A healthy approach to medical data: find out how one hospital streamlined secure data access to meet medical staff needs while complying with government privacy regulations.
Faced with such situations on a regular basis, security and information technology specialists at CCHMC implemented a new program that dramatically streamlined the process for personnel to obtain access to hospital computer systems. The new process allows personnel who need access to enterprise systems such as the network, e-mail, the PACS, clinical order entry, and clinical documentation to get access to all systems at once. The system also ensures that appropriate access is granted only to authorized individuals. The success of the project can be attributed to an alliance formed between information services and protective services.
CCHMC is a 350-bed pediatric institution located in Cincinnati, Ohio. A private, nonprofit organization, the center offers primary and specialty inpatient and outpatient services as well as research and teaching programs. The CCHMC campus consists of 10 buildings and 10 satellite clinics. It is home to more than 7,000 employees and more than 700 other personnel such as contractors and vendors. CCHMC's user population is made up of physicians, residents, fellows, students, traveling nurses, and contractors, as well as a large business and research community. Given the number of entering and exiting personnel, there was an obvious challenge: the company had to ensure that systems were available when needed but prevent entry to unauthorized personnel.
In developing new access controls for the data, the hospital had these goals: centralize and streamline a uniform, secure, and easy system access process and meet HIPAA (Health Insurance Portability and Accountability Act) regulations. HIPAA regulations require development of policies and procedures that address who has access to protected health information, how access to such information is controlled, and what proactive measures are in place to prevent unauthorized access to systems containing protected health information.
As the hospital embarked on its effort to develop a system that would meet these goals and be accepted by users, it bore in mind the lessons from an earlier effort undertaken by the information systems division. In that case, a customized software program had been written to facilitate information requests. None of the potential users or other stakeholders, however, had been involved in the design of the system. The resulting request process did not fit the flow of information within the hospital. As a result, it failed to gain the support of managers. The procedure was discontinued because it was too cumbersome and frustrating for employees and division managers to carry out.
By the time the new effort got underway, a solution was urgently needed due to the impending implementation of an enterprisewide clinical order entry system and clinical documentation system. This system, called the Integrating Clinical Information System (ICIS), allows hospital employees to issue orders on patients and was replacing the older system used to issue orders. (ICIS is just one of many systems on the network.) Unlike the old clinical information system, however, ICIS requires that physicians and nurses identify themselves before inputting information. A nurse would no longer be able to issue orders after a doctor dictated them as described in the opening example. Similarly, those receiving clinical training at the hospital would need to access the system even though they would only be at CCHMC for a short time. The development of a process to support timely access to ICIS became a critical factor.
The director of application integration at the time of the project started a team that consisted of medical office staff, clinical division business directors, application owners, information services, and protective services. A member of the information services department was identified as the project manager.
The problems. The project team identified numerous challenges. These issues dealt with ease of use, process, and management support.
Use. The primary problem with the current system was that it was difficult to use both for employees and system operators. For example, personnel were assigned a different login for each system. Some physicians had to remember eight different logins. The team determined that this should be replaced by a single login system so users could access all necessary systems with one password.
Process. Another significant problem was that there was no standardized way to request access. Each program was controlled by a different department and each had a distinct form and process. Users could be added only by calling the appropriate department and asking for access to the system. Users were frequently given logins over the phone, meaning that the person requesting the access was not positively identified before being given the login.
The team decided that a formal approval process was needed. Protective services was put in charge of this aspect of the project. Once the employee was authenticated, the next question was whether he or she had a right to access the information sought. The protective services group had access to the information on the authorization status of each employee. For example, protective services could determine whether a physician had earned the credentials to write prescriptions. If not credentialed, that employee would not be given access to the prescription ordering system.
Tracking requests was also a sore spot. Forms would get lost or sent through a fax chain that slowed delivery. Similarly, such forms needed to be documented and a user agreement created to comply with HIPAA.
Support. Managers and users frequently abused the system. Requests came in as "urgent" as a matter of course, meaning that a truly urgent situation was often overlooked. Also, there was no central authority over the system. Because divisions administered access for their own systems, senior management could not track the status of the system as a whole.
The plan. During their investigation, the team found that the only common point that all personnel passed through was protective services. Almost all employees have to get a hospital ID badge from security personnel in that department. (The one exception to this rule is nursing students. They do not receive a badge because they are not employees, are not allowed to enter data, and are accompanied by a nurse instructor at all times.)
