
How Do You Tackle the Data Regulation Hurdle?

This guest column is written by Dean Wiech, Managing Director at Tools4ever.

Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as User Provisioning, RBAC, Password Management, SSO and Access Management, serving more than five million user accounts worldwide.

When speaking with information technology leaders in hospitals and healthcare systems about identity and access management issues, our discussions almost certainly focus on the regulation their organizations face, especially as it relates to access of information and data protection.

Ongoing regulation and reform in healthcare typically has a significant impact on the organization’s internal processes and procedures, and at the same time places a significant burden on the IT department, especially in the management of access rights.

Though healthcare leaders face many common issues in this regard, and much of their time is currently consumed by managing electronic health records and their implementation, there are other priorities they face.

Three of the most common issues include:

Workflow and Validations on Access Rights

Requests and validations concerning regular Active Directory user accounts, directory groups, e-mail or access right authorizations must comply with internal business policy and procedure; Sarbanes-Oxley (SarBox) is a good example of a regulation that drives this.

What this means for the internal account management and creation process is that to create one user account, the IT department needs the signature of the requester, the validating manager and the IT director. This trail, though primarily a gatekeeping measure, also lets you track the account activity of every individual in your system and see which information they access.

Many businesses, including those in healthcare, continue to manage this process entirely on paper. Unfortunately, each time an information audit occurs, members of the IT department spend weeks digging through the records with an auditor. An automated workflow and identity management system, on the other hand, performs these validation steps automatically and makes the audit much quicker and much less painful for the IT department, as well as for anyone even peripherally involved in the process.

Instead of papers getting lost along the way and people waiting for their access rights to be administered, electronic access systems automatically alert the appropriate managers when approvals are needed. With a simple action on their part, the manager validates the request, and it is then sent automatically to the next person in the process for the access rights to be granted.

Traceability

Naturally, all requests and granting of access rights should be traceable in the identity and access management solution. This is important because any electronic solution should be able to provide detailed audit reports including who made the request, who approved it and when, and finally, if the permission was revoked appropriately when the employee left or was transferred to a different department.

These systems also allow the tracking of data accessed. If something is viewed without permission or data is breached, the electronic identity and access management solution should let practice leaders determine who viewed what, and when.

Segregation of Duty

Segregation of duty, as required by compliance regimes, means that certain tasks cannot be performed by just one individual. To illustrate the point, an order for system access rights may be placed by person X, but this request must be validated by person Y. The consequence for access management is that access to certain data, or the access rights within an application, must be tightly controlled. Again, this means access to pieces of information can be controlled more tightly because additional steps stand between a person and the information they want to view.

In terms of access management and authorization management, this means that the access management system must block or alert the appropriate individuals whenever two such conflicting authorizations are about to be granted to one and the same user. For organizations looking to implement an electronic identity and access management system, or to move their practice away from a paper-based audit process, this is easy to realize with the reporting and provisioning mechanisms in many of the commercially available solutions. During set-up it is important to know which authorizations cannot be combined; the solution will then enforce and audit the requirement automatically.
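As an added example (not from the column or from Tools4ever's products), the following Python models the three controls described above in one small policy engine: the required approval signatures, the rule that the requester (person X) may not also be the validator (person Y), and a segregation-of-duty check against a table of authorizations that must never be combined on one account. Every decision is appended to an audit log for traceability. The role names, rights and toxic pairs are constructed placeholders.

```python
from dataclasses import dataclass, field

# Authorizations that must never be held by one account (constructed placeholders;
# a real deployment would load these from its own SoD matrix).
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"prescribe", "dispense"}),
}

# Signatures needed before any access right is granted (hypothetical role names).
REQUIRED_ROLES = ("manager", "it_director")


@dataclass
class AccessRequest:
    user: str                       # account the right is requested for
    right: str                      # authorization being requested
    requester: str                  # person X, who placed the order
    approvals: dict = field(default_factory=dict)  # role -> approver (person Y, ...)


def sod_conflicts(existing_rights, new_right):
    """Return the existing rights that may not be combined with new_right."""
    return sorted(r for r in existing_rights
                  if frozenset({r, new_right}) in TOXIC_PAIRS)


def evaluate(req, current_rights, audit_log):
    """Decide one request and record the outcome; returns (decision, reasons)."""
    reasons = []
    missing = [r for r in REQUIRED_ROLES if r not in req.approvals]
    if missing:
        reasons.append(f"missing approvals: {missing}")
    # The person placing the order must not be one of its validators.
    if req.requester in req.approvals.values():
        reasons.append("requester approved own request")
    conflicts = sod_conflicts(current_rights.get(req.user, set()), req.right)
    if conflicts:
        reasons.append(f"SoD conflict with {conflicts}")
    decision = "granted" if not reasons else "blocked"
    # Traceability: who asked, who approved, what was decided and why.
    audit_log.append({"user": req.user, "right": req.right,
                      "requester": req.requester, "approvals": dict(req.approvals),
                      "decision": decision, "reasons": reasons})
    if decision == "granted":
        current_rights.setdefault(req.user, set()).add(req.right)
    return decision, reasons
```

A blocked request never changes `current_rights`, so the audit log is the only place the attempt appears, which is exactly what an auditor wants to see.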
