While most organizations assess the risk of their vendors, partners, and suppliers at the organization level, highly regulated industries like healthcare need to be more diligent and risk-rate each individual third-party identity in order to have a comprehensive understanding of their risk exposure. By risk-rating individuals, organizations can ensure that users are not provided with too much access, that access is monitored to be in line with current responsibilities (as users may change roles over the lifetime of their relationship with the organization), and that access is terminated in a timely manner when it is no longer required.
2. Audit non-employee population access
Patients interact with third parties, also known as non-employees, throughout their healthcare experience, exposing their sensitive data to a wide variety of potential threats. Organizations should proactively, rather than reactively, evaluate and audit current access for third parties on an ongoing basis, and particularly during periods of heightened risk like a virus outbreak, geopolitical conflict, or natural disaster. An organization that centrally manages its third-party identities and assigns each a risk rating is in a powerful position to take action and make well-informed decisions that can mitigate the danger of a heightened risk climate.

Unfortunately, many health organizations will be surprised to learn how many non-employees have access to sensitive information that is not needed for the duties of their role. Auditing that access means assessing the risk presented by every non-employee individually, rather than grouping individuals from the same outside organization (like a temp agency or medical school) together and assuming they possess the same risk profile.
3. Mitigate risk through appropriate access adjustments
Once a healthcare organization has provisioned access and provided a risk rating to each individual identity, the next step is identity verification and the timely removal of all unnecessary access to internal facilities, systems, and data. For example, a person who once worked as a hospital scribe and has since transitioned into an administrative role does not need the same access they once had. As such, their access should be adjusted accordingly and not just incrementally provisioned with additional access for their new role. Additionally, organizations can create automated workflows that require high-risk third parties to confirm their need for access at more frequent intervals than lower-risk identities.