One of the most basic practices in developing a network security strategy is better managing user privileges and applying the minimum necessary rule. The minimum necessary standard requires a covered entity to make reasonable efforts to limit the PHI it uses, discloses, or requests to the minimum necessary to accomplish the intended purpose. Below are three tips for better managing user privileges:
New Hires: When a new employee is hired, Tom Walsh of tw-Security suggests giving the new employee their network username and password in a Terms Agreement that the new employee must agree to. Walsh also suggests that HR communicate with IT so that the new employee's login credentials are created prior to hire. This eliminates the need for managers to share their own login information with new hires until the new hire has their own. It is also crucial to establish role-based access so that the organization can streamline employees' access to patient data based on job role and always knows who has access to what.
Avoid Dormant Accounts: As soon as a doctor, manager, or any other network user leaves a healthcare organization, all of their user accounts need to be closed. For this to happen seamlessly, it's very important that the HR and IT departments communicate. Dormant accounts pose a huge security threat to the network: they allow past users to get back into the system, and a criminal who takes over one of these accounts gains the same access to patient data that the previous user had.
System Administrators: Walsh explained that many healthcare organizations also have issues with their system administrators – they are the king of kings, with access to every piece of data on the system, which sometimes means they don't follow the rules that everyone else follows. Walsh suggests holding system administrators accountable to the same controls as everyone else to help reduce risk.
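The dormant-account and administrator points above amount to one recurring check: reconcile the directory against the HR roster and flag accounts whose owner has left, that have no owner on record, or that have not logged in for a set period, applying the same threshold to administrator accounts. The script below is an added example written for this page, not code from the article or from tw-Security; the account list, HR roster, employee IDs and 90-day threshold are all constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample data: what an export of the directory might look like.
# "owner" is the HR employee ID the account belongs to; None means nobody claims it.
ACCOUNTS = [
    {"user": "jsmith",  "owner": "E100", "last_login": date(2024, 5, 30), "admin": False},
    {"user": "drlee",   "owner": "E200", "last_login": date(2024, 1, 4),  "admin": False},
    {"user": "mgarcia", "owner": "E300", "last_login": date(2024, 5, 29), "admin": False},
    {"user": "sysadm",  "owner": "E400", "last_login": date(2023, 11, 1), "admin": True},
    {"user": "svc_lab", "owner": None,   "last_login": date(2024, 5, 28), "admin": False},
]

# Constructed HR roster of currently employed IDs. E200 has left the organization.
HR_ACTIVE = {"E100", "E300", "E400"}

# Constructed "as of" date for the review run.
AS_OF = date(2024, 6, 1)


def find_risky_accounts(accounts, hr_active, today, dormant_days=90):
    """Return a list of (username, reasons) for accounts that should be disabled
    or reviewed. Administrator accounts are judged by exactly the same rules."""
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        reasons = []
        if acct["owner"] is None:
            reasons.append("no owner on record")
        elif acct["owner"] not in hr_active:
            # HR says the person is gone but IT still has an enabled account.
            reasons.append("owner no longer employed")
        if acct["last_login"] < cutoff:
            reasons.append(f"no login in {dormant_days} days")
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


if __name__ == "__main__":
    by_user = {a["user"]: a for a in ACCOUNTS}
    for user, reasons in find_risky_accounts(ACCOUNTS, HR_ACTIVE, AS_OF):
        flag = "[ADMIN] " if by_user[user]["admin"] else ""
        print(f"{flag}{user}: {'; '.join(reasons)}")
```

Run on the sample data it reports drlee (departed and dormant), sysadm (a dormant administrator account, flagged like any other) and svc_lab (no owner), and nothing for the two active users.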