Imagine the issues that could arise if a nurse or physician went to retrieve medical records for a patient only to discover that their access rights had inadvertently been modified and they were no longer able to view important data?
The results could range from frustration on the part of the caregiver to more serious consequences for the patient.
This is just one of the many issues that can arise in a healthcare setting without proper access governance controls and it can affect everyone in the organization, not just caregivers. The real possibility of too many, or too few, access rights to systems can be devastating.
So what can a healthcare provider do to ensure that access rights are set correctly from the onset; and remain correct? There are many commercially available solutions that evaluate an individual's role within the organization and allocate the appropriate access rights based on a standardized model. Let's take a quick look at how access governance works.
First, you must evaluate the rights that are common for those throughout the entire organization – everyone needs email, access to the HR portal and productivity tools like word processing. These can be designated as "base" rights and automatically assigned to virtually everyone. Then the real fun begins! Next you must evaluate every position and determine what applications and data access are appropriate for that role. While this seems like an insurmountable task, software tools are available for role mining – looking at how the network and applications are currently configured, and determining what is the norm for each role.
This information is utilized to build a matrix that equates a job title, position, location or any other relevant attribute to the appropriate resources for that position. Modeling tools also are available to determine impact analysis on an individual level. These tools allow careful evaluation of what will change when access to an application is turned on, or off, for a specific role prior to the changes actually being implemented in the network. The impact analysis tools allow for minimizing the negative impact that could occur if mass changes were implemented immediately.
After completion of the evaluation, the changes can be implemented into the network. This ensures that everyone in the organization has the rights to the data they need to perform their jobs – nothing more and nothing less. Inevitably, someone will need additional access outside of the standard. This could be because of a temporary assignment, a special project or filling in for an employee out on leave. To account for these modifications, a web portal should be implemented to allow a request and approval process for any deviations.
This portal can be set up to allow your employees the ability to request the access they need. The modification is then delivered to a manager for review and approval. This manager has the ability to make the change permanent or set it to expire on a specific date. Depending on the data or application access being requested, weather one or multiple levels of approval may be required prior to implementation in the appropriate system. This also reduces the access burden on your IT department.
One of the main advantages of access governance is that these policies and solutions provide for the ability to perform IT compliance audits on demand. Instead of spending days or weeks compiling reports to determine that access rights are accurate, an access governance solution can generate an instantaneous snapshot of every user and what their access rights are, as well as displaying each security group or application role and who the members are.
Likewise, you can receive real-time notifications of changes done outside of the access governance system. For example, if a less than scrupulous person decides to grant someone "behind the scenes" access to sensitive data, alerts can be generated notifying a security officer of the change as soon as it occurs. Without this real-time tracking, it would be possible for someone to grant someone short-term access then revoke it in short order before anyone is the wiser.
Access governance systems affords health system leaders with peace of mind knowing that access to sensitive and confidential information is secured and accessible to only those employees who have the need to see it – and that is a healthy feeling.
Dean Wiech is managing director of Tools4ever.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.