Access Risk Management for Healthcare

The healthcare industry is modernizing — the use of electronic mechanisms to store and transmit information is rapidly becoming the norm across healthcare organizations. As the United States moves to comprehensive healthcare reform, paper records and forms are being replaced by electronic forms and applications that transmit patient information, electronic medical records, enrollment verifications and claims both within the organization and to outside parties.
The use of electronic mechanisms potentially offers cost savings through improved efficiency of business processes and enhanced quality of healthcare due to the ability of healthcare professionals to share and access patient information in a more timely and accurate manner.
The Challenge
The greatest challenge for healthcare organizations that emerges from the shift to electronic records is securing and protecting sensitive patient information as it is captured, stored and transmitted. Healthcare organizations must satisfy several overlapping compliance mandates, such as HIPAA, HITECH, PCI DSS, Massachusetts 201 CMR 17.00 and state data breach notification laws.
These mandates impose an obligation on healthcare organizations to ensure that only authorized personnel with a need to know have access to patient information and that mechanisms are in place to manage accountability in the event of a breach. They also require patient care organizations to periodically review and certify that their employees’ access privileges are consistent with their functional role in the organization.
This is becoming increasingly critical as regulations require covered entities (physicians and hospitals, for example) to ensure that their business associates (payors, insurance companies, etc.) also implement security processes and procedures designed to protect sensitive patient data against disclosure.
As a result, the adoption of digital medical records requires healthcare organizations throughout the country to implement comprehensive data security programs.
Courion in Healthcare
Courion’s Access Risk Management solutions — deployed at some of the largest, most prestigious healthcare institutions in the world — deliver stronger security by ensuring only the right people have the right access to the right resources. Healthcare customers who deploy Courion also significantly reduce overhead expenses and accelerate core business processes by making it much easier for demanding healthcare personnel to manage their own identities.
Some of the Access Risk Management Suite features that healthcare organizations rely on include:
Identify Unknown Accounts: Courion’s IdentityMap process locates user accounts on internal systems and associates those accounts with a known individual identified in a designated system of record, such as PeopleSoft HR. The initial IdentityMap scan can identify and resolve zombie accounts (often called orphan accounts), which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts that have appeared since the last scan, which may indicate an attack. Courion can then alert the appropriate personnel to take remedial action.
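The reconciliation pattern described above, as an added illustration: every discovered account is matched to an HR identity (by employee id, falling back to e-mail), accounts whose owner has left are reported as orphans, accounts with no owner as unknown, and unknown accounts that were absent from the previous scan are singled out. This is not Courion's IdentityMap code; the HR extract, account inventory, previous-scan set and matching attributes are all constructed for the example.

```python
"""Reconcile accounts discovered on systems against an HR system of record.

Added illustration of account reconciliation; not Courion's IdentityMap code.
All data below is constructed sample data.
"""

# Constructed HR system-of-record extract, keyed by employee id.
HR_RECORDS = {
    "E1001": {"name": "Alice Moreno", "status": "active", "email": "amoreno@example.org"},
    "E1002": {"name": "Bob Chen", "status": "terminated", "email": "bchen@example.org"},
    "E1003": {"name": "Carol Diaz", "status": "active", "email": "cdiaz@example.org"},
}

# Constructed account inventory from two target systems. EHR accounts carry the employee id
# in an attribute; file-server accounts expose only a username and a mail address.
ACCOUNTS = [
    {"system": "ehr", "username": "amoreno", "employee_id": "E1001", "email": "amoreno@example.org"},
    {"system": "ehr", "username": "bchen", "employee_id": "E1002", "email": "bchen@example.org"},
    {"system": "ehr", "username": "svc_backup", "employee_id": None, "email": None},
    {"system": "fileserver", "username": "cdiaz", "employee_id": None, "email": "cdiaz@example.org"},
    {"system": "fileserver", "username": "jdoe2", "employee_id": None, "email": "jdoe2@example.org"},
]

# (system, username) pairs seen on the previous scan (constructed).
PREVIOUS_SCAN = {("ehr", "amoreno"), ("ehr", "bchen"), ("ehr", "svc_backup"), ("fileserver", "cdiaz")}


def match_identity(account, hr_records):
    """Return the employee id this account maps to, or None if no identity matches.

    The employee id attribute is authoritative; e-mail is only a fallback, and is compared
    case-insensitively because mail systems treat addresses that way.
    """
    eid = account.get("employee_id")
    if eid in hr_records:
        return eid
    email = (account.get("email") or "").lower()
    if email:
        for cand_id, rec in hr_records.items():
            if rec["email"].lower() == email:
                return cand_id
    return None


def reconcile(accounts, hr_records, previous_scan):
    """Classify each account as mapped, orphan (owner no longer active) or unknown (no owner).

    Returns a dict of lists of (system, username[, employee_id]) tuples. Unknown accounts that
    were not present on the previous scan are also listed under "new_unknown": an account that
    appears between scans with no HR owner is the case the text flags as a possible attack.
    """
    result = {"mapped": [], "orphan": [], "unknown": [], "new_unknown": []}
    for acct in accounts:
        key = (acct["system"], acct["username"])
        eid = match_identity(acct, hr_records)
        if eid is None:
            result["unknown"].append(key)
            if key not in previous_scan:
                result["new_unknown"].append(key)
        elif hr_records[eid]["status"] != "active":
            result["orphan"].append(key + (eid,))
        else:
            result["mapped"].append(key + (eid,))
    return result


if __name__ == "__main__":
    for category, items in reconcile(ACCOUNTS, HR_RECORDS, PREVIOUS_SCAN).items():
        print(f"{category}: {items}")
```

On this data the terminated employee's EHR account comes back as an orphan, the service account is unknown but was already known from the last scan, and `jdoe2` is both unknown and new, which is the one that warrants an immediate alert.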
Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, security professionals, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with policy or industry regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.
Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. Integration with DLP technologies enables your organization to find sensitive patient or employee data, identify who has access to that data, determine how they obtained that access, and correct access that is inconsistent with the individual’s business role.
Identify Suspicious Activity: Courion’s User Activity Manager module uses leading security information and event management (SIEM) technologies to perform deep analysis of prior user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior — after-hours access, large data downloads, access from a previously unknown account, etc. — captured in system log files, and combine that data with information about the user engaged in that behavior, such as name, title, department, manager and location. You can then determine whether the individual’s behavior is consistent with the needs of the business, and take the appropriate steps to terminate access to key applications if it is not.
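The three patterns named above (after-hours access, large downloads, activity from an account with no known identity) expressed as detection rules run over sample log lines and enriched with directory attributes, as an added example. It is not Courion's User Activity Manager code and does not use any real SIEM API; the log line format, the 07:00 to 19:00 business-hours window, the 100 MiB download threshold and the directory entries are all constructed assumptions.

```python
"""Flag suspicious user activity in constructed system logs and enrich hits with identity data.

Added example of SIEM-plus-identity correlation; not Courion's User Activity Manager code.
Log format, thresholds and directory data are constructed for illustration.
"""
from datetime import datetime

# Constructed identity directory (what an HR or IdM system would supply), keyed by username.
DIRECTORY = {
    "amoreno": {"name": "Alice Moreno", "title": "Nurse", "department": "Oncology", "manager": "R. Patel"},
    "tlee": {"name": "Tom Lee", "title": "Billing Clerk", "department": "Revenue Cycle", "manager": "S. Novak"},
}

# Constructed log lines: "<ISO timestamp> user=<name> action=<verb> object=<what> bytes=<n>"
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=amoreno action=view object=patient/4471 bytes=2048
2024-03-04T02:41:17 user=amoreno action=view object=patient/9931 bytes=1900
2024-03-04T14:05:44 user=tlee action=export object=claims/2024-02 bytes=734003200
2024-03-04T23:58:09 user=svc_report action=export object=patient/all bytes=52428800
"""

# Assumed rule parameters; tune per site.
BUSINESS_HOURS = (7, 19)                # 07:00 to 19:00 local time counts as working hours
LARGE_DOWNLOAD_BYTES = 100 * 1024 ** 2  # 100 MiB


def parse_line(line):
    """Parse one constructed log line into a dict; raise ValueError on a malformed field."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        if not key or not value:
            raise ValueError(f"malformed field {field!r}")
        event[key] = value
    event["bytes"] = int(event.get("bytes", "0"))
    return event


def evaluate(event, directory):
    """Return the names of the rules this event triggers (empty list if none)."""
    hits = []
    if not (BUSINESS_HOURS[0] <= event["ts"].hour < BUSINESS_HOURS[1]):
        hits.append("after_hours")
    if event["bytes"] >= LARGE_DOWNLOAD_BYTES:
        hits.append("large_download")
    if event["user"] not in directory:
        hits.append("unknown_account")
    return hits


def analyse(log_text, directory):
    """Run every rule over every log line; attach identity context to each finding.

    A hit on an account with no directory entry keeps a placeholder identity so the reviewer
    can see at a glance that there is nobody to ask about the activity.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        rules = evaluate(event, directory)
        if rules:
            person = directory.get(event["user"], {"name": "<no identity on record>"})
            findings.append({"user": event["user"], "ts": event["ts"].isoformat(),
                             "rules": rules, "identity": person})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, DIRECTORY):
        print(finding)
```

The first line is a nurse reading a chart during the day and produces nothing; the remaining three each trigger at least one rule, and the last one (an after-hours bulk export by an account the directory does not know) is the case the text describes as combining a log pattern with a missing identity.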
Manage Employee Access Rights: Healthcare organizations must often cope with high employee turnover and meet the challenge of providing new employees with access to the systems they require to be productive on Day One, and automatically removing that access when they leave the organization. Healthcare organizations use Courion’s RoleCourier® solution to manage the role definition process, which ensures that users within a particular role – such as physician, nurse or billing clerk – have only the access rights they require to be productive. AccountCourier® then automates account creation and termination, using either the pre-defined roles or the access request and authorization process your organization already uses. These solutions ensure that users have the appropriate access rights, prevent separation of duties violations, and significantly reduce the time, effort and cost of managing employee access rights.
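Role-based provisioning with a separation-of-duties check, as an added example of the mechanism this paragraph describes. It is not RoleCourier or AccountCourier code. The roles, the entitlements each grants and the toxic combination (submitting and approving the same claims) are constructed; a real role model would be far larger and would be reviewed by the business owners of each system.

```python
"""Compute joiner/mover/leaver account actions from a role model and check separation of duties.

Added example of role-based provisioning; not Courion's RoleCourier or AccountCourier code.
Roles, entitlements and toxic combinations are constructed for illustration.
"""

# Constructed role model: each role grants a set of (system, entitlement) pairs.
ROLES = {
    "physician": {("ehr", "chart_read"), ("ehr", "chart_write"), ("ehr", "order_entry"), ("email", "mailbox")},
    "nurse": {("ehr", "chart_read"), ("ehr", "chart_write"), ("email", "mailbox")},
    "billing_clerk": {("billing", "claim_submit"), ("ehr", "chart_read"), ("email", "mailbox")},
    "billing_supervisor": {("billing", "claim_approve"), ("billing", "claim_report"), ("email", "mailbox")},
}

# Constructed separation-of-duties policy: no single person may hold both entitlements of a pair.
TOXIC_PAIRS = [
    (("billing", "claim_submit"), ("billing", "claim_approve")),
]


def entitlements_for(roles):
    """Union of the entitlements granted by a user's roles; empty for a leaver with no roles."""
    desired = set()
    for role in roles:
        desired |= ROLES[role]  # an undefined role raises KeyError on purpose: fail closed
    return desired


def plan_changes(current, roles):
    """Return (to_grant, to_revoke) that bring a user's actual access in line with the role model.

    A joiner has an empty `current`; a leaver has an empty `roles`, so everything is revoked;
    a mover gets the difference, which is where stale access from the old role is removed.
    """
    desired = entitlements_for(roles)
    return sorted(desired - current), sorted(current - desired)


def sod_violations(entitlements):
    """Return the toxic pairs that are fully present in an entitlement set."""
    return [pair for pair in TOXIC_PAIRS if pair[0] in entitlements and pair[1] in entitlements]


if __name__ == "__main__":
    # Mover: a billing clerk promoted to supervisor. Revoking the old role is what keeps SoD intact.
    current = entitlements_for(["billing_clerk"])
    grant, revoke = plan_changes(current, ["billing_supervisor"])
    print("grant:", grant)
    print("revoke:", revoke)
    print("SoD if old role is kept:", sod_violations(current | entitlements_for(["billing_supervisor"])))
```

The interesting case is the mover: if the old role is simply left in place when the new one is added (a common failure in manual provisioning), the user ends up holding both `claim_submit` and `claim_approve`, and `sod_violations` reports it; the diff returned by `plan_changes` revokes the stale entitlement instead.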
Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing costs associated with help desk calls because of its secure self-service password reset capability.
Benefits
Courion solutions allow organizations in the healthcare sector to:
- Improve productivity: create accounts for new permanent and contract employees (interns, residents, nurses, per diem staff, attending physicians, allied health personnel) quickly and easily, giving them immediate access to core clinical and administrative applications, while ensuring they have the minimum access to sensitive data required for their jobs.
- Manage access in dynamic environments: Modify access rights as employees change roles due to transfers, promotions, demotions or reorganizations.
- Improve security: automatically suspend or discontinue access when employees are terminated or go on leave. Transparent synchronization technology lets users use the same username/password combination on all systems, reducing the temptation to write passwords down; because one synchronized password then opens every connected system, it should be paired with strong password policy and prompt deprovisioning.
- Reduce costs: enable users to securely reset a forgotten or expired password from their Windows workstation, through a web browser or over the telephone, without calling the help desk. Provisioning enables substantial reductions in the IT staff overhead dedicated to account creation, management and termination.
- Improve convenience: deliver single sign-on (SSO) solutions for healthcare professionals who demand the ultimate in convenience and time-savings.
- Demonstrate compliance: quickly and easily attest that employees have access rights that are consistent with organization policy, HIPAA, Sarbanes-Oxley, and other relevant industry or government requirements.