Tips for Role-Based Access Control
Expert Outlines How to Overcome Implementation Challenges

Role-based access control management, which limits the access that users have to data based on their job responsibilities, can be important in efforts to prevent data breaches and safeguard patient privacy.
In an interview with Information Security Media Group, Paidhrin offers insights based on the successful implementation of an access control initiative at PeaceHealth, a healthcare delivery system serving the Pacific Northwest.
"Most role-based access control projects fail due to lack of laying the groundwork," he says. "Each organization needs to evaluate whether they're ready for role-based access. A lot of work goes into effective role-based access management, and a lot more needs to go into the analysis process ... before management can be effective."
Essential Elements
Another important consideration for implementing role-based access control, Paidhrin says, is that "executive buy-in, and crucial championship of process improvement, is essential. It is an axiom of IT that many projects fail. A role-based access management initiative requires careful business case justification before scoping and planning."
But even before healthcare organizations decide whether to implement role-based access control, it's important for them to recognize that identity and access management "doesn't have an easy or inexpensive fix," he says.
"Many identity access management governance solutions have their limitations," he adds. "Many require Web-based or [Microsoft] Active Directory credential stores, and they don't play well with pre-Web and legacy applications."
Collaboration is also critical in role-based access control projects, Paidhrin says. "Bring together the application and data owners with your human resources, privacy, information security and provisioning teams. Find ways to simplify every phase and step, minimize hand-offs, delegate authority for standard changes and set boundaries and expectations for the process. Process owner buy-in will smooth the way for remarkable improvements - even if the improvements are incremental at first."
Paidhrin also suggests using log analysis tools. "Accountability comes from everyone knowing that there is a trail for all access to information," he says.
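The two mechanisms the article relies on, access limited by job role rather than by individual, and a trail for every access decision, are small enough to show in code. The following is an added example written for this page; it is not code from the interview or from PeaceHealth, and the role names, permissions and user assignments are constructed sample data. It keeps users bound to roles and roles bound to permissions (so a job change is a role change, not a permission audit), records every decision whether allowed or denied, and includes a review helper that answers the analysis question the interview says must come first: who can do what, and through which role.

```python
"""Minimal role-based access control with an audit trail (added example).

Assumptions: an in-memory role model and an in-memory log. A real deployment
would back both with a directory or governance system and a log pipeline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> set of (resource, action) permissions. Constructed sample roles.
ROLE_PERMISSIONS = {
    "nurse": {("patient_record", "read"), ("patient_record", "update_vitals")},
    "billing_clerk": {("patient_record", "read_billing"), ("invoice", "create")},
    "records_admin": {("patient_record", "read"), ("patient_record", "export")},
}

# User -> roles. Users hold roles, never permissions directly, so a change in
# job responsibility is one role change rather than a per-permission cleanup.
USER_ROLES = {
    "alice": {"nurse"},
    "bob": {"billing_clerk"},
    "carol": {"nurse", "records_admin"},
}


@dataclass
class AuditEvent:
    """One line of the access trail: who asked for what, and what was decided."""
    timestamp: str
    user: str
    resource: str
    action: str
    decision: str        # "ALLOW" or "DENY"
    roles: tuple         # roles the user held at decision time


class AccessControl:
    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit_log: list[AuditEvent] = []

    def permissions_for(self, user):
        """Union of the permissions granted by every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def check(self, user, resource, action):
        """Decide the request and append it to the trail, allowed or not.
        Unknown users hold no roles and are therefore denied."""
        allowed = (resource, action) in self.permissions_for(user)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user,
            resource=resource,
            action=action,
            decision="ALLOW" if allowed else "DENY",
            roles=tuple(sorted(self.user_roles.get(user, set()))),
        ))
        return allowed

    def who_can(self, resource, action):
        """Access-review helper: every user able to perform the action,
        mapped to the roles that grant it. Useful for the up-front analysis."""
        result = {}
        for user, roles in self.user_roles.items():
            granting = sorted(
                r for r in roles
                if (resource, action) in self.role_permissions.get(r, set())
            )
            if granting:
                result[user] = granting
        return result

    def denied_events(self):
        """Denied requests are the first thing a log review looks at."""
        return [e for e in self.audit_log if e.decision == "DENY"]


if __name__ == "__main__":
    ac = AccessControl(ROLE_PERMISSIONS, USER_ROLES)
    ac.check("alice", "patient_record", "read")     # nurse: allowed
    ac.check("alice", "patient_record", "export")   # nurse: denied
    ac.check("dave", "patient_record", "read")      # unknown user: denied
    for event in ac.audit_log:
        print(event)
    print("can export:", ac.who_can("patient_record", "export"))
```

Two design points worth noting: the denial is logged with the same detail as the allow, because the trail the interview describes is only a deterrent if it records attempts and not just successes; and `who_can` reads the model rather than the log, so the access review happens before any data is touched.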
In the interview, Paidhrin also discusses:
- How his organization determines users' access to various data based on their role;
- The challenges involved with role-based access controls when an organization merges with or acquires another entity, as PeaceHealth has experienced;
- Other industry best practices, guidance and technologies that can help in the implementation of role-based access control management.
Paidhrin is the security administration manager in the information security technology division of PeaceHealth, a healthcare delivery system in the Pacific Northwest where he has worked for more than a decade. Earlier, Paidhrin worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.