The OCR released their Summer Cybersecurity Newsletter highlighting the importance of Information Access Management and Access Control. This would lead us to believe that the OCR will be focusing on this in their coming investigations.
The OCR Newsletter defines Access Control, “The Access Control standard is a technical safeguard that requires covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process.”
Below are items the OCR suggests for implementation along with a few of our own:
- Role Based Access
- Role based access ensures that employees only have access to information that is needed to perform their duties. This helps to keep sensitive information in as few hands as possible.
- On-Boarding and Off-Boarding Procedures and Documentation
- Having detailed procedures for when users are given access and when their access is removed is a very important step in on and off boarding. Old credentials that sit in your environment opens the risk of those credentials being comprimised without notice.
- Unique User Identification
- All users must have their own user ID and password and shared credentials should not be utilized. Shared credentials make it harder to tell which user is responsible for actions of an account.
- Implementing MFA can provide an additional level of security that could stop an attacker with credentials from gaining access to the environment.
- Automatic Logoff/Session Locks
- There may be an emergency, or someone forgot to logoff when leaving their workstation. Anyone walking by would be able to access the information on the workstation leaving the organization and its patients’ information at risk.
- Encryption and Decryption
- Encryption will protect the sensitive information on a device should it be lost, stollen, or if an attacker attempts to extract data from your environment.