Security is a critical part of EHR solutions. While security often gets little focus in the design phase, compliance and regulatory requirements are driving organizations to think more about EHR security. Whether it’s for HIPAA compliance, business continuity, or to keep healthcare information secure — it’s important that systems are protected from unauthorized access. We’ve broken it down to give you in-depth insight into role-based access, the importance of an RBAC in an EHR application, and one of the best practices for managing RBAC.
First, we must define role-based access, which is simply access that is granted based on your role. Each person within an organization should be granted access to the tools, applications, and data they need for the role(s) they hold: access to only the information they need and nothing more. If they have access to more information than is essential, compensating controls need to be in place. The principle of least privilege addresses access control by requiring that an individual have only the minimum access privileges necessary to perform a specific job or task.
This can get tricky in organizations that do not have specific, defined roles, or where a person’s role can cross over into others’ with little lead time before the change. Even the National Institute of Standards and Technology (NIST) explains that roles “were developed by a variety of organizations, with no commonly agreed upon definition or recognition in formal standards.”
Ensuring that users have the correct access to the tools they need is managed through User Lifecycle Management (ULM). Managing the process of onboarding, offboarding, and transitions can be quite complicated. Additionally, scaling efficiently requires the right tools, ones that can take data from a source system, identify the role, and assign or remove permissions promptly. Ideally, users are granted access to all the tools they need on day one, and when they leave an organization their access is revoked within 24 hours. Granting access at the right time ensures the workforce is productive immediately; if that fails to happen, it affects the bottom line and patient care. Revoking access at the right time reduces risk to the organization by removing access to sensitive data or systems from those with potential malintent.
Role-based and least privileged access are especially important when it comes to access to Protected Health Information (PHI). Everyone by now has hopefully heard of HIPAA. The Health Insurance Portability and Accountability Act is a 1996 Federal law that restricts access to individuals’ private medical information. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent.
Granting access to various tools, modules, and data within an EHR application, applying guardrails, and implementing segregation of duty controls are vital. Guardrails prevent users from performing an action that they aren’t supposed to do from a role, regulatory, or licensure perspective. For example, those who shouldn’t have access to PHI are unlikely to break any HIPAA rules if they don’t have access to the data.
Segregation of duty restrictions provide an additional layer of protection. They set the checks and balances in the system. Auditors will want to know not only who accessed the system and who has access to PHI, but also who can modify master files and financial information. The person counting the money shouldn’t be able to modify what’s in the till.
Managing RBAC, in the Epic application specifically, starts with basic best practices. This is where Ellit Groups shines. We have seasoned professionals who can help you stand up a model to ensure that: 1) your user base has the appropriate, least privileged access, 2) the build is collaborative across Epic modules, and 3) access to sensitive information or the ability to perform certain functions is in compliance with state and federal regulations.
The most effective way to ensure that users have role-based access control is by creating Security Templates AND standardizing the provider/resource configuration (the latter item is an important yet entirely different discussion). Templates are like wrappers for a user’s role: the Template provides the tools a user needs by having the user’s account linked to the Template. The big perk of Templating users is that if a role changes you only need to change the Template, and all linked users instantly receive the update. Of course, changing a Template itself must be managed through stringent change control processes, because an untested change can affect a great number of users.
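The template-linking and segregation-of-duty ideas from the two passages above, as an added illustration that is not Ellit Groups’ or Epic’s code. The template names, permissions, users and SoD rules are constructed sample data; the model shows permissions flowing from template to linked user (so a template change propagates without touching any user), a check for conflicting duties, and the auditor’s question of who can edit a master file.

```python
from dataclasses import dataclass

# Constructed sample data, not Epic's configuration: a Security Template is a
# named bundle of permissions, and a user gets access only through linkage.
TEMPLATES = {
    "FRONT_DESK": {"schedule.view", "patient.register"},
    "CASHIER": {"payment.post"},
    "FIN_ADMIN": {"payment.adjust", "charge_master.edit"},
    "CLINICIAN": {"chart.view", "orders.enter", "phi.view"},
}

# Segregation-of-duty rules: whoever posts payments must not also be able to
# adjust them or to edit the master file that prices the charges.
SOD_RULES = [
    ("payment.post", "payment.adjust"),
    ("payment.post", "charge_master.edit"),
]


@dataclass
class User:
    name: str
    templates: frozenset  # names of the Security Templates this user is linked to


def effective_permissions(user, templates):
    """Union of the permissions of every template the user is linked to."""
    perms = set()
    for name in user.templates:
        perms |= templates.get(name, set())  # an unknown template grants nothing
    return perms


def has_access(user, permission, templates):
    return permission in effective_permissions(user, templates)


def sod_violations(user, templates, rules=SOD_RULES):
    """Return the conflicting permission pairs this user holds at the same time."""
    perms = effective_permissions(user, templates)
    return [pair for pair in rules if pair[0] in perms and pair[1] in perms]


def users_who_can(users, permission, templates):
    """Audit question: which users are able to perform this action?"""
    return sorted(u.name for u in users if has_access(u, permission, templates))


USERS = [  # constructed users
    User("dana", frozenset({"FRONT_DESK", "CASHIER"})),
    User("lee", frozenset({"FIN_ADMIN"})),
    User("ravi", frozenset({"CLINICIAN"})),
    User("sam", frozenset({"CASHIER", "FIN_ADMIN"})),  # holds conflicting duties
]
```

Running `sod_violations` over every user during a periodic access review is what surfaces a case like `sam`, where two individually legitimate templates combine into a prohibited pairing.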
The first step to creating a standardized build is to form a Security Governance Committee. The following items help form the foundation of a solid committee:
Establishing the people and process from the start helps pave the road for standardized build and controls that ultimately reduce the risk of error, inappropriate access, and potential breaches down the road.
At Ellit Groups, we meet our clients where they are on their journey. With our professionals and vendor partners, we are changing the landscape of EHR Security and SER Management. We have worked with healthcare organizations across the country and can help you identify build gaps to develop a Role Based Access framework.
Talk to us today about how we can develop an EHR Security solution that fits your needs!