Access to critical data is a paramount criterion for organizational success. Doctors and nurses need access to patients’ records to ensure proper delivery of care. Too many restrictions, or complicated access methodologies for internal systems, can have potentially catastrophic and life-altering consequences. But there’s another side to the story. Too little control, or too few internal access restrictions, can lead to HIPAA violations and data exposures.
There are far too many examples to cite and the list grows by the day, but one instance continues to stay in my mind: a hospital employee recently sold the names of patients who had been involved in auto accidents to a law firm. This obvious breach is not only disturbing for many reasons, but also underscores the need for proper governance of an organization’s data within an electronic system. This breach – caused by an internal agent, a rising trend – also proves the need for regular and ongoing audits. So, how can health system leaders ensure that procedures and policies minimize the risk on both sides of this issue?
The following piece examines the two most important aspects of data access control: access rights and regular audits.
Determining who gets access to what and when
Determining the baseline of access rights your employees actually need, and those currently granted by employee type or role, is the first step of the process. This information can be gathered from user profiles — department, location, titles, roles — to establish who is able to access what, and when, according to the permissions currently granted in your system. Once you have collected this information, the data can be forwarded to each respective employee’s manager for review.
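The baseline-and-review step above, as an added example that is not part of the original article: it derives each role’s de facto permission baseline from an entitlement snapshot, then groups every user’s out-of-baseline permissions by manager so each manager receives only the exceptions to attest. The user names, roles, systems and permission strings are constructed sample data, and the majority threshold is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample snapshot: one record per user (hypothetical names, roles and permissions).
USERS = [
    {"user": "a.lee",  "role": "nurse",     "dept": "ED",        "manager": "m.ortiz",
     "perms": {"ehr:read", "ehr:write-notes"}},
    {"user": "b.chen", "role": "nurse",     "dept": "ED",        "manager": "m.ortiz",
     "perms": {"ehr:read", "ehr:write-notes"}},
    {"user": "c.diaz", "role": "nurse",     "dept": "ICU",       "manager": "m.ortiz",
     "perms": {"ehr:read", "ehr:write-notes", "billing:export"}},
    {"user": "d.kim",  "role": "registrar", "dept": "Admitting", "manager": "p.shah",
     "perms": {"ehr:demographics", "billing:read"}},
    {"user": "e.ross", "role": "registrar", "dept": "Admitting", "manager": "p.shah",
     "perms": {"ehr:demographics", "billing:read", "ehr:read"}},
]


def role_baseline(users, threshold=0.5):
    """Permissions held by more than `threshold` of a role's members form that role's baseline.

    The threshold is an assumption; anything rarer is treated as an individual exception."""
    by_role = defaultdict(list)
    for u in users:
        by_role[u["role"]].append(u["perms"])
    baseline = {}
    for role, perm_sets in by_role.items():
        counts = Counter(p for perms in perm_sets for p in perms)
        baseline[role] = {p for p, n in counts.items() if n / len(perm_sets) > threshold}
    return baseline


def review_packets(users, baseline):
    """Group each user's permissions outside their role baseline by manager for attestation."""
    packets = defaultdict(list)
    for u in users:
        excess = u["perms"] - baseline[u["role"]]
        if excess:  # only exceptions go to the manager; baseline access needs no per-user review
            packets[u["manager"]].append(
                {"user": u["user"], "role": u["role"], "dept": u["dept"], "excess": sorted(excess)})
    return dict(packets)


if __name__ == "__main__":
    for manager, items in review_packets(USERS, role_baseline(USERS)).items():
        print(manager)
        for item in items:
            print(f"  {item['user']} ({item['role']}, {item['dept']}): {', '.join(item['excess'])}")
```

Run against a real export, the same report repeated on a schedule gives the recurring audit the article calls for, with a manager’s sign-off recorded per exception.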