Role-based access control in healthcare

By Dean Wiech

While role-based access control (RBAC) has uses in every industry, healthcare systems in particular can benefit from a proper implementation of these solutions. The savings come not only from reducing possible fines in HIPAA and Sarbanes-Oxley audits, but also from avoiding prospective lawsuits if sensitive patient data is ever exposed to, or accessed by, the wrong personnel.

By developing and using a completed RBAC matrix -- a relational database that contains information such as departments, locations, titles and the requisite baseline access requirements -- during initial employee account creation, an organization’s leadership can be assured that the access rights to systems and data are appropriate for each new hire.

The potential for chaos that can ensue if a healthcare professional is inadvertently given access to the financial system is one thing, but a non-medical staff member receiving access to health records is another risk altogether.

Take, for instance, the recent case of a billing technician having access to medical records at a facility in Florida. The individual allegedly scanned emergency room records over the course of several months looking for car accident victims. He then sold this information to an attorney who, in turn, contacted the victims offering them legal representation. Once the hospital’s leadership detected this practice, the employee was terminated immediately; however, the potential litigation risk to the hospital still remains.

While a completed RBAC matrix can take time to finalize, even starting out with a basic implementation can reduce the time IT staff spend creating user accounts and reduce overall risk. It is feasible to start this undertaking with a partially completed matrix and begin reaping the benefits in short order.

Most hospitals and health systems already have the basic information in their HR system to get started populating the matrix -- such as location, department, job title, etc. -- and the next step in the process is to link this data with the appropriate access rights. Access rights are often easy to locate, as they are most likely known by the IT staff, the help desk that creates user accounts or the employee’s manager.

For example, these people know that an ER nurse needs access to certain systems and data, but there is usually no programmatic approach to enforcing the real requirements. Over time, the remainder of the RBAC matrix can be completed and fine-tuned. This can be accomplished by having managers review rights for existing employees and assist in creating the “ideal” templates.

As illustrated, the RBAC matrix is useful in setting initial access rights and is also extremely useful for conducting ongoing audits. By implementing an RBAC system, organizational leaders can see who has access to certain systems, and they can see who has accessed any system at any time.

Over time, employee access rights tend to accumulate. Employees change departments, are granted temporary access for a special project, or fill in for someone on leave, and these permissions are rarely removed, leaving the systems and data vulnerable to breach. Running audits on a regular basis to determine who has access above and beyond the norm can assist in removing these rights and ensuring ongoing compliance.
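To make the matrix described earlier and the audit described here concrete, the following is an added example, not code from the article: a small Python sketch in which the matrix maps (department, location, title) to a baseline set of systems, and an audit reports any entitlement a user holds beyond that baseline. The role rows, system names, employees and current entitlements are all constructed sample data.

```python
# Added example (not from the article). All rows, users and system names below
# are constructed sample data standing in for an HR feed and an access inventory.

# The RBAC matrix: (department, location, title) -> baseline set of systems
# a new hire in that role should receive on day one.
RBAC_MATRIX = {
    ("Emergency", "Main Campus", "RN"): {"EHR", "Pharmacy", "Email"},
    ("Billing", "Main Campus", "Billing Technician"): {"Billing", "Email"},
    ("Finance", "Main Campus", "Analyst"): {"Finance", "Email"},
}

# Constructed HR data: user -> (department, location, title).
EMPLOYEES = {
    "jdoe": ("Emergency", "Main Campus", "RN"),
    "bsmith": ("Billing", "Main Campus", "Billing Technician"),
    "kchen": ("Finance", "Main Campus", "Analyst"),
    "rpatel": ("Radiology", "North Clinic", "Tech"),  # no matrix row yet
}

# Constructed access inventory: user -> systems the user can reach today.
CURRENT_ACCESS = {
    "jdoe": {"EHR", "Pharmacy", "Email"},
    "bsmith": {"Billing", "Email", "EHR"},  # EHR is beyond the billing baseline
    "kchen": {"Finance", "Email"},
    "rpatel": {"PACS", "Email"},
}


def baseline_access(department, location, title):
    """Baseline entitlements for a role, or None if the matrix has no row yet."""
    return RBAC_MATRIX.get((department, location, title))


def audit_excess_access(employees, current_access):
    """Compare actual entitlements with the matrix baseline.

    Returns (excess_by_user, unmapped_users): excess_by_user lists systems held
    beyond the baseline; unmapped_users are roles the matrix cannot judge yet
    and should go to the manager for review rather than be silently skipped.
    """
    excess_by_user, unmapped_users = {}, []
    for user, (dept, loc, title) in sorted(employees.items()):
        baseline = baseline_access(dept, loc, title)
        if baseline is None:
            unmapped_users.append(user)
            continue
        extra = current_access.get(user, set()) - baseline
        if extra:
            excess_by_user[user] = extra
    return excess_by_user, unmapped_users
```

Run as a periodic job, the excess set is what a manager is asked to remove or justify, and the unmapped list is the backlog of matrix rows still to be written.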

Some facilities have elected to make managers and system owners part of this process. By using the “managed by” field in Active Directory, it is possible to automatically provide a list of members of security and distribution groups to the owners for review on a periodic basis. A web-based portal can easily be provided to allow removal of members that should no longer be part of the group. In this manner, a quarterly audit can be performed and documented on members of all groups in Active Directory without overburdening one individual or group.

Regardless of whether a hospital implements a fully automated access control provisioning and reporting system or one with human intervention, it is imperative that controls be put in place to ensure that new employee accounts are created with the proper set of system access and data rights and that they remain accurate over the course of the employee’s tenure with the facility.

Not having appropriate controls and reporting in place leaves the organization exposed to expensive litigation and potential fines.