Such is the case in one recent example of a Florida hospital employee selling the names of patients who had been involved in auto accidents to law firms. This example underscores the need for proper control of the data within an electronic system, as well as the need for regular and ongoing audits of the information in the electronic system. But how can a hospital or healthcare facility ensure that its procedures and policies minimize the risk for both sides of this issue?
The following examines the two most important aspects of data access control: access rights and regular audits.
Granting access rights: Determining who gets access to what and when

The first step in the process is to determine a baseline of the access rights employees actually need and those that are currently allowed by type of employee. There are numerous products commercially available that allow a thorough scan of the network and applications to retrieve information about who has which access rights. This information can be compared to user profiles — department, location, titles, roles — to establish a foundation of who is able to access what and when according to the permissions currently granted in the system.
Once these records are collected, the information can easily be forwarded to the appropriate manager and system owners for review so they can best determine if it is accurate. During an internal systems audit, an organization's department and team leaders should be asking themselves some of the following questions:
• Do the employees that have access to particular systems and data really need it?
• Will you attest to it?
• Why should an employee's access rights be removed or granted?
Once this initial review is completed you are ready to create the "ideal" access for each type of employee in the facility. The result can typically be loaded into a role-based access control matrix to ensure that new users are created with the appropriate rights.
Inevitably, some employees will need access that differs from the norm, or the ideal, so a procedure must be in place to allow end users to request access and managers to sign off on the enhanced rights. Again, numerous systems are available in the marketplace to allow this process to be handled electronically while providing a complete audit trail.
Any time the subject of electronic audits is discussed, there's a great deal of attention given to who has access to what, but equally as important as granting rights is ensuring that they are revoked when appropriate. With alarming regularity, employees are transferred between departments or roles within an organization and permissions to groups and applications become cumulative. While it may be necessary to allow a transferred employee access to everything their previous role required during a transition period, it is imperative that a time limit be set for review and decommissioning of those rights be accomplished.
Conducting the audit cycle

The next step in the process is to perform an initial audit. During the audit, you can be assured that new employees are being given correct access rights, but you need to give careful consideration to how to address employees that have been in the system for years. There's a good chance that your internal environment has several employees who have served in numerous departments or roles and have access to more than one area.
By comparing each employee's type information and the access rights they currently have against the "ideal," it is usually quite easy to determine the delta. At this stage, every discrepancy must be accounted for. The employee should be able to explain why he or she has access to systems outside the norm, and his or her manager must decide whether the employee may keep access to a system or whether the access rights should be removed. As you'll find several times during your first audit, employees often have access rights to areas they shouldn't because they served in previous roles and their rights were never terminated.
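As an added illustration, not code from the article or from Tools4ever, here is the delta computation described above combined with the time-limited transitional rights from the transfer discussion, run in Python over constructed sample data; the role matrix, employee ids, right names and review dates are all assumptions:

```python
from datetime import date

# Constructed "ideal" role-based access matrix (sample data, not from the article).
IDEAL = {
    "nurse": {"ehr_clinical", "scheduling"},
    "billing": {"ehr_billing", "claims"},
    "admissions": {"ehr_demographics", "scheduling"},
}

# Constructed rights as a scan of the systems might report them: id -> (role, rights).
ACTUAL = {
    "e101": ("nurse", {"ehr_clinical", "scheduling"}),
    # Transferred from billing to nursing; the old billing rights were never revoked.
    "e102": ("nurse", {"ehr_clinical", "scheduling", "ehr_billing", "claims"}),
    # Recently provisioned and still missing a right the role needs.
    "e103": ("admissions", {"scheduling"}),
}

# Manager-approved transitional grants with a review deadline: (employee, right, expires).
TRANSITIONAL = [("e102", "ehr_billing", date(2024, 6, 30))]

def audit_employee(emp_id, role, actual, today):
    """Delta between one account's rights and the ideal for its role:
    excess  = outside the role with no approved exception,
    expired = transitional grants still present after their review date,
    missing = rights the role needs that the account lacks."""
    ideal = IDEAL[role]
    approved = {r for e, r, exp in TRANSITIONAL if e == emp_id and exp >= today}
    expired = {r for e, r, exp in TRANSITIONAL if e == emp_id and exp < today}
    return {
        "excess": sorted(actual - ideal - approved - expired),
        "expired": sorted(actual & expired),
        "missing": sorted(ideal - actual),
    }

def audit_all(today_iso):
    """Run the delta for every account; return only those with a discrepancy."""
    today = date.fromisoformat(today_iso)
    report = {}
    for emp_id, (role, rights) in ACTUAL.items():
        delta = audit_employee(emp_id, role, rights, today)
        if any(delta.values()):
            report[emp_id] = delta
    return report

if __name__ == "__main__":
    for emp_id, delta in audit_all("2024-09-01").items():
        print(emp_id, delta)
```

Every entry in the report is a discrepancy a manager must explain or fix; an account whose rights match its role exactly never appears.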
As an ongoing process, regular audits are a necessity for any environment, especially those that are highly regulated, like healthcare. At the very least, on a quarterly basis, managers and system owners should be asked to review access privileges and attest that the current rights meet established internal requirements. Automated systems on the market also make "on demand" audits easy, allowing the immediate creation of reports detailing accounts that are out of compliance. Some organizations also set up trigger events to allow a senior manager or IT person to review specific actions. For example, any time a user requests or is added to a certain application or group, a manual review of the reasons surrounding the request must be completed before permission can be granted.
Also, it's good practice to announce audits. The fact that internal audits are conducted should be public knowledge, and no one should be "caught unaware" of the process. If employees know their actions in the systems are being monitored, they are more likely to control their own behavior when accessing the sensitive information that they view as part of their employment.
Summary

To ensure access to sensitive data is open enough to allow providers to perform their jobs and restrictive enough to avoid legal complications, it is important to set controls when employees join the organization and regularly review any changes to their profiles. These two factors will allow for easy compliance reporting at audit time. And once you have a process in place, regular audits are the key to long-term success.
To support your audit and information management needs, there are numerous vendors offering commercially available solutions for every aspect of a provisioning and audit solution. Some of the solutions are complicated, expensive propositions that can take months or years to become fully operational. Others offer inexpensive, quick to implement, point solutions that can attend to specific areas of concern that need to be addressed immediately.
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, RBAC, password management, SSO and access management, serving more than five million user accounts worldwide.