Editor’s Note: Dean Wiech is the Managing Director of Tools4ever, a global provider of access management and governance solutions. Dean has worked with healthcare organizations, educational institutions and municipalities for more than 20 years, helping them identify solutions that make their businesses and operations more secure, efficient and easier to manage.
The ever-growing reach of the Health Insurance Portability and Accountability Act (HIPAA) is having a tremendous impact on healthcare organizations, pushed by the implementation of the HITECH Act at the end of the last decade. While much has changed over the last half decade or more in the technology that serves those in healthcare, the regulation is still very much affecting health systems throughout the US.
HITECH is no new arrival and has been widely cited and referred to since 2009, when the bill passed. As you know, HITECH was designed to promote the adoption and meaningful use of health information technology. One portion of the HITECH Act, Section D, addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
While most organizations in healthcare have taken steps to protect themselves, there is still opportunity for them to continue to improve their security operations and their HIPAA posture. Organizations can use the framework of the HITECH Act as an occasion to implement an access governance framework and modernize the way they protect access to information, controlling who is able to view or access systems and files, especially where patient and other organizational information resides. With such a strategy, most nimble organizations will quickly find they face a decreased operational burden and can streamline operations and create processes that lead to better access risk management.
Each of these should lead to improved organizational value and improved information security. In the plainest terms, access governance strategies are central to this approach. Insider security threats have long been a point of conversation for health system leaders. Going back nearly a decade to the 2008 HIMSS Conference, 64 percent of audience members said that user access was their top IT security concern. Little has changed, as organizations continue to face problems because of phishing and hacking.
When reviewing HIPAA history, it was largely a toothless bill passed in 1996. Its privacy and security components were not put into effect until 2005 and enforcement did not begin until 2006. Even more than a decade later, as enforcement of HIPAA has begun in earnest, there is still confusion about the law and what organizations must do to increase security and protect privacy of data.
This is where access governance comes in. The philosophy and solutions provide a consistent approach across information resources to govern user access. To establish such protocols, a complete review of individual roles must be carried out to do away with incomplete or fragmented roles in the health system. This fragmentation generally stems from the sheer volume of change in the user population of a large health system. User relationships and roles constantly evolve as employees move into and out of varying job functions and operational groups.
As in life, change becomes an overwhelming force for most organizations that govern access. Change means many organizations are unable to keep up with the reality of ongoing situations, and because of the constant movement within organizations (those joining, those leaving and those moving into other roles) they frequently do not do a sufficient job of controlling access requests. For example, in a health system setting, when new patient billing processors don’t have access to the information resources they need, they are certain to raise the issue until it is resolved.
Users that leave the organization are usually more difficult to manage. There is usually no standardized process for how to change or terminate access. This leads to orphaned accounts that can create a number of security issues, especially if the access is not revoked in a timely manner. If these are manual processes documented on spreadsheets, they can be laden with errors and create time-intensive work for those involved, which is far from ideal. This is a detective approach: problems are found after the fact rather than prevented.
HIPAA is an opportunity to implement a framework that leverages the requirements of a healthcare environment. In regard to ongoing HIPAA compliance efforts, initiating an access governance program is perhaps the best place to begin: a readiness assessment, followed by an exercise to determine the roles and responsibilities of all employees in their departments, producing what is called a role-based access control matrix. Without such a matrix, it’s impossible to manage authorization requests in a timely, automated manner. Such a matrix provides a comprehensive view of enterprise access reality: who has access to which information resources and what they can do with it.
Access governance technology gives you a way to examine all activity in any information system. HIPAA requires organizations to be able to correlate any single user identifier with all instances of access to information resources by that same user. Unfortunately, rubber-stamping access or copying and pasting the access permissions of a similar employee in the organization is the common course of action, especially for new users in a department.
With access governance technology implemented on the foundation of a role-based access control matrix, you should be able to reduce administrative burden involved with access delivery, and fewer orphaned or undue access credentials will go unnoticed. Also, access reviews and risk management efforts become much less labor intensive. Likewise, role-based access rules can be developed and used to automatically create an approval process at the point of request origin, providing a preventive control for the entire process before access gets out of hand or goes unmitigated. This substantially reduces organizational risk and data exposure.
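The three controls described above (a role-based access control matrix as the source of truth, reconciliation that surfaces orphaned and copied-and-pasted access, and correlation of one user identifier across every system's audit trail) can be shown in a few dozen lines. The following is an added example written for this page, not code from the author or from Tools4ever; the roles, systems, entitlements, user identifiers and audit lines are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample role matrix (hypothetical roles and systems):
# role -> set of (system, permission) entitlements the role is allowed.
ROLE_MATRIX = {
    "billing_processor": {("billing", "read"), ("billing", "write"),
                          ("ehr", "read_demographics")},
    "nurse": {("ehr", "read_chart"), ("ehr", "write_notes"),
              ("pharmacy", "order")},
    "it_helpdesk": {("directory", "reset_password")},
}


@dataclass
class User:
    user_id: str
    roles: set
    active: bool = True  # False once HR records the leaver


def expected_access(user):
    """Entitlements the matrix says this user should hold (none if inactive)."""
    if not user.active:
        return set()
    return set().union(*(ROLE_MATRIX.get(r, set()) for r in user.roles))


def reconcile(users, actual_access):
    """Compare what each account actually holds against the matrix.

    users: {user_id: User}; actual_access: {account_id: set of entitlements}.
    Returns orphaned accounts (no active owner), excess grants (beyond the
    matrix, e.g. copied from a colleague) and missing grants.
    """
    report = {"orphaned": set(), "excess": {}, "missing": {}}
    for account, granted in actual_access.items():
        owner = users.get(account)
        if owner is None or not owner.active:
            report["orphaned"].add(account)
            continue
        expected = expected_access(owner)
        if granted - expected:
            report["excess"][account] = granted - expected
        if expected - granted:
            report["missing"][account] = expected - granted
    return report


def needs_approval(user, entitlement):
    """Preventive control at the point of request: anything outside the
    user's role set is routed to an approver instead of auto-granted."""
    return entitlement not in expected_access(user)


def correlate(user_id, audit_log):
    """Pull every access event for one user identifier across all systems.

    Each constructed log line is: timestamp system user_id action target
    """
    events = []
    for line in audit_log:
        ts, system, uid, action, target = line.split()
        if uid == user_id:
            events.append((ts, system, action, target))
    return events


# Constructed identities and a snapshot of what the systems actually grant.
USERS = {
    "u_bill": User("u_bill", {"billing_processor"}),
    "u_nurse": User("u_nurse", {"nurse"}),
    "u_old": User("u_old", {"nurse"}, active=False),  # left, never deprovisioned
}
ACTUAL = {
    "u_bill": {("billing", "read"), ("billing", "write"),
               ("ehr", "read_demographics"), ("ehr", "write_notes")},  # copied from a nurse
    "u_nurse": {("ehr", "read_chart"), ("ehr", "write_notes")},  # pharmacy never provisioned
    "u_old": {("ehr", "read_chart"), ("ehr", "write_notes"), ("pharmacy", "order")},
    "svc_legacy": {("billing", "read")},  # account with no HR record at all
}
AUDIT_LOG = [
    "2024-03-01T08:02:11Z ehr u_old read_chart patient=P-1001",
    "2024-03-01T08:05:40Z billing u_bill read invoice=INV-77",
    "2024-03-01T08:07:03Z ehr u_bill write_notes patient=P-1001",
    "2024-03-01T08:09:15Z pharmacy u_old order patient=P-1001",
]

if __name__ == "__main__":
    report = reconcile(USERS, ACTUAL)
    print("orphaned:", sorted(report["orphaned"]))
    print("excess:", report["excess"])
    print("missing:", report["missing"])
    print("u_old activity:", correlate("u_old", AUDIT_LOG))
    print("approval needed:", needs_approval(USERS["u_bill"], ("ehr", "write_notes")))
```

Run against the sample data, the reconciliation flags the departed nurse's account and the unowned service account as orphaned, the billing processor's pasted-in note-writing permission as excess, and the nurse's unprovisioned pharmacy entitlement as missing; the correlation shows the orphaned account still touching patient records after departure, which is exactly the review finding the matrix is meant to prevent from going unnoticed.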
With such a framework in place, your healthcare organization can better manage the business and regulatory risks of inappropriate access while also establishing internal HIPAA controls. In short, such a solution requires you to take a strategic approach to access governance, to be able to audit your processes, and to provide visibility into user actions and data permissions.