There is a good article over at the Vormetric Security Blog that looks at restricting employee access to patient information. They argue that not all employees need full access and unless an employee can demonstrate that access is needed to perform their job function, no access to patient data should be given.
The below paragraph from the article lays out a good case for restricting access:
The foundations of access control are the principles of need to know and least privilege. Employees should only have access to data if they have a demonstrated need. When a demonstrated need is identified, then employees should be provided with only the access necessary to perform their jobs. Finally, it is imperative that access to data is monitored. This is similar to that the way a company has multiple people review major payments to a vendor. While companies trust their employees, they should also verify that policies and processes are being followed. In each of the cases listed strong encryption with appropriate access controls would have prevented the loss of data and the subsequent fallout.
Make sure you periodically look at who has access to patient information and ensure that the appropriate access has been granted.
Leave a Reply