Study: Make access control workable to improve security, privacy

Setting access controls for electronic health records--determining who can get in and what they can do there--isn't that easy. And once set, such policies can devolve into an "unmanageable spaghetti" of shared passwords, Post-It notes and other circumvention, note Dartmouth College researchers who set out to explore how hospital workers feel about access controls.

Their work was presented at the 3rd Usenix Workshop on Health Security and Privacy earlier this week.

A policy that's too loose might allow inappropriate access, while one that's too strict could encourage circumvention, which might carry regulatory and legal consequences.

So the researchers recruited volunteers at a hospital from a variety of roles. They included clinicians (doctors, nurses, residents, and medical students) and others (administrative workers and IT staff). The 164 participants were randomly assigned to a control group (86 people) or an experimental treatment group (78). In a 15-minute online survey, they were presented with 13 common EHR scenarios. Subjects were told the situations were hypothetical and, in particular, that they were not subject to their employer's current policy.

Subjects were asked whether a certain action should or should not be allowed in each scenario, answering on a Likert scale from 1 to 5, with 1 corresponding to a more restrictive policy and 5 to a more open one.

In the control version, the scenarios were phrased in an abstract, role-based way (following HIPAA teachings on EMR access-control best practices), more or less describing how access should be assigned. The experimental version put participants in the user's role. Significantly different answers between the two groups would indicate problem areas, the researchers said.

They found that in seven of the 13 scenarios, users deemed the policies overly constraining. If administrators feel these policies are correct, they might require more education, stronger controls and more auditing, since users are likely to feel frustrated, the authors said. More ambivalent administrators might allow users to take the action they feel is necessary, but require those users to justify it later.

In four of the 13 scenarios, users encountered controls they deemed reasonable, and in two scenarios, policy was found to be looser than users required.

The authors noted that in their test, some of the real-life policy makers were end users, so the answer is not as simple as involving more users in drafting policy. They also said administrators should not shy away from enforcing controls out of fear of pushback from frustrated users.

While those portraying users tended to allow looser policy, the authors said that identifying and reducing those gaps between best practice and practical use could help improve usability and security of medical IT.

Proper access controls are essential for privacy and security--reports routinely pop up of celebrities' medical records being accessed by snoopers on staff. The proliferation of mobile devices--and the aftermath when they're lost or stolen--can put access-control policy in an unflattering spotlight.
