St. Luke's Health System works closely with its human resources and other business departments to ensure employee access to information is based on a precisely prescribed role, Reid Stephan, IT security director, says in an interview with Healthcare Info Security.
Boise, Idaho-based St. Luke's operates eight medical centers, a children's hospital and a variety of specialty care clinics. As part of its effort to prevent breaches, the process ensures that an employee at "nurse level 1" has the access appropriate to that job and that this access is consistent across the organization, he says. A manager has to request any further access for that employee from the access-management team, and the grant is logged as an exception.
That eliminates the problem of modeling a new hire's access on that of a 15- or 20-year veteran who has changed roles over time and never had the access from those earlier roles rescinded.
Stephan says that when he came to the job, access management was considered an IT function. Now it's part of department managers' role.
"We're partnering with the business to make them understand that just as they're responsible for the budgets, they're also responsible for the access levels their employees have," he says.
St. Luke's also has an access-management process for systems administrators, according to Stephan. Personnel must log in with two-factor authentication, check out the credentials needed to do their work, then afterward check those credentials back in. Passwords for those credentials are changed randomly, he says, to help prevent them being stolen or used inappropriately, and the system creates an audit trail of who checked the credential out and what they've done with it.
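An in-memory model of the administrator workflow described above, added here as an illustration and not St. Luke's own tooling: a check-out requires a completed second factor, only one holder at a time may hold a credential, the password is rotated on check-in so the copy the administrator saw stops working, and every decision lands in an audit trail. Class and method names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of a privileged-credential vault with check-out / check-in.
# This is illustrative code, not the health system's actual implementation.

@dataclass
class Credential:
    name: str
    password: str
    checked_out_by: Optional[str] = None   # admin currently holding it, if any

@dataclass
class CredentialVault:
    creds: Dict[str, Credential] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (event, admin, cred, reason)

    @staticmethod
    def _new_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def add(self, name: str) -> None:
        self.creds[name] = Credential(name, self._new_password())

    def checkout(self, admin: str, mfa_ok: bool, name: str, reason: str) -> Optional[str]:
        """Return the password if the check-out is allowed, else None (denial is still logged)."""
        if not mfa_ok:                      # second factor must be completed first
            self.audit.append(("DENY_NO_MFA", admin, name, reason))
            return None
        cred = self.creds[name]
        if cred.checked_out_by is not None: # one holder at a time keeps the trail unambiguous
            self.audit.append(("DENY_IN_USE", admin, name, reason))
            return None
        cred.checked_out_by = admin
        self.audit.append(("CHECKOUT", admin, name, reason))
        return cred.password

    def checkin(self, admin: str, name: str) -> bool:
        """Release the credential and rotate its password; only the holder may check it in."""
        cred = self.creds[name]
        if cred.checked_out_by != admin:
            self.audit.append(("DENY_NOT_HOLDER", admin, name, ""))
            return False
        cred.checked_out_by = None
        cred.password = self._new_password()  # rotation makes the disclosed value useless
        self.audit.append(("CHECKIN_ROTATED", admin, name, ""))
        return True
```

The audit list is what a reviewer would export to a SIEM; the rotation on check-in is what limits the window in which a copied password is worth anything.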
The Government Accountability Office in an April report criticized federal agencies such as the Department of Veterans Affairs for cybersecurity weaknesses including poor access controls.
What's more, the cyberattack at Anthem, which compromised records for close to 80 million people, is among the recent breaches attributed to stolen employee credentials rather than lack of encryption.