ACHDM

American College of Health Data Management

Securing access to health data: Ensuring the right role 

Establishing clear, specific roles within an organization is the first step toward maximizing information access while ensuring crucial protection of data.



This article continues a deep dive into the Five Rights of Secure Health Data. Now, we’ll focus on assuring that you have the right role — and only the right role — accessing PHI. You can read the rest of the articles in this series here.

When it comes to access, what does it mean to have “the right role?”

Here’s a simple example: Last month, my four-year-old discovered that, by taking a step stool from the laundry room into the kitchen, he can reach the top shelf of the freezer, where mom keeps the ice cream.  

Recently, I came downstairs at 5:30 a.m. to discover him and his younger brother sitting on the floor of the living room, holding two oversized spoons and a pint of mom’s special reserve. Up until this point, we had been using height as our barrier for restricting access to the Häagen-Dazs.

Essentially, we tied an attribute (height) to permissioning (access to the ice cream). In this case, to use cybersecurity lingo, my son had successfully pulled off a privilege escalation attack.  

Assuring that only the right roles have access to your assets matters for everything from ice cream to personal health information. Even outside of the regulatory implications, access to health data should be tightly controlled. In the context of secure health data exchange, strong permissioning is often the difference between an isolated breach and a catastrophe. Enter role-based access controls. 

Implementing role-based access 

Role-based access control (RBAC) is a widely recognized method used to restrict system access to only authorized users. By defining roles based on job responsibilities, healthcare organizations can ensure that employees can access only the data necessary for their role. This minimizes the risk of data breaches, exfiltration and potential misuse of patient information.  

When getting started with RBAC, organizations are tempted to jump straight into the technological deep end. But as with most things in the digital age of healthcare, it starts with a balance of people, processes and technology — with technology coming intentionally last.

Start by defining roles clearly  

Establishing clear, specific roles within the organization is the first step. Each role should be defined with a thorough understanding of what level of data access it requires. Access should be granted only according to Jerome Saltzer’s principle of least privilege: “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”

For example, a nurse will need access to the vitals of patients under their care, but not financial information, whereas a billing specialist would require the opposite. Remember, the more granular your role specifications, the more secure your RBAC. 

Overly simplistic role specifications often enable hackers to gain elevated access to data that should otherwise be restricted. After a bad actor has entered a system — commonly through social engineering or phishing attacks — the most common attack flow is to move laterally within an organization until additional weaknesses are identified that enable privilege escalation.

Ultimately, thieves will find admin-level access, and once they have it, they can deploy ransomware or similarly destructive technologies.

Recently, Nate Couture, CISO for University of Vermont Health, spoke about his experience with a cyberattack. In that case, the hackers were able to break in within 60 minutes of their malware “phoning home.”

Mounting a defense

Healthcare is a dynamic field, with staff, roles and responsibilities frequently changing. Regular audits of access rights are crucial to ensure that role definitions remain accurate and aligned with current job functions. This proactive approach helps to prevent outdated access rights from becoming a security vulnerability. 

Not doing so can lead to major breaches, like this CISA-cited attack on an unnamed US government agency.
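As an added example (not code from ACHDM or healthKERI), here is a small Python model of the least-privilege role definitions described in the previous sections: the nurse/billing split, a patient-scoped check so that a nurse reaches only the vitals of patients under their care, and the periodic audit of access rights that this section recommends, expressed as a check for users whose granted roles no longer match their current job. All role names, permissions, job titles and the staff roster are constructed for this illustration.

```python
"""Minimal least-privilege RBAC model with a role-drift audit.

Added illustration for this article; not code from ACHDM or healthKERI.
Every role, permission, job title and staff record below is constructed.
"""
from dataclasses import dataclass, field

# Permissions are (action, resource) pairs. Each role carries only what the
# job needs: the nurse never sees billing, the billing specialist never sees
# vitals, and the IT specialist sees audit logs but no clinical data.
ROLE_PERMISSIONS = {
    "nurse": {("read", "vitals"), ("write", "vitals"), ("read", "medications")},
    "physician": {("read", "vitals"), ("read", "medications"),
                  ("write", "orders"), ("read", "clinical_warehouse")},
    "billing_specialist": {("read", "billing"), ("write", "billing")},
    "it_specialist": {("read", "audit_logs")},
    "system_administrator": {("read", "clinical_warehouse"),
                             ("write", "clinical_warehouse"), ("read", "audit_logs")},
}

# Resources that are additionally scoped to the patients assigned to the user.
PATIENT_SCOPED = {"vitals", "medications", "orders"}

# Constructed mapping from an HR job title to the single role that job justifies.
EXPECTED_ROLE = {
    "Registered Nurse": "nurse",
    "Attending Physician": "physician",
    "Billing Specialist": "billing_specialist",
    "IT Support Analyst": "it_specialist",
    "Systems Administrator": "system_administrator",
}


@dataclass
class StaffMember:
    user_id: str
    job_title: str                 # what HR says the person does today
    roles: set                     # what the access system currently grants
    assigned_patients: set = field(default_factory=set)


def can_access(user, action, resource, patient_id=None):
    """True only if some role of the user grants (action, resource) and, for
    patient-scoped resources, the patient is on the user's assignment list."""
    granted = any((action, resource) in ROLE_PERMISSIONS.get(r, set())
                  for r in user.roles)
    if not granted:
        return False
    if resource in PATIENT_SCOPED:
        return patient_id is not None and patient_id in user.assigned_patients
    return True


def audit_role_drift(staff):
    """Flag every role a user holds that their current job title does not
    justify. This is the recurring access-rights audit in its simplest form;
    each finding is (user_id, unjustified_role, current_job_title)."""
    findings = []
    for member in staff:
        expected = EXPECTED_ROLE.get(member.job_title)
        for role in sorted(member.roles):
            if role != expected:
                findings.append((member.user_id, role, member.job_title))
    return findings


# Constructed roster: u003 transferred from billing to nursing but kept the
# old billing role, which is exactly the stale access an audit should catch.
STAFF = [
    StaffMember("u001", "Registered Nurse", {"nurse"}, {"p100", "p101"}),
    StaffMember("u002", "Billing Specialist", {"billing_specialist"}),
    StaffMember("u003", "Registered Nurse", {"nurse", "billing_specialist"}, {"p102"}),
    StaffMember("u004", "IT Support Analyst", {"it_specialist"}),
]

if __name__ == "__main__":
    nurse = STAFF[0]
    print(can_access(nurse, "read", "vitals", "p100"))   # True: patient under her care
    print(can_access(nurse, "read", "vitals", "p999"))   # False: not her patient
    print(can_access(nurse, "read", "billing"))          # False: not a nursing permission
    for finding in audit_role_drift(STAFF):
        print("drift:", finding)                         # ('u003', 'billing_specialist', 'Registered Nurse')
```

The patient-assignment check is the part that makes "the right role" concrete: holding the nurse role is necessary but not sufficient, the record must also belong to a patient the nurse is responsible for. The drift audit is deliberately dumb (one expected role per title) so that every extra role stands out; a real roster would add approved secondary roles to the expected set rather than loosen the comparison.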

After a proper governance structure is in place, leveraging advanced technologies like the open source KERI protocol (Key Event Receipt Infrastructure) can help manage and update access control dynamically. By issuing verifiable credentials that attest to key roles within your organization, bound to cryptographically secure identifiers, KERI enables organizations to securely provision data access to roles on the principle of least privilege.

As roles within the organization change — whether because of job shifts, promotions or department transfers — access rights can be updated in real time, reducing the risk of inappropriate data access. More importantly, when someone within your organization needs to assert their authority to act in a given role on behalf of your organization, KERI enables this to be done in a true Zero Trust fashion without federated identity. 

Case study: Protecting patient data 

Consider a scenario in which a healthcare provider implements RBAC to manage access to PHI across multiple departments. By assigning roles such as nurse, physician, administrator and IT specialist, each with specific access rights and cryptographically bound identifiers, the organization ensures that each professional accesses only the information necessary for their role. For instance, an IT specialist might have access to audit logs, while a system administrator would be granted full access to the clinical data warehouse.

This role-based access not only secures sensitive data but also enhances operational efficiency. In emergency scenarios, for example, the right data can be accessed swiftly by those who need it, without compromising security.  

Challenges and considerations 

While RBAC represents a highly effective method of securing data access, it requires ongoing maintenance and a deep understanding of organizational workflows. 

Organizations must strike a balance between security and accessibility, ensuring that roles are neither too restrictive — hindering necessary access — nor too permissive, which could lead to data leaks. Additionally, there must be a robust system in place to address exceptions, such as temporary access needs for specific projects or interdisciplinary collaborations. 
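The exception handling just mentioned can be modelled the same way. The following added Python example (not the article's or healthKERI's code; the role set, approver field and sample grants are constructed) layers time-bounded, approved exception grants over standing role permissions, so that a temporary need for a project or a cross-department collaboration never silently becomes permanent, and grants that have lapsed surface in the next access audit.

```python
"""Time-bounded exception grants layered over standing RBAC permissions.

Added illustration for this article; not code from ACHDM or healthKERI.
The roles, approvers, reasons and grants below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Standing role permissions (constructed, kept small for the example).
ROLE_PERMISSIONS = {
    "nurse": {("read", "vitals")},
    "research_analyst": {("read", "deidentified_dataset")},
}

# Policy cap: no exception may outlive this, whatever the request says.
MAX_GRANT_DAYS = 30


@dataclass(frozen=True)
class ExceptionGrant:
    user_id: str
    permission: tuple          # (action, resource)
    approved_by: str           # a named approver, never blank
    reason: str                # recorded for the audit trail
    expires_at: datetime       # timezone-aware expiry


def issue_grant(user_id, permission, approved_by, reason, now, days):
    """Create an exception that always expires. Rejecting out-of-policy
    durations and anonymous approvals here is what keeps 'temporary' honest."""
    if not approved_by:
        raise ValueError("an exception grant needs a named approver")
    if days <= 0 or days > MAX_GRANT_DAYS:
        raise ValueError(f"exception grants must expire within {MAX_GRANT_DAYS} days")
    return ExceptionGrant(user_id, permission, approved_by, reason,
                          now + timedelta(days=days))


def effective_permissions(user_roles, grants, user_id, now):
    """Standing role permissions plus any unexpired exception grants.
    Expired grants contribute nothing even if nobody has cleaned them up yet."""
    perms = set()
    for role in user_roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    for g in grants:
        if g.user_id == user_id and now < g.expires_at:
            perms.add(g.permission)
    return perms


def expired_grants(grants, now):
    """Grants past expiry that are still on the books; each one is an audit finding."""
    return [g for g in grants if now >= g.expires_at]


# Constructed sample data: a reference instant and two grants, one live, one lapsed.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
GRANTS = [
    issue_grant("u001", ("read", "deidentified_dataset"), "privacy_officer",
                "interdisciplinary research project", T0, 14),
    issue_grant("u002", ("read", "vitals"), "chief_nursing_officer",
                "covering ward during staffing shortage",
                T0 - timedelta(days=20), 7),
]

if __name__ == "__main__":
    print(effective_permissions({"nurse"}, GRANTS, "u001", T0 + timedelta(days=1)))
    print(effective_permissions({"nurse"}, GRANTS, "u001", T0 + timedelta(days=20)))
    print([g.user_id for g in expired_grants(GRANTS, T0)])   # ['u002']
```

Two design choices matter here: the expiry is enforced at evaluation time in `effective_permissions`, not only by a cleanup job, so a forgotten grant fails closed; and `expired_grants` reports leftovers separately so that the audit described earlier has a concrete list to act on.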

Another challenge is ensuring that employees understand the importance of access control and adhere to policies. Regular training and clear communication about the significance of "The Right Role" in safeguarding patient data can help foster a culture of security awareness. 

"The Right Role" is not just a technical requirement, but rather is a fundamental principle for secure health data exchange. By implementing role-based access controls, regularly updating roles, and leveraging advanced technologies, healthcare organizations can protect sensitive information while ensuring that those who need access can perform their duties efficiently. 

As the healthcare landscape continues to evolve, maintaining this balance will be crucial for sustaining trust in digital health systems. 

Jared Jeffery is a Fellow of the American College of Health Data Management and CEO of healthKERI.  
