When we talk with information technology leaders in hospitals and healthcare systems about identity and access management, the discussion almost always turns to the regulation their organizations face, especially as it relates to access to information and data protection.
Ongoing regulation and reform in healthcare typically has a significant impact on an organization's internal processes and procedures, and at the same time places a significant burden on the IT department, especially where the management of access rights is concerned.
Though healthcare leaders face many common issues in this area, and much of their time is currently consumed by implementing and managing electronic health records, they have other priorities as well.
Three of the most common issues include:
Workflow and Validations on Access Rights
Requests and validations concerning regular Active Directory user accounts, directory groups, e-mail or access-right authorizations must comply with internal business policy and procedure, which in turn is shaped by regulation; Sarbanes-Oxley (SOX) is a good example of this.
What this means for the internal account management and creation process is that to create a single user account, the IT department needs the sign-off of the requester, the validating manager and the IT director. This trail, though good for gatekeeping, also serves as a record of which accounts exist in your system, who requested and approved them, and what information they were granted access to.
Many businesses, including those in healthcare, still manage this process entirely on paper. Unfortunately, each time an information audit comes around, members of the IT department spend weeks digging through records with an auditor. An automated workflow and identity management system, on the other hand, automates these validation steps and makes the audit much quicker and far less painful for the IT department, let alone anyone even peripherally involved in the process.
Instead of papers getting lost in the process and people waiting for their access rights to be granted, an electronic system automatically alerts the appropriate managers when approvals are needed; with a simple action on their part, a manager can validate a request, which is then sent automatically to the next person in the chain until the access rights are granted.
Traceability
Naturally, every request for and grant of access rights should be traceable in the identity and access management solution. This matters because any electronic solution should be able to produce detailed audit reports showing who made the request, who approved it and when, and finally whether the permission was revoked as it should have been when the employee left or transferred to a different department.
These systems also allow the tracking of data accessed, provided the applications holding the data feed their access logs into the solution. If something is viewed without permission or data is breached, the identity and access management solution should give practice leaders the ability to determine who viewed what, and when.
Segregation of Duty
Segregation of duties, as required by most compliance regimes, means that certain tasks cannot be performed by a single individual. For example, an order for system access rights may be placed by person X, but that request must be validated by a different person Y. The consequence for access management is that access to certain data, or certain access rights within an application, must be tightly controlled: because additional steps stand between an individual and the information, each piece of information is that much harder to reach without authorization.
For access and authorization management this means that the system must block, or at least alert the appropriate individuals, whenever two such conflicting authorizations are about to be granted to one and the same user. For organizations looking to implement an electronic identity and access management system or to move from a paper-based audit process, this is easy to realize with the reporting and provisioning mechanisms in many of the commercially available solutions. During set-up it is important to define which authorizations cannot be combined (a so-called toxic combination); the solution will then enforce and audit the requirement automatically.
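To make the two rules above concrete, the requester/approver separation from the workflow section and the block-or-alert rule for conflicting authorizations, here is an added example written for this page; it is not code from the original article or from any commercial IAM product. The entitlement names, the toxic-combination matrix and the user names are constructed for illustration, and the decision function returns the same who/what/when record that the traceability section asks an audit report to contain.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed toxic-combination matrix: pairs of entitlements that one
# person must never hold at the same time. The names are hypothetical.
TOXIC_PAIRS = {
    frozenset({"request_access", "approve_access"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"edit_patient_record", "audit_patient_record"}),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str          # account the entitlement would be granted to
    entitlement: str   # entitlement being requested
    requester: str     # person X who placed the order
    approvers: tuple   # (validating manager, IT director), in order


def toxic_conflicts(current_entitlements, new_entitlement):
    """Entitlements already held that may not be combined with the new one."""
    return sorted(
        e for e in current_entitlements
        if frozenset({e, new_entitlement}) in TOXIC_PAIRS
    )


def workflow_problems(req):
    """Separation checks on the approval chain itself (person X != person Y)."""
    problems = []
    if len(req.approvers) < 2:
        problems.append("fewer than two approvals recorded")
    if len(set(req.approvers)) != len(req.approvers):
        problems.append("the same person approved more than once")
    if req.requester in req.approvers:
        problems.append("requester approved their own request")
    if req.user in req.approvers:
        problems.append("beneficiary approved their own access")
    return problems


def evaluate(req, current_entitlements, mode="block", now=None):
    """Decide a request and return an audit record of the decision.

    mode="block" refuses a grant that would create a toxic combination;
    mode="alert" grants it but marks the record so reviewers are notified.
    A broken approval chain is always refused, whatever the mode.
    """
    now = now or datetime.now(timezone.utc)
    conflicts = toxic_conflicts(current_entitlements, req.entitlement)
    problems = workflow_problems(req)

    if problems:
        decision = "denied"
    elif conflicts and mode == "block":
        decision = "denied"
    elif conflicts:
        decision = "granted_with_alert"
    else:
        decision = "granted"

    return {
        "timestamp": now.isoformat(),
        "user": req.user,
        "entitlement": req.entitlement,
        "requested_by": req.requester,
        "approved_by": list(req.approvers),
        "decision": decision,
        "sod_conflicts": conflicts,
        "workflow_problems": problems,
    }


if __name__ == "__main__":
    # jdoe already holds request_access and asks for approve_access:
    # the pair is toxic, so in block mode the grant is refused.
    req = AccessRequest("jdoe", "approve_access", "jdoe", ("mgr1", "itdir"))
    print(evaluate(req, {"request_access"}))
```

The record returned by `evaluate` is what an auditor would want to see in one row: who asked, who signed off, what was decided and why. Note that the chain checks compare identities, not roles; a manager who is also the requester is refused even though both signatures are formally present.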