Much focus these days is placed on protecting EHR data from external threats, and rightly so. But assuring and maintaining proper identity management practices is of equal importance.
The Healthcare Information and Management Systems Society (HIMSS) has identified data integrity as one of three foundational components of data security, along with confidentiality and availability. And of the four implementation specifications named by HIPAA under the Security Rule Technical Safeguard Standard, unique user identification is required for proper access control.
But data integrity and user identification are often neglected, with more focus placed upon data confidentiality and availability.
Bad from the Beginning
How does poor data quality become a problem? Problems can be written into a user record from the very beginning, with a record structure/input protocol that permits creation of a record with insufficient information. Most frequently, these records will fall into one of two categories:
- Unknown User: No information is recorded other than the user ID and password
- Poorly Known User: More identifying information may exist, such as name and job title, but there’s not enough information provided to enable contacting the user through any means
Identity Intelligence involves an in-depth understanding of each user: Who the user is, their role in the organization, and the organizational assets to which the user has access. Identity Intelligence has become a foundational and crucial component in enforcing security and maintaining HIPAA compliance. Informational deficiencies such as the two noted above undermine the usefulness and effectiveness of Identity Intelligence.
Maintaining strong Identity Intelligence requires the ability to discover and correlate:
- Well-known users
- Poorly known users
- Ungoverned users
- Untrained users
When Good Data Goes Bad
It is possible, of course, for bad data to be input upon the creation of a record. But it’s also common for data which was once accurate and up-to-date to become inaccurate over time.
Many factors can contribute to this problem. Legacy application infrastructures often require manual updates to keep information current—and manual updates just aren’t performed on a regular, timely basis at most organizations.
The upheaval that’s currently a component of healthcare is also a factor. As organizations merge or are acquired, and employee blocks are combined, proper database updates are often neglected. And the mass move to cloud-based applications sometimes further contribute to a lapse in data integrity.
It’s important to ensure that employee data records are kept relevant and up-to-date. But the following common practices contribute to the proliferation of bad data within many healthcare organizations:
- Recycling user IDs
- Multiple user IDs for one user
- Not integrating uniform unique user IDs across all systems
- Failure to adopt/update role based access for users
- Generic user IDs and allowing users to share credentials
- Unestablished naming conventions to decipher between workforce members and contractors or vendors
It’s particularly crucial that employee permissions are updated in a timely manner, and that records are disabled when employees are off-boarded. Employee accounts left active after the employee has left the organization perpetuates a common security risk at healthcare organizations worldwide.
Don’t Focus Solely on External Security
Every healthcare organization on the planet faces unprecedented cybersecurity concerns. Pilfered healthcare records offer criminals a bounty that’s unequaled by any other form of data theft. That’s why healthcare is the industry vertical that is most targeted by cybercriminals.
Most healthcare executives are aware of the external threats facing their organizations, and are making efforts to counter those external threats. But the internal threats posed by bad or out-of-date patient and employee data—while equally significant—receive far less attention.
And that exposes healthcare organizations to increased risks of OCR audits and fines, and the loss of patient trust.