Role-based access control in healthcare

While role-based access control (RBAC) has uses in every industry, healthcare systems in particular can benefit from a proper implementation of these solutions. The potential to save not only exists by reducing possible fines in HIPAA and Sar-Box audits, but also from prospective lawsuits if sensitive patient data is ever exposed or allowed to be accessed by the wrong personnel.

By developing and using a completed RBAC matrix -- a relational database that contains information such as departments, locations, titles and the requisite baseline access requirements -- during initial employee account creation, an organization’s leadership can be assured that the access rights to systems and data is appropriate for each new hire.

The potential for chaos that can ensue if a healthcare professional is inadvertently given access to the financial system is one thing, but a non-medical staff member receiving access to health records is another risk altogether.

Take for instance, the recent case of a billing technician having access to medical records at a facility in Florida. The individual allegedly scanned emergency room records over the course of several months looking for car accident victims. He then sold this information to an attorney who, in turn, contacted the victims offering them legal representation. Once the hospital’s leadership detected this practice, the employee was terminated immediately; however, the potential litigation risk to the hospital still remains.

While a completed RBAC matrix can take time to finalize, even starting out with a basic implementation can reduce time spent by the IT staff creating user accounts and reducing overall risks. It is feasible to start this undertaking with a partially completed matrix and begin reaping the benefits in short order.

Most hospitals and health systems already have the basic information in their HR system to get started populating the matrix -- such as location, department, job title, etc. – and the next step in the process is to link this data with the appropriate access rights. Access rights are often easy to locate as they are most likely known by the IT staff, the help desk that creates user accounts or the employee’s manager.

For example, they know that an ER nurse needs access to certain systems and data, but there is usually no programmatic approach to enforcing the real requirements. Over time, the remainder of the RBAC matrix can be completed and fine-tuned. This can be accomplished by having managers review rights for existing employees and assisting in creating the “ideal” templates.

As illustrated, the RBAC matrix is useful in setting initial access rights and is also extremely useful for conducting ongoing audits. By implementing an RBAC system, organizational leaders can see who has access to certain systems, and they can see who has accessed any system at any time.