Sascha Giese, Head Geek at SolarWinds, looks at the importance of managing access rights in healthcare organisations, highlighting four steps to help illustrate how IT teams can integrate this successfully into every department
The healthcare ecosystem is very complex, and the diversity of departments and devices results in a highly multifaceted IT infrastructure that can be hard to manage. With increasing digitalisation, healthcare institutions and organisations are also at greater risk of falling victim to viruses, Trojans, and a myriad of other cyberattacks. The goal is usually to reach the confidential data in patient records, whether for financial gain or out of malice, or to damage the critical infrastructure itself.
Considering the many serious data thefts and losses of recent years, healthcare institutions and organisations are increasingly being called upon to make their growing digital networks more stable and better monitored. However, the resulting demands for data security and transparency pose real challenges for IT departments.
To protect personal data and meet the requirements arising from data protection laws and regulations such as GDPR, reliable and central administration of access rights is necessary. In addition, automated reports and alerts help demonstrate compliance with laws and regulations and create a uniform basis of information and data across the organisation.
Here are four simple steps healthcare administrators can follow to keep track of their organisations through a controlled assignment of access rights.
Name data owners
One approach to clearer administration of access rights is the data owner concept: the administrator delegates the department-specific allocation of data usage rights to the department's management. The data owner of the HR department, for example, knows which rights a new employee must have and which they must not, so sensitive data can be identified and classified more easily. With standard solutions and operating systems alone, such a procedure is difficult to implement. A central access rights management (ARM) system creates the necessary transparency and makes it possible to keep a closer eye on compliance guidelines.
It’s important for administrators to train data owners in the assignment of rights. The transfer of know-how and awareness of access rights management helps departments and the entire organisation in the long term increase their efficiency and optimise processes.
Keeping an eye on the employee lifecycle
Inadequate management of a user's rights, from recruitment to termination, always poses security risks and major IT challenges. A typical example is an apprentice who starts his or her training in a specific department. Because there are many areas of responsibility to learn, the apprentice is granted generous access rights to files and servers. After some time, he or she changes departments and receives additional access rights there as well, without the previous rights having been revoked. This continues until, at the end of the two-year training period, the apprentice holds more access rights than the head of the organisation.
This example illustrates the typical risks: unused accounts that still carry default passwords, and employees who move between areas and accumulate access rights, undermining separation of duties and the sensitive area of access protection.
Additionally, accounts of employees who have left a facility but whose user IDs haven't been disabled provide potential entry points for bots and hackers. Automated synchronisation of the most important employee data and access rights across all systems, driven by the authorisation management system, is crucial to keep the data consistent at every interface of the network.
Use templates for automation
Often, the requirements of different employees coincide. This insight can be used to create templates for rights assignment and data usage that follow the "lowest common denominator" principle: a template grants only the rights that every holder of that position needs. This saves valuable time when onboarding new employees. If a position or its tasks change over time, the administrator or data owner can assign new rights or withdraw old ones against the template. This reduces the error rate of manual changes, including the manual removal of former employees' accounts, which, as mentioned earlier, are potentially attractive to bots and hackers.
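The lifecycle problem described above (rights accumulating across department moves, leavers still enabled, unused accounts) and the template approach can be checked mechanically. The following is an added example, not code from the article or from SolarWinds: it compares each account's effective entitlements with the template for its current role, reports privilege creep and missing rights, and flags orphaned and dormant accounts. Role names, entitlement names and the sample accounts are all constructed for illustration; a real deployment would pull them from the ARM or IAM system.

```python
"""Reconcile account entitlements against role templates (constructed example).

Flags: excess rights beyond the role template (privilege creep), rights the
template requires but the account lacks, leavers whose accounts are still
enabled (orphaned), and enabled accounts with no recent login (dormant).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role templates: the "lowest common denominator" rights per position.
ROLE_TEMPLATES = {
    "apprentice-hr":      {"hr-share:read", "intranet:read", "email:user"},
    "apprentice-finance": {"fin-share:read", "intranet:read", "email:user"},
    "hr-manager":         {"hr-share:read", "hr-share:write", "intranet:read",
                           "email:user", "hr-app:admin"},
}

@dataclass
class Account:
    user_id: str
    role: str
    enabled: bool
    left_on: Optional[date]        # date the employee left, if any
    last_login: Optional[date]     # None means the account has never been used
    entitlements: set = field(default_factory=set)

def excess_rights(acct, templates=ROLE_TEMPLATES):
    """Rights held beyond the template for the account's current role."""
    return acct.entitlements - templates[acct.role]

def missing_rights(acct, templates=ROLE_TEMPLATES):
    """Rights the template requires that the account does not have."""
    return templates[acct.role] - acct.entitlements

def is_orphaned(acct, today):
    """Leaver whose account is still enabled: a stale entry point."""
    return acct.enabled and acct.left_on is not None and acct.left_on <= today

def is_dormant(acct, today, max_idle_days=90):
    """Enabled account that has never logged in or not within the idle window."""
    if not acct.enabled:
        return False
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > max_idle_days

def reconcile(accounts, today, templates=ROLE_TEMPLATES):
    """Per-account findings; an empty dict means the account matches its template."""
    report = {}
    for acct in accounts:
        findings = {}
        extra = excess_rights(acct, templates)
        if extra:
            findings["excess"] = sorted(extra)
        gap = missing_rights(acct, templates)
        if gap:
            findings["missing"] = sorted(gap)
        if is_orphaned(acct, today):
            findings["orphaned"] = True
        if is_dormant(acct, today):
            findings["dormant"] = True
        report[acct.user_id] = findings
    return report

# Constructed sample data (not real accounts): an apprentice who moved from HR to
# finance and kept the HR share, a manager who left but is still enabled, a manager
# matching the template, and an apprentice account that has never been used.
TODAY = date(2024, 5, 6)
SAMPLE_ACCOUNTS = [
    Account("a.schmidt", "apprentice-finance", True, None, date(2024, 5, 2),
            {"hr-share:read", "fin-share:read", "intranet:read", "email:user"}),
    Account("b.mueller", "hr-manager", True, date(2024, 3, 31), date(2024, 3, 29),
            {"hr-share:read", "hr-share:write", "intranet:read", "email:user", "hr-app:admin"}),
    Account("c.weber", "hr-manager", True, None, date(2024, 5, 3),
            {"hr-share:read", "hr-share:write", "intranet:read", "email:user", "hr-app:admin"}),
    Account("d.fischer", "apprentice-hr", True, None, None,
            {"hr-share:read", "intranet:read", "email:user"}),
]

def sample_report():
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_ACCOUNTS, TODAY)

if __name__ == "__main__":
    for uid, findings in sample_report().items():
        print(uid, findings or "OK")
```

Run on a schedule against an export from the identity system, the report gives the data owner a short list to act on: revoke the excess rights, disable the orphaned account, and investigate the dormant one before it is found by someone else.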
Ensure more transparency
If access rights are clearly defined and the standardised work steps for verification, analysis, and testing are fully documented, anomalies can be analysed, checked, and eliminated quickly. The resulting speed, reduced workload, and time savings benefit not only the IT department but also every other department.
The requirements have grown, but they are not an imposition for its own sake: insufficient access management can cause enormous damage to healthcare organisations. Particularly since their own employees may be the highest risk factor for IT security, healthcare institutions and organisations should pursue stringent and effective authorisation management not only because the law demands it, but because it makes sense and helps them work better.