At a time when information is constantly being stolen and systems hacked, access management is extremely important, especially in the healthcare industry.
While healthcare organizations need to ensure security of their network and patient data, their security measures cannot interfere with efficiency. Clinicians need to be able to easily gain access to patient data and information, especially in the case of emergencies.
When guarding against access issues, one thing organizations tend to forget is that these threats often come not from outside intruders but from the inside. Additionally, government laws and regulations, such as SOX, HIPAA, SEC and GLBA, provide security guidelines that healthcare institutions need to follow. Any solution the organization wants to implement needs to fit these guidelines.
So what are the top issues that healthcare organizations have with access, and which solutions can they implement? Access management can be thought of in two different ways: 1) ensuring that employees have the correct access to only the applications and data that they are supposed to have; and 2) preventing employees or others from gaining access to applications they shouldn’t.
Ensuring Correct Access
Healthcare organizations need to first ensure that access is correct at the beginning of the employee enrollment process. From the first day of employment, the healthcare organization needs to ensure that the new employee has access to only the resources that are necessary for their position.
Often, because of efficiency pressures and time crunches, access rights are copied from an existing employee to the new employee. This happens because organizational IT leaders often have an individual who manually creates and manages accounts and access rights; in some cases this responsibility is delegated to the helpdesk. While this might save time, it often causes errors, since the new employee can gain access rights they should not have.
This not only includes the onboarding process, but also the many changes to a user’s account during their time with the organization. Employees change positions, lend each other access while they are on vacation, borrow credentials, etc. This often leaves the IT team, and organizational leaders, with no clear idea of who has access to what and what types of changes they are making in their systems.
Then there is the issue of disabling accounts. When an employee leaves the organization, it is important that their account be disabled in a timely fashion. Often, healthcare organizations accidentally overlook disabling or deleting the accounts of employees who are no longer employed. This occurs because a manager needs to go into each application the employee had access to and manually disable the account. Neglecting this critical task means that an employee who is no longer with the health system could still have access to sensitive information.
So how can accounts easily be managed while also ensuring security?
An identity and access management system that automates the account management process solves this issue. By connecting all of an organization's systems and applications, access rights can be enforced without an employee needing to go into each application separately. For example, when a new employee begins employment, HR can enter all employee information in the HR system and check off which systems they need accounts created in and access to.
This type of solution also allows a manager to easily remove access. They simply disable the account in the source system and all other connected accounts are automatically disabled. This ensures that once the employee leaves, they no longer have any access to any data.
Then there is the issue of the changing access rights throughout an employee’s career with the organization. Many IAM solutions allow for an overview to be easily generated of everyone in the network and the access rights which they have. A manager can then easily see any errors and make appropriate changes to access.
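As an added illustration (not the author's or Tools4ever's code), the reconciliation an automated account-management system performs against the HR source of truth, using constructed HR, role-baseline and application data: terminated and orphaned accounts are flagged for disabling, copied-over rights surface as excess entitlements, and an unprovisioned new hire shows up as missing access.

```python
"""Joiner/mover/leaver reconciliation driven by an HR source (illustrative example)."""
from dataclasses import dataclass

# Constructed role baseline: the only entitlements each job title should hold.
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write-notes", "email"},
    "billing": {"billing:read", "billing:write", "email"},
    "admin": {"ehr:read", "billing:read", "email", "hr:admin"},
}

@dataclass
class Employee:
    user: str
    role: str
    active: bool  # False once HR records the employee as having left

def reconcile(hr_roster, app_accounts):
    """Compare accounts in connected applications against the authoritative HR roster.

    app_accounts maps username -> set of entitlements currently held across all apps.
    Returns (to_disable, excess, missing): accounts to shut off, rights beyond the
    role baseline, and baseline rights an active employee does not yet have.
    """
    roster = {e.user: e for e in hr_roster}
    # Leavers and orphans: any account whose owner is gone from HR or marked inactive.
    to_disable = sorted(u for u in app_accounts if u not in roster or not roster[u].active)
    excess, missing = {}, {}
    for u, held in app_accounts.items():
        emp = roster.get(u)
        if emp is None or not emp.active:
            continue
        baseline = ROLE_BASELINE[emp.role]
        if held - baseline:          # rights copied from someone else's profile
            excess[u] = sorted(held - baseline)
        if baseline - held:
            missing[u] = sorted(baseline - held)
    for u, emp in roster.items():    # joiners with no account in any application yet
        if emp.active and u not in app_accounts:
            missing[u] = sorted(ROLE_BASELINE[emp.role])
    return to_disable, excess, missing

# Constructed sample data mirroring the problems described in the article.
HR_ROSTER = [
    Employee("alice", "nurse", True),
    Employee("carol", "billing", False),  # left, but her application accounts were never disabled
    Employee("dave", "nurse", True),      # onboarded by copying a billing clerk's rights
    Employee("erin", "admin", True),      # new hire, not yet provisioned anywhere
]
APP_ACCOUNTS = {
    "alice": {"ehr:read", "ehr:write-notes", "email"},
    "carol": {"billing:read", "billing:write", "email"},
    "dave": {"ehr:read", "ehr:write-notes", "email", "billing:read", "billing:write"},
    "mallory": {"email"},                 # account with no HR record at all
}

def reconcile_sample():
    return reconcile(HR_ROSTER, APP_ACCOUNTS)
```

Running `reconcile_sample()` flags carol and mallory for disabling, reports dave's two billing entitlements as excess, and lists erin's full admin baseline as missing.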
Preventing Against Stolen Access
Besides making sure that access rights are accurate, organizations also need to make sure that an employee or outsider cannot gain unauthorized access. Passwords are the main issue when it comes to access, since they are the first line of protection for secure data and applications.
While healthcare organizations want to ensure security, they also don't want to inconvenience their clinicians. This is why requiring clinicians to use a complex password for each system or application does not work. Not only does it cause a headache for users, it also creates a security issue, since employees will tend to write down their credentials. Though health records need to be kept secure, patient care should not suffer in the process.
An easy solution to this issue is single sign-on (SSO). With SSO, clinicians have a single set of credentials to log on to a computer or workstation. Once they log in one time, they are automatically signed into all authorized systems and applications when they are launched.
Though many healthcare organizations see the benefits of SSO, they are often hesitant to implement the software because they believe it will reduce the security of their network. IT managers assume that if an unauthorized person gets hold of that single log-in credential, that person will have access to all the account’s associated applications. Though this does appear to constitute a risk, the log-in process is actually streamlined for the user.
Having to remember just one password essentially does away with the risk that users will scribble passwords on a piece of paper and stash them away under their keyboard. If IT managers still feel strongly that a single credential is a security risk, SSO can offer additional security with two-factor authentication. This allows clinicians to swipe or place their ID card on a reader in addition to entering a unique PIN. This process ensures that the user needs something physical, the card, and something from memory, the PIN, to access the network. Additionally, a second pass of the card, or removal from the reader, closes all applications and logs the user off the computer.
Overall, access management in healthcare is important and needs to be considered in two different ways: ensuring correct access rights and preventing stolen or unauthorized access. Automated account management and password solutions, such as SSO, can address these issues while also ensuring that employees and clinicians remain efficient.
Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.