Is Your EHR Harmful or Helpful? Reimagining Role-Based Access Control

In a cloud environment where security controls are implemented early on, the planning, communications, and budgeting for EHR deployment is critical.

By Hassan Zahwa, Kristin Porter, Brian Jones, DO

As healthcare organizations look to eliminate unnecessary errors and provide efficient and high-quality care, they often count on the usability, security, and effectiveness of their electronic health record (EHR). Because of the EHR’s potential to reduce harm and support clinicians, the technology is a key factor in establishing a high reliability organization (HRO). 

EHRs require the ability to secure sensitive patient information with access control methods, such as role-based access control (RBAC). This creates a record of user movement within an EHR, providing accountability for policy violations. EHR users accumulate permissions when they are assigned roles that require additional system access. RBAC can also restrict access based on a user's role in a healthcare setting. While tailoring user access can be beneficial, restrictions vary by organizational policy, professional scope, and information-owner consent. This can create limitations to optimizating an EHR’s full potential. 

As hospitals and health systems strive for HRO status, leaders should consider reevaluating their EHR’s RBAC model to ensure the system is properly designed to improve patient safety and enhance care quality. 

EHR RBAC Model Limitations and Opportunities 

While RBAC touts enhanced information security and reduced IT support, there are many limitations that are commonly overlooked. Identifying and addressing these limitations is crucial to optimizing EHRs’ use of the RBAC model. 

Limitations within the RBAC model stem from a variety of causes, but ultimately result in lack of integration between people, processes, and technology. These three pillars of healthcare technology implementation/organizational change are required to maximize efficiency, enhance patient safety, deliver quality care, and maintain a high-performing healthcare organization. 

As healthcare organizations continue to adopt and expand use of EHRs, they will need consistent methods to improve functionality and prevent risks. For RBAC systems, governance, change management, communications, and collaborative solutions will play a key role in improving staff experiences. 

Here are three risks to watch out for and accompanying solutions. 

Risk #1 – People: Preventing Productivity Losses 

Decreased staff productivity is a risk for using the RBAC model. Staff often require multiple role assignments to perform their job duties, and must spend time submitting access request tickets or switching roles to perform certain tasks. 

Clinicians review data from a variety of specialties (lab, radiology, etc.) to determine a diagnosis and treatment plan for patients. Frequently, these specialties have their own IT system that is not integrated with the EHR, resulting in constant switching from one application to another. This lack of “context management” creates patient safety issues (reviewing wrong patient data), decreases productivity (time lost by manually switching between applications), and staff frustration/burnout. 

To prevent disenfranchised staff, increased workload, and decreased productivity, employees must be prepared for the change in advance. 

Clear communications regarding the distinction between role assignment and job titles can reduce confusion. Clinicians and staff need to understand that their role assignment in an RBAC model does not directly reflect or define their position within the organization. 

Building a team that consists of IT, super users, physician champions, and change leadership can help bridge the gap between IT developers and end users, maximizing understanding and adoption of new staff roles. Establishing a current state assessment (CSA) can help the team quantify the change impact, identify ideal state workflows, and then optimize them within the EHR.

Change commonly brings apprehension and uncertainty but using organizational change management methodologies can deliver a new lens for how staff members view change, drive action, and successfully implement new approaches.  

Risk #2 – Processes: Preventing Compliance Misses 

RBAC governance implements policies and procedures to control access to information and resources. If the policies are designed around direct entitlements of the user, this may lead to role explosion. 

Role explosion is the most costly and complex process limitation of RBAC models, occurring in organizations with large staff, high turnover, and third-party staffing. Managing thousands of access rights across a healthcare organization requires adequate IT staffing and bandwidth. Large volumes of service tickets due to fluctuating demand can result in incorrect assignment of user roles and creation of ad-hoc roles to quickly provide user access. This creates access creep, compromising secure information and posing a legal risk to organizations. 

To resolve these issues, IT staff spend significant amounts of time and resources reassigