Hospitals and clinics have to find the right balance between security and accessibility for their staff and patients. Statistics show workplace violence is on the rise in healthcare settings, and according to IBM’s annual Cost of a Data Breach Report, data breaches cost healthcare organizations nearly $11 million per incident on average in 2023.
“Access control is paramount for securing sensitive and protected resources,” says Wes Gyure, executive director of product management for identity and access management at IBM Security. “Failure to properly manage access can have a huge impact on costs, brand damage or even operational downtime.”
What Is Access Control?
Access control systems regulate and restrict access to resources, systems and physical areas within an organization or computer system.
Only authorized users with the proper permissions may access controlled materials; for instance, access to a medicine dispensary might be limited to pharmacists, and only certain employees should have access to electronic medical records.
“Granting access is just a piece of the process,” says Carla Wheeler, vice president and CISO at Ochsner Health. “You need to continuously monitor for changes, verify users and remove access when it is no longer needed.”
What Are the Types of Access Control?
There are three types of access control systems health IT teams should be aware of:
1. ROLE-BASED ACCESS CONTROL
For this control type, access is based on which resources are needed to perform a job. “Role-based access control can reduce administrative overhead because permissions can be assigned to roles rather than individuals,” Gyure says.
“For example, we created a third-floor nurse template,” explains Melissa Rappl, CISO at Children’s Nebraska in Omaha, Neb. “When we hire a new person for that team, we already know which systems and resources they’ll need access to, and that’s what they are assigned.”
Role-based access control is also useful for detecting suspicious activity, Rappl adds. “When we run an audit log, let’s say Bob from the 5th floor cardiac unit accessed a third-floor patient’s chart, and that’s not his role. That’s going to be a flag.”
2. DISCRETIONARY ACCESS CONTROL
In a discretionary access control system, information is shared on a need-to-know basis. This method decentralizes access control decisions because the data owner, rather than a central administrator, controls who may access the data.
Think of your personal OneDrive — you can share it with others or revoke access instantaneously, at your own discretion.
3. MANDATORY ACCESS CONTROL
Mandatory access control is most common in government and military settings. Access rights are organized into tiers such as “restricted,” “confidential” and “secret.” Access to the resource is determined by the user’s clearance level.
Privacy functions for children’s medical records may fall under mandatory access control. Access may be granted only to certain providers and restricted to other hospital staff.
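The three models above can be hard to tell apart in the abstract, so here is an added example (not code from the article or from any of the organizations quoted) that shows each as a small decision function, then runs the role-based check over a few constructed audit-log lines to reproduce Rappl's "Bob from the cardiac unit opened a third-floor chart" flag. The role names, units, users, permission strings and log format are all assumptions made up for the illustration.

```python
"""Three access-control models side by side, plus a role-mismatch check over an
audit log. Everything here is a constructed illustration: the roles, units,
users and log lines are made up for the example and match no real system.
"""
from dataclasses import dataclass

# Role-based: a role template lists everything a job needs, and people inherit it.
ROLE_TEMPLATES = {
    "nurse_floor3": {"chart:read:floor3", "chart:write:floor3"},
    "nurse_floor5_cardiac": {"chart:read:floor5", "chart:write:floor5"},
    "pharmacist": {"dispensary:open", "chart:read:floor3", "chart:read:floor5"},
}

# Mandatory: fixed sensitivity tiers; a subject needs clearance >= the object's label.
MAC_LEVELS = {"restricted": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: int = 0  # MAC clearance expressed as a level number from MAC_LEVELS


def rbac_allows(user: User, permission: str) -> bool:
    """Permission is granted only if the user's role template contains it."""
    return permission in ROLE_TEMPLATES.get(user.role, frozenset())


class DacResource:
    """Discretionary: the owner decides who may access and can revoke at will."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self._shared_with: set[str] = set()

    def share(self, actor: str, grantee: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self._shared_with.add(grantee)

    def revoke(self, actor: str, grantee: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self._shared_with.discard(grantee)

    def allows(self, user: str) -> bool:
        return user == self.owner or user in self._shared_with


def mac_allows(user: User, label: str) -> bool:
    """Mandatory: the user's clearance must dominate the object's classification."""
    return user.clearance >= MAC_LEVELS[label]


def flag_out_of_role_access(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (user, role, action) for audit entries the user's role does not cover.

    Each line is a constructed key=value record such as
    'ts=... user=bob role=nurse_floor5_cardiac action=chart:read:floor3 patient=P-0042'.
    """
    flagged = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        user = User(fields["user"], fields["role"])
        if not rbac_allows(user, fields["action"]):
            flagged.append((user.name, user.role, fields["action"]))
    return flagged


# Constructed audit log: Bob works on the 5th-floor cardiac unit but opens a
# third-floor chart, which his role template does not include.
SAMPLE_LOG = [
    "ts=2024-05-01T09:02:11Z user=alice role=nurse_floor3 action=chart:read:floor3 patient=P-0017",
    "ts=2024-05-01T09:05:40Z user=bob role=nurse_floor5_cardiac action=chart:read:floor3 patient=P-0017",
    "ts=2024-05-01T09:07:03Z user=dana role=pharmacist action=dispensary:open patient=-",
]

if __name__ == "__main__":
    for entry in flag_out_of_role_access(SAMPLE_LOG):
        print("FLAG out-of-role access:", entry)
```

The point of the audit check is that a role template doubles as a detection baseline: any action outside the template is worth a look, even when the application itself allowed it. A real deployment would pull the role from the identity system at review time rather than trusting the role written into the log line.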
How Access Control Helps Overall Hospital Security
Access control is layered in with physical and cybersecurity efforts. “Knowing where your critical data and systems are located — and who accesses them, when and how — are must-haves,” Wheeler says.
“Having appropriate visitor management processes, biometric controls and a vetting process for vendors” helps support physical security, Rappl says, “and access control is the backbone of cybersecurity. Breaches occur when people are able to subvert that access and escalate privileges.”
Gyure adds that “connecting physical and digital access controls helps to simplify the administrative burden to ensure security and compliance.”
What Are the Primary Challenges of Access Control in Healthcare?
“Privilege creep” is a common challenge, explains Rappl. She says access control teams should resist granting privileges as a one-off instance. “You may hear, ‘this person only needs this resource for this one time.’ That’s rarely the case,” she says.
To deal with such situations, Rappl advises speaking with department leaders to determine whether everyone on that team needs expanded privilege or if the individual’s role has changed.
Keeping track of job changes within the organization is also critical, she says. At her organization, identity and access management analysts review role changes and adjust staffers’ privileges.
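The review Rappl describes, comparing what people actually hold against what their current role needs and catching "just this once" grants that were never taken back, can be expressed as a short script. The following is an added example, not the article's or any vendor's code; the role templates, account inventory, temporary grants and dates are constructed for the illustration.

```python
"""Access review for privilege creep: compare what each account actually holds
against its current role template, and expire one-off grants. Constructed
illustration with made-up roles, users and dates; not a real IAM product's API.
"""
from datetime import date

ROLE_TEMPLATES = {
    "nurse_floor3": {"chart:read:floor3", "chart:write:floor3"},
    "nurse_floor5_cardiac": {"chart:read:floor5", "chart:write:floor5"},
    "iam_analyst": {"iam:review", "iam:adjust"},
}

# Constructed account inventory. Bob moved from the cardiac unit to the third
# floor, but his old entitlements were never removed. Alice still holds a
# dispensary right that came from a one-off grant that has since expired.
ACCOUNTS = [
    {"user": "alice", "role": "nurse_floor3",
     "held": {"chart:read:floor3", "chart:write:floor3", "dispensary:open"}},
    {"user": "bob", "role": "nurse_floor3", "previous_role": "nurse_floor5_cardiac",
     "held": {"chart:read:floor3", "chart:write:floor3",
              "chart:read:floor5", "chart:write:floor5"}},
    {"user": "erin", "role": "iam_analyst",
     "held": {"iam:review", "chart:read:floor3"}},
]

# Constructed one-off grants with an explicit end date, so a "just this once"
# request cannot silently become permanent.
TEMP_GRANTS = [
    {"user": "alice", "entitlement": "dispensary:open", "expires": date(2024, 3, 1)},
    {"user": "erin", "entitlement": "chart:read:floor3", "expires": date(2024, 12, 31)},
]


def review_accounts(accounts, temp_grants, today):
    """Return findings: excess and missing entitlements per user, users whose
    old role's rights survived a role change, and temporary grants past their end date."""
    findings = {"excess": {}, "missing": {}, "role_changed": [], "expired": []}
    active_temp = {(g["user"], g["entitlement"])
                   for g in temp_grants if g["expires"] >= today}
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        template = set(ROLE_TEMPLATES.get(role, set()))
        # A still-valid temporary grant is tolerated for now; an expired one is not.
        allowed = template | {ent for (u, ent) in active_temp if u == user}
        excess = acct["held"] - allowed
        missing = template - acct["held"]
        if excess:
            findings["excess"][user] = excess
        if missing:
            findings["missing"][user] = missing
        old_template = ROLE_TEMPLATES.get(acct.get("previous_role", ""), set())
        if excess & old_template:
            findings["role_changed"].append(user)
    for g in temp_grants:
        if g["expires"] < today:
            findings["expired"].append((g["user"], g["entitlement"]))
    return findings


if __name__ == "__main__":
    result = review_accounts(ACCOUNTS, TEMP_GRANTS, today=date(2024, 6, 1))
    for user, ents in result["excess"].items():
        print(f"REMOVE from {user}: {sorted(ents)}")
    for user, ents in result["missing"].items():
        print(f"GRANT to {user}: {sorted(ents)}")
    print("role changed, old rights retained:", result["role_changed"])
    print("expired one-off grants:", result["expired"])
```

Two design choices worth noting: temporary grants carry an end date so the review can decide mechanically whether a lingering right is still justified, and the "role changed" finding is derived from the overlap between excess rights and the previous role's template, which points the analyst straight at the job change that caused the creep.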
This type of oversight is especially critical for vendor management. Hospitals rely on hundreds or thousands of external vendors, and research shows a majority of data breaches involve third-party entities.
A thorough vetting process must be completed before allowing a vendor into the hospital or granting them access to digital resources, Rappl says. Then, access should be granted only to the exact resources needed to complete the task.
Access control teams also need to consider context when deciding how to bolster hospital security. “In a hospital where doctors and nurses are wearing masks and gloves, the use of biometrics for secure authentication is not feasible,” Gyure says.
What Can Healthcare Organizations Do to Improve Access Control Measures?
The first step to enhancing access control is to do an internal audit. “Once you have an understanding of who is already accessing your environment and why, you can start working on administrative policies to define and clarify what IT’s role is in granting and revoking access,” Rappl says.
Wheeler says bringing in a “third party for fresh eyes with industry experience” can be beneficial for this type of internal assessment. She also recommends security awareness training for staff.
Other solutions include implementing multifactor or passwordless authentication systems to better protect digital resources and using key cards attached to an individual’s mobile device to prevent physical breaches.
“A combination of policies should be deployed to reduce administrative fatigue, and ultimately make security measures more pervasive and effective,” Gyure says.