accumulated over years of transfers and one-off requests, so the baseline should be reviewed and trimmed before it is copied rather than taken as-is. Any deviation from the role baseline should then go through an access request so that it is approved by the appropriate manager and system owner.
One problem when attempting to streamline and protect access is that although each user has an individual network account, the use of shared accounts can be systemic. For example, clinicians log in to a shared workstation with a generic account and reach any number of applications that are open to whoever holds that generic access. When an application such as an EHR requires a second credential, employees often use a shared account there as well.
This is a major challenge, especially for IT and compliance leaders who need to audit account access and user movements throughout the system: with shared accounts it is effectively impossible to determine who viewed which data and when. Alongside the RBAC matrix, health systems deploy identity management solutions linked to the HR system, which create individual user accounts automatically and keep them current as titles and departments change. Employee departures are detected from the same HR feed so that all network and application access can be revoked promptly.
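The two steps described above, mining a role baseline from HR and directory extracts and then detecting accounts that no longer match an active employee, can be sketched in a few dozen lines. The script below is an added illustration, not Tools4ever code or any product's logic; the HR records, directory group memberships, role key (department plus title) and the 75% membership threshold are all constructed assumptions.

```python
"""Role mining and leaver detection from HR and directory extracts.

Added example, not code from the article or from any vendor. Every record
below is constructed: a small HR extract and a matching Active Directory
style group-membership extract.
"""
from collections import Counter, defaultdict

# Constructed HR extract: one record per employee.
HR_EXTRACT = [
    {"id": "e001", "title": "Registered Nurse", "dept": "ICU", "status": "active"},
    {"id": "e002", "title": "Registered Nurse", "dept": "ICU", "status": "active"},
    {"id": "e003", "title": "Registered Nurse", "dept": "ICU", "status": "active"},
    {"id": "e004", "title": "Registered Nurse", "dept": "ICU", "status": "active"},
    {"id": "e005", "title": "Pharmacist", "dept": "Pharmacy", "status": "active"},
    {"id": "e006", "title": "Pharmacist", "dept": "Pharmacy", "status": "terminated"},
]

# Constructed directory extract: account -> set of groups (entitlements).
DIRECTORY_EXTRACT = {
    "e001": {"EHR-Clinical", "ICU-Share", "VPN"},
    "e002": {"EHR-Clinical", "ICU-Share", "VPN"},
    "e003": {"EHR-Clinical", "ICU-Share", "VPN", "Domain Admins"},  # accumulated excess
    "e004": {"EHR-Clinical", "ICU-Share"},                          # missing VPN
    "e005": {"EHR-Clinical", "Pharmacy-Share"},
    "e006": {"EHR-Clinical", "Pharmacy-Share"},   # terminated in HR, still enabled
    "svc-legacy": {"EHR-Clinical"},               # no HR record at all
}


def role_of(emp):
    """Assumed role key: department plus job title."""
    return (emp["dept"], emp["title"])


def mine_roles(hr, directory, threshold=0.75):
    """Return {role: baseline entitlement set}.

    An entitlement enters a role's baseline when at least `threshold` of the
    role's active members hold it, so one person's one-off rights (e.g. a
    nurse who is also in Domain Admins) do not become the role standard.
    """
    members = defaultdict(list)
    for emp in hr:
        if emp["status"] == "active":
            members[role_of(emp)].append(emp["id"])
    baseline = {}
    for role, ids in members.items():
        counts = Counter(g for i in ids for g in directory.get(i, set()))
        baseline[role] = {g for g, n in counts.items() if n / len(ids) >= threshold}
    return baseline


def find_deviations(hr, directory, baseline):
    """Return {emp_id: {"excess": set, "missing": set}} for active employees
    whose current access differs from their role baseline. Each entry is a
    candidate for an access request that a manager or system owner approves."""
    out = {}
    for emp in hr:
        if emp["status"] != "active":
            continue
        expected = baseline.get(role_of(emp), set())
        actual = directory.get(emp["id"], set())
        excess, missing = actual - expected, expected - actual
        if excess or missing:
            out[emp["id"]] = {"excess": excess, "missing": missing}
    return out


def find_orphans(hr, directory):
    """Accounts that should hold no access: terminated in HR, or absent from
    HR entirely (service or shared accounts nobody owns)."""
    active = {e["id"] for e in hr if e["status"] == "active"}
    return sorted(acct for acct in directory if acct not in active)


if __name__ == "__main__":
    roles = mine_roles(HR_EXTRACT, DIRECTORY_EXTRACT)
    for role, ents in roles.items():
        print("baseline", role, sorted(ents))
    for emp_id, dev in find_deviations(HR_EXTRACT, DIRECTORY_EXTRACT, roles).items():
        print("deviation", emp_id, dev)
    print("orphans", find_orphans(HR_EXTRACT, DIRECTORY_EXTRACT))
```

Two points the toy data brings out. First, a role with a single member (the pharmacist here) gets a baseline that is simply that person's current access, which is exactly the over-privilege propagation risk noted above; in practice a minimum member count or a manual review gate belongs in front of any role with so few members. Second, the orphan list is where shared and service accounts surface, because they have no owner in HR, which is why linking the identity management system to the HR feed is what makes the leaver check automatic.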
One downside of switching to individual accounts is that employees need to remember credentials (user names and passwords) for multiple systems. Single sign-on addresses this: users authenticate once, and the SSO solution stores their application credentials and supplies them as needed. Sound like a security risk? It concentrates the risk in one place, so the initial login has to be strong and the stored credentials have to be protected. Strong authentication, combining something you know (a PIN code) with something you have (a card to scan), mitigates that risk: users log in to computers by presenting the card and entering the PIN, much like using an ATM. Removing the card also forces an immediate logout of whichever account was open and closes the network session.
Using individual network accounts and defining access to systems and data with an RBAC matrix increases the overall security of hospital information systems, while an SSO solution lets users access the network painlessly and spend more of their time on patient care.