Implementing the process via protective services allowed for physical identification at the time the login was issued. Protective services personnel already functioned as gatekeepers for badging and physical access control, so controlling computer access was a good fit.
A new employee was hired to fill the role of processing requests and keeping the system running smoothly. Now, when personnel are finished registering with protective services, they have a badge and logins and are able to begin work.
The information services help desk also changed its procedures and became responsible for distributing a single user ID to each computer system's division. The application owners all agreed to use a single login and allow the user to choose a single password to be applied to all computer systems.
The divisions were asked to complete the system access request form with their new hire paperwork so that the login would be ready when new employees got their badges in protective services. New employees would then pick up their logins with their badge. Current personnel would be contacted by e-mail with the login. The default password was a combination of letters and the employee's Social Security number.
Directors, managers, information services help-desk personnel, and system owners agreed to a five-business-day turnaround for requests. In addition, an emergency number was established so that problems with logins could be solved at any time without compromising patient care.
All of the computer system owners met to develop a single system access request form. The joint effort was to ensure that each division obtained the information it needed to add a user to its system. For example, the role the employee played in the organization would determine the type of information needed. Physicians would need to provide a license number while a nurse might not.
The system access agreement became page two of the form and was distributed to existing employees as well as new hires. A system access Web page was created on the CCHMC intranet and the forms and documentation were posted. Also, to make administration of the system easier, information services set up e-mail accounts for each division so that all requests for a certain system would go in a separate account and could be accessed by any employees charged with granting access.
The directors and managers that were involved in process planning suggested that obtaining authorized signers for each division should be modeled on a similar process used for paychecks. Each division has three designated individuals who are the only ones allowed to pick up paychecks. Building on this concept, protective services issued a request that went out to each division. The division director and managers identified three people who could sign the system access request form for their division. The division director was designated as responsible for anything signed by an authorized signer. The director would be notified via e-mail of each request for that division. To facilitate this process, a spreadsheet of division-authorized signers was developed by protective services.
This new process was a major change for senior management. Processing the request in a timely manner was critical to the success of the entire program. The project team involved various division directors and managers to ensure that the process was realistic and feasible.
The new process was then communicated to several management groups to discuss the need for the process and how the process benefited them. Next, the process was explained by the project leader during the hospital's monthly managers meeting. The presentation was also given to the hospital's business directors.
After educating management, the project team conducted a pilot program with the anesthesia division. The anesthesia division was chosen because it had personnel willing and able to take on the administrative tasks associated with the test. The test went well. However, it revealed that the process took longer than the project team expected. Instead of the anticipated two- to three-day turnaround, the application process took up to five business days. Based on their experiences, the team changed their goal to a five-day turnaround.
Up and running. For new and current personnel, system access is initiated through the information services system. For new personnel, the system access request form is filled out by the division manager or administrative staff and signed by an authorized signer. The form is then faxed to protective services where it is reviewed for completion. The form is then sent as a scanned e-mail attachment to the information services help desk. The help desk generates a user ID from a computer database and creates a network account for the user, from which point network and e-mail accounts are initiated. Finally, the help desk forwards the scanned form in an e-mail with the user ID to the divisions that oversee the requested systems, such as ICIS, PACS, or the patient scheduling system Encompass.
If approved by the application owner, an account is created for the user. Each application owner adds the same user ID and password. Protective services is also sent the user ID so that personnel there can distribute the login to the new employees when they arrive to get their badges. In protective services, new personnel are given their badges, user communication forms that indicate what their login is with a list of what systems they have been granted access to, and a system access guide that describes what each system is and the guidelines for password construction.
When current personnel request additional system access, an information services system access form is printed from the intranet, along with the system access agreement. The individual fills out the form, signs the agreement, and has an authorized person from his or her division sign it. The same process described for new personnel is then followed, except that the user is contacted by each system owner to confirm their login information. The information can come via e-mail, telephone, or verbally from the division manager.
A hard copy of the request form is kept in protective services. The forms start out in a daily folder. At the end of each day, the forms are transferred to an alphabetical file that is used monthly. At the end of each month, the files are moved to an alphabetical expanding file for the year. This filing process allows for quick retrieval of forms for troubleshooting and questions. For example, if the employee has not received the requested access, he or she can call to ensure that the application was filled out correctly and that the appropriate division obtained the request.
