I was chatting with a group of hospital CIOs recently and we were discussing network security and what makes their networks vulnerable. I was surprised by the difficulty each was having with remote access by physician office staff. It was unanimously one of the greatest concerns. While we know they have some longstanding, awesome partnerships with physician offices, there are three main vulnerabilities that have surfaced with remote network access:
1) Unknown terminations
2) Inappropriate access discipline
3) Access after termination
Unknown Terminations:
When it came to unknown terminations, we realized that in the midst of all this technology, hospitals are providing access to physician office staff, but they are not getting timely feedback when a staff member resigns or is let go.
While the office may have terminated access to the ambulatory EHR, the access to the hospital’s EHR might still be active. In many cases, the physician’s office rescinds access locally but there is no reliable model for communicating the change to its partners. This is a critical gap and should not be left to good faith and word of mouth to report these important changes.
Inappropriate Access Discipline:
Another challenge is physician office staff accessing records of patients associated with the office, but for services unrelated to the office. This was not an isolated case in our group of 15 CIOs.
There were reports of access that were proven to be inappropriate, and while the hospitals swiftly removed access and reported the breach to the office, they had no further recourse.
In two instances, the office refused to terminate the employee. The hospitals have now changed their physician office access agreements to require that an employee who breaches confidentiality while utilizing the hospital’s EHR will be terminated.
Access After Termination:
Access after termination is difficult to manage when there is no link between the hospital’s EHR and the staff member’s current status at the office. Some of the CIOs reported that they run reports for inactive accounts over X number of days and then inactivate the account. It struck me that it’s not these rule-following terminated employees that are making hospitals the most vulnerable.
Instead, it's those bold ex-employees of whom we should be most scared. They continue to use the account with confidence after termination and they don’t show up on ANY report because we’re only looking for inactive users. The joke is on us. We need a way to shut down the most brazen of ex-employees.
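The gap described in the last two paragraphs is that a report keyed only on inactivity cannot see a terminated employee whose account is still in use. The example below is added here and is not code from the post or from any of the hospitals discussed; the hospital account list, the office rosters, the patient-to-office relationships and the EHR access log are all constructed sample data, and the design assumes the office can supply a roster of currently employed staff, which is exactly the link the post says is missing today. It runs the usual inactive-account report, reconciles hospital accounts against the office roster, and flags record access outside the office's own patients (the inappropriate-access case from the earlier section), so all three findings come out of one pass over the same data.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (not from the post) ---------------------------

# Hospital EHR accounts issued to partner-office staff: account -> office id
HOSPITAL_ACCOUNTS = {
    "jdoe": "office-A",
    "msmith": "office-A",   # let go by the office; the hospital was never told
    "rlee": "office-B",
    "kchan": "office-B",    # still employed but has not logged in for a long time
}

# What each office reports as its current staff (the assumed roster feed)
OFFICE_ROSTERS = {
    "office-A": {"jdoe"},
    "office-B": {"rlee", "kchan"},
}

# Patient -> offices with a care relationship to that patient
PATIENT_OFFICES = {
    "P100": {"office-A"},
    "P200": {"office-B"},
    "P300": {"office-A", "office-B"},
}

# Constructed hospital EHR access log: timestamp account action patient
EHR_LOG = """\
2024-03-01T08:02:11 jdoe VIEW P100
2024-03-02T09:15:40 msmith VIEW P100
2024-03-04T10:01:05 msmith VIEW P200
2024-03-05T11:20:33 rlee VIEW P300
"""

# Fixed "today" so the example is deterministic
NOW = datetime(2024, 3, 10)


def parse_log(text):
    """Turn the whitespace-separated log lines into (timestamp, account, action, patient)."""
    events = []
    for line in text.splitlines():
        ts, account, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), account, action, patient))
    return events


def reconcile(accounts, rosters, patient_offices, events, now, inactive_days=90):
    """Produce the three findings the post discusses.

    inactive      - the conventional report: no login in more than inactive_days
    off_roster    - hospital accounts whose owner is no longer on the office roster,
                    regardless of activity (this is what catches the brazen ex-employee)
    out_of_scope  - record access to a patient the account's office has no relationship with
    """
    last_seen = {}
    for ts, account, _, _ in events:
        last_seen[account] = max(ts, last_seen.get(account, ts))

    cutoff = now - timedelta(days=inactive_days)
    findings = {"inactive": set(), "off_roster": set(), "out_of_scope": []}

    for account, office in accounts.items():
        seen = last_seen.get(account)
        if seen is None or seen < cutoff:
            findings["inactive"].add(account)
        # An office that has never sent a roster yields an empty set, so every one
        # of its accounts is flagged until the roster feed is established.
        if account not in rosters.get(office, set()):
            findings["off_roster"].add(account)

    for ts, account, action, patient in events:
        office = accounts.get(account)  # unknown accounts get office None and are flagged
        if office not in patient_offices.get(patient, set()):
            findings["out_of_scope"].append((account, patient, ts.date().isoformat()))

    return findings


def missed_by_inactive_report(findings):
    """Terminated staff the inactivity report alone would never surface."""
    return findings["off_roster"] - findings["inactive"]


def run_example():
    return reconcile(HOSPITAL_ACCOUNTS, OFFICE_ROSTERS, PATIENT_OFFICES,
                     parse_log(EHR_LOG), NOW)


if __name__ == "__main__":
    result = run_example()
    for name, value in result.items():
        print(f"{name}: {sorted(value)}")
    print("missed by inactive-only report:", sorted(missed_by_inactive_report(result)))
```

On the constructed data, the inactivity report finds only kchan, who is still employed; msmith, who was let go and is still reading charts, appears only in the roster reconciliation, and one of those reads is to a patient the office has no relationship with. The roster feed is the piece that has to be negotiated into the access agreement; once it exists, the reconciliation itself is a trivial join that can run on every refresh.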
With all of our fancy technology, it seems we have to tighten the reins on partner access to our networks. Relying on word of mouth will no longer cut the mustard, and it’s time to automate these processes and mitigate your risk.
It’s not just your physician office access that you need to be concerned about. There's actually a lot more to consider if you truly want to make sure your network is secure when it is accessed by any third party, or even by remote employees.
You can take this quick Assessment to help you determine if your networks might be vulnerable.
Drop me an email if you want to talk about your challenges with secure remote access, or if you want to learn more about how we can help make your networks more secure.