Role Based Access Control - RBAC
What happens when information leaks?
Well... a “leak” implies that things are not all well. Since a medical office has, in figurative terms, a boatload of personal information residing within its walls, it is of course important to keep it as secure as possible without impeding workflow. The owner (usually a physician), who probably planned a career in helping people rather than in IT, can nonetheless be tasked with technical minutiae in order to adhere to regulations, and with watching for the more common office misdemeanors.
With regard to RBAC, larger businesses have used it for years. It simply means that not everyone has access to everything on your computer system. There are several ways to accomplish this, but most follow the same format. Some basic components may include:
· Computer passwords
· Unattended computer sign-off
· Password protecting programs or files
While more detailed components may include:
· Office and medical software settings that grant or deny access to certain persons (roles with access rights)
· Automatic sign-off of unattended programs or files
· Reporting of who accessed certain data
· Network Cabinet access control
· Printer access control
· Medicine cabinets
· Medicine sign-out forms
What might these role assignments do for the business?
· Help with regulatory adherence
· Act as a forensic pathway when investigating “what happened” if an unfortunate event should occur
· Serve as a roadmap for disciplinary action
· Formally inform each employee of their abilities and limitations with regard to data access
· Help to avert employee morale problems with regard to payroll, office promotions, etc.
Though some involvement from an IT or computer support company (you likely use one) may be required to set up file protection, the concept of setting things up isn’t that complicated, and can be started by your office manager, who is probably Microsoft Office Excel literate.
The order of set up might be:
· Take account of all software being used in your business.
· If no formal employee titles exist, it’s best to assign them.
· Assign access roles, and rights to each role.
· Begin, or have your Office Manager begin, an Excel workbook to map out the Role Based Access Control designations for your office. Link to EXAMPLE
· The next step is to decide who gets access to certain data. This will likely be a discussion between the Office Manager and you, though the Office Manager begins the process.
· After the roles have been established and decisions have been made about who needs access to certain data, it’s time to set up the equipment and software.
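The steps above come down to three tables: which rights each role holds, which role each employee holds, and a record of who accessed what. The following Python script is an added example (not code from this blog or from 1PointUSA) that models those tables for a constructed clinic, answers access questions deny-by-default, keeps an audit trail, flags roster mistakes worth reviewing before rollout, and renders the same role/resource matrix an Office Manager would keep in the RBAC workbook as CSV. All role, employee, resource and action names are invented for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data (not from any real clinic): each role maps to the
# rights it holds, written as "<resource>:<action>".
ROLE_RIGHTS = {
    "Physician": {"patient_chart:read", "patient_chart:write",
                  "prescription:write", "billing:read"},
    "Nurse": {"patient_chart:read", "patient_chart:write",
              "medicine_cabinet:open"},
    "Front Desk": {"appointments:read", "appointments:write", "billing:read"},
    "Office Manager": {"appointments:read", "billing:read", "billing:write",
                       "payroll:read", "payroll:write"},
    "Lab Tech": {"lab_results:read"},   # defined, but nobody on the roster holds it
}

# Constructed employee roster: each login name maps to exactly one role.
EMPLOYEE_ROLE = {
    "dr.smith": "Physician",
    "j.doe": "Nurse",
    "a.lee": "Front Desk",
    "m.chan": "Office Manager",
    "temp.user": "Intern",   # title exists on the roster, but no rights were ever defined
}

# In-memory audit trail of every access decision, allowed or denied.
ACCESS_LOG = []


def rights_for(employee):
    """Rights an employee holds through their role; empty if unknown or unassigned."""
    role = EMPLOYEE_ROLE.get(employee)
    return frozenset(ROLE_RIGHTS.get(role, ()))


def check_access(employee, resource, action, when=None):
    """Decide whether employee may perform action on resource, and log the decision.

    Deny-by-default: unknown employees, roles without defined rights and
    missing rights all evaluate to False.
    """
    allowed = f"{resource}:{action}" in rights_for(employee)
    ACCESS_LOG.append({
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "employee": employee,
        "role": EMPLOYEE_ROLE.get(employee, "<unassigned>"),
        "resource": resource,
        "action": action,
        "allowed": allowed,
    })
    return allowed


def who_accessed(resource, allowed_only=True):
    """Answer the 'who accessed this data' question from the audit trail."""
    return [e for e in ACCESS_LOG
            if e["resource"] == resource and (e["allowed"] or not allowed_only)]


def review_assignments():
    """Flag roster problems to fix before rollout (and again whenever personnel
    or titles change): employees whose role has no rights defined, and
    defined roles that nobody holds."""
    defined = set(ROLE_RIGHTS)
    held = set(EMPLOYEE_ROLE.values())
    return {
        "employees_without_rights": sorted(
            e for e, r in EMPLOYEE_ROLE.items() if r not in defined),
        "roles_without_holders": sorted(defined - held),
    }


def role_matrix_csv():
    """Render the role/resource matrix as CSV: one row per role, one column per
    resource, each cell listing the permitted actions ('-' for none)."""
    resources = sorted({r.split(":")[0] for rs in ROLE_RIGHTS.values() for r in rs})
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Role"] + resources)
    for role, rights in ROLE_RIGHTS.items():
        row = [role]
        for res in resources:
            actions = sorted(r.split(":")[1] for r in rights if r.startswith(res + ":"))
            row.append("/".join(actions) if actions else "-")
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(role_matrix_csv())
    print("nurse reads payroll:", check_access("j.doe", "payroll", "read"))
    print("physician writes chart:", check_access("dr.smith", "patient_chart", "write"))
    print("who accessed patient_chart:", [e["employee"] for e in who_accessed("patient_chart")])
    print("review:", review_assignments())
```

The CSV from `role_matrix_csv()` opens directly in Excel, so the script and the workbook describe the same matrix; the point of `review_assignments()` is that a title on the roster with no rights behind it (here the constructed "Intern") is denied everything until someone decides what that role should see, which is the safe failure.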
Each type of software will have a specific setup method and some are more intuitive than others, but most all offer some way of accomplishing the task.
Have employees use “strong passwords”. Microsoft’s recommendation is at the following link: https://support.microsoft.com/en-us/help/4026406/microsoft-account-how-to-create-a-strong-password
Some valuable ground rules for RBAC are:
· Have one person in charge of it. Typically, this would be the Office Manager, though if you have an IT person, they would be a good choice, working in conjunction with the Owner and Office Manager.
· Anytime something changes with regard to personnel or position titles, or when new software is introduced, review how it might affect access role rights.
· Explain what you’re doing. This will help employees understand what is expected of them, and help ward off morale concerns.
· Add access role rights to employee responsibility forms and have each employee sign them.
· If you haven’t added access controls to sensitive areas within the office, it would be a good idea. This works in addition to RBAC by restricting access to sensitive information at the entry points to the areas where it resides, such as computers and file rooms. We go into more detail on this in our “Medical Clinic Physical Records Security” blog.
1PointUSA would like to help you maintain records security within your clinic. We’ll be pleased to discuss with you a strategy that combines different approaches to do so:
· Access Controls
· Security Cameras
· Audio Video & Intercom
· Security Strategy Mapping
1PointUSA has you covered