Getting EHR Governance Right is Challenging for Healthcare Security Teams, Requiring a Balance Between Ease of User Access and Security of Patient Data.
Thanks to Electronic Health Records (EHR) systems such as Epic and Cerner, patients are receiving better care and hospitals are seeing greater cost savings. EHR systems standardize and centralize patient data. Patient information is searchable and easier to share with other clinicians, which results in better and faster care. Healthcare organizations are using EHR systems to do more than just manage patient care. EHR systems are also being used for critical business functions. For example, most hospitals use EHR systems for their revenue cycle functions, including billing, appointment-making, scheduling, and referral management.
The importance of EHR systems is clear, but there’s a challenge involved as well. The increased data portability and accessibility EHR systems provide can inadvertently increase the ease with which patient information can be stolen by unauthorized persons or unscrupulous users. Healthcare data is highly prized by hackers. These records can include not only personal health information, but can also include addresses, social security numbers, credit card data, and more. In the first half of 2022, healthcare organizations suffered about 337 breaches, according to Fortified Health Security’s mid-year report. More than 19 million records were exposed in healthcare data breaches during that time.
Another cause for concern is accidentally restricting access in a way that prevents end users from getting the information they need, slowing patient care delivery.
The Many Challenges of EHR Access Control
Controlling access to EHR systems is a complicated prospect. They’re not like other systems where you’re either giving “on or off” access, or managing a short list of licenses that users are getting. Security personnel must often deal with permissions managed on a very fine-grained level that may be combined into a role-based access structure that allows a person to gain access to one of hundreds or thousands of different permissions with access throughout the enterprise.
Another challenge is that healthcare organizations must follow strict regulations in how they handle patient data. For example, one of the requirements of HIPAA is an adherence to the principle of least privilege, in which users are only given the access needed to do their jobs and nothing more. Yet it’s often difficult to get all the necessary information about the person requesting access, such as confirming that they’ve been credentialed at the hospital, and that they have completed the required training to get the access that they need. Hospitals also often use external contractors and third-party vendors, making access control an even greater challenge.
Most important is the high sensitivity of protected health information (PHI). Keeping it safe is the top priority.
Three Best Practices for Optimizing EHR Governance
When optimizing EHR governance, there are three best practices to employ: automating the provisioning workflows and controls, limiting risk, and demystifying access. I’ll discuss each of them in greater detail below.
Automate Provisioning Workflows and Controls
This approach can be summarized as doing what you can to eliminate human error. As we all know, manual processes tend to introduce errors and encourage the taking of shortcuts. Another advantage of automation is 24/7 processing, which eliminates delays, reduces access friction, and frees up time that personnel can then spend on patient care.
Reduce SLAs – Make it easier to get access to lower-risk resources by establishing risk-driven policies and workflows. This involves classification of applications and resources, establishing risk based on user type and contextual risk scoring. You can use intelligent risk scoring – based on usage data, behavioral analytics, and peer group analysis – to optimize access certification, requests, role management, and other access management assignments and processes.
Use ABAC – Using birthright and user update rules that leverage attribute-based access control (ABAC) tools and time-based access allows you to manage access more precisely. These tools incorporate intelligent analytics to create attributes such as user, object, action, or environment characteristics and dictate how a role can operate.
Control Enforcement – Set up technical controls to enforce your policies rather than putting enforcement solely in the hands of people. For example, if you have a rule that a person needs to have a specific license to request a certain access, you can set up and enforce those types of controls automatically.
Remove Human Error – Look for ways to increase the use of automation and machine learning. These will inherently reduce the risk of human error.
The second best practice is to limit risk. There are several ways that you can do this. One of them is to use fine-grained permissions analysis or access controls to make sure that none of the access that you are giving creates separation of duty (SoD) violations.
Analyze Data Sensitivity and Risk – Think about the sensitivity of the data that you’re giving access to. Even within a healthcare organization, not all patient care data is equally sensitive. What can you do differently to protect more highly sensitive data within your environment? You can institute separate controls for this access such as requiring additional approvals or more frequent certification of access.
Reduce Standing Privilege – Put emergency access workflows in place so personnel can quickly have access only when they need it and make it limited to just the time they need to get into the EHR to do their job.
Use Peer Group Analytics – Peer analysis is another way to limit risk. Use analytics and machine learning to identify if what a person is requesting or getting access to is aligned with their cohorts, or if this person is attempting to get access that is beyond that expected of somebody with their job title or HR data or department, etc.
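The sketch below is an added example, not code from any EHR or identity product, showing how the controls described above can be enforced in one automated decision: prerequisite attributes, an SoD check, peer group alignment, and time-limited emergency access. All permission names, attributes, thresholds, and the choice to keep hard controls in force during emergency access are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy data; none of these names come from a real EHR.
PREREQS = {"ehr:order-entry": {"credentialed", "privacy-training"}}
SOD_CONFLICTS = [frozenset({"billing:create-charge", "billing:approve-writeoff"})]
PEER_THRESHOLD = 0.2                  # minimum share of peers holding the permission
BREAK_GLASS_TTL = timedelta(hours=4)  # lifetime of an emergency grant

@dataclass
class User:
    name: str
    department: str
    title: str
    attributes: set = field(default_factory=set)
    permissions: set = field(default_factory=set)

def peer_share(user, permission, directory):
    """Fraction of users with the same department and title who hold the permission."""
    peers = [u for u in directory if u is not user
             and (u.department, u.title) == (user.department, user.title)]
    if not peers:
        return 0.0
    return sum(permission in p.permissions for p in peers) / len(peers)

def evaluate(user, permission, directory, now, emergency=False):
    """Return (decision, reasons, expires_at) for one access request."""
    reasons = []
    # Control enforcement: required attributes are checked by code, not by people.
    missing = PREREQS.get(permission, set()) - user.attributes
    if missing:
        reasons.append("missing prerequisites: " + ", ".join(sorted(missing)))
    # SoD: deny if the user already holds the conflicting half of a pair.
    for pair in SOD_CONFLICTS:
        held = (pair - {permission}) & user.permissions
        if permission in pair and held:
            reasons.append("SoD conflict with " + ", ".join(sorted(held)))
    if reasons:
        return "deny", reasons, None
    # Emergency access skips peer review but always carries an expiry.
    if emergency:
        return "grant", ["emergency access, time-limited"], now + BREAK_GLASS_TTL
    # Peer group analytics: unusual requests go to a human reviewer.
    if peer_share(user, permission, directory) < PEER_THRESHOLD:
        return "review", ["access is unusual for peer group"], None
    return "grant", [], None
```

Routing only the peer group outliers to a reviewer keeps low-risk requests fast while leaving managers a short, meaningful queue instead of a bulk approval list.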
Make Governance Accessible
The final best practice is to make it easier for end users, managers, and administrators to actually work within the framework. This involves three techniques.
Simplify the User Experience – Look for ways to simplify and standardize processes to decrease frustration so that people will follow best practices instead of looking for shortcuts.
Speak Plainly – A common practice is to use esoteric role names that rely on a level of understanding of jargon and abbreviations. This practice just makes it more complicated for others to understand. A better approach is to use easily understood names so that the system is more user-friendly.
Demystify Access Reviews – Access reviews are an important part of ensuring users have only the access they need to do their jobs. But such reviews can be complicated and tedious, which can result in managers using the “Select All, Approve All” technique. Looking for ways to make them simpler, including choosing intuitive role naming conventions, can help reduce this phenomenon. It also helps to make it easier for users to request the right access. And managers need better access to information on what access the user has, and how it is different from others.
One of the foundational tenets of identity security is “Simpler is More Secure.” This is especially true for healthcare organizations where highly sensitive patient data is an attractive target for hackers and complications in user access can get in the way of nothing less than a provider’s ability to care for a patient.