Segregation of Duties in Healthcare: Treating the Growing Cancer

Healthcare, one of the most heavily regulated industries, struggles with cloud migration because its data privacy and security compliance requirements do not translate easily to cloud platforms. Electronic Health Record (EHR) platforms streamline compliance with the Health Insurance Portability and Accountability Act (HIPAA) in some ways, but integrating them widens the attack surface as more patients and clinicians reach their information from more locations. Moreover, with healthcare increasingly relying on short-term contract workers to fill the talent gap, the industry needs Identity Governance and Administration (IGA) practices that move faster than the traditional role-based and access-based policies now in use, and that apply Segregation of Duties (SOD) to keep clinical environments secure and compliant.

Where Role-Based Access Control (RBAC) Alone Fails

Health information systems (HIS) require healthcare organizations to tightly control access to the EHR. Unfortunately, legacy RBAC does not fit digital migration strategies that add cloud computing, delegated granting of access, emergency provisioning, and multi-cloud architectures.

In short, legacy RBAC relies on static, permanently defined roles and groups, while cloud migration strategies require dynamic, constantly changing identity attributes to maintain governance over access. This is especially true in healthcare, where EHR applications have very complex permission models and the people using them need very different access depending on the clinic, shift, floor, research project, or other changing criteria.

Cybersecurity Capabilities

Although often viewed as an external threat, cybersecurity risk increasingly arises from internal access and its misuse. The 2019 Verizon Data Breach Investigations Report noted a significant increase in system administrators as threat actors and found that internal data misuse, whether accidental or malicious, was a primary cause of data breaches. When a breach happens in healthcare, the average cost of resolution is $408 per record stolen, so the stakes for preventing account misuse are high.

Emergency Provisioning

Hospitals need to extend EHR access quickly so that healthcare workers can reach the information needed to provide patient care. However, RBAC by itself offers no mechanism for time-bound, as-needed delegation: granting access means changing someone's role, which cannot keep pace with real-time requests across interconnected cloud systems.

High-Level Access Controls

High-level, or coarse-grained, access controls let healthcare organizations grant access at the level of a whole application. Cloud migration creates interconnected relationships between applications and often requires fine-grained controls that take account of the specific data and action involved. Legacy RBAC lacks the context needed to maintain data privacy and security at that level.

What Are the Key Segregation-of-Duties (SOD) Problems?

Research indicates that RBAC cannot adapt on its own to the evolving cloud ecosystem. Best practices for governing EHR access must evolve to meet these changing needs.

Assess Risk

Assessing risk across the organization becomes burdensome as healthcare organizations migrate to the cloud. They need to continuously assess the risk that staff pose, focusing on each application, endpoint, user, and job function, and they need to become more detailed about how users access information. For example, regional home healthcare providers need access to patient data, but their access must be segregated from the business functions within the regional offices.

Define Privilege Level

Not all privilege is created equal. The information an administrative role needs from the Enterprise Resource Planning (ERP) system differs from what doctors and nurses need from the EHR system, and the access each needs within Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) environments differs again. For example, business processes such as billing need access to claim and payee information but must be segregated from the financial platform to prevent fraud. Unfortunately, these different cloud environments rarely share consistent role definitions. These inconsistencies, and the resulting inability to provision users on the principle of least privilege, lead to SOD violations.

Review Ancillary Services

Access to and from diagnostic, therapeutic, and custodial services needs to be included in the cloud-migration SOD violation review. Increasingly, the healthcare industry draws on lab testing, radiology, physical therapy, occupational therapy, hospice, and long-term acute care that support the primary physician. While these services run on their own architectures, healthcare organizations need to integrate with them while still complying with their internal SOD policies.

Auditability

Many healthcare organizations still monitor for SOD violations manually. Internal audit must gather information from the EHR owner and then, separately, from the owners of the business applications. Without a single source of documentation, the human error inherent in manual processes often lets SOD violations go undetected.

How to Set Best Practices for Governing SOD in EHR Systems

Setting best practices for maintaining SOD within healthcare EHR systems requires organizations to continuously monitor access and access requests to prevent violations. Violations include misuse of patient data, the same person both prescribing and dispensing drugs, and fraud in the revenue and billing cycles.

Who Accesses What Information

Successful and secure cloud migration starts with existing access data. Healthcare organizations need internal policies that control and govern who has access to which client, financial, and clinical resources, and whether that access is appropriate. Establishing internal controls and a series of checks and balances starts with understanding risk.

Analyze Segregation of Duties

After setting access rights, the healthcare organization needs to establish SOD rules based on its EHR system and then review SOD violations by business process. After working through the SOD policies for the EHR and ERP separately, it needs to run a cross-application SOD evaluation, because a conflict can be split across two systems that each look clean on their own. Best practice for analyzing segregation of duties also requires an internal control process for employee access to financial information within the health information system. Many organizations focus on patient data and neglect the controls that secure financial transactions from fraud.

Additionally, many healthcare organizations must also comply with the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX). Unmanaged SOD across interconnected platforms can easily violate these requirements, placing healthcare organizations at risk of fines.
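The cross-application evaluation described above, as an added example (not Saviynt's product code or any EHR or ERP vendor's model): a small Python check that expands each identity's roles across the EHR and ERP into entitlements and then tests them against SOD rules, including a scope-aware rule for a refund and a void at the same point of sale, which mirrors the out-of-box control the page cites later. All role names, entitlements, rules, and users are constructed for the example.

```python
"""Cross-application segregation-of-duties (SOD) evaluation.

Added example: the role catalog, entitlements, rules and users below are
constructed for illustration and do not come from any EHR or ERP product.
"""
from collections import defaultdict
from dataclasses import dataclass

ANY = "*"  # wildcard scope: the grant applies to every location or POS


@dataclass(frozen=True)
class Grant:
    entitlement: str  # "<app>:<function>", so one rule can span applications
    scope: str = ANY  # e.g. a point-of-sale or clinic identifier


@dataclass(frozen=True)
class Rule:
    name: str
    first: str
    second: str
    same_scope: bool = False  # True: conflict only when the two scopes overlap


# Constructed role catalog (role -> grants). Nothing in a role's name reveals
# a conflict; it only shows up after expansion to entitlements.
ROLES = {
    "EHR/Attending": {Grant("ehr:prescribe_medication"), Grant("ehr:view_chart")},
    "EHR/PharmacyTech": {Grant("ehr:dispense_medication"), Grant("ehr:view_chart")},
    "EHR/POS-Cashier-12": {Grant("ehr:issue_refund", "POS-12")},
    "EHR/POS-Supervisor-12": {Grant("ehr:void_transaction", "POS-12")},
    "EHR/POS-Supervisor-40": {Grant("ehr:void_transaction", "POS-40")},
    "EHR/POS-RegionalManager": {Grant("ehr:void_transaction")},  # every POS
    "ERP/AP-Clerk": {Grant("erp:create_vendor"), Grant("erp:enter_invoice")},
    "ERP/AP-Approver": {Grant("erp:approve_payment")},
}

# Constructed SOD rules. The second mirrors the refund/void pairing cited on
# this page; the third spans the EHR billing module and the ERP.
RULES = [
    Rule("Prescribe and dispense", "ehr:prescribe_medication", "ehr:dispense_medication"),
    Rule("Refund and void at the same POS", "ehr:issue_refund", "ehr:void_transaction", same_scope=True),
    Rule("Refund in EHR and approve payment in ERP", "ehr:issue_refund", "erp:approve_payment"),
]

# Constructed identities and their role assignments across both applications.
USERS = {
    "dr.lee": ["EHR/Attending", "EHR/PharmacyTech"],  # mover who kept an old role
    "cashier.12": ["EHR/POS-Cashier-12", "EHR/POS-Supervisor-40"],
    "super.12": ["EHR/POS-Cashier-12", "EHR/POS-Supervisor-12"],
    "fin.lead": ["EHR/POS-Cashier-12", "ERP/AP-Approver"],
    "tech.kim": ["EHR/PharmacyTech"],
}


def scopes_overlap(a: str, b: str) -> bool:
    return a == ANY or b == ANY or a == b


def effective_grants(role_names, roles=ROLES):
    """Expand roles into entitlement -> scope -> set of roles granting it."""
    out = defaultdict(lambda: defaultdict(set))
    for role in role_names:
        for g in roles[role]:
            out[g.entitlement][g.scope].add(role)
    return out


def violations_for(role_names, rules=RULES, roles=ROLES):
    """Return every rule an identity breaks, with the roles that cause it."""
    grants = effective_grants(role_names, roles)
    found = []
    for rule in rules:
        for scope_a, roles_a in grants.get(rule.first, {}).items():
            for scope_b, roles_b in grants.get(rule.second, {}).items():
                if rule.same_scope and not scopes_overlap(scope_a, scope_b):
                    continue
                found.append({
                    "rule": rule.name,
                    "first": (rule.first, scope_a, sorted(roles_a)),
                    "second": (rule.second, scope_b, sorted(roles_b)),
                })
    return found


def sod_report(users=USERS, rules=RULES, roles=ROLES):
    """Map each identity with at least one violation to the rule names broken."""
    report = {}
    for user, assigned in users.items():
        names = [v["rule"] for v in violations_for(assigned, rules, roles)]
        if names:
            report[user] = names
    return report


if __name__ == "__main__":
    for user, broken in sod_report().items():
        print(f"{user}: {', '.join(broken)}")
```

Two details carry the lesson. The cashier who can refund at POS-12 and void at POS-40 is not flagged, while the same refund grant combined with a regional manager's wildcard void is, which is why scope must be part of the rule rather than bolted onto the role name. And "fin.lead" is clean inside the EHR and clean inside the ERP; only the cross-application pass sees the conflict.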

Review Critical Access

Critical access, the access that matters most, in EHR systems traditionally belongs to medical professionals such as doctors, nurses, and clinicians. However, in the cloud, critical access shifts as individuals change roles and need more or less access. A doctor who moves into an administrative role no longer needs full patient health record access, while as the organization adds applications these professionals may require additional access. Risk-based access reviews combined with usage analytics help keep access appropriate.

Review/Certify Access

To maintain compliance with internal SOD policies, the organization needs to continuously monitor access. Legacy systems overwhelm healthcare organizations with certification items and alerts, especially as the number of applications needed to care for patients grows. The flood leads managers, resource owners, and process owners to approve everything without meaningful review. Intelligent analytics based on peer usage, peer requests, and business policies and attributes can streamline the review and certification process and help ensure appropriate, continuous compliance.
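What "intelligent analytics based on peer usage" computes, as an added illustration that is not Saviynt's analytics or any product's output: a constructed entitlement inventory with departments and days since last use, a peer-prevalence calculation, and a scored certification queue that surfaces only the outliers and stale grants for a human reviewer. The departments, entitlement names, thresholds, and usage figures are assumptions made for the example.

```python
"""Peer-group and usage analytics to focus access certification.

Added example: the departments, entitlements and last-use figures are
constructed for illustration, not real analytics output from any product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str
    department: str
    entitlement: str
    days_since_last_use: int


# Constructed entitlement inventory. Five ICU nurses share the same two
# entitlements; one also holds a billing function her peers do not.
ACCESS = [
    Access("nurse.a", "ICU Nursing", "ehr:view_chart", 0),
    Access("nurse.a", "ICU Nursing", "ehr:administer_meds", 1),
    Access("nurse.b", "ICU Nursing", "ehr:view_chart", 0),
    Access("nurse.b", "ICU Nursing", "ehr:administer_meds", 0),
    Access("nurse.c", "ICU Nursing", "ehr:view_chart", 2),
    Access("nurse.c", "ICU Nursing", "ehr:administer_meds", 120),  # stale
    Access("nurse.d", "ICU Nursing", "ehr:view_chart", 0),
    Access("nurse.d", "ICU Nursing", "ehr:administer_meds", 0),
    Access("nurse.d", "ICU Nursing", "ehr:issue_refund", 3),  # peer outlier
    Access("nurse.e", "ICU Nursing", "ehr:view_chart", 1),
    Access("nurse.e", "ICU Nursing", "ehr:administer_meds", 1),
    Access("biller.x", "Patient Accounts", "ehr:issue_refund", 1),
    Access("biller.y", "Patient Accounts", "ehr:issue_refund", 2),
]


def peer_prevalence(records):
    """department -> entitlement -> fraction of that department's users holding it."""
    users = defaultdict(set)
    holders = defaultdict(lambda: defaultdict(set))
    for r in records:
        users[r.department].add(r.user)
        holders[r.department][r.entitlement].add(r.user)
    return {
        dept: {ent: len(who) / len(users[dept]) for ent, who in ents.items()}
        for dept, ents in holders.items()
    }


def certification_queue(records, peer_threshold=0.25, stale_days=90):
    """Rank only the access that needs a human look; the rest can be auto-certified.

    Score = (1 - peer prevalence) + (days unused, capped at a year) / 365,
    so a grant nobody else in the department holds outranks a common but
    idle one.
    """
    prevalence = peer_prevalence(records)
    queue = []
    for r in records:
        p = prevalence[r.department][r.entitlement]
        reasons = []
        if p < peer_threshold:
            reasons.append(f"held by {p:.0%} of {r.department} peers")
        if r.days_since_last_use >= stale_days:
            reasons.append(f"unused for {r.days_since_last_use} days")
        if reasons:
            score = round((1 - p) + min(r.days_since_last_use, 365) / 365, 2)
            queue.append((score, r.user, r.entitlement, reasons))
    return sorted(queue, reverse=True)


if __name__ == "__main__":
    for score, user, entitlement, reasons in certification_queue(ACCESS):
        print(f"{score:.2f}  {user:10s} {entitlement:22s} {'; '.join(reasons)}")
```

Of thirteen grants, the reviewer sees two: the refund function held by one nurse out of five, and a common clinical entitlement that one nurse has not used in four months. The same refund function in Patient Accounts is held by everyone there and is never queued, which is the point of comparing against peers rather than against a global list.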

Streamline the Access Request Process

As the healthcare organization's staff and medical professionals require more access to more applications, the number of access requests can become overwhelming. Healthcare organizations need automated solutions that streamline the process and use intelligent analytics to screen requests for SOD violations before access is granted. Moreover, since healthcare runs 24 hours a day, seven days a week, administrators need easy-to-use mobile applications that let them maintain security and privacy from anywhere, at any time.

Why Saviynt? Assured Compliance-as-a-Service for Healthcare

Intelligent Identity. Smarter Security.

Saviynt works with the Centers for Medicare and Medicaid Services (CMS) to ease identity governance challenges around clinicians, patients, and vendors. As part of our cloud-based Assured Compliance-as-a-Service platform, we offer a solution that eases the burden of SOD monitoring for the healthcare industry.

Out-of-Box Controls

We provide native integration with EHR platforms such as Cerner, Epic, and McKesson, and also integrate with the most business-critical ERP, IaaS, PaaS, and Software-as-a-Service (SaaS) solutions used in the healthcare industry.

Our platform provides a single location for managing HIPAA, HITECH, and other compliance requirements, and connects across cloud-based infrastructures so that the organization can maintain compliance with internal SOD policies as well as external governmental and industry-standard requirements.

For healthcare organizations struggling to apply SOD in the EHR financial modules, the Saviynt platform provides controls that block fraudulent combinations such as issuing a refund at a point of sale (POS) and voiding a transaction at the same POS. This out-of-box capability strengthens compliance, security, and privacy across the ecosystem's complex identities, something often lacking in legacy solutions.

Intelligent Analytics for Integrated Access

Using peer analysis and usage analytics, the Saviynt platform increases visibility across the cloud infrastructure so that approvers make informed decisions. With our intuitive user interface, approvers can spot outliers and run a risk-based certification process that proves governance over their data access policies. High-risk clinician access can be reviewed and certified more frequently, while low-risk access gets less frequent review cycles to ease clinician fatigue.

Extend Security to Non-Clinical Applications

The Saviynt platform integrates with critical applications such as Azure, Office 365, Box, and PeopleSoft, providing Data Access Governance and Intelligence across the entire cloud infrastructure. When documents such as imaging or consent paperwork are stored in a cloud collaboration platform, Saviynt extends governance controls to protect patient privacy on these diverse endpoints.

Single Pane of Glass/Single Source of Information

Saviynt's platform provides a dashboard that increases visibility and removes the multiple sources of documentation that limit auditability in legacy solutions. Going further, the platform integrates logging information across the ecosystem to provide the documentation internal audit needs, while also providing cross-application SOD management.

Identity Lifecycle Management

Ensure SOD compliance by creating identity stores that include all employees, credentialed providers, contractors, students, researchers, business partners, and temporary workers such as interns. Our continuous monitoring streamlines onboarding and ensures that healthcare organizations deprovision accounts as joiners, movers, and leavers change status, protecting patient privacy and security.

For more information about how Saviynt secures access to patient information and protects organizations from SOD violations, contact us for a demo today.

To read more about how Saviynt enables healthcare organizations to shift their focus from “privacy” to “access,” read our whitepaper, “Role of Identity Governance and Administration with Healthcare.”


Diana Volere

About author

Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space.
