Controlling access, protecting patients

Todd Bennett, Director, Vertical Market, LexisNexis Health Care

Healthcare organizations’ increased access to protected health information through electronic health records, portals and mobile devices encourages more efficient encounters and enhanced patient engagement, but it also heightens the need for secure user access.

A user access management strategy needs to address many challenges, including the management of identities associated with existing user accounts, enrollment in new accounts and ensuring access to the appropriate information by the appropriate person, all without employing cumbersome processes that discourage use.

To avoid unauthorized access or disclosure of information, an access management strategy must be in place. If the appropriate security measures are not established, organizations open the door to theft of identity, financial, medical and benefits information and the associated fraud.

Considering that stolen medical record information has a street value up to 10 times as much as a stolen credit card number, healthcare organizations are a very attractive target for fraudsters.

So how do you simplify user access, while providing strong security measures?

A strong identity management program enhances the security of user access management.

Hospital staff access controls

Clearly, hospital administrative and clinical staff often need access to protected health information. But different roles require different information. 

Best practice (and common sense) dictates that every appropriately privileged user, whether employed or contracted, should have a unique log-in, allowing limited access to the records specifically required for their role. However, in a 2015 survey of healthcare professionals conducted by IS Solutions¹, 30 percent of healthcare workers did not have their own log-in and accessed the network through shared log-ins. This obviously presents a significant risk of private information reaching the wrong hands.

Another challenge in healthcare access management is cancelling access when an employee leaves the organization. According to the IS Solutions report, 37 percent of healthcare employees report that they still have access to their former organization’s network. With this in mind, it may not surprise you if many of your users with ‘information systems’ titles have multiple identities: some are synthetic identities they use for testing purposes, and others exist because they enrolled in a system under a different variation of their identity. Other users may literally have died while their old logins live on, still capable of helping an impersonator gain access. Further, the hundreds of applications used in a health system might be managed by a single Privileged Access Management system, but that is often more aspirational than reality. The result is complex and difficult oversight of which identities are legitimate, and which of them should and should not have access.
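The gaps described above (access that was never cancelled, logins that outlive their owners, and one person holding several identities) are exactly what a periodic reconciliation of the identity store against the HR roster surfaces. The following is an added example, not code from the article or from LexisNexis; the export formats, finding codes and sample rows are all assumptions constructed for illustration.

```python
from datetime import date

# Assumed export formats (constructed for this example, not any vendor's schema):
#   hr:       {person_id: (status, end_date)}   status in active/terminated/deceased
#   accounts: [(username, person_id or None, enabled, last_login)]
def audit_accounts(hr, accounts):
    """Reconcile IAM accounts against the HR roster; return {username: [codes]}."""
    findings, per_person = {}, {}
    def flag(user, code):
        findings.setdefault(user, []).append(code)
    for user, pid, enabled, last_login in accounts:
        if pid is None:                          # shared or synthetic login
            flag(user, "UNLINKED")
            continue
        per_person.setdefault(pid, []).append(user)
        if pid not in hr:                        # identity unknown to HR
            flag(user, "NO_HR_RECORD")
            continue
        status, end_date = hr[pid]
        if status != "active" and enabled:       # access never cancelled
            flag(user, "ENABLED_AFTER_SEPARATION")
            if last_login and end_date and last_login > end_date:
                flag(user, "LOGIN_AFTER_SEPARATION")   # possible impersonation
    for users in per_person.values():
        if len(users) > 1:                       # one person, several identities
            for u in users:
                flag(u, "DUPLICATE_IDENTITY")
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_HR = {
    "P1": ("active", None),
    "P2": ("terminated", date(2023, 6, 30)),
    "P3": ("deceased", date(2022, 11, 15)),
}
SAMPLE_ACCOUNTS = [
    ("alice", "P1", True, date(2024, 1, 10)),
    ("alice.test", "P1", True, date(2023, 12, 1)),   # second identity for P1
    ("bob", "P2", True, date(2023, 8, 2)),           # logged in after leaving
    ("carol", "P3", True, date(2022, 10, 1)),        # deceased, login still live
    ("shared_nurse", None, True, date(2024, 1, 11)), # shared station login
    ("dave", "P9", True, date(2024, 1, 5)),          # no HR record
]

def run_sample_audit():
    return audit_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS)
```

Each finding code maps to a specific remediation: disable and investigate separated accounts, collapse duplicate identities to one, and replace unlinked shared logins with individual ones.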

Managing user identities as a facet of a user access management strategy is paramount to protecting sensitive information and defending against identity theft, fraud and reputational risks.

Encouraging patient access, while protecting sensitive information

Health systems continue to expand the ways that patients can access their own health information and clinical support. Significant and measurable financial benefits are increasingly associated with patient portal utilization, and maximizing enrollment is crucial to increasing overall utilization and realizing the desired benefits. Patient apps increasingly give patients access to self-care suggestions and guidelines and make it easier to interact with clinicians. Contact centers are becoming a one-stop shop for patients to call and get information about primary care physicians and specialists in an area, navigate between care settings and get answers to questions about a course of treatment.

The right information security tools make it easier for patients to get and maintain access to their data and clinical support while adding layers of defense against account takeover, impersonation and fraud.

To balance patient privacy and security, a comprehensive plan for patients to securely access protected health information through a patient portal, mobile device, or via a contact center should involve:

  • Minimizing the information the patient/consumer is required to provide
  • Verifying that the patient identity is real
  • Assessing the fraud risk associated with that identity
  • Using authentication methods that adjust to the risk associated with the identity
  • Meeting a level of assurance appropriate for the risk associated with the information being accessed
  • Addressing all patient channels and varying your approach by channel, as necessary

No system is impenetrable, but a well-thought-out plan will encourage patient engagement and safeguard patient privacy and security.
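The plan elements listed above (a verified identity, a fraud risk assessment, authentication that adjusts to that risk, assurance matched to the sensitivity of the information, and a per-channel approach) can be expressed as one access decision. This is an added illustration, not code from the article or any LexisNexis product; the sensitivity tiers, risk levels, assurance levels and channel step-up methods are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed policy tables, constructed for this example.
SENSITIVITY = {"appointments": 1, "clinical_results": 2, "billing_and_benefits": 3}
STEP_UP_BY_CHANNEL = {            # how each channel can raise assurance (assumed)
    "portal": "authenticator_app_otp",
    "mobile": "device_bound_biometric",
    "contact_center": "one_time_code_to_registered_phone",
}

@dataclass
class AccessRequest:
    identity_verified: bool   # identity proofing completed at enrollment
    fraud_risk: str           # "low" / "medium" / "high" from the risk assessment
    resource: str             # key into SENSITIVITY
    channel: str              # key into STEP_UP_BY_CHANNEL
    current_aal: int          # assurance level already achieved this session (1 or 2)

def required_aal(req):
    """Assurance level needed: set by data sensitivity, raised by fraud risk.
    1 = password only, 2 = second factor, 3 = beyond any self-service step-up."""
    sens = SENSITIVITY[req.resource]
    need = 1 if sens == 1 else 2
    if req.fraud_risk == "medium":
        need = max(need, 2)              # always demand a second factor
    elif req.fraud_risk == "high":
        need = 3 if sens >= 2 else 2     # sensitive data: no automated path
    return need

def decide(req):
    """Return (outcome, detail): allow, step_up with a method, refer, or deny."""
    if not req.identity_verified:
        return ("deny", "identity_not_proofed")     # verify the identity is real first
    need = required_aal(req)
    if need >= 3:
        return ("refer", "manual_identity_review")  # too risky for any self-service
    if req.current_aal >= need:
        return ("allow", None)                      # nothing more to ask of the patient
    return ("step_up", STEP_UP_BY_CHANNEL[req.channel])
```

Because the decision asks only for the step-up the channel supports, and only when the assurance already held is below what the data and risk demand, the patient is not burdened with extra information on routine requests.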

Layered access management plan

Layering identity management solutions is the most effective approach to developing a risk-based model for identity management processes.

As you develop your plan for identity and access management, you first need to assess your current system and define the gaps that could allow fraudulent access. How do you currently:

1. Verify that an asserted identity is real and accurate?

2. Authenticate new users? 

  • Patient portal
  • Employee applications
  • Highly sensitive systems

3. Reset passwords?

4. Trigger periodic re-authentication for users?

5. Detect identities that may have been compromised?

6. Increase the Identity Assurance Level when a user requests increased privileges?

7. Periodically audit your User Access Management system?

8. Assess the fraud risk associated with valid, accurate identities?

9. Ensure that mobile devices accessing your network are not problematic?

Once you identify any gaps and vulnerabilities, you can develop a plan to trigger a combination of identity and fraud risk decisioning tools.

Attackers have numerous ways of gathering intelligence. Phishing, spoofing, vishing and impersonation have become major threats to the protection of sensitive information. From impersonating an employee or patient, utilizing deceased or synthetic identities, exploiting weaknesses in an organization’s user access management system or by taking over accounts, attack vectors continue to evolve.

A strong identity management and user access management plan defends against these threats, helps to ensure that identities accessing healthcare data are real, accurate, complete and unique, improves user access management efficiency, and reduces exposure to security vulnerabilities and fraud.

© HIT Leaders and News, a GO Digital Media & Publishing LLP publication. All rights reserved.