Introduction
The flow of information in healthcare organizations is a crucial component of the entire information system. Access control refers to the ability of healthcare organizations to maintain the confidentiality, integrity and availability of information within their systems. The main reason for enacting access control strategies is to ensure that unauthorized persons do not access or alter the information. The types of access controls a healthcare organization employs depend largely on the threats, vulnerabilities and risks it faces. This study focuses on access control as one of the major security domains. It identifies the challenges faced in implementing access control, as well as proposed solutions to those challenges.
Access control process, challenges and solutions
The process of access control consists of four major steps: identification, authentication, authorization and accounting. Identification is the assignment of a special user ID to each individual. In most healthcare organizations, the user ID is derived from the user's name. In most cases, it combines the first letter of the user's first name with the last name. Confusion arises in organizations where more than one user has the same first initial and last name. In such cases, it is recommended that a different user identification system be employed. For instance, the employee number can be used instead. The use of generic user IDs makes it difficult to identify the user who might have accessed the data. This further calls for the use of unique user IDs.
Authentication is the second step. In this step, users are required to enter their identification details before they are permitted to enter a data or information system. This is a crucial component of the access control process. It is during this step that unauthorized users are identified and denied access to the system. User authentication is based on three primary techniques. These are the main authentication strategies currently employed in healthcare organizations.
The first is based on something that the user knows. This can be a Personal Identification Number, a pass code, a password or a phrase. In this case, the user is required to enter one of these details, as applicable, before being allowed to access the information system. If the system recognizes the user's code, it lets him or her access the system; if not, access is refused. The second technique is the use of something unique that the user possesses. This can be a smartcard, an ATM card or a token. The latest developments in technology and security systems have brought advanced methods of carrying out user authentication. Today, most healthcare organizations have set up their systems to conduct a voice scan, a fingerprint scan and, in some cases, a retina scan. So far, this has been found to be the most effective technique available.
Authorization is the list of privileges accorded to a user, defining how far he or she is allowed to go within the application or system. Primary users are restricted to viewing data only. Secondary users, on the other hand, are allowed not only to view the data but also to make changes to it. Authorization should take into account the job description of each user. There is no need to give a user the privilege of changing data when his or her job description shows that viewing the data alone is enough to perform his or her duties effectively.
The final step is accounting. This stage holds every user accountable for their actions. This is done by tracking every step the user takes in the system. In this phase, the main challenge arises in trying to set boundaries on what specific users can access in the information systems (Karimi, Alencar and Cowan, 2016). A proposed solution to this problem is the use of audit controls. These enable every user to be held accountable for what they do with their privileges of accessing the information systems.
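The identification, authorization and accounting steps described above can be put together in a few lines. This is an added example, not part of the original essay: the roster, record name and function names are constructed for illustration, the role names follow the essay's primary (view only) and secondary (view and change) users, and authentication is assumed to have already succeeded before `access` is called.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample roster: (employee_number, first_name, last_name, role)
ROSTER = [
    ("E1001", "John", "Smith", "primary"),
    ("E1002", "Jane", "Smith", "secondary"),
    ("E1003", "Maria", "Lopez", "secondary"),
]

# Role names follow the essay: primary users view only, secondary users view and change.
PERMISSIONS = {"primary": {"view"}, "secondary": {"view", "change"}}


def assign_user_ids(roster):
    """Identification: first initial + last name, employee number on a collision."""
    naive = [(first[0] + last).lower() for _, first, last, _ in roster]
    counts = Counter(naive)
    users = {}
    for (emp_no, _, _, role), uid in zip(roster, naive):
        # A shared "jsmith" would make audit entries ambiguous, so it is never issued.
        unique_id = uid if counts[uid] == 1 else emp_no.lower()
        users[unique_id] = role
    return users


def access(users, audit_log, user_id, action, record):
    """Authorization plus accounting: decide, then log the attempt either way."""
    role = users.get(user_id)  # unknown IDs have no role and are denied
    allowed = role is not None and action in PERMISSIONS[role]
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id, "action": action, "record": record,
        "allowed": allowed,
    })
    return allowed


def denied_attempts(audit_log):
    """Accounting review: attempts that fell outside the user's privileges."""
    return [(e["user_id"], e["action"], e["record"])
            for e in audit_log if not e["allowed"]]


if __name__ == "__main__":
    users, log = assign_user_ids(ROSTER), []
    access(users, log, "e1001", "change", "patient-42")
    print(users, denied_attempts(log))
```

Because denied attempts are logged as well as granted ones, the audit trail shows who tried to exceed their privileges, not only who used them.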
Authentication frameworks need to be easy to maintain and update. Frequent updates are required because of changes that follow from deficiencies identified in the algorithms. In response to this problem, experts have come up with two major frameworks. Their purpose is to allow systems and applications to implement diverse identification models. These frameworks are the Generic Security Service Application Programming Interface (GSS-API) and Pluggable Authentication Modules (PAM).
Other challenges that currently face access control in healthcare organizations are an increasingly distributed workforce, distributed applications, productive positioning and Bring Your Own Device. A solution to the first challenge is to eradicate the constraints of geographic location and provide a flexible work environment in the healthcare sector. The application of the provisions of an IAM network offers solutions to the above identified challenges. IAM allows for the consolidation, control and simple access of privileges by users.
Conclusion
The challenges affecting access control in healthcare organizations continue to multiply every day. Attackers are consistently coming up with new techniques to get around the security of information systems in order to gain unauthorized entry. System developers should be more aggressive in coming up with countermeasures. They should diversify their strategies for combating these challenges. Access control is a crucial element in the running of any healthcare organization, and it is therefore essential to get rid of any flaws that might threaten the credibility of access control techniques.
- Karimi, V. R., Alencar, P. S. C., & Cowan, D. D. (2016). A uniform approach for access control and business models with explicit rule realization. International Journal of Information Security, 15(2), 145-171. doi:http://dx.doi.org/10.1007/s10207-015-0275-z