Health systems today are more vulnerable than ever to data breaches and malicious cybercrime. Regular user access reviews are a key part of securing critical data, but it comes with challenges, costs and potential roadblocks.
During a virtual roundtable session sponsored by SecureLink as part of Becker’s 6th Annual Health IT + Revenue Cycle Conference, Daniel Fabbri, chief data scientist at SecureLink, spoke with a group of healthcare leaders about the current state of access reviews, challenges they face and how they plan to move forward. Here are the three major insights:
1. Security risks to healthcare systems remain high.
“Attacks on healthcare organizations continue for a number of reasons,” Mr. Fabbri said. “Healthcare organizations are targeted because they are critical infrastructures in our society and data stored on electronic medical records can be used for identity theft. Ensuring these systems operate effectively and securely is paramount.”
Balancing security concerns with staff and patient needs must be considered. Regular access reviews for large organizations can quickly become overwhelming, considering that hundreds or thousands of employees may require varying degrees of access and permission in multiple systems.
“One question is how do we deploy a good review process to make sure we limit exposure to phishing and cyberattacks without killing our IT staff,” Mr. Fabbri said. “Some employees are also overworked, so adding one more thing on the security side can feel like too much.” As a result, sometimes access is just granted to help make jobs easier and more efficient.
A CEO of a major health system in the southeast supported Mr. Fabbri’s statement, adding that “you don’t want to negatively impact patient care because you’ve shut somebody out of a system,” although he believes that artificial intelligence can help streamline the access review process.
2. Appropriate scheduling of access reviews, consistency in process and vendor management are key challenges for health systems.
While many organizations have some level of access review, they face different roadblocks. According to a chief security officer at a Midwest health system, determining frequency of reviews can be a challenge. “We use a risk-based approach that elevates our superusers to more frequent reviews,” she said. “We also have thousands of general users, and trying to decipher how much to audit or review those users becomes our challenge.”
A health system in the Southeast uses single sign-on reviews on a periodic basis, which solves and creates problems at the same time. “Not all our applications are single sign-on applicable, which forces us to create different sets of credentials,” he said. New vendors with their own applications add to the consistency problem. Another health system executive from the Southeast emphasized the importance of vetting all third-party vendors; this includes vetting not only the vendor as an organization but also each individual working in a specific area.
3. Distributing access review responsibilities throughout an entire organization makes security part of a daily process.
Instead of putting the burden of access reviews entirely on IT, healthcare organizations must divide and conquer. Each manager or data owner should regularly review access rights and update as necessary. “We need to make security and privacy something we don’t have to remember,” Mr. Fabbri said. “If it’s just part of our process, we’ll have tighter controls and a greater likelihood for success.”
With healthcare-focused cyberattacks expected to continue, or even increase, for the foreseeable future, organizations must take appropriate steps to improve their security. Access control must be a top security priority for any healthcare organization.
To learn more about the importance of regular user access reviews, visit our Access Intelligence product page.