Partnering With HR to Prevent Breaches
How St. Luke's Health System Controls Data Access
To help prevent breaches involving insiders, St. Luke's Health System's IT team works closely with the organization's human resources department and various business managers. Together, they determine who needs access to patient information and other sensitive data based on their precisely defined role, says Reid Stephan, IT security director.
"We partner with our human resources department to clearly establish job roles and titles that are consistent across our enterprise," says Stephan in an interview with Information Security Media Group.
That helps ensure that, for instance, someone in the job category of "nurse level 1" in one part of the organization has exactly the same job and function as someone in the same category who works in another section of the organization, he says. Boise, Idaho-based St. Luke's encompasses several medical centers, including a children's hospital, as well as a variety of specialty care clinics.
"We've found that as we work with HR and clearly define those job roles, then it's a much easier proposition to enact role-based access control," he says. So, when someone is hired at a "nurse-1" level, the access they get "is pre-defined, embedded in the business, that is appropriate for a nurse 1," he says. "Any additional access outside of that has to be requested from their manager." That request is then passed on to St. Luke's identity and access management team, which logs any additional access granted into the organization's systems as an exception.
Taking all these steps helps St. Luke's "avoid situations we've had in the past, where someone's hired and the hiring manager asks for the new hire to have the same level of data access as [a more senior or higher level nurse] who's been working at the organization for many years," Stephan says. Carefully controlling data access based on pre-determined job roles can help avoid, for example, a new hire gaining access to patient data that's more appropriate for a nurse manager, he adds.
Security professionals also must work with various business unit managers to adjust data access privileges based on a worker's changing roles, Stephan points out. "In the past that was viewed as an IT activity. We're starting to pivot on that now, and partner with the business and make them understand that ... they are responsible for the access levels of their employees."
Periodic Access Reviews
At St. Luke's, managers now must, on a periodic basis, conduct data access reviews for each of their employees. If any data access is determined to be inappropriate, the IT provisioning team takes action "to make access commensurate with [the person's] actual job duties," Stephan says.
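The process described above (a per-role baseline on hire, manager-requested exceptions logged by the IAM team, role changes, and a periodic review that the provisioning team acts on) can be modelled in a few lines. This is an added illustration, not St. Luke's code; the role names, entitlement strings and user records are constructed for the example.

```python
"""Role-based baseline access with logged exceptions and periodic review.

Constructed example: roles, entitlements and users are invented, not drawn
from any real system.
"""
from dataclasses import dataclass, field

# Constructed baseline: the access a job role receives automatically on hire.
ROLE_BASELINE = {
    "nurse-1": {"ehr:read-assigned-patients", "ehr:chart-notes"},
    "nurse-manager": {"ehr:read-assigned-patients", "ehr:chart-notes",
                      "ehr:read-unit-patients", "scheduling:edit"},
}


@dataclass
class User:
    name: str
    role: str
    grants: set = field(default_factory=set)
    exceptions: dict = field(default_factory=dict)  # entitlement -> approving manager


def provision(name, role):
    """Onboarding: access is exactly the role baseline, never copied from a peer."""
    return User(name, role, set(ROLE_BASELINE[role]))


def grant_exception(user, entitlement, manager):
    """Access outside the baseline needs a manager request; IAM logs it as an exception."""
    if entitlement in ROLE_BASELINE[user.role]:
        return False  # already covered by the role, nothing to log
    user.grants.add(entitlement)
    user.exceptions[entitlement] = manager
    return True


def change_role(user, new_role):
    """Role change: rebase on the new baseline and carry over only logged exceptions."""
    user.role = new_role
    user.grants = set(ROLE_BASELINE[new_role]) | set(user.exceptions)


def access_review(user):
    """Periodic review: grants beyond the baseline, split into logged exceptions
    (manager re-confirms) and unlogged grants (to be revoked)."""
    extra = user.grants - ROLE_BASELINE[user.role]
    logged = sorted(extra & set(user.exceptions))
    unlogged = sorted(extra - set(user.exceptions))
    return logged, unlogged


def remediate(user):
    """Provisioning acts on the review: drop every grant with no logged exception."""
    _, unlogged = access_review(user)
    user.grants -= set(unlogged)
    return unlogged
```

The review surfaces exactly the situation the article warns about: a grant copied from a more senior colleague that no manager ever requested.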
In the interview, Stephan also discusses:
- Steps St. Luke's is taking to guard against hacker attacks, including working with other organizations inside and outside the healthcare sector to monitor cyberthreats;
- Measures the healthcare organization is taking to protect the credentials of systems administrators;
- The cyberthreats that Stephan finds most concerning.
As director of IT security at St. Luke's Health System, Stephan leads and facilitates all information security and security-related activities in support of the business and the mitigation of its risks. He is responsible for the implementation of information security policies, procedures, standards, technical safeguards and solutions in response to ongoing assessment and evaluation, as well as other identified business exposures. Before joining St. Luke's, Stephan was an IT security manager at Hewlett-Packard. He is a member of the board of directors of the National Health Information Sharing and Analysis Center, or NH-ISAC.