Friday, July 26, 2013

Role-based Access Control Ensures Extra Security in Healthcare

Traditionally, implementing RBAC for the care setting can be daunting, but there are efficient ways to bring a system on board that allow health system leaders to track, audit and allow who has access to what information and when.

While Role-based Access Control (RBAC) has uses in every industry, healthcare providers can benefit enormously from a proper implementation. The potential savings come not only from reducing potential fines in HIPAA and/or Sarbanes-Oxley audits, but also from avoiding conceivable lawsuits if sensitive patient data is exposed to the wrong personnel.

RBAC Overview

RBAC is a technique for managing authorization across an organization. Rather than assigning access privileges to individual users, it assigns privileges to certain files and sets of data on the basis of an employee’s role. These roles in turn comprise the department, function, location and cost center associated with an employee. Assigning access this way also allows all of an employee’s interactions with the system to be captured, in essence creating an audit trail for the organization in case one is ever needed.

Implementation Difficulties

Typically, one of the difficulties in implementing RBAC is the enormous investment of time that can be required to populate the matrix. This task can be a daunting one, as the combination of locations, departments, employee types and roles, together with the access rights each should be entitled to, can require a tremendous initial effort to define accurately. However, there is an easier way to get started.

The human resources (HR) system is an excellent source for determining these combinations. This will pave the way for a role model on the organizational level. As an example, a hospital in Location “A” has a surgery department that includes the functional role of “nurse.” The organizational roles can be created on the basis of the function, department and location found in the HR system. These are “nurse,” “surgery nurse” and “nurse in Location A,” respectively. After “nurse” and “surgery” have been defined, a nurse in the surgery department will automatically be identified as “nurse + surgery” and assigned the appropriate access privileges and applications.

Using this method, it becomes very easy to populate more than 80 percent of the RBAC table. A major benefit of this approach is that new employees can start being productive on their first day while time is freed up for the assignment of specific privileges on an application and system level.

A subsequent step is to translate these organizational roles into application or system roles, which will comprise the remaining 20 percent of the RBAC table. The basis for this is already present and now further stacking will take place. The assignment of the system roles can easily be handled by the relevant manager. After all, managers rather than HR personnel are responsible for the access privileges of their employees. On the basis of a workflow, the relevant manager will be prompted by an e-mail notification and/or web form to specify the access privileges and applications for the employee concerned.

The RBAC software can subsequently record the manager’s choices to further populate the empty sections of the RBAC table and eventually achieve a fully populated table. This means it is possible to have a manager handle all the translations of roles within her department, with an option to delegate tasks to a colleague. An action triggered by the manager may also result in a workflow notification to a license manager. This allows managers to exactly determine and manage what happens within their department or cost center.

Inevitably, an employee’s location, position or role will change over time. A properly implemented RBAC system allows for a transition of the access and application rights as well. When the employee changes jobs within the organization, the RBAC matrix ensures he has the proper rights for his new role. The workflow component can notify the previous manager about the transition to ensure that access to systems and data no longer required is revoked in a timely manner, and the new manager will be notified in case any special privileges are required for the new role.
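As an added example (not code from the original post or any product it mentions), the procedure above in Python: organizational roles are derived from the HR attributes, manager-assigned application roles are layered on top, and a job change yields an explicit revoke list for the old manager and a grant list for the new one. The HR records, role names and privilege strings are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One employee as the HR system describes them (constructed sample data)."""
    employee: str
    function: str    # e.g. "nurse"
    department: str  # e.g. "surgery"
    location: str    # e.g. "A"
    manager: str


# Constructed organizational-role table: the HR-derived part of the matrix.
# Role names and privilege strings are illustrative assumptions.
ORG_ROLE_PRIVILEGES = {
    "nurse":         {"app:nursing-portal", "ehr:read-vitals"},
    "nurse@A":       {"badge:building-A", "print:floor-A"},
    "nurse+surgery": {"app:or-board", "ehr:read-or-schedule"},
    "clerk":         {"app:registration", "ehr:read-demographics"},
    "clerk@A":       {"badge:building-A"},
}

# Constructed application-role table: the part a manager fills in via workflow.
APP_ROLE_PRIVILEGES = {"pacs-viewer": {"pacs:view"}, "pharmacy-sign": {"rx:sign"}}


def org_roles(rec):
    """Roles the HR attributes imply: function, function@location, function+department."""
    return [rec.function, f"{rec.function}@{rec.location}", f"{rec.function}+{rec.department}"]


def privileges(rec, app_roles=()):
    """Union of HR-derived privileges plus manager-assigned application roles.
    A combination missing from the table grants nothing, so a new role never
    silently over-grants; someone has to define it first."""
    privs = set()
    for role in org_roles(rec):
        privs |= ORG_ROLE_PRIVILEGES.get(role, set())
    for role in app_roles:
        privs |= APP_ROLE_PRIVILEGES.get(role, set())
    return privs


def transfer(old, new, old_app_roles=()):
    """Job change: what to revoke (old manager notified), what the new role adds
    (new manager notified), and which manager-assigned application roles lapse
    and must be re-requested rather than carried over automatically."""
    before, after = privileges(old, old_app_roles), privileges(new)
    return {
        "revoke": sorted(before - after), "notify_revoke": old.manager,
        "grant": sorted(after - before), "notify_grant": new.manager,
        "re_request": sorted(old_app_roles),
    }
```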

By using the method described above, implementing RBAC does not have to be a long, painful and drawn-out process. Implementation can be handled in weeks rather than years, and the healthcare facility can start reaping the benefits of proper data access control quickly.

For more information, please visit our website.

Friday, July 12, 2013

Benefits and Risks of BYOD

The “bring your own device” (BYOD) trend continues gaining speed across many industries. Plainly put, BYOD is when employees are able to bring their own technical devices, such as smart phones, tablets and laptops, and use them on the company’s network instead of a company-provided device. BYOD has many benefits and risks, though, that each organization’s IT department needs to consider.

Benefits

Increased Productivity

The use of technology at work has increased significantly over the past few years as the use of paper and manual processes continues to decrease. In education, for example, schools have increasingly taken to using technology in the classroom by providing students with tablets and computers. Recent research has shown that this type of learning allows students to be more interactive and engaged in the learning process. In business, the use of technology has increased because of green practices, with organizations realizing that by positioning themselves as environmentally friendly they save money and generate external support for their efforts. Though technology increases overall productivity, research also shows that employees are even more productive if the device they use is their own.

Lower Cost to the Company

Though the use of technology benefits employers because it without a doubt makes employees more productive, purchasing a large number of computers or tablets is a tremendous financial commitment for a company. Most of the technology used by organizations is only current for a certain, limited period of time and then becomes obsolete and in need of replacement. By allowing employees to bring and use their own devices, organizations can always have up-to-date technology without constantly incurring the costs of new models. For many, this practice has been extremely beneficial as budgets are being cut and organizations are forced to trim spending.

BYOD shifts costs from the company to the user and allows employees to use their own devices. BYOD policies also allow employees to use the technology that they are comfortable with and that they prefer, rather than what the company dictates to them. Users also may upgrade their devices to the newest features more frequently than the company can afford to budget for on an ongoing basis.

Risks

Support of many different devices

Though there are many benefits to allowing BYOD, there are several risks that concern the IT staff. First of all, since everyone is not using one standard device, the IT department will need to support many different types of devices and operating systems. This makes it very difficult to resolve an issue with a device when the user needs assistance.

No control over what is on device

Organizations have no control over what types of applications are installed on the device, which makes it very difficult to enforce security. Though employees probably would not download games or other entertainment applications on their work computer, in the case of BYOD, since the device is their own and also used for pleasure, they will certainly download numerous types of personal applications on the device.

Security Risks

BYOD increases the risk of a security breach of important data. When an employee leaves the company, they do not have to give back the device, so company applications and other data may still be present on it. This can leave some company data unsecured. There are also certain compliance regulations that businesses have to follow, such as HIPAA or GLBA, which are difficult to enforce when a device is not owned by the company.

Infrastructure Issues

Different types of devices operate at different speeds and with different operating systems. It can be difficult for an IT department to set up and maintain infrastructure that supports these different device needs. Also, if employees are able to bring their own devices, there will be many more devices in use than there would be if the company were providing them. Employees might bring all of their phones, tablets and computers to work, meaning there will be much more strain on the company’s Wi-Fi and network.

Solutions

Easily set up new devices

With an influx of devices, the IT department will need to add them all to the network, which can be extremely time consuming. Solutions such as Tools4ever’s User Management Resource Administrator (UMRA) allow IT staff to easily add these new devices by adding them in Active Directory. End users can even register their devices themselves if required.

Only allow certain devices to be registered

Since there are many different types and brands of devices that employees can use, an organization will have to decide which ones it is going to allow and support. This allows it to focus on a narrower selection of devices and to solve the issues that arise with those devices. When a user tries to register a device, UMRA can be set up to allow only supported devices to be registered, so unsupported devices never make it onto the company network.

Ensure Security

Security is a big issue with allowing BYOD at a company. When an employee leaves, he takes the device with him, so it is important that each departing employee does not still have access to important company data. With UMRA, once an employee leaves the company, his account can automatically be disabled, thereby deactivating his access to the network and any secure data. This ensures that when an employee leaves he will not be able to continue accessing important company data. This can also help with complying with regulations and audit needs. No one will have access to applications and data to which they are not supposed to have access.

For more information, please visit our website.