How to Improve Access Security in Healthcare

Data security is a high priority in the healthcare industry, where correct access rights for data are essential, says Dean Wiech

Data security is a high priority in the healthcare industry, where correct access rights for data are essential. Indeed, healthcare organizations are often targeted by hackers seeking to use stolen data to their advantage.

However, perimeter-based network defenses alone are no longer sufficient; attackers routinely find ways around them. Additionally, threats often come from the inside, so it is important to ensure that only the correct people have access to sensitive information. It sounds simple, but organizations frequently fail to notice when elevated access rights are granted to people who do not require them.

Access Issues Facing Healthcare Organizations

Many hospitals make errors assigning access rights during onboarding. Organizational leadership needs to ensure that new employees have access to only the resources their role requires. To save time, access rights are sometimes copied from an existing employee over to a new one; the newcomer then silently inherits every entitlement the template user has accumulated, including any that were never appropriate for either role. This is a direct threat to sensitive data.

Access rights also change throughout an employee’s career as the individual changes positions, covers for vacationing colleagues, borrows credentials, and so on. Rights tend to be added at each step and rarely removed, so entitlements accumulate. This can leave an organization with no clear idea who has access to what, and reconstructing that picture by hand is a huge task, one that healthcare IT employees most likely do not have time for.

Improving Security

Organizations usually have an individual who manually creates and manages accounts and access rights. In some cases, this responsibility is delegated to the helpdesk. But manual management often leads to errors.

There are several methods for ensuring access rights are correct, including automating the account management process or implementing a workflow process with escalating levels of approval dependent on the request made. By connecting all of an organization’s systems and applications, access rights can be ensured without the need to manually go into each application separately.

For example, when a new employee arrives, HR can easily enter all information in the HR system and check off which systems he or she needs to access. This information can then be sent to the appropriate manager who can check the information and give approval. If additional approval is still needed then this information can also be automatically sent to multiple approvers.

When it comes to ensuring access rights over time, an automated solution allows system admins to generate an overview of access rights. They can see exactly who has access to which systems and applications, when those users are logging in, and what types of changes they are making. It also allows them to easily make access changes if necessary and correct any discrepancy before it leads to a problem. Additionally, the system automatically logs every management action, recording which employee performed it and when it occurred. This audit trail is crucial for organizations that must comply with regulations and rules including SOX, HIPAA, SEC rules and GLBA.

Finally, there is the issue of disabling accounts. When an employee leaves it is important that his or her account gets disabled in a timely fashion. Often, healthcare organizations accidentally overlook the disabling or deletion of accounts for ex-employees. This occurs because a manager needs to go into each application the employee had access to and manually disable their account. This is extremely common for temporary or contract employees who only require access for a short period of time. Neglecting this critical task means that an employee who is no longer with the company could still have access to sensitive information.

With an automated solution, a manager can simply disable the account in the source system and all other connected accounts are automatically disabled. This ensures that once the employee leaves, he or she no longer has access to secure data.
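The joiner, mover and leaver steps described above (HR as the source system, an approval chain that escalates for privileged entitlements, an access overview that shows who has what, an audit log of every management action, and a cascading disable) can be sketched as a small identity-lifecycle engine. The following is an added example written for this page, not code from the author or from any vendor product; the role names, entitlement strings, approver identities and sample accounts are constructed and hypothetical. Its reconciliation step also catches the two failure modes the article names earlier: an account cloned from a colleague, and an orphaned account with no HR record behind it.

```python
"""Toy identity-lifecycle engine: HR-driven provisioning with escalating
approvals, reconciliation of actual access against role entitlements,
an audit log of management actions, and cascading disable on departure.
All application names, roles and people below are constructed examples."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role model: what each HR role is entitled to.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:clinical_read", "ehr:clinical_write", "email"},
    "billing_clerk": {"billing:read", "billing:write", "email"},
    "ad_admin": {"ad:domain_admin", "email"},
    "helpdesk": {"ad:password_reset", "email"},
}
# Entitlements that need a second, independent approver (assumed policy).
PRIVILEGED = {"ad:domain_admin", "ehr:clinical_write", "billing:write"}


@dataclass
class HrRecord:
    emp_id: str
    name: str
    role: str
    manager: str
    active: bool = True


@dataclass
class Engine:
    hr: dict                      # source system: emp_id -> HrRecord
    accounts: dict                # connected apps: emp_id -> entitlements actually present
    audit: list = field(default_factory=list)

    def log(self, actor, action, target, detail=""):
        """Every management action is recorded with actor and UTC timestamp."""
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action,
                           "target": target, "detail": detail})

    def approvers_for(self, emp_id, entitlement):
        """Line manager always approves; privileged entitlements escalate further."""
        chain = [self.hr[emp_id].manager]
        if entitlement in PRIVILEGED:
            chain.append("security_officer")
        return chain

    def onboard(self, rec, approvals):
        """Grant only entitlements of the HR role whose full approval chain signed off.
        approvals: entitlement -> set of approver ids. Returns (granted, pending)."""
        self.hr[rec.emp_id] = rec
        self.accounts.setdefault(rec.emp_id, set())
        granted, pending = set(), set()
        for ent in sorted(ROLE_ENTITLEMENTS[rec.role]):
            needed = set(self.approvers_for(rec.emp_id, ent))
            signed = approvals.get(ent, set())
            if needed <= signed:
                self.accounts[rec.emp_id].add(ent)
                granted.add(ent)
                self.log("workflow", "grant", rec.emp_id, ent)
            else:
                pending.add(ent)
                self.log("workflow", "pending", rec.emp_id,
                         f"{ent} awaiting {sorted(needed - signed)}")
        return granted, pending

    def reconcile(self):
        """Access overview: compare what each account has with what its HR role allows."""
        findings = {}
        for emp_id, have in self.accounts.items():
            rec = self.hr.get(emp_id)
            if rec is None or not rec.active:
                # No active HR record behind the account: everything it holds is orphaned.
                findings[emp_id] = {"orphaned": set(have), "excess": set(), "missing": set()}
                continue
            should = ROLE_ENTITLEMENTS[rec.role]
            findings[emp_id] = {"orphaned": set(), "excess": have - should,
                                "missing": should - have}
        return findings

    def offboard(self, emp_id, actor):
        """Disable in the source system; every connected entitlement is removed with it."""
        self.hr[emp_id].active = False
        removed = set(self.accounts.get(emp_id, set()))
        self.accounts[emp_id] = set()
        for ent in sorted(removed):
            self.log(actor, "disable", emp_id, ent)
        return removed


def build_demo():
    """Constructed scenario covering a clean join, an escalated request, a
    copy-the-colleague account and a contractor account with no HR record."""
    eng = Engine(hr={}, accounts={"c9": {"ehr:clinical_read", "email"}})
    nurse = HrRecord("e1", "A. Nurse", "nurse", manager="m1")
    eng.onboard(nurse, {"ehr:clinical_read": {"m1"}, "email": {"m1"},
                        "ehr:clinical_write": {"m1", "security_officer"}})
    admin = HrRecord("e2", "B. Admin", "ad_admin", manager="m2")
    eng.onboard(admin, {"ad:domain_admin": {"m2"}, "email": {"m2"}})   # no second approver
    clerk = HrRecord("e3", "C. Clerk", "billing_clerk", manager="m3")
    eng.hr["e3"] = clerk
    eng.accounts["e3"] = set(eng.accounts["e1"])                        # cloned from the nurse
    eng.log("helpdesk", "copy_profile", "e3", "from e1")
    return eng


if __name__ == "__main__":
    e = build_demo()
    for emp, f in e.reconcile().items():
        print(emp, {k: sorted(v) for k, v in f.items() if v})
    print("offboarded e1, removed:", sorted(e.offboard("e1", "hr_system")))
```

Running it shows the domain-admin request held as pending until the second approver signs, the cloned billing clerk flagged with excess clinical access and missing billing access, the contractor account flagged as orphaned, and a single offboard call stripping every entitlement the nurse held. In a real deployment the `accounts` map would be populated by connectors reading each application, and the reconciliation report is what an access review or auditor would work from.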

Case in Point: South Jersey Healthcare

South Jersey Healthcare is a nonprofit healthcare organization consisting of three major hospitals and more than 60 outpatient care locations. With this many locations, and more than 6000 employees, account management was becoming a tedious, error-strewn task.

South Jersey Healthcare wanted to ensure that all employees had appropriate access rights. With an automated account management solution, the health systems’ IT leaders easily assigned rights to the correct people starting with the team that manages the servers for Active Directory all the way to customer service who reset passwords. This increased the overall security of its systems by reducing the number of users with full access to secure data. With a solution in place, South Jersey Healthcare knows that all its account information is correct.

To remove human error from manual processes, automated solutions are being implemented in many areas of the business world. An automated account management solution keeps access rights consistent with the source system, which greatly reduces the chance that stale or excessive access leads to a breach of sensitive company data.


About the Author

Dean Wiech is managing director of Tools4ever US, a division of the global supplier of identity and access management solutions for organizations small to large in a variety of market sectors.
