Healthcare News & Insights

How to improve access management to reduce breach risks

Do you know how many workers have privileged access to your networks? Your cyber security could depend on the answer. 

As hospitals expand their use of health IT and implement new devices and endpoints for patient data, facilities have to crack down on who has access to sensitive information and when.

However, many facilities’ IT staffs struggle to control access credentials for current and former employees and business associates.

If IT isn’t kept up to date on workers who are fired or quit, it can’t revoke their access and prevent them from logging on at a later time.

Risk of widespread access

To this point, Bobby Stokes, the AVP of identity access management at Tennessee-based HCA, outlines why identity access management is so important to guarding facility data and patients’ protected health information (PHI) in a recent article for Healthcare IT News.

Stokes oversees the organization’s sign-on system that has 130,000 users every month.

HCA has implemented a Caradigm identity access management platform to help manage the task of adding users when employees are hired, and revoking their access when they leave.

Performing these kinds of actions promptly can help bring new hires onboard quickly and protect data in case a former employee attempts to access the system.

Poor identity access management could put facilities at higher risk for phishing schemes, which expose systems to cyberattacks.

The more employees who have privileged access to PHI, the more targets hackers have, and the higher the chance someone will make a mistake and expose your system to a breach.

Accounting for each user

Facilities should consider designating IT staff to specifically tackle access management, like the Henry Ford Health System in Detroit did.

The key to this approach is to take time to establish clear roles and standard processes for the team, says Meredith Philips, the system’s chief information security officer.

To help your IT staff tackle this task, it’s important that your human resource department gives IT notice when staff, clinicians or contractors enter or leave your organization.

Another method is to give each user one username and password for logging on to different systems, instead of multiple usernames and passwords per user.

Also, consider auditing your facility to see who currently has and needs access to sensitive data, and who has access, but shouldn’t. Performing this kind of evaluation at regular intervals can help identify any long-dormant accounts that need to be deleted from your networks.
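One way to run the audit described above is to reconcile an export of accounts against the HR roster. The script below is an added example, not code from the article or from either health system it mentions; the CSV layouts, column names, sample records and the 90-day dormancy threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: an HR roster export and a directory account export.
HR_ROSTER = """employee_id,status
E100,active
E101,terminated
E102,active
E103,active
"""
ACCOUNTS = """username,employee_id,enabled,privileged,last_login
asmith,E100,true,true,2024-05-28
bjones,E101,true,true,2024-03-02
cwu,E102,true,false,2023-11-15
vendor1,C900,true,false,2024-05-30
dlee,E103,false,false,2023-01-10
"""

def audit_accounts(hr_csv, acct_csv, today, dormant_days=90):
    """Reconcile enabled accounts against the HR roster.

    Returns (orphaned, dormant, privileged) lists of usernames.
    The 90-day default is an assumed threshold, not one from the article.
    """
    status = {r["employee_id"]: r["status"]
              for r in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = today - timedelta(days=dormant_days)
    orphaned, dormant, privileged = [], [], []
    for a in csv.DictReader(io.StringIO(acct_csv)):
        if a["enabled"] != "true":
            continue  # already disabled, nothing left to revoke
        if status.get(a["employee_id"]) != "active":
            # Owner left, or HR has no record (e.g. an unreported contractor).
            orphaned.append(a["username"])
        elif date.fromisoformat(a["last_login"]) < cutoff:
            dormant.append(a["username"])
        if a["privileged"] == "true":
            privileged.append(a["username"])
    return orphaned, dormant, privileged

if __name__ == "__main__":
    orphaned, dormant, privileged = audit_accounts(
        HR_ROSTER, ACCOUNTS, date(2024, 6, 1))
    print("revoke (no active HR record):", orphaned)
    print("review (dormant):", dormant)
    print("privileged accounts:", privileged)
```

The privileged list also answers the question the article opens with: how many workers hold privileged access, and whether any of them have already left.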
