​

LAST YEAR, 27 healthcare workers were suspended for peeking at George Clooney’s health records. Earlier this year, when a hospital worker was fired for publicly sharing Britney Spears’ records, it turned out that the employee had been previously reprimanded for similar privacy violations.

Hospitals are a principal electronic hacking target. But when it comes to data breaches, a number of recent surveys say the greatest threat comes from within. When it comes to controlling electronic record access, health organizations have relied mainly on logging, using random audits to get an after the-fact view of which workers have seen what. But under growing pressure to comply with regulations and avoid bad publicity, hospitals are turning to user-provisioning applications to protect record privacy.

“Security is now down to the document level,” says Mary Beth Haugen, director of information management services at Denver Health. About a year ago, the healthcare provider implemented a new user provisioning application called Sourian, from Malvern, Pennsylvania-based Siemens Medical Systems.

Previously, the hospital had two basic levels of access: “behavioral health” and “other.” Behavioral health encompasses psychiatry, therapy, and treatment for addiction. Access to such records is stringently controlled by federal and state law, Haugen says.

But access controls are now far more granular, creating “as many roles as we want,” she says. Typically, all healthcare workers in a unit have been given access to the records of every unit patient. Now, certain workers, such as nurses or visiting physicians, can only access patient data they need to see.

Role-based templates can be created specific to the job, rather than the person. Then, if someone leaves and a new hire takes over, the role-based template applies to the new person in that position; it does not have to be re-created.

This is important, as hospital employees frequently come and go. Many staff are part-time, students come in waves, and visiting workers are common. Certain workers might need to access multiple systems. Under older access control systems, it could take a couple of weeks to grant these workers access, says Gartner analyst Barry Runyon.

“During this time, they tend to use generic passwords and do all kinds of nefarious things.”

The hospital can now block access to certain parts of a patient’s visit, such as a meeting with a healthcare worker on behavioral health. Another example could be a child-abuse case, says Haugen. For the child’s safety, the hospital might prohibit access to records that mention the child’s new residence.

Increased protection of records isn’t just a legal requirement—it’s good business. Patients want to feel that their information is secure, Haugen says. “The only people patients want looking at their records are their own care providers.”

The greatest challenge in implementing the system is defining roles, explains Haugen. The problem is that while a restrictive approach will best protect privacy, the best medical decisions require comprehensive knowledge. She says she tries to avoid being overly restrictive.

Physicians working in the emergency room are automatically given the highest level of access, with the ability to see psychiatric records. “We want to make sure they have access to anything that could be relevant,” says Haugen. But, she notes, adjustments can be made if access levels need changing.