Failure to lock down access is compromising data security at U.S. healthcare organizations, according to a newly released report from software provider IS Decisions. The research points to concurrent logins, manual logoffs, password sharing and lack of unique logins as having a direct effect on data integrity by putting patient records at risk.
The report, “Healthcare: data access compliance,” finds that despite HIPAA’s security rules imposing restricted access to electronic patient health information, 63 percent of healthcare staff can sign on to different devices and workstations concurrently, 49 percent have to sign off manually and 30 percent do not have unique logins.
The report asserts that a set of basic security practices would not only help to safeguard sensitive patient data but would also satisfy overlapping compliance requirements.
“Access to personal data can be life-dependent, but there has to be a reliable access management procedure and system in place,” the report states. Further:
“82 percent have access to patient data, which is worrying considering 30 percent do not have unique logins for this access, making proper user identification impossible. A surprising 37 percent are restricted from concurrent access, a requirement, given that attribution is difficult when users can be logged in from multiple devices and locations.”
In response to these potential security shortfalls, the report proposes five areas in which organizations can take action to safeguard data:
1) Onboarding new employees. HIPAA calls for healthcare organizations to implement a security awareness and training program for all workforce members; however, only 29 percent of healthcare professionals received such training. Adherence to security policies should be included in employee contracts and be acknowledged in writing by new workers. Background checks for new staff members are also recommended.
2) Implementing security procedures. Password policies should force users to change their login details on a regular basis. Employees should know how to apply appropriate data-protection protocols for passwords and shredding of sensitive documents. Organizations should provide regular refresher sessions and sanction employees who violate policies and procedures.
3) Securing network access. User actions must be identifiable to an individual. Each user on the network should have a unique ID, and shared logins should not be permitted. In addition, workers should be automatically logged off from a network after a set period of inactivity, and concurrent logins should be disabled. Taking identification a step further, network access can be limited by device, department or time of day. Also, informing workers that network access will be monitored encourages compliance with policies.
4) Defining data access. Authorized users should only be able to access the minimum necessary information needed to perform job functions. In the event of an emergency, however, an access procedure should be in place so that employees can obtain necessary information. Moreover, specific files and folders should be monitored, as should employee actions (e.g., copying, moving, deleting data).
5) Accommodating job changes. Training sessions should be tailored to job roles; a worker moving to a new position should be treated as a new employee and be given immediate training. Access rights should also be reviewed when employees change roles. A formal de-registration process should be established and maintained for employees who leave the organization so that they no longer have access to sensitive data.
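The controls in areas 3 and 4 (unique IDs, no concurrent logins, automatic logoff after inactivity, access limited by device, department or time of day, an emergency access procedure, and a monitored record of user actions) can be expressed as a single login decision. The following is an added illustration, not code from IS Decisions or the report; the session limit, idle timeout, shift hours, workstation-to-department map and user accounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not taken from the report).
MAX_SESSIONS = 1                                  # no concurrent logins
IDLE_LIMIT = timedelta(minutes=15)                # automatic logoff
SHIFT_HOURS = range(7, 20)                        # 07:00 to 19:59 local
WORKSTATION_DEPT = {"WS-ER-01": "ER", "WS-BILL-02": "BILLING"}
USER_DEPT = {"nurse.a": "ER", "clerk.b": "BILLING"}   # one unique ID each

def clock(hour, minute=0):  # constructed fixed date for reproducible scenarios
    return datetime(2024, 1, 15, hour, minute)

@dataclass
class Session:
    workstation: str
    last_active: datetime

@dataclass
class AccessManager:
    sessions: dict = field(default_factory=dict)  # user -> [Session]
    audit: list = field(default_factory=list)     # attribution trail

    def _expire_idle(self, now):
        # Automatic logoff: drop sessions idle longer than IDLE_LIMIT.
        for user, active in self.sessions.items():
            self.sessions[user] = [s for s in active
                                   if now - s.last_active <= IDLE_LIMIT]

    def _decide(self, now, user, workstation, outcome):
        # Every decision, granted or denied, is written to the audit trail.
        self.audit.append((now.isoformat(), user, workstation, outcome))
        return outcome.startswith("GRANT")

    def login(self, user, workstation, now, emergency=False):
        self._expire_idle(now)
        if user not in USER_DEPT:                 # unknown or shared login
            return self._decide(now, user, workstation, "DENY:unknown-user")
        if len(self.sessions.get(user, [])) >= MAX_SESSIONS:
            return self._decide(now, user, workstation, "DENY:concurrent")
        # Break-glass access skips the department and time-of-day limits but
        # still needs a unique identity and is flagged for later review.
        if not emergency:
            if WORKSTATION_DEPT.get(workstation) != USER_DEPT[user]:
                return self._decide(now, user, workstation, "DENY:department")
            if now.hour not in SHIFT_HOURS:
                return self._decide(now, user, workstation, "DENY:off-hours")
        self.sessions.setdefault(user, []).append(Session(workstation, now))
        return self._decide(now, user, workstation,
                            "GRANT:emergency" if emergency else "GRANT")
```

Each denied attempt is recorded alongside grants, so the audit list is the record that later attributes every action to one identified user, and emergency grants stand out for review.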
Click here to access IS Decisions’ checklist guide for ensuring data security.