
There’s a reason user access and authentication practices are a hot topic in healthcare right now. The tech concept, which has to do with proper management and provisioning (read: granting access to various electronic systems) of user accounts, plays a significant role in many of the attacks and breaches affecting healthcare facilities today: Over 40 percent of vulnerabilities listed in a 2018 MedCrypt report came as a result of authentication-related mistakes, oversights, and problems, for one example.
Of course, nobody in a field bound by strict privacy regulations like HIPAA needs to be told how serious this concern is. Even so, learning how to recognize and thwart potential authentication-based problems is critical — a concern that only becomes more serious as the organization brings on more locums, considering their need to access sensitive data during their time with your facility.
To be clear, this is not to say your short-term staff has malicious intentions for your digital solutions or that they will behave in a digitally insecure manner. Instead, it means that every new account your facility provisions has the potential to introduce new risk unless it is managed properly. Keeping that in mind, here are five tips every organization can follow:
1. Deactivate User Accounts the Moment They’re Not Needed
Accounts should only have access to systems as long as their users need them. The moment they move on, the account should be deprovisioned, suspended, or duly handled in a way that removes its ability to access EHR systems and other solutions holding sensitive data. Anything less, and your facility risks housing a number of so-called “ghost accounts,” or accounts that have full access to systems despite nobody using them for a prolonged stretch of time.
What does this tip have to do with locum tenens? In short, the more temporary accounts you create, the easier it is to forget one every now and then. This, along with inactive accounts from permanent employees who have moved on, gives digital attackers numerous inroads to explore when they go sniffing around your systems: Gaining access to a single system might grant them insight into patient PII, for instance, or give them the information they need to reach more privileged (think administrative-level) accounts.
2. Remind Locums to Use Fresh Passwords
Working in healthcare tends to require users to juggle lots of usernames and passwords, and the people juggling them tend to revert to words and phrases they remember. That, plus the startling fact that corporate/industrial espionage is alive and well in healthcare, leads to a reminder you must give every employee, temporary or permanent: Use an entirely new password at each facility, not a variation on a familiar pattern. Recycling the same passwords or even using a similar structure — C@t57 at one facility and D0g75 at another, for example — can subject your facility to unnecessary risk, and it only takes a quick reminder to curb the problem.
3. Automate Provisioning and Deprovisioning
This is more of an IT task than a biz-admin one, but stakeholders with the ability to direct technical staff should consider it all the same. Several software solutions allow organizations to automatically provision (again: allow access to various systems) based on a user's group classification, then deprovision (read: remove access) based on factors like time. Your facility could create a “locums” subcategory with access to EHR, timeclock, and other relevant systems, for instance, then set each account to go inactive on the date a given locum’s contract runs out. This approach reduces the chance of human error and limits the effects of “ghost accounts” and other authentication problems. Leaders in the field include companies like Okta, and many popular platforms like Microsoft’s Azure include the capability as a standard feature.
4. Consider New Authentication Factors
Usernames and passwords are the front line of defense against malicious false logins, but has your organization ever seriously considered biometric measures like thumbprint scans for access to computers and other resources? What about two-factor authentication, a practice by which a temporary login code is sent to the user’s registered cell phone number when they access sensitive systems? An extra layer of security via measures like these can further ensure account holders are the only ones accessing sensitive systems — a big benefit when bringing on short-term help or permanent staff.
5. Perform Regular Audits
Another IT-only tip that can be mandated by non-technical stakeholders: Any field that engages in an unusual amount of account creation/provisioning/deprovisioning should also commit to regular access and activity audits. If you employ some manner of authentication software, simply reviewing account activity and the number of inactive/hibernating accounts on a regular basis can reduce risk. While this is a critical practice in any office, it becomes especially important in workplaces where temporary workers may only need access to systems for days, weeks, or months at a time — so tie a string around your finger and remind IT to look things over every now and then.
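As an added illustration of tips 1, 3 and 5 (this is example code written for this page, not code from the article or from any vendor named in it), the Python below runs the kind of periodic review those tips describe over a constructed account export: it flags locum accounts whose contract end date has passed and any enabled account idle beyond a threshold, then disables what it flagged. The field names, group names, and the 30-day and 14-day idle limits are assumptions.

```python
from datetime import date

# Constructed sample export of user accounts (not real data). Each row mirrors
# the fields an identity platform or EHR admin console would typically export.
ACCOUNTS = [
    {"user": "locum.a", "group": "locums", "contract_end": date(2024, 5, 31),
     "last_login": date(2024, 4, 29), "active": True},      # current locum, in use
    {"user": "locum.b", "group": "locums", "contract_end": date(2024, 3, 15),
     "last_login": date(2024, 3, 14), "active": True},      # contract over, still enabled
    {"user": "nurse.c", "group": "staff", "contract_end": None,
     "last_login": date(2024, 1, 2), "active": True},       # permanent, long idle
    {"user": "admin.d", "group": "admins", "contract_end": None,
     "last_login": None, "active": True},                   # privileged, never used
    {"user": "locum.e", "group": "locums", "contract_end": date(2024, 2, 1),
     "last_login": date(2024, 1, 30), "active": False},     # already deprovisioned
]
TODAY = date(2024, 5, 1)  # assumed date of the audit run

def review_accounts(accounts, today, inactive_days=30, admin_inactive_days=14):
    """Return (user, reason) pairs for enabled accounts that should be
    deprovisioned or reviewed: locum accounts past their contract end, and
    any account idle longer than its threshold (the "ghost accounts")."""
    findings = []
    for a in accounts:
        if not a["active"]:
            continue  # already disabled; nothing to do
        end = a["contract_end"]
        if a["group"] == "locums" and end is not None and today > end:
            findings.append((a["user"], f"locum contract ended {end.isoformat()}"))
            continue
        # Privileged accounts get a shorter idle window before they are flagged
        limit = admin_inactive_days if a["group"] == "admins" else inactive_days
        last = a["last_login"]
        idle = None if last is None else (today - last).days
        if idle is None:
            findings.append((a["user"], "never logged in"))
        elif idle > limit:
            findings.append((a["user"], f"inactive {idle} days (limit {limit})"))
    return findings

def deprovision(accounts, findings):
    """Disable the flagged accounts in place and return the usernames disabled.
    Against a real identity platform this would call its API instead."""
    flagged = {user for user, _ in findings}
    for a in accounts:
        if a["user"] in flagged:
            a["active"] = False
    return sorted(flagged)

if __name__ == "__main__":
    for user, why in review_accounts(ACCOUNTS, TODAY):
        print(f"{user}: {why}")
```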