What are healthcare organizations doing to ensure employees have only the necessary access to sensitive data?
Access to personal data can be life-dependent when it comes to the healthcare industry. Doctors and nurses need to access medical files promptly without complicated processes in order to ensure proper delivery of care. However, at the same time, maintaining confidentiality of data records is of prime importance.
Both HIPAA and the DPA require that individuals handling patient data have access only to the degree necessary for them to perform their role: no more, no less. Firstly, it is going to be very difficult to meet this requirement without the unique user identification controls we went through in the last section, but there are further levels of access control beyond that.
Access to patient data
Given the nature of the healthcare industry, it was no surprise to see that the majority of healthcare workers, 82% (US) and 69% (UK), have access to patient data. In the UK, under section 7 of the Data Protection Act 1998, responsibility for access control lies with the ‘data controller’, essentially the authorised entity that determines the purposes for which, and the manner in which, personal data will be processed. This means that each organisation should have policies and procedures in place for access control.
The degree of access necessary
Although the majority, 84% (US) and 86% (UK), think that the data they have access to is necessary for their role, it was concerning to see that 18% (US) and 13% (UK) think that the level of access they had was greater than necessary. HIPAA guidelines state that authorised users should only have access to the minimum necessary information needed to perform their job functions.
File and folder access
When asked more directly, 57% (US) and 42% (UK) said that they can only access the files and folders they need to do their job. The research also showed that 41% (US) and 30% (UK) have a specific level of user access that restricts them to certain files and folders. So while overall respondents feel the level of access they have is appropriate, when asked more specifically it appears that organisations are not defining access at a granular level. HIPAA also outlines that organisations should have an emergency access procedure in place so that employees can obtain necessary electronic protected health information during an emergency.
Monitoring file access
To take the issue of necessity a step further, in order to prove to regulators that employees are only accessing the files they need to perform their role, comprehensive monitoring of that access must take place. We found that 50% of US and 34% of UK healthcare workers are aware of their organisation monitoring network access. Awareness of monitoring of specific files and folders is lower (38% US and 20% UK), and of monitoring of actions (copying, moving, deleting) slightly higher than that (41% US and 19% UK). Once again, it is possible that organisations are monitoring without employee knowledge, but transparency in this regard will encourage good behaviour.
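As an added illustration of the three controls discussed above (role-scoped file and folder access, a logged emergency access procedure, and monitoring of actions such as copying and deleting), the following example, which is not from the original report, reviews a constructed file-access audit log against a per-role "minimum necessary" scope. The log format, field names, role scopes and paths are all assumptions made for the example.

```python
import re

# Constructed sample audit records; the format and field names are assumptions
# for this example, not any product's real log schema.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=nurse01 role=nurse action=read path=/ehr/ward3/patient-4412.pdf
2024-03-01T08:05:40Z user=nurse01 role=nurse action=read path=/ehr/ward7/patient-9031.pdf
2024-03-01T08:10:02Z user=billing02 role=billing action=copy path=/ehr/ward3/patient-4412.pdf
2024-03-01T08:12:55Z user=doc05 role=physician action=read path=/ehr/ward7/patient-9031.pdf emergency=true
2024-03-01T08:15:30Z user=admin01 role=sysadmin action=delete path=/ehr/ward3/patient-4412.pdf
"""

# Minimum-necessary scope per role (assumed): folder prefixes and actions the role may use.
ROLE_SCOPE = {
    "nurse":     {"prefixes": ["/ehr/ward3/"], "actions": {"read"}},
    "physician": {"prefixes": ["/ehr/ward3/"], "actions": {"read", "write"}},
    "billing":   {"prefixes": ["/billing/"],   "actions": {"read"}},
    "sysadmin":  {"prefixes": [],              "actions": set()},  # no clinical data access
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: emergency=(?P<emergency>\S+))?"
)

def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def review(log_text):
    """Return (user, finding, path) tuples for events a compliance reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        scope = ROLE_SCOPE.get(ev["role"], {"prefixes": [], "actions": set()})
        in_scope_path = any(ev["path"].startswith(p) for p in scope["prefixes"])
        in_scope_action = ev["action"] in scope["actions"]
        if ev.get("emergency") == "true":
            # Emergency ("break-glass") access is permitted, but every use is queued for review.
            findings.append((ev["user"], "emergency-access-review", ev["path"]))
        elif not in_scope_path:
            findings.append((ev["user"], "outside-role-folder", ev["path"]))
        elif not in_scope_action:
            findings.append((ev["user"], "action-not-permitted", ev["path"]))
    return findings
```

Running `review(SAMPLE_LOG)` flags the nurse reading another ward's file, the billing user copying a clinical record, the sysadmin deleting one, and the physician's emergency access, while the nurse's in-scope read produces no finding.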