Healthcare Compliance through Contextual Access Management
Compliance without tying doctors’ hands
Here’s the problem: Access restrictions strong enough to ensure compliance tend to lock doctors in a box. They can’t do their jobs in a box. To do their jobs, healthcare professionals need painless, expansive access to Electronic Protected Health Information (ePHI). The ongoing struggle for IT has been to find a way to empower healthcare professionals without giving up on compliance (or vice versa).
The culprit may be the outdated concept of role-based access. After all, ePHI now travels beyond the firewall to the home, the pharmacy, the coffee shop; beyond the internal hardware to the laptop, the tablet, the smartphone. More and more IT managers and software producers are losing confidence in roles to handle the data access challenges of today.
And as with most of the big problems in IT, the future isn’t a new product—it’s a perspective change.
Contextual Access Management
To protect necessary access and satisfy modern compliance regulations like HIPAA, you need to see beyond the role of a user and take in a broader range of data for each access request: beyond the who, to what is being requested, when, where, from which device and over which network.
The emerging answer is Contextual Access Management, a new way of combining functionality between existing technologies to gather comprehensive contextual data about each request and to build an automatic system to grant or deny each request.
A Contextual solution will register the time, place, device and network associated with the user’s request and give each circumstantial factor a risk score. Final decisions are made based on the overall score, effectively closing the loopholes of traditional access while expanding compliance.
How does Contextual Access Management work in healthcare?
First and most simply, context provides stronger enforcement. Currently, it is too easy for users to reach beyond their role without alerting anyone.
- What if a nurse from the ICU accesses information in the ER?
Normally, you might miss suspicious circumstances. With Contextual awareness, you can see the exact location of ePHI access: not only which terminal, but the nurse's geo-location in the building. You will be able to set up automatic actions based on risk: to deny or grant access, or even to request further credentials.
- What if a doctor logs in to access ePHI from the cafe across the street?
You don’t have to go far to get outside the secure, internal network. But more than being location-aware, CAM will also allow you to take the familiarity of a network into account before making a decision.
- What if an intern is logging in after their shift?
Taking the time of a request into account makes it easier to identify suspicious behavior. The risk associated with an intern viewing ePHI after hours is probably too great to allow, and your CAM system will deny their access, even though the intern’s role would let their request through.
- What if a nurse makes a request for ePHI on her personal phone, not an already trusted laptop?
A CAM solution will be able to make a decision based on the escalated risk of an untrusted device and automatically prompt the user for another level of authentication, whether this is a 2-factor token or further details unique to the user, in a customizable process.
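The per-factor scoring and grant / step-up / deny decision described above can be sketched as follows. This is an added example, not code from any CAM product: the weights, thresholds, network name and the per-role after-hours table are assumptions, chosen so that the four scenarios above produce the outcomes the text describes.

```python
from dataclasses import dataclass
from datetime import time

# Every weight, threshold and name here is an illustrative assumption.
KNOWN_NETWORKS = {"hospital-lan"}
RISK = {"other_unit": 30, "unknown_network": 25, "untrusted_device": 30, "off_shift": 30}
OFF_SHIFT_RISK = {"intern": 70}      # per-role override for after-hours requests
STEP_UP_AT, DENY_AT = 25, 70         # thresholds on the overall score

@dataclass
class AccessRequest:
    role: str
    home_unit: str       # unit the user is assigned to
    access_unit: str     # where the request physically originates
    network: str
    device_trusted: bool
    at: time
    shift: tuple         # (start, end) as datetime.time

def in_shift(at, shift):
    start, end = shift
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end   # shift that crosses midnight

def factor_scores(req):
    """Score each circumstantial factor separately so the audit record shows why."""
    return {
        "location": 0 if req.access_unit == req.home_unit else RISK["other_unit"],
        "network": 0 if req.network in KNOWN_NETWORKS else RISK["unknown_network"],
        "device": 0 if req.device_trusted else RISK["untrusted_device"],
        "time": 0 if in_shift(req.at, req.shift)
                else OFF_SHIFT_RISK.get(req.role, RISK["off_shift"]),
    }

def decide(req):
    scores = factor_scores(req)
    total = sum(scores.values())
    if total >= DENY_AT:
        action = "deny"
    elif total >= STEP_UP_AT:
        action = "step_up"            # prompt for a further credential
    else:
        action = "grant"
    return {"action": action, "score": total, "factors": scores}

DAY = (time(7), time(19))             # constructed sample shift
# Constructed sample: the intern logging in after their shift.
INTERN_LATE = AccessRequest("intern", "ICU", "ICU", "hospital-lan", True, time(22, 30), DAY)
```

The returned record keeps the individual factor scores alongside the action, which is what a monitoring or reporting pipeline would store for each request.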
Contextual Access Management allows you to follow a Doctor through an entire engagement with a patient. This means easier access to ePHI and greater compliance without rigid walls of access restriction.
- From the ER
Access isn't very complicated in the ER, when the Doctor logs in to view records.
- To the hospital
If the same Doctor follows a patient into a hospital visit, he or she will still be able to easily access the patient's ePHI. The change of position and possibly network will be recorded, but the access can be as easy as with the first request.
- Into Surgery
As the patient enters surgery, your records will follow the surgeon's access.
- And to the Pharmacy
Even off-site, away from the expected network, your Doctor can access necessary ePHI without being shut out. You can set provisions for Doctors to be prompted for more credentials depending on their location and request.
More compliant than ever
This level of visibility into the access requests for ePHI can dramatically boost compliance with HIPAA and other compliance frameworks. Automatic monitoring and reporting can make it easy. See selected HIPAA regulations specifically satisfied by contextual awareness here.
Forget about struggling for balance between security restrictions and handicapping your healthcare professionals. With Contextual Access Management, we can show you how to have your cake and stay compliant too.