Diagnosis of Information Security issues & Best Practices to implement Role Based Access Control in Healthcare Premises

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Usually, users have the access privileges to the systems based on the roles that they perform in those systems. RBAC policies in general ensure that users who come under these policies have the right access to the right resource at the right point of time. In recent times Healthcare industry has been giving significant importance to RBAC, for example, if a RBAC system was used in a hospital, each and every person who is allowed access to the hospital’s network has a predefined role (doctor, nurse, lab technician, administrator, etc.). If a user is defined as having the role of nurse, then that user can access only resources that the role of nurse has been allowed access to. Each user is assigned one or more roles, and each role is assigned with one or more privileges in that role. In a hospital EHR Implementation process, clear non-separation of roles and chaotic access privileges to various systems would cause mayhem in the system, resulting in an implementation failure.

Security & RBAC Readiness Issues – Spotting of Symptoms

The first step before initiating an EHR Implementation process is to thoroughly assess/discover all RBAC related issues. 8KMiles looks for the following indications, as part of a discovery process, to assess whether RBAC issues exist in a Hospital/Health Care Organization and if they do, where they might exist.

1. Hospital or Health Care System has problem in defining roles for a particular user
2. Hospital or Health Care System has problem in providing access to a single user amongst a group of users within same job-title/department.
3. Department/System/ Application has to constantly rotate staff (sometimes even on a daily basis), hence keeping track of roles/access is getting very difficult.
4. There are many mini-roles which can form into a major role. There are many such major roles existing in the system.
5. Many Roles and access privileges though defined in the system have not been used for a while
6. There are no systems to address SODs (Segregation of Duties) that exists among roles/privileges
7. There is no Access Governance Solution in place to assess Role/Access privileges assigned to users
8. Audit reports were not in place to follow compliance process due to lack of Access Governance solution.
9. Users had problems in Multi-level approval
10. Roles not fitting into daily scheme of activities of a department are prevalent in the system
11. Patient Privacy Data related issues are a concern (both from a data-entry and a data-breach perspective)
12. Data Security or RBAC Security is a concern especially during bulk-data upload of patient data or during data interchange between in-house or external systems.
13. System has both Groups and Roles defined, but Groups are not mapped to roles in a way they should be.

Security & RBAC Readiness Issue – Mitigation Processes

After a detailed analysis of the issue is done, an 8KMiles RBAC Process Manager ,who will take the ownership of EHR Implementation, will define and implement the following processes/procedures, pertaining to RBAC and Security at the Hospital/Health Care Facility:

1. Study the results of the Discovery Process and understand existing Security and RBAC policies in place for each system/application in each department at every location of the Hospital/Health Care system
2. Prepare a RBAC matrix (Access Requirements of each Department’s Titles)
3. Prepare current workflows where these roles and their access privileges come into play
4. Note down any inconsistencies and inefficiencies pertaining to these roles that are obvious. For example, if a role and its access privileges are used heavily while some of them that are not being used at all
5. Note down any violation of Segregation of Duties (SODs) as per the access privileges entitled for the current roles. For example a clerk in the records department should not have access to a copier or print functions in their system so they can print/copy EHRs and distribute
6. Note down the critical and sensitive roles and access privileges that one needs to be careful about. These could be roles and privileges wherein employee has a direct read/write access to patient’s privacy data
7. Plan to address any gaps relating to these critical and sensitive roles and access privileges before/during EHR Implementation
8. Prepare plans to address the inconsistencies and SODs before the transition to the new EHR Implementation. If the EHR Preparation time is very short, at least have plans to address these during the EHR Implementation. Note: SOD Violations are caused by Pairs of Roles with Access Privileges that if an individual were to possess, would have a potential to directly compromise the integrity of both the systems, where these roles function
9. Prepare future workflows of Roles after the EHR Implementation. Note down the inconsistencies that were there before and how it has been solved during or because of EHR Implementation
10. Assess whether the critical and sensitive roles and access privileges were addressed effectively during EHR Implementation
11. Assess whether micro-roles or mini-roles have been effectively rolled under major Roles efficiently (i.e. Roles within Roles)
12. Perform a RBAC Data-Owner Certification Process every month after EHR Implementation wherein each of the Data Owners of each application/system attests for the need of these roles to be in the system. As a pre-cursor to this process identify all systems/applications and their Data Owners
13. Perform a RBAC Access Certification Process, every month after EHR Implementation, wherein you ask the Managers, Supervisors to attest where employees who work under them do need the roles they are performing on these systems. As a pre-cursor to this process identify all the managers and supervisors (if not already done) of each employee
14. Address orphaned/redundant roles and access privileges that come out of the above certification process
15. Find the relationship between the Groups and Roles present and see if the mappings of Groups with Roles are not out of synch
16. Assess any HIPAA/SOX related RBAC compliance issues that occur prior/during/post EHR Implementation and address them
17. Apprise of the Hospital System leadership/Stake Holders the major findings and changes made to be compliant

Security & RBAC Readiness – Best Practices

Following are some of the best practices that 8KMiles RBAC Managers/Personnel follow in order to address RBAC related issues:

1. Establish formal Business Relationship with the prospect
2. Understand the Business needs and requirements

a. Compliance with HIPAA, SOX, SAS70, HL7, requirements
b. Workflow Management (Establish Flow of Identities, Establish Roles – Access Control in relation to each other)
c. Interoperability (Explore Identity Federation with External Parties, Use REST APIs)
d. Security (Plan for Identity/Data Security at Rest and in Motion)
e. Medical Records Synch (HL7, HTTPS/Encryption, Multi-Factor Auth)
f. Integration Issues – For Example, integration of the hospital EMR with subsystems like Identity and Access Management and Access Governance systems

3. Understand Role Hierarchy, relationships between groups, roles and access permissions
4. Study the requirement systematically and come up with solutions based on agile methodology for the above pain-points

By following all of the above processes and RBAC best practices, organizations can secure Healthcare data and also identify redundant roles, inefficient access privileges, employees who were not granted right roles i.e., Mismatched roles, disparities between groups and roles, and access permissions of employees who were no longer part of the system.

Author Credits: Raj Srinivas, VP Technology at 8KMiles, You can connect with him here for more information