The recent tragedy in Tucson, AZ has gripped the nation in more ways than one. There are so many different story lines unfolding out of that single tragedy – about politics, about rhetoric, about immigration, about dreams. Significantly less visceral, but important from an identity management perspective, is this avoidable but all too common story – Hospital personnel fired for accessing records of Tucson victims.
How many times have we heard stories of hospital personnel getting into trouble for accessing patient information for the wrong reasons? Broadly classified under VIP Privacy Protection, we usually hear about it when it involves a celebrity like George Clooney. But having spent some time talking to folks in the IdM and privacy protection practices at healthcare organizations, I have come to understand that it actually covers a much larger set of cases than just entertainers and politicians. For instance, it has to cover cases where people who work at the hospital have to get their own medical treatment there and want to keep it private from co-workers (this has been described as an interesting use case for having pseudonymous identities). It must also cover situations where relatives of hospital personnel need medical treatment, but don’t want their family to find out (I heard an extremely interesting, bizarrely tragic, anecdote that I won’t share here, but will tell you over a drink if interested). There are many more such use cases. A side effect of this is that when a major hospital did a review of their records, they found that there were a very high number of cases that were classified as VIP cases. This meant that these cases couldn’t be handled on an ad-hoc basis.
Now, the prevailing thought has often been that these situations can be handled by putting in strong access controls that prevent privacy violations by restricting access. But in a hospital environment, such preventive controls are anathema, since you do not want a life-and-death situation running up against a case of access denial because the policies are too tight. So, unlike the policies you encounter in financial institutions where you err on the side of being more restrictive, healthcare institutions prefer to err on the side of being more permissive, relying more on trust than security.
This is why Detective Controls take on a far greater role in such environments. The ability to analyze behavior to raise alerts and initiate audit investigations takes on added importance. You can add in additional factors of authentication and notification that not only verify the identity of the individual, but also let them know that what they are doing is being scrutinized more diligently. This can both increase trust in the transactions taking place and also deter folks who may be nosing around in places they shouldn’t be. You also need an analytical system behind the scenes that is intelligent enough to handle “break the glass” situations while also being adaptable enough to be fine-tuned and evolve over time – reducing the number of false positives, thereby avoiding the “ignore the fire alarm” mentality that can set in.
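The detective approach described above, as an added example that is not from the original post or from any product it mentions: access is never blocked, but every access to a flagged record is classified after the fact. The record ids, user names, roles, care-team table and `tuned_roles` parameter are all hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str
    role: str
    patient: str
    break_glass: bool = False

# Constructed sample data (hypothetical ids, not from any real system).
PROTECTED = {"P-100", "P-200"}   # records flagged VIP / employee / relative
CARE_TEAM = {("dr_a", "P-100"), ("nurse_b", "P-100"), ("dr_c", "P-200")}
LOG = [
    Access("dr_a", "physician", "P-100"),
    Access("nurse_b", "nurse", "P-100"),
    Access("dr_e", "physician", "P-100", break_glass=True),
    Access("clerk_d", "registration", "P-100"),
    Access("clerk_d", "registration", "P-200"),
    Access("coder_f", "billing", "P-200"),
    Access("nurse_b", "nurse", "P-300"),
]

def classify(event, tuned_roles=frozenset()):
    """Return 'ok', 'review' or 'alert'. The access itself is never blocked."""
    if event.patient not in PROTECTED:
        return "ok"
    if (event.user, event.patient) in CARE_TEAM:
        return "ok"
    if event.break_glass:
        return "review"   # emergency override: allowed, audited afterwards
    if event.role in tuned_roles:
        return "review"   # tuning: role with routine need, downgraded from alert
    return "alert"

def triage(log, tuned_roles=frozenset()):
    """Group non-ok events by verdict and count alerts per user."""
    verdicts = {"review": [], "alert": []}
    for event in log:
        verdict = classify(event, tuned_roles)
        if verdict != "ok":
            verdicts[verdict].append(event)
    repeat = Counter(e.user for e in verdicts["alert"])
    return verdicts, repeat

if __name__ == "__main__":
    verdicts, repeat = triage(LOG, tuned_roles={"billing"})
    for e in verdicts["alert"]:
        print("ALERT ", e.user, e.patient, f"({repeat[e.user]} alerts for user)")
    for e in verdicts["review"]:
        print("REVIEW", e.user, e.patient)
```

Running `triage` with and without `tuned_roles` shows the tuning effect: the billing access moves from the alert queue to the review queue, while the repeated unexplained accesses by one user stay as alerts.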
There are a few solutions trying to address this challenge, including our own Oracle Security Governor for Healthcare. The best practice is a good blend of both preventive and detective controls, one that has been tuned to fit the operational, regulatory and security needs of your organization. And that is a good lesson no matter which industry you are in.