Question

The practice of least privilege grants users access permission to information based on their duties. Within a healthcare facility, differentiate between what information the receptionist and doctor should have based on least privilege. As the security specialist at this facility, what do you think would be the best way to handle instances where one or the other position may need additional information?

Answer 1

The practice of least privilege granting of permissions based to user access to information is a necessary step to mitigate the high risk of data security breach or violation of individual privacy rights especially in vulnerable sectors like healthcare including insurance and financial services.

Previous self regulation autonomy in the private healthcare and insurance sector failed in monitoring and regulating privacy and data security breaches of patients rights.

Thus, in this context, the US passed a federal law governing such policies and practices called the Health Insurance Portability and Accountability Act (HIPAA). This is one such law which governs the privacy rights of patients and it is mandatory for companies to comply with it or else they can face prosecution and penalties apart from negative publicity and embarrassments. What is essential is that information must be on a 'need-to-know' basis and not otherwise.

A receptionist is a basic or starting level position in an organization having no role or involvement in the medical treatment or case history of a patient and as such must be given very limited online system access or patient file access to check records.

A receptionist can be given access to patients name, contact information, date of last visit/appointment, whether any outstanding payments/bills are pending and details of next appointments in order to schedule or modify/cancel any appointments. Their 'need-to-know' basis is minimal and limited in nature and accordingly such restricted access must be provided.

A receptionist does not need to have access to the doctors examination reports, diagnosis, prescription, medical test reports, etc.

On the other hand, a doctor would require maximum access to study and analyse a patients case history and accordingly requires greater access rights and privileges in the system. A doctor isn't interested in the payment and accounts history of a patient and expects the accounts and receptionist teams to address that while scheduling appointments and tests.

In the event of any unauthorized access it must be reported immediately as a breach and disciplinary action against the violator taken immediately.

As such, the threshold for such breaches must be extremely strong with rare and the security system designed with user-based strong passwords, external firewalls, installation and regular automated updation of anti-virus and anti-tracking software. A system check could be a password requiring bio-metric identification like fingerprint or facial recognition.

In the event of any unauthorized person seeking access permission to any records of any patient stored online or for any offline/hard copy files, they must send a prior email request along with their requirement and the reasons for this access to their head of department. If the head of their department approves this request then the systems administrator can issue access for limited time and restricted to this particular requirement only. This request would be monitored and recorded in written/email so the concerned staff member seeking further permission access would know there are security compulsions and regulation in place which could go against them in case of any misuse of the data. This would be a great systemic check to ensure compliance and regulation while mitigating the risks involved. In turn if the head of a department needs extra access to any data then they should obtain prior permission from the head of the organization in the same procedure for a team member.

This procedural systemic check and balance must be clearly outlined and detailed in a Standing Operating Procedure (SOP) with prior training and awareness to all staff to ensure compliance to the company security policy. This SOP would be created and made by the company's security expert as a single point of contact to streamline monitoring and compliance with minimal security breaches.