To further streamline the process, protective services developed a checklist that its personnel must go through to ensure completion of each step necessary before employees are granted access. The checklist is completed for each new hire or new access request. For example, if a system access agreement is not signed, the individual is notified and his or her request for system access is not processed until the agreement is signed. That request form is held in protective services for 30 days. If no agreement is received within 30 days, the form is filed but not processed.
The perks. The new process has yielded several benefits. One form is used to request access for more than 15 systems. All personnel follow one process and receive one user ID and password for all systems requested. Access is granted by the start date for new personnel if the request is made within the service level agreement time frame.
Another key feature of the process is that protective services provides one-stop shopping for request, identification of new personnel, badging, signing, tracking of system access agreement, and distribution of logins.
Statistics are currently being compiled to track the success of the system. For example, protective services is keeping tabs on the number of requests, logins distributed, and agreements signed, as well as on how frequently the service level agreement of five business days is met.
A monthly statistics report details the number of new and existing personnel that are requesting system access. The statistics also document how many people are filling out the forms correctly and how many agreements are signed each month. The statistics will help the project team determine what changes need to be made to the process to better meet the needs of personnel while also maintaining an appropriately high standard of security and productivity.
Process improvements have already been realized in several ways. For example, protective services personnel now attend new employee orientation. This allows employees to submit requests directly to protective services. Having a protective services representative at orientation has also had the ancillary benefit of giving new employees a chance to raise other questions about security policies. New employees have had questions about parking, badge refunds, maps, and parking decals for their cars.
Other divisions such as the medical staff office and the HIPAA office were also able to take advantage of the process. The medical staff office is notified of the request for physician access so that credentialing and a master user file update can be completed proactively before the information is passed on to the owner of the ICIS system. This makes work easier for both the medical staff, who must update their own records, and the ICIS owner, who must enter the information before the doctor can be given access to the system. The pharmacy division also was able to collaborate with the protective services department so that employees' ID bar code badge numbers could double as the proximity card for the automated pharmacy dispensing system that requires positive identification.
At the start of the process, users were calling the help desk to ask for their logins. The help desk was referring users to protective services because an agreement had to be signed before a login was given out. There was no way for the help desk to know if an agreement had been signed by the user. The resolution was to ask protective services to note on the system access form whether an agreement had been signed. If an agreement is noted as signed, the help desk is able to give out the login.
Other lessons learned were to educate division employees on how to choose an authorized signer who would be available to sign the request form so it would not sit on someone's desk waiting for a signature. Presentations and other education programs were expanded and given to administrative staff as well as management because the information was not filtered down from the managers to their administrative employees who complete all the paperwork for new personnel.
Recently, the help desk started using an automated Web-based electronic form to generate and create IDs for new hires. The form saves time by automatically generating an ID and then sending it through e-mail to the application owners. The form lists each system on the electronic form and, when checked, it routes the e-mail to appropriate application owners. The form also adds users to network groups and automatically gives appropriate access to users. Currently, this electronic form is used only for new account requests. The help desk still has to use a manual process to look up existing IDs and send e-mails. Future enhancements to the form will include a feature to allow for researching existing accounts.
Another feature added to the process was that the human resources department was asked to send a weekly report of terminations, transfers, and name changes to all the divisions so that the system user files could be kept current and secure.
Process improvement continues for the many computer systems that can now be requested through one form. Key factors in making this system work included involving stakeholders in the planning process, communicating with employees, securing management support, and conducting a pilot program before going live. Protective services is now looking toward the future. Plans are underway to implement an electronic access form that can be filled out online and a single sign-on software with biometric technology to further secure system access.
By Ronald J. Morris, CPP, Wendy Boblitt, Marijo Rugh, Lalita Duggal, and Julia Seebohm
ILLUSTRATION BY RANDEE LADDEN
Ronald J. Morris, CPP, is director of protective services for the Cincinnati Children's Hospital Medical Center. Wendy Boblitt is lead systems analyst. Marijo Rugh is community physician liaison. Lalita Duggal is the lead help desk analyst, and Julia Seebohm is the hospital services coordinator.
Title Annotation: Access Control
Author: Morris, Ronald J.; Boblitt, Wendy; Rugh, Marijo; Duggal, Lalita; Seebohm, Julia
Date: Jul 1, 2004