Information security is a key concern for hospitals today. Not only does security impact HIPAA compliance, but security failures can also impact a hospital's reputation. Here are five ways for hospitals to improve their information security.
1. Eliminate shared accounts and their security risks. It is common practice for physicians and nurses to use shared accounts with one set of credentials for everyone. This is especially common in emergency rooms where employees use one PC to access vital information. To avoid spending valuable time logging into Windows and launching applications, one generic user account is often used, which is not secure as users can gain access to virtually any information on the machine. This also makes it difficult when it comes time for compliance audits.
To alleviate this issue, physicians and nurses will need their own credentials for each application, but requiring them to remember a new set of credentials for every application proves difficult. Logging in and out is also a time-consuming process. However, a single sign-on (SSO) application can ease this process: employees need to remember only one set of credentials, which makes eliminating shared accounts straightforward. Combining SSO with a smartcard is even more efficient. Once a user presents the smartcard to the reader, the SSO software recognizes it, logs the user in automatically and launches the right applications.
2. Keep employees from writing down passwords. Hospitals ideally should implement strong and complex passwords because of audit requirements, but implementing complex passwords has major consequences for end users. Often, if users need to remember several different and complex passwords, which also need to be changed regularly, they will write them down and store them somewhere. This makes the applications and systems insecure, as anyone who finds the note can read the credentials. With a single sign-on solution, physicians and nurses will not need to write down their credentials, as they will only need to remember one combination of username and password. This eliminates this security risk and gives hospitals the opportunity to implement complex passwords without pushback from end users.
3. Give employees correct access rights. To ensure security of the network and information in a hospital, employees need to be given the correct security permissions based on their job roles. Ensuring that employees have the proper access rights greatly improves security. Doing so requires setting controls that can take the IT department months to implement.
However, a role-based access control (RBAC) solution can assist with this process. Such solutions help the IT department populate the RBAC matrix, which maps each job role to the resources it may access, and provide a simple overview of the network resources available to an employee based on their position or access clearance.
4. Implement automatic user provisioning. Often, when employees leave employment at a hospital, the IT staff is not notified right away, and the employee's accounts are left open, so the former employee can still access confidential information. This leaves the systems and information vulnerable and can have serious consequences. With an automated account management solution in place, the IT department can quickly and easily disable accounts as soon as an employee leaves, ensuring security and compliance with audit standards.
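Points 3 and 4 together describe one reconciliation loop: derive each employee's entitlements from the RBAC matrix and the HR roster, compare that with the accounts that actually exist, and disable or correct whatever does not match. The following is an added illustration of that loop, not code from the article or from Tools4ever; the roles, resources, user names and HR records are all constructed sample data.

```python
"""Added example: reconcile hospital accounts against an HR roster using an
RBAC matrix. All roles, resources and records below are constructed."""
from dataclasses import dataclass

# Constructed RBAC matrix: job role -> resources that role may access.
RBAC_MATRIX = {
    "physician": {"ehr", "lab_results", "e_prescribing"},
    "nurse": {"ehr", "medication_admin"},
    "billing": {"billing_system"},
}

@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    active: bool  # False once HR marks the employee as departed

def desired_access(roster):
    """Map each active employee to the resources the RBAC matrix grants."""
    return {r.user: set(RBAC_MATRIX.get(r.role, set()))
            for r in roster if r.active}

def reconcile(roster, current):
    """Compare live account state (user -> set of resources) with the desired
    state and return the (action, user, resource) steps IT should apply."""
    wanted = desired_access(roster)
    actions = []
    for user, resources in sorted(current.items()):
        if user not in wanted:
            # Departed or unknown to HR: disable rather than leave it open.
            actions.append(("disable", user, None))
            continue
        for res in sorted(resources - wanted[user]):
            actions.append(("revoke", user, res))  # beyond the role's rights
        for res in sorted(wanted[user] - resources):
            actions.append(("grant", user, res))   # role grants, account lacks
    for user in sorted(set(wanted) - set(current)):
        for res in sorted(wanted[user]):
            actions.append(("grant", user, res))   # new hire with no account
    return actions

# Constructed sample: a departed nurse whose account is still open, a physician
# holding a stale right outside their role, and a new billing hire.
SAMPLE_ROSTER = [
    HrRecord("dr.lee", "physician", True),
    HrRecord("nurse.ortiz", "nurse", False),
    HrRecord("b.chen", "billing", True),
]
SAMPLE_ACCOUNTS = {
    "dr.lee": {"ehr", "lab_results", "e_prescribing", "billing_system"},
    "nurse.ortiz": {"ehr", "medication_admin"},
}
```

Running `reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)` yields a revoke for the physician's stray billing right, a disable for the departed nurse and a grant for the new hire; the same loop, run on every HR change, is what closes the notification gap the article describes.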
5. Store information on user access. With a single sign-on solution, information can be stored about who is logging into each application and what they are doing there. This allows the IT department to easily review who has access to what and whether their applications and systems are secure. It also gives them the records needed to comply with audit standards.
Dean Wiech is U.S. managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, RBAC, password management, SSO and access management, serving more than five million user accounts worldwide.