What Is Access Control?
Access control systems regulate and restrict access to resources, systems and physical areas within an organization or computer system.
Only authorized users with the proper permissions may access controlled materials; for instance, access to a medicine dispensary might be limited to pharmacists, and only certain employees should have access to electronic medical records.
“Granting access is just a piece of the process,” says Carla Wheeler, vice president and CISO at Ochsner Health. “You need to continuously monitor for changes, verify users and remove access when it is no longer needed.”
What Are the Types of Access Control?
There are three types of access control systems health IT teams should be aware of:
1. Role-Based Access Control
For this control type, access is based on which resources are needed to perform a job. “Role-based access control can reduce administrative overhead because permissions can be assigned to roles rather than individuals,” Gyure says.
“For example, we created a third-floor nurse template,” explains Melissa Rappl, CISO at Children’s Nebraska in Omaha, Neb. “When we hire a new person for that team, we already know which systems and resources they’ll need access to, and that’s what they are assigned.”
Role-based access control is also useful for detecting suspicious activity, Rappl adds. “When we run an audit log, let’s say Bob from the 5th floor cardiac unit accessed a third-floor patient’s chart, and that’s not his role. That’s going to be a flag.”
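As an added example (not code from the article or from any of the organizations quoted), the following Python models the two points above: permissions are attached to role templates rather than individuals, so onboarding a new hire means assigning a template and offboarding removes everything at once, and an audit-log pass flags any access a user's roles do not cover. The role names, users and log lines are constructed for illustration.

```python
# Added example, not from the article: a minimal role-based access control
# (RBAC) model with role templates, plus an audit-log pass that flags any
# access a user's roles do not cover. Role names, users and log lines are
# constructed for illustration.
from typing import Dict, List, Set

# Permission strings are "<resource>:<action>", e.g. "chart:3rd_floor:read".
ROLE_TEMPLATES: Dict[str, Set[str]] = {
    "nurse_3rd_floor": {"chart:3rd_floor:read", "chart:3rd_floor:write",
                        "meds:3rd_floor:dispense"},
    "nurse_5th_floor_cardiac": {"chart:5th_floor:read", "chart:5th_floor:write"},
    "pharmacist": {"dispensary:enter", "meds:3rd_floor:dispense",
                   "meds:5th_floor:dispense"},
}


class Rbac:
    """Users get roles; roles carry permissions. Grants happen per role."""

    def __init__(self, templates: Dict[str, Set[str]]):
        self.templates = templates
        self.user_roles: Dict[str, Set[str]] = {}

    def onboard(self, user: str, role: str) -> None:
        # A new hire gets the template for their team, not a hand-built list.
        if role not in self.templates:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def offboard(self, user: str) -> None:
        # Dropping the user drops every permission at once.
        self.user_roles.pop(user, None)

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.templates[role]
        return perms

    def is_authorized(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def flag_out_of_role(self, log_lines: List[str]) -> List[str]:
        """Return audit-log lines where the user acted outside their roles.

        Log line format (constructed): "<timestamp> <user> <action> <resource>".
        """
        flagged = []
        for line in log_lines:
            _ts, user, action, resource = line.split()
            if not self.is_authorized(user, f"{resource}:{action}"):
                flagged.append(line)
        return flagged


def build_demo() -> Rbac:
    rbac = Rbac(ROLE_TEMPLATES)
    rbac.onboard("alice", "nurse_3rd_floor")
    rbac.onboard("bob", "nurse_5th_floor_cardiac")
    rbac.onboard("carol", "pharmacist")
    return rbac


# Constructed audit log: Bob (5th-floor cardiac) reads a 3rd-floor chart.
AUDIT_LOG = [
    "2024-05-01T08:00:00 alice read chart:3rd_floor",
    "2024-05-01T08:05:00 bob read chart:5th_floor",
    "2024-05-01T08:07:00 bob read chart:3rd_floor",
    "2024-05-01T08:10:00 carol dispense meds:3rd_floor",
]

if __name__ == "__main__":
    for line in build_demo().flag_out_of_role(AUDIT_LOG):
        print("FLAG:", line)
```

The audit pass compares each logged action against the same role mapping used for enforcement, so a record that should never have been reachable under the user's roles stands out as a single flagged line; in practice the flag would also fire when the access was technically permitted but unusual for the role, which is a separate detection question this example does not cover.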
2. Discretionary Access Control
In a discretionary access control system, information is shared on a need-to-know basis. This method decentralizes access control decisions because the data owner controls who has access to it.
Think of your personal OneDrive — you can share it with others or revoke access instantaneously, at your own discretion.
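As an added example (not the article's code and not how OneDrive is implemented), the following Python shows the defining property of discretionary access control: each item has an owner, and the owner alone decides who may use it and can revoke that grant immediately. Whether a grantee may re-share is a policy choice; this example assumes they may not. Users and item names are constructed.

```python
# Added example, not from the article: a small discretionary access control
# (DAC) store in which the owner of each item decides who may access it and
# can revoke that access at once. Users and item names are constructed.
from typing import Dict, Set


class DacStore:
    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}                  # item -> owner
        self.acl: Dict[str, Dict[str, Set[str]]] = {}   # item -> user -> perms

    def create(self, owner: str, item: str) -> None:
        self.owner[item] = owner
        self.acl[item] = {}

    def _require_owner(self, actor: str, item: str) -> None:
        # Discretion lies with the owner; in this example a grantee cannot re-share.
        if self.owner.get(item) != actor:
            raise PermissionError(f"{actor} does not own {item}")

    def share(self, actor: str, item: str, grantee: str, perms: Set[str]) -> None:
        self._require_owner(actor, item)
        self.acl[item].setdefault(grantee, set()).update(perms)

    def revoke(self, actor: str, item: str, grantee: str) -> None:
        # Revocation takes effect on the next check; there is no cached grant.
        self._require_owner(actor, item)
        self.acl[item].pop(grantee, None)

    def can(self, user: str, item: str, perm: str) -> bool:
        if self.owner.get(item) == user:
            return True
        return perm in self.acl.get(item, {}).get(user, set())


def demo() -> dict:
    """Walk through share, attempted re-share by a grantee, and revoke."""
    store = DacStore()
    store.create("alice", "notes.docx")
    store.share("alice", "notes.docx", "bob", {"read"})
    before = store.can("bob", "notes.docx", "read")
    try:
        store.share("bob", "notes.docx", "carol", {"read"})
        grantee_can_reshare = True
    except PermissionError:
        grantee_can_reshare = False
    store.revoke("alice", "notes.docx", "bob")
    after = store.can("bob", "notes.docx", "read")
    return {"before": before, "grantee_can_reshare": grantee_can_reshare,
            "after": after}


if __name__ == "__main__":
    print(demo())
```

The decentralization the article describes is visible in the code: no central administrator is consulted in `share`, which is convenient but also means the organization's view of who can reach what is only as accurate as its inventory of owner-made grants.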
3. Mandatory Access Control
Mandatory access control is most common in government and military settings. Access rights are organized into tiers such as “restricted,” “confidential” and “secret.” Access to the resource is determined by the user’s clearance level.
Privacy functions for children’s medical records may fall under mandatory access control. Access may be granted only to certain providers and restricted to other hospital staff.
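As an added example (not from the article), the following Python encodes the article's ordered tiers and the clearance check that goes with them, and goes one step further: each label also carries categories (such as "pediatrics"), so a children's record can be limited to providers who hold that category even if other staff have a higher tier. A subject may read an object only when its level is at least the object's level and it holds every category on the object; this is the lattice "no read up" rule of Bell-LaPadula-style systems. Labels are set by administrators, not chosen by users. Names and labels are constructed.

```python
# Added example, not from the article: mandatory access control (MAC) with
# ordered clearance tiers plus categories for need-to-know. A subject may
# read an object only if its level dominates the object's level AND it holds
# every category on the object ("no read up"). Names and labels are
# constructed.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"restricted": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal tier and a superset of the object's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    # Labels are assigned centrally; a user cannot relabel a record to
    # grant themselves access, which is what distinguishes MAC from DAC.
    return subject.dominates(obj)


# Constructed labels. The record is confidential and limited to pediatrics.
CHILD_RECORD = Label("confidential", frozenset({"pediatrics"}))
PEDIATRICIAN = Label("confidential", frozenset({"pediatrics"}))
BILLING_CLERK = Label("restricted")
SECURITY_OFFICER = Label("secret")  # high tier, but no pediatrics category

if __name__ == "__main__":
    for name, subject in [("pediatrician", PEDIATRICIAN),
                          ("billing clerk", BILLING_CLERK),
                          ("security officer", SECURITY_OFFICER)]:
        print(f"{name}: {'allowed' if can_read(subject, CHILD_RECORD) else 'denied'}")
```

The category check is what lets the record stay out of reach of hospital staff who hold a high tier for other reasons: a "secret" clearance without the pediatrics category is still denied, while a provider at the matching tier with that category is allowed.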