To help prevent breaches involving insiders, Health System's IT team works closely with the organization's human resources department and various business managers. Together, they determine who needs access to patient information and other sensitive data based on their precisely defined role.
The team partners with the human resources department to clearly establish job roles and titles that are consistent across the enterprise. That helps ensure that, for instance, someone in the job category of "nurse level 1" in one part of the organization has exactly the same job and function as someone in the same category who works in another section of the organization, which matters especially when the organization encompasses several medical centers as well as a variety of specialty care clinics.
Once the team has worked closely with HR to clearly define those job roles, enacting role-based access control becomes a much easier proposition. So, when someone is hired at a "nurse-1" level, the access they get "is pre-defined, embedded in the business, that is appropriate for a nurse 1". Any additional access outside of that has to be requested by their manager. That request is then passed on to the identity and access management team, which logs any additional access granted in the organization's systems as an exception.
Taking all these steps helps avoid situations we've had in the past, where someone is hired and the hiring manager asks for the new hire to have the same level of data access as a more senior or higher-level nurse who's been working at the organization for many years. Carefully controlling data access based on pre-determined job roles can help avoid, for example, a new hire gaining access to patient data that's more appropriate for a nurse manager.
Security professionals also must work with various business unit managers to adjust data access privileges based on workers' changing roles. In the past that was viewed as an IT activity. We're starting to pivot on that now, and partner with the business and make them understand that they are responsible for the access levels of their employees.
Managers now must, on a periodic basis, conduct data access reviews for each of their employees. If any data access is determined to be inappropriate, the IT provisioning team takes action to make access commensurate with actual job duties.
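The provisioning, exception and review cycle described above, as an added illustration that is not the health system's own code: role baselines, entitlement names and user names are constructed sample values, and the exception log is an in-memory list standing in for the IAM team's record. The review flags two things separately: approved exceptions (for the manager to re-confirm) and drift, access that exceeds the role baseline without any logged exception, which remediation removes.

```python
from dataclasses import dataclass, field

# Constructed sample baselines for illustration; the real catalogue is the HR-defined role list.
ROLE_BASELINE = {
    "nurse-1": {"ehr:read-assigned", "mar:document"},
    "nurse-manager": {"ehr:read-assigned", "mar:document", "ehr:read-unit", "staffing:edit"},
}

@dataclass
class User:
    name: str
    role: str
    manager: str
    grants: set = field(default_factory=set)  # entitlements the user actually holds

@dataclass
class AccessException:
    user: str
    entitlement: str
    requested_by: str
    reason: str

def provision(name, role, manager):
    """A new hire gets exactly the HR-defined baseline for the role, nothing more."""
    if role not in ROLE_BASELINE:
        raise ValueError(f"role {role!r} is not in the HR role catalogue")
    return User(name, role, manager, set(ROLE_BASELINE[role]))

def request_exception(user, entitlement, requested_by, reason, log):
    """Extra access must be requested by the user's own manager and is logged as an exception."""
    if requested_by != user.manager:
        raise PermissionError(f"{requested_by} is not {user.name}'s manager")
    log.append(AccessException(user.name, entitlement, requested_by, reason))
    user.grants.add(entitlement)

def access_review(user, log):
    """Periodic review: split access beyond the role baseline into logged exceptions and drift."""
    extra = user.grants - ROLE_BASELINE[user.role]
    logged = {e.entitlement for e in log if e.user == user.name}
    return {"exceptions": extra & logged, "drift": extra - logged}

def remediate(user, log):
    """Make access commensurate with role plus approved exceptions; return what was removed."""
    drift = access_review(user, log)["drift"]
    user.grants -= drift
    return drift
```

A hiring manager asking for nurse-manager access for a nurse-1 hire cannot get it through `provision`; each extra entitlement has to go through `request_exception`, where it is logged and later surfaces in `access_review`.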