CIO

Establish An Audit Trail for Access Management

By Dean Wiech

Access to critical data is a paramount criterion for organizational success. Doctors and nurses need access to patients’ records to ensure proper delivery of care. Too many restrictions or overly complicated access methodologies for internal systems can have potentially catastrophic and life-altering consequences. But there’s another side to the story. Too little control or too few internal access restrictions can lead to HIPAA violations and data exposures.

There are far too many examples to cite and the list grows by the day, but one instance continues to stay in my mind: A hospital employee recently sold the names of patients who had been involved in auto accidents to a law firm. This obvious breach is not only disturbing for many reasons, but underscores the need for proper governance of an organization’s data within an electronic system. This breach – caused by an internal agent, a rising trend – also proves the need for regular and ongoing audits. So, how can health system leaders ensure that procedures and policies minimize the risk on both sides of this issue?

The following piece examines the two most important aspects of data access control: access rights and regular audits.

Determining who gets access to what and when

Determining the baseline of access rights your employees actually need, and the rights currently allowed by type or role of employee, is the first step of the process. This information can be gathered through user profiles -- department, location, titles, roles -- to establish who is able to access what and when according to the permissions currently granted in your system. Once you have collected this information, the data can be forwarded to each of the respective employees’ managers for review.

During this portion of your internal audit, your department managers and team leaders (those who received the data you forwarded to them regarding their employees’ access) should be asking themselves the following questions (these are meant as seed questions only; you can come up with others or variations of these):

“Do the employees that have access to particular systems and data really need it?”

“Will you attest to their need for the access?”

“Why should an employee’s access rights be removed, or why should access to the system be granted?”

When the employee access review is complete, you are ready to create the actual access for each type of employee in the organization. This can be done through a role-based access control matrix so that new user accounts are created appropriately as needed. You will find that some of your employees will need access that is different from the norm for their role. For this, you must create a procedure that allows your users to request access, and managers to approve the enhanced rights either on a temporary or permanent basis.

Equally as important as granting access rights is ensuring that access is revoked when appropriate. You must also track employees who are transferred between departments or roles and ensure their rights are appropriate for their new role. During your audit, it’s also imperative that a time limit be set so that rights are reviewed and decommissioned at regular intervals.

Conducting the audit

Now, perform the audit. You will likely find that employees who have been in the system for years have access to more than one area or group, unlike your newly hired employees. By comparing employee type information and the access rights employees currently hold against the ideal, it is usually quite easy to determine the delta between the two employee types – newly hired and those already with the organization. Every discrepancy must be accounted for: each employee should be able to explain why he or she has access to systems outside the norm of their role, and the employee’s manager must decide whether the employee can retain access to a system or whether the access rights should be removed. As you will find several times during your first audit, employees often hold access rights they should not have because they served in previous roles and those rights were never terminated.

As an ongoing process, regular audits are a necessity for any environment, especially those that are highly regulated, like healthcare. At the very least, on a quarterly basis, managers and system owners should be required to review access privileges and attest that the current employee rights meet established internal requirements.

Automated systems allow for on-demand audits, too. You can create reports detailing accounts that are out of compliance. You can also create trigger events that prompt your IT team to review specific actions, such as any time a user requests or is added to certain applications or groups; however, a manual review of the reasons surrounding the request must be completed before permission can be granted.
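The out-of-compliance report described above, as an added illustration (not Tools4ever code or anything from the original article): each user's current entitlements are compared against a role-based access control matrix, and every right outside the role baseline is classified as either an expired manager-approved exception, a leftover from a previous role that was never revoked, or simply unexplained. All roles, systems, users, approvers and dates below are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed RBAC matrix: the baseline entitlements each role should hold.
ROLE_MATRIX = {
    "nurse": {"EHR-clinical", "email"},
    "billing": {"EHR-billing", "email", "claims"},
}

@dataclass
class User:
    name: str
    role: str
    previous_roles: list = field(default_factory=list)
    entitlements: set = field(default_factory=set)
    # manager-approved exceptions: system -> (approver, expiry date or None if permanent)
    exceptions: dict = field(default_factory=dict)

def review_user(user, today):
    """Extra entitlements beyond the role baseline; live approved exceptions are skipped."""
    baseline = ROLE_MATRIX[user.role]
    findings = []
    for system in sorted(user.entitlements - baseline):
        if system in user.exceptions:
            approver, expires = user.exceptions[system]
            if expires is None or expires >= today:
                continue  # attested by a manager and still within its approved window
            findings.append((system, f"exception approved by {approver} expired {expires}"))
        elif any(system in ROLE_MATRIX[r] for r in user.previous_roles):
            findings.append((system, "carried over from a previous role; never revoked"))
        else:
            findings.append((system, "no role or approved exception grants this"))
    return findings

def compliance_report(users, today):
    """Out-of-compliance users mapped to their findings; compliant users are omitted."""
    return {u.name: f for u in users if (f := review_user(u, today))}

# Constructed sample population and audit date.
AUDIT_DATE = date(2024, 3, 1)
USERS = [
    User("new_nurse", "nurse", entitlements={"EHR-clinical", "email"}),
    User("transferred", "billing", previous_roles=["nurse"],
         entitlements={"EHR-billing", "email", "claims", "EHR-clinical"}),
    User("temp_access", "nurse", entitlements={"EHR-clinical", "email", "claims"},
         exceptions={"claims": ("J. Smith", date(2024, 1, 31))}),
    User("standing", "nurse", entitlements={"EHR-clinical", "email", "claims"},
         exceptions={"claims": ("J. Smith", None)}),
]
if __name__ == "__main__":
    print(compliance_report(USERS, AUDIT_DATE))
```

Running it lists only the transferred employee (a clinical right retained from a former nursing role) and the expired temporary exception; the new hire and the permanently attested exception produce no findings.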

One more word of guidance: Make sure employees know you conduct regular audits; this should be public knowledge. No one should be unaware of the process. If employees know they are being monitored, they are more likely to control their own behavior when accessing the sensitive information they view as part of their employment.

To ensure access to sensitive data is open enough to allow providers to perform their jobs and restrictive enough to avoid legal complications, it’s important to set controls when employees join the organization and to regularly review any changes to their profiles. These two factors will allow for easy compliance reporting at audit time.

Dean Wiech is managing director at Tools4ever.