Diagnosis of Information Security issues & Best Practices to implement Role Based Access Control in Healthcare Premises

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles that individual users hold within an enterprise. Users receive access privileges to a system according to the roles they perform in it, and an RBAC policy ensures that the users it covers have the right access to the right resource at the right time. The healthcare industry has recently given RBAC significant attention. In a hospital that uses RBAC, every person allowed onto the hospital’s network has a predefined role (doctor, nurse, lab technician, administrator, etc.). A user assigned the role of nurse can access only the resources that the nurse role has been granted. Each user is assigned one or more roles, and each role carries one or more privileges. In a hospital EHR implementation, roles that are not clearly separated and access privileges granted chaotically across systems cause mayhem and can lead to implementation failure.

Security & RBAC Readiness Issues – Spotting of Symptoms

The first step before initiating an EHR implementation is to thoroughly assess and discover all RBAC-related issues. 8KMiles looks for the following indications during a discovery process to assess whether RBAC issues exist in a hospital or healthcare organization and, if they do, where.

1. The hospital or healthcare system has trouble defining roles for a particular user.
2. The hospital or healthcare system has trouble granting access to a single user within a group of users who share the same job title or department.
3. A department, system or application rotates staff constantly (sometimes daily), so keeping track of roles and access is very difficult.
4. Many mini-roles combine into a major role, and many such major roles exist in the system.
5. Many roles and access privileges defined in the system have not been used for a while.
6. There is no mechanism to address segregation of duties (SOD) conflicts among roles and privileges.
7. There is no access governance solution in place to assess the roles and access privileges assigned to users.
8. Audit reports needed for the compliance process are not in place, because there is no access governance solution.
9. Users have problems with multi-level approval.
10. Roles that do not fit a department’s daily activities are prevalent in the system.
11. Patient privacy data is a concern, from both a data-entry and a data-breach perspective.
12. Data security or RBAC security is a concern, especially during bulk upload of patient data or during data interchange between in-house or external systems.
13. The system has both groups and roles defined, but groups are not mapped to roles the way they should be.

Security & RBAC Readiness Issue – Mitigation Processes

After a detailed analysis of the issues, an 8KMiles RBAC Process Manager, who takes ownership of the EHR implementation, defines and implements the following processes and procedures for RBAC and security at the hospital or healthcare facility:

1. Study the results of the discovery process and understand the existing security and RBAC policies for each system and application in each department at every location of the hospital or healthcare system.
2. Prepare an RBAC matrix (the access requirements of each department’s job titles).
3. Prepare the current workflows in which these roles and their access privileges come into play.
4. Note any obvious inconsistencies and inefficiencies in these roles, for example roles whose access privileges are used heavily alongside privileges that are never used at all.
5. Note any segregation of duties (SOD) violations in the access privileges granted to the current roles. For example, a clerk in the records department should not have copy or print functions in their system that would let them print or copy EHRs and distribute them.
6. Note the critical and sensitive roles and access privileges that need special care, such as roles and privileges that give an employee direct read/write access to patient privacy data.
7. Plan to close any gaps in these critical and sensitive roles and access privileges before or during the EHR implementation.
8. Prepare plans to address the inconsistencies and SOD violations before the transition to the new EHR. If the EHR preparation time is very short, at least plan to address them during the implementation. Note: an SOD violation arises from a pair of roles with access privileges that, if held by one individual, could directly compromise the integrity of both systems in which those roles operate.
9. Prepare the future workflows of the roles after the EHR implementation. Record the inconsistencies that existed before and how they were solved during, or because of, the implementation.
10. Assess whether the critical and sensitive roles and access privileges were addressed effectively during the EHR implementation.
11. Assess whether micro-roles or mini-roles have been rolled up efficiently under major roles (i.e., roles within roles).
12. Perform an RBAC data-owner certification every month after the EHR implementation, in which the data owner of each application or system attests that each of its roles still needs to exist. As a precursor, identify all systems and applications and their data owners.
13. Perform an RBAC access certification every month after the EHR implementation, in which managers and supervisors attest that the employees who report to them still need the roles they hold on these systems. As a precursor, identify the manager or supervisor of each employee (if not already done).
14. Address the orphaned and redundant roles and access privileges that the certification processes surface.
15. Map the relationship between the groups and roles present and check that the group-to-role mappings have not drifted out of sync.
16. Assess any HIPAA/SOX-related RBAC compliance issues that arise before, during or after the EHR implementation and address them.
17. Apprise the hospital system leadership and stakeholders of the major findings and of the changes made to become compliant.
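Several of the symptoms listed earlier (roles unused for a while, groups not mapped to roles as intended, no handling of SOD conflicts) and mitigation steps 2, 5, 11, 14 and 15 above are checks that can be run mechanically over an access inventory. The following is an added example written for this page, not 8KMiles’ tooling or any hospital’s EHR: a small Python model of a hospital RBAC setup in which major roles roll up mini-roles, users get roles directly and through directory groups, SOD pairs are declared, and each role has a last-used date. All roles, users, privileges and dates are constructed for the example.

```python
"""Added example (not 8KMiles' tooling): a minimal RBAC model for a hospital
EHR with a role hierarchy, group-to-role mapping, segregation-of-duties (SOD)
pairs and last-use dates, plus the checks the symptom list and mitigation
steps above call for. Every role, user, privilege and date is constructed."""
from datetime import date

# Major roles roll up mini-roles: a major role inherits its children's privileges.
ROLE_CHILDREN = {
    "attending_physician": ["chart_read", "chart_write", "order_entry"],
    "nurse": ["chart_read", "chart_write"],
    "records_clerk": ["chart_read"],
    "records_auditor": ["audit_read"],
    "lab_tech": ["lab_results_write"],
}
# Privileges granted directly by a role, as (action, resource) pairs.
ROLE_PRIVS = {
    "chart_read": {("read", "patient_chart")},
    "chart_write": {("write", "patient_chart")},
    "order_entry": {("write", "medication_order")},
    "audit_read": {("read", "access_log")},
    "lab_results_write": {("write", "lab_result")},
    "records_clerk": {("print", "patient_chart")},  # the SOD step above questions this
    "legacy_billing": {("write", "invoice")},       # still defined, assigned to nobody
}
# Group -> role mapping as designed in the RBAC matrix vs. as found in the directory.
INTENDED_GROUP_ROLES = {"G-Nursing": {"nurse"}, "G-Records": {"records_clerk"}}
DIRECTORY_GROUP_ROLES = {"G-Nursing": {"nurse"},
                         "G-Records": {"records_clerk", "records_auditor"}}
USER_GROUPS = {"alice": {"G-Nursing"}, "bob": {"G-Records"}, "carol": set()}
USER_DIRECT_ROLES = {"carol": {"attending_physician"}}
# Role pairs one person must never hold together (the SOD matrix).
SOD_PAIRS = [("records_clerk", "records_auditor")]
# Last time each role was exercised, taken from application logs (ISO dates).
ROLE_LAST_USED = {"nurse": "2016-05-30", "records_clerk": "2016-05-29",
                  "attending_physician": "2016-05-30", "records_auditor": "2016-01-02",
                  "legacy_billing": "2015-09-01"}

def expand_roles(roles):
    """The given roles plus every mini-role reachable through the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_CHILDREN.get(role, []))
    return seen

def effective_roles(user):
    """Roles a user really holds: direct assignments plus roles reached via groups."""
    roles = set(USER_DIRECT_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= DIRECTORY_GROUP_ROLES.get(group, set())
    return expand_roles(roles)

def is_authorized(user, action, resource):
    """The runtime check: allow only if some effective role grants the privilege."""
    return any((action, resource) in ROLE_PRIVS.get(r, set()) for r in effective_roles(user))

def rbac_matrix():
    """Role -> sorted effective privileges, the matrix reviewers sign off on."""
    return {role: sorted(p for child in expand_roles({role}) for p in ROLE_PRIVS.get(child, set()))
            for role in set(ROLE_CHILDREN) | set(ROLE_PRIVS)}

def sod_violations():
    """Users holding both roles of an SOD pair, inherited and group-derived roles included."""
    users = set(USER_GROUPS) | set(USER_DIRECT_ROLES)
    return sorted((u, a, b) for u in users for a, b in SOD_PAIRS
                  if {a, b} <= effective_roles(u))

def group_mapping_drift():
    """Groups whose directory mapping grants roles the RBAC matrix never intended."""
    drift = {}
    for group, roles in DIRECTORY_GROUP_ROLES.items():
        extra = roles - INTENDED_GROUP_ROLES.get(group, set())
        if extra:
            drift[group] = extra
    return drift

def stale_roles(today_iso, max_idle_days=90):
    """Roles assigned to nobody, or not exercised within max_idle_days: certification candidates."""
    today = date.fromisoformat(today_iso)
    assigned = set().union(*(effective_roles(u) for u in set(USER_GROUPS) | set(USER_DIRECT_ROLES)))
    idle = {r for r, d in ROLE_LAST_USED.items()
            if (today - date.fromisoformat(d)).days > max_idle_days}
    unassigned = set(ROLE_PRIVS) - assigned
    return sorted(idle | unassigned)

if __name__ == "__main__":
    print("alice may write chart:", is_authorized("alice", "write", "patient_chart"))
    print("SOD violations:", sod_violations())
    print("group drift:", group_mapping_drift())
    print("stale roles on 2016-06-01:", stale_roles("2016-06-01"))
```

The point of computing SOD violations over effective roles rather than directly assigned ones is that bob’s conflict only appears because the G-Records group in the directory grants records_auditor in addition to the intended records_clerk; a review of direct assignments alone would miss both the conflict and the mapping drift. The output of stale_roles is the candidate list for the monthly data-owner and access certifications described in steps 12 to 14.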

Security & RBAC Readiness – Best Practices

Following are some of the best practices that 8KMiles RBAC managers and personnel follow to address RBAC-related issues:

1. Establish a formal business relationship with the prospect
2. Understand the business needs and requirements:

a. Compliance with HIPAA, SOX, SAS 70 and HL7 requirements
b. Workflow management (establish the flow of identities; establish roles and access controls in relation to each other)
c. Interoperability (explore identity federation with external parties; use REST APIs)
d. Security (plan for identity and data security at rest and in motion)
e. Medical records sync (HL7, HTTPS/encryption, multi-factor authentication)
f. Integration issues, for example integrating the hospital EMR with subsystems such as identity and access management and access governance systems

3. Understand the role hierarchy and the relationships between groups, roles and access permissions
4. Study the requirements systematically and deliver solutions for the above pain points using an agile methodology

By following the above processes and RBAC best practices, organizations can secure healthcare data and also identify redundant roles, inefficient access privileges, employees who were granted the wrong roles (mismatched roles), disparities between groups and roles, and access permissions still held by people who are no longer part of the organization.

Author Credits: Raj Srinivas, VP Technology at 8KMiles.

Steps to HIPAA Compliance for Cloud-Based Systems

The rapid growth of cloud computing has brought an equally rapid growth in concerns about security and privacy in cloud-based infrastructure. Healthcare organizations therefore need to understand how to implement cloud computing while remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA).

The benefits of cloud technology are too good to pass up: the agility and flexibility gained from public, private and hybrid clouds are compelling. What is needed is a cloud environment that provides secure, HIPAA-compliant solutions.

But, how do you achieve HIPAA compliance with cloud?


Image Source: Mednautix

Follow the steps below to better understand how to ensure HIPAA compliance and reduce your risk of a breach.

1. Create a Privacy Policy

Create a comprehensive privacy policy and make sure your employees are aware of it.

2. Conduct training

Having a privacy policy in place is not enough; you also have to make sure it is followed. Give employees all required training during on-boarding, and require the same training of all third-party vendors. Develop online refresher courses on HIPAA security protocols and make it mandatory for all employees and vendors to complete them at regular intervals.

3. Quality Assurance Procedure

Make sure all quality assurance standards are met and are HIPAA compliant. Conduct surprise drills to find any loopholes.

4. Regular audits

Perform regular risk assessments to estimate the probability of a HIPAA breach and evaluate the potential legal, financial and reputational damage to your business. Document the results of your internal audits and the changes that need to be made to your policies and procedures. Based on those results, review the audit procedure itself and update it with the necessary changes.

5. Breach Notification SOP

Create a standard operating procedure (SOP) that details the steps to be taken to avoid a breach, and the steps to follow if a breach of patient data does occur, including who must be notified and by when (the HIPAA Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered).

Most often a cloud service provider will handle a wide range of your requirements, from provisioning resources and developing and hosting applications to maintaining the cloud infrastructure. While primary responsibility for HIPAA compliance falls on the healthcare company, the compliance requirements extend to cloud service providers as “business associates”.

Are your cloud service providers HIPAA business associates?

Figuring out whether your cloud service provider counts as a HIPAA business associate can be tough, and the answer may vary with how the cloud is used. If the cloud provider is an active participant, for example because it stores or processes protected health information on your behalf, a business associate agreement is required and the provider must also adhere to the security requirements, including encryption, integrity controls, transmission protections, monitoring, management, employee screening and physical security.

Investing in HIPAA compliance procedures can save you from many hassles. Follow these steps to minimize your risk of being found noncompliant.

Ransomware on the Rise: What You Can Do To Protect Your Organisation From The Attack

Ransomware is malicious software that cyber criminals use to hold your computer files or data hostage and demand a payment to release them. It is a popular method for malware authors to extract money from organisations and individuals. Ransomware reaches a victim’s computer in different ways, but the most common is to trick the user into installing it, often through social engineering such as fake messages purporting to come from law enforcement. The criminals do not restore access until the ransom is paid, and sometimes not even then.

Ransomware is frightening because files it has encrypted are almost impossible to recover without the attacker’s key. But you can survive an attack if you have prepared your systems. Here are a few measures that will help protect your organisation.

Data Backup

To defeat ransomware, back up your data regularly. Once you are attacked you lose access to your documents; but if you can wipe the machine, rebuild the system and restore the lost documents from backup, you need not worry. Back up files to an external drive or a backup service, and keep that copy disconnected or versioned, because ransomware also encrypts any backup it can reach through a mounted drive or network share. After an attack you can then turn off the computer and start over with a clean setup.

Use Reputable Security Precautions

Antivirus software and a firewall together will stop many attacks, but only if you keep the software up to date and the firewall tightly configured; otherwise the attacker can exploit known security holes. Buy antivirus software from a reputable company, because there is a lot of fake security software around.

Ransomware Awareness Training

It is important to be aware of cyber security issues and to be properly trained to identify phishing attempts. Making staff aware helps them take the right action when they encounter ransomware. Because attackers’ methods constantly change, users must be kept up to date. It is hard for an untrained user to question the origin of a well-crafted phishing email, so security training for staff is the best way to prevent malware infection through social engineering.

Disconnect from Internet

If you are suspicious about a file or receive a ransom note, immediately disconnect the machine from the network so it can no longer talk to the attacker’s server. Disconnecting may limit the damage, since it takes time to encrypt all your files; it is not foolproof, but it is better than nothing, and you can always reinstall software if you have backed up your data.

Check File Extensions

Always show full file extensions; it makes suspicious files easier to spot (a file named “invoice.pdf.exe” is displayed as “invoice.pdf” when extensions are hidden). Where possible, filter mail by attachment extension, for example by rejecting messages carrying ‘.EXE’ files. If you must exchange .EXE files within your organisation, send them in password-protected ZIP files instead.
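An extension filter that only looks at the last extension misses renamed executables and archives. The following is an added example written for this page, not code from the original post: a Python attachment filter that checks every extension in the name, the bidi-override trick used to disguise names, the file’s leading bytes, and the contents of ZIP attachments. The extension lists, sample attachments and file contents are all constructed for the example; the “executables” are just an MZ header, not real malware.

```python
"""Added example (not from the original post): an attachment filter that applies
the file-extension advice above to the whole file name and to the file's first
bytes, not only to the last extension, and looks inside ZIP attachments. The
policy lists, sample attachments and file contents are constructed for this
example; the 'executables' are just an MZ header, not real malware."""
import io
import zipfile

# Extensions Windows runs directly on double-click, plus script hosts.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "msi", "ps1", "lnk", "jar"}
# Office formats that may carry macros (OOXML stores them in vbaProject.bin).
MACRO_DOC_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Leading bytes that identify the real file type whatever the name says.
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"), (b"PK\x03\x04", "zip")]
MAX_ZIP_DEPTH = 2  # bounded recursion so a nested archive cannot run us forever

def extensions(name):
    """Every extension in the name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]

def sniff(data):
    """Classify content by magic bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"

def classify_attachment(name, data, depth=0):
    """Return a list of (reason, detail) findings; an empty list means allow."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append(("executable-extension", name))
        if len(exts) >= 2:  # 'report.pdf.exe' shows as 'report.pdf' with extensions hidden
            findings.append(("double-extension", name))
    if last in MACRO_DOC_EXTS:
        findings.append(("macro-document", name))
    if "\u202e" in name or "\u202d" in name:  # bidi override: 'x\u202efdp.exe' renders as 'xexe.pdf'
        findings.append(("bidi-override", name))
    kind = sniff(data)
    if kind.endswith("executable") and last not in EXECUTABLE_EXTS:
        findings.append(("executable-content-misnamed", f"{name}:{kind}"))
    if kind == "zip" and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner_name = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected
                        findings.append(("encrypted-archive-entry", inner_name))
                        continue
                    if info.filename.lower().endswith("vbaproject.bin"):
                        findings.append(("vba-macro-project", inner_name))
                    for reason, detail in classify_attachment(info.filename, zf.read(info), depth + 1):
                        findings.append((reason, f"{name}/{detail}"))
        except zipfile.BadZipFile:
            findings.append(("corrupt-archive", name))
    return findings

def scan_attachments(attachments):
    """Map each attachment name to its findings; a gateway blocks any mail with findings."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}

def build_zip(entries):
    """Constructed test data: an in-memory ZIP of {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # constructed: only the DOS header bytes
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 constructed sample",
    "invoice.pdf.exe": FAKE_PE,                                      # renamed executable
    "photo.jpg": FAKE_PE,                                            # executable with a harmless name
    "quarterly.docm": build_zip({"word/vbaProject.bin": b"constructed"}),
    "archive.zip": build_zip({"setup.exe": FAKE_PE, "readme.txt": b"hi"}),
}

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLES).items():
        print(f"{name}: {'BLOCK ' + str(findings) if findings else 'allow'}")
```

The password-protected ZIP the paragraph above recommends for internal .EXE exchange shows up here as an encrypted-archive-entry finding, because the gateway cannot inspect it; whether that is allowed from internal senders and blocked from external ones is a policy decision, and the filter simply surfaces it. Magic-byte sniffing is what catches photo.jpg, which no extension rule would touch.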

Exercise Caution, Warn Authorities, Never Pay

Avoid links inside emails and suspicious websites. Use another computer to research what to do if your PC is under attack. Inform the FBI or your local cybercrime unit about the attack. Finally, never pay: the criminals may keep demanding more and may not release your data anyway. Taking precautions to protect your data and staying alert are the best ways to prevent a ransomware attack.

In reality, dealing with ransomware requires an effective backup plan so that you can protect your organisation from the attack.

How Cloud Computing Can Address Healthcare Industry Challenges

Healthcare & Cloud Computing

The sustainability and welfare of mankind depend on the healthcare industry, yet technology is under-utilized in healthcare, which limits the sector’s operational competence. Some healthcare organizations still depend on paper records, while others have digitized their information. Using technology helps coordinate care between patients and physicians and across the medical community.

Cloud computing is being adopted globally to reform and modernize the healthcare sector, shifting it to a model in which workflows and medical information are supported and coordinated collectively. Cloud computing helps the healthcare industry store large volumes of data, facilitates sharing of information among physicians and hospitals, and improves data analysis and tracking. This helps with treatments, the performance of physicians and students, costs and studies.

Overcome Challenges in Healthcare Industry through Cloud Computing

In the healthcare industry, the utmost importance should be given to security, confidentiality, availability of data to users, long-term preservation, data traceability and data reversibility. Some of the challenges healthcare IT systems face concern the exchange, maintenance and use of huge volumes of information. Hence, when moving healthcare information into the cloud, careful thought should be given to the type of application, clinical or non-clinical, the organization wants to move.

When moving an application to a cloud deployment model, security, privacy and application requirements must be considered as part of setting up healthcare digitally. Cloud services can be public, private or hybrid. A clinical application will be deployed in a private or hybrid cloud, as it requires the highest level of precaution; a non-clinical application fits the public cloud deployment model.

Cloud computing is emerging as a vital technology in the healthcare industry but is still underutilized. Those involved in healthcare, such as medical practitioners, hospitals and research facilities, could consider the different cloud service models that address their business needs: Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

Among the three service models, SaaS, a pay-per-use model, is the most attractive option economically, especially for small hospitals or physician practices, as SaaS needs no full-time IT personnel and reduces the capital expense of hardware, software and operating systems.

PaaS is a good option for large-scale healthcare institutions that have the resources to develop cloud solutions further. IaaS is feasible for healthcare organizations seeking more scalable infrastructure: it is cost-effective and provides scalability along with security, flexibility, data protection and backups.

Thus cloud computing could be a permanent solution, a game-changer, for the healthcare industry with respect to its service offerings, operating models, capabilities and end-user services. With cloud computing, the challenges the healthcare industry faces in managing, storing, retrieving and accessing medical information could be greatly reduced. Meanwhile the healthcare industry can overtake other industries in its use of technology by adopting cloud services, and accessing or monitoring healthcare information across the globe would become easier.
