HIT Think

How to make sure only certified users access patient data

Failing to certify user access to networks and information can have dire consequences.

A recent example is the jury decision to award Epic Systems Corp. $940 million in a trade-secret lawsuit against Tata Consultancy Services Ltd., an Indian multinational IT service, consulting and business solutions company.

The lawsuit alleges that a Tata Consultancy employee, working as a consultant for Kaiser Permanente, downloaded more than 6,000 documents from Epic's UserWeb, a portal through which Epic provides training and manuals to help customers with implementing and maintaining the company's products. The lawsuit also alleges that the Tata consultant gave his access credentials to other Tata employees in India and that the company used the stolen information to advance its own electronic health record software.


It can be difficult to prevent authorized users from doing bad things. One way to help thwart threats like this, especially for third-party contractors and consultants, is to have an access certification process. An access certification process is the ongoing review of who has access to what and the risk associated with that access. This validates that authorized and appropriate access rights have been granted.

An access certification process is also a requirement of control frameworks such as COBIT and regulations such as the HIPAA Security Rule, which states that organizations should “Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program or process.”

Reviewing user accounts provides healthcare organizations with periodic revalidation of the access rights granted to each user and users’ ongoing need for that access. This review reduces the window of exposure that may exist for users who have transferred between roles, left the organization’s employment, or otherwise gained greater access than is necessary to perform their job. Privileged accounts are especially important to review because they have greater access rights and are more readily abused if they are compromised or if the employee is untrustworthy.

According to Forrester’s “Wake-Up Call: Poorly Managed Access Rights Are a Breach Waiting to Happen,” the potential for a high-impact, highly visible breach is very strong, considering:

  • Employees accumulate unnecessary access to sensitive data during their tenure.
  • The sheer volume of sensitive data that employees can access is forever increasing.
  • Security teams often follow inconsistent schedules for access reviews.

According to Forrester surveys, 46 percent of North American and European technology decision-makers who have suffered at least one breach say that internal incidents (i.e., malicious, accidental or a combination of both) are among the most common causes of breaches, with many involving compromised accounts of legitimate users, especially privileged users and administrators.

Most identity and access management vendors provide access certification capabilities in their technology solutions as a component of their workflow and identity information store. But access certification also comes with an administrative burden on the staff administering the process and on the managers who evaluate their users’ access.

Examining the roles and responsibilities of people and their access ultimately becomes an evaluation of risk for allowing that access to remain. This process involves more than just asking for a signature or sending an e-mail saying it’s OK. It requires careful review and analysis to ensure that a user still needs the current level of access to perform his or her duties.

Best practice factors to consider:

  • Review all user accounts annually, including administrative and privileged accounts, to validate the continued requirement for each account and the continued requirement for privileged accounts.
  • Review with the employee or contractor’s manager to validate ongoing account access requirements and gain their approval.
  • Review users to assess and validate proper segregation of duties.
  • Identify all obsolete user accounts or accounts without an associated manager, such as those of contractors or terminated users; determine who the manager is, or treat the accounts as obsolete and disable them.
  • Cross-reconcile privileged accounts to verify no single user has the ability to perform or mask fraudulent activities.
  • Add event certifications as part of the process to handle unusual or higher risk situations such as when an individual gains sensitive, privileged access or when an individual transfers within the organization.
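
Several of these checks can be run automatically over an account inventory before managers are asked to sign off. The sketch below is an added example, not code from the article or from any identity management product; the account records, field names and the conflicting entitlement pair are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory; the field names are assumptions for this example.
ACCOUNTS = [
    {"user": "alice", "manager": "carol", "active": True, "privileged": False,
     "entitlements": {"ehr_read"}, "certified": date(2016, 2, 1), "changed": None},
    {"user": "bob", "manager": None, "active": True, "privileged": False,
     "entitlements": {"portal_docs"}, "certified": date(2015, 1, 15), "changed": None},
    {"user": "dave", "manager": "carol", "active": True, "privileged": True,
     "entitlements": {"user_admin", "audit_log_admin"},
     "certified": date(2015, 11, 1), "changed": date(2016, 3, 1)},
    {"user": "erin", "manager": "carol", "active": False, "privileged": False,
     "entitlements": {"ehr_read"}, "certified": date(2015, 9, 1), "changed": None},
]

# Hypothetical entitlement pairs that let one person perform and mask an action.
SOD_CONFLICTS = [{"user_admin", "audit_log_admin"}]


def findings_for(acct, today, max_age_days=365):
    """Return the list of review findings for one account."""
    found = []
    if not acct["active"]:
        found.append("terminated_owner")
    if acct["manager"] is None:
        found.append("no_manager")
    if (today - acct["certified"]).days > max_age_days:
        found.append("annual_review_overdue")
    # Event certification: a transfer or privilege grant since the last sign-off.
    if acct["changed"] and acct["changed"] > acct["certified"]:
        found.append("event_certification")
    if any(pair <= acct["entitlements"] for pair in SOD_CONFLICTS):
        found.append("sod_conflict")
    return found


def review_queue(accounts, today):
    """Accounts needing attention, privileged accounts first."""
    flagged = [(a["user"], findings_for(a, today)) for a in accounts]
    flagged = [(u, f) for u, f in flagged if f]
    priv = {a["user"] for a in accounts if a["privileged"]}
    return sorted(flagged, key=lambda item: (item[0] not in priv, item[0]))


if __name__ == "__main__":
    for user, found in review_queue(ACCOUNTS, date(2016, 4, 21)):
        print(user, found)
```

The output is a work queue for the human review described above, not a replacement for it: the manager still has to decide whether each flagged account keeps its access.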

Healthcare organizations with an effective access certification process in place reduce the risk arising from inappropriate access to sensitive information and improve their identity and access management processes. Consider access certification as an ongoing risk analysis of who has access to what, which not only provides risk management and mitigation opportunities but also satisfies regulatory and control framework requirements.
