WALTHAM, Mass. – While hospitals and healthcare providers are on a constant lookout for cyber-based attacks from without, the threat from within is just as real.

For instance, John Halamka, chief information officer for the Boston-based CareGroup Health System, says his network fires two to three people a year who illegally gain access to medical records.

To determine who within a healthcare organization gets to look at what records, hospitals are deploying access governance solutions. Among the vendors providing such services is Waltham, Mass.-based Aveksa, Inc., which recently launched Aveksa Access Request and Change Manager.

According to Brian Cleary, Aveksa's vice president of marketing and products, the company's enterprise access governance platform creates a database of parameters for every employee or position in the healthcare organization. The idea, he said, is to create a set of rules that can be referenced for every single foray into the provider's database.

"We ensure that compliance can be streamlined and repeatable," he said. "We're really a process and policy administration technology."

Analysts say the access management field is complicated, but vital.

"Understanding the relationship of people to responsibilities (and) responsibilities to roles and how entitlements satisfy the responsibilities that roles signify is a significant challenge. Without this understanding, however, it is difficult to resolve an organization's access-related security and policy vulnerabilities," said Kevin Kampman, senior analyst at Burton Group.

"Leveraging automated solutions that are designed to identify and maintain these policies and relationships helps to mitigate vulnerabilities," Burton said. "The organization can reduce the risk associated with inappropriate access privileges and institute the discipline needed to limit or prevent their recurrence. The organization also benefits by clearly articulating relationships, a perspective that contributes to business transparency and effectiveness."