Security is a critical part of EHR solutions. While security often gets little focus in the design phase, compliance and regulatory requirements are driving organizations to think more about EHR security. Whether it’s for HIPAA compliance, business continuity, or to keep healthcare information secure — it’s important that systems are protected from unauthorized access. We’ve broken it down to give you in-depth insight into role-based access, the importance of RBAC in an EHR application, and one of the best practices for managing RBAC.

What is Role Based and Least Privilege Access?

First, we must define role-based access, which is simply access that is granted based on your role. Each person within an organization should be granted access to the tools, applications, and data they need for the role(s) they hold in that organization: access to only the information they need and nothing more. If they have access to more information than is essential, compensating controls need to be in place. The principle of least privilege addresses access control in which an individual should only have the minimum necessary access privileges to perform a specific job or task.

This can get tricky in organizations that do not have specific, defined roles, or where a person’s role can cross over into others’ with little runway prior to the change. Even the National Institute of Standards and Technology (NIST) explains that roles “were developed by a variety of organizations, with no commonly agreed upon definition or recognition in formal standards.”

Ensuring that users have the correct access to the tools they need is managed through User Lifecycle Management (ULM). Managing the process of onboarding, offboarding, and transitions can be quite complicated. Additionally, scaling efficiently requires the right tools that can take data from a source system, identify the role, and assign or remove permissions promptly. Ideally, users are granted access to all the tools they need on day one, and when they leave an organization their access is revoked within 24 hours. Granting access at the right time ensures the workforce is productive immediately. If that fails to happen, it affects the bottom line and patient care. Revoking access at the right time reduces risk to the organization by removing access to sensitive data or systems from those with potential malintent.

Role-based and least privileged access are especially important when it comes to access to Protected Health Information (PHI). Everyone by now has hopefully heard of HIPAA. The Health Insurance Portability and Accountability Act is a 1996 Federal law that restricts access to individuals’ private medical information. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent.

Why is Role Based Access in an Electronic Health Record (EHR) application important?

Granting access to various tools, modules, and data within an EHR application, applying guardrails, and implementing segregation of duty controls are vital. Guardrails prevent users from performing an action that they aren’t supposed to do from a role, regulatory, or licensure perspective. For example, those who shouldn’t have access to PHI are unlikely to break any HIPAA rules if they don’t have access to the data.

Segregation of duty restrictions provide an additional layer of protection. They set the checks and balances in the system. Auditors will want to know not only who accessed the system and who has access to PHI, but also who can modify master files and financial information. The person counting the money shouldn’t be able to modify what’s in the till.

Why Should you Establish an EHR Security Governance Committee?

Managing RBAC, in the Epic application specifically, starts with basic best practices. This is where Ellit Groups shines. We have seasoned professionals who can help you stand up a model to ensure that: 1) your user base has the appropriate, least privileged access, 2) the build is collaborative across Epic modules, and 3) access to sensitive information or the ability to perform certain functions is in compliance with state and federal regulations.

The most effective way to ensure that users have role-based access control is by creating Security Templates AND standardizing the provider/resource configuration (the latter item is an important yet entirely different discussion). Templates are like wrappers for a user’s role. The Template provides the tools a user needs by having their account linked to the Template. The big perk of Templating users is that if a role changes, you only need to change the Template. All users who are linked will instantly receive the update. Of course, changing a Template itself must be managed through stringent change control processes, because there is also the chance that an untested change can affect a great number of users.
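The template-linked model just described, together with the segregation-of-duty check from the previous section, as an added illustration that is not part of this article and not Epic’s own object model: users carry no permissions of their own, they resolve them through linked templates at lookup time, a constructed conflict list flags users whose combined templates let them both handle and adjust money, and offboarding drops every link. The permission names and template names are made up for the example.

```python
from dataclasses import dataclass, field

# Constructed segregation-of-duty conflicts: a single user must never hold
# both permissions of a pair (the cashier must not be able to edit the till).
SOD_CONFLICTS = (
    frozenset({"cash.post_payment", "cash.adjust_balance"}),
    frozenset({"masterfile.edit", "masterfile.approve"}),
)


@dataclass
class Template:
    """A wrapper for a role: the only place permissions are defined."""
    name: str
    permissions: set[str] = field(default_factory=set)


@dataclass
class User:
    user_id: str
    templates: list[Template] = field(default_factory=list)
    active: bool = True

    def effective_permissions(self) -> set[str]:
        # Resolved through the linked templates on every lookup, so a change
        # to a template reaches every linked user without touching user records.
        if not self.active:
            return set()
        return set().union(*(t.permissions for t in self.templates))


def sod_violations(user: User) -> list[frozenset[str]]:
    """Return every conflicting permission pair the user currently holds."""
    perms = user.effective_permissions()
    return [pair for pair in SOD_CONFLICTS if pair <= perms]


def offboard(user: User) -> None:
    """Offboarding removes every template link; nothing is left to resolve."""
    user.active = False
    user.templates.clear()


def build_sample() -> tuple[User, Template, Template]:
    # Constructed sample data: a cashier later also granted a finance template.
    cashier = Template("Cashier", {"cash.post_payment", "cash.view_till"})
    finance = Template("FinanceAdmin", {"cash.adjust_balance", "masterfile.edit"})
    return User("jdoe", [cashier]), cashier, finance
```

Run `sod_violations` as a pre-approval step in change control whenever a user is linked to an additional template or a template’s permissions are edited, since either change can create a conflict that neither object shows on its own.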

The first step to creating a standardized build is to form a Security Governance Committee. The following items help form the foundation of a solid committee:

  1. The Security Team should chair the committee, and it should be led by someone who thoroughly understands Epic Security. The lead will need to guide and integrate the other members of the committee.
  2. The committee should have approval and ideally sponsorship from leadership.
  3. The members or liaisons on the committee should represent each Epic module the organization has implemented, and the members should be familiar with Epic Security. It’s most efficient to assign a primary and a secondary representative.
  4. Establish a naming and numbering guide and minimum documentation requirements.
  5. The committee will need to collaborate with, and in certain circumstances obtain approval from, cross-functional teams outside of IT such as Legal, Human Resources, Credentialing, Health Information Management, Risk Management, Compliance, and Privacy. Establish important points of contact.
  6. Security liaisons must work collaboratively so as not to create duplicate build or allow access outside of a role.
  7. All changes must go through change control with appropriate levels of documentation, review, and approval.
  8. Establish a method for communicating changes internally and externally to the user base. Partner with Training and Communication Teams.
  9. Include SER experts on the committee.

Establishing the people and process from the start helps pave the road for standardized build and controls that ultimately reduce the risk of error, inappropriate access, and potential breaches down the road.

At Ellit Groups, we meet our clients where they are on their journey. With our professionals and vendor partners, we are changing the landscape of EHR Security and SER Management. We have worked with healthcare organizations across the country and can help you identify build gaps to develop a Role Based Access framework.

Talk to us today about how we can develop an EHR Security solution that fits your needs!

© 2023 Ellit Groups. All Rights Reserved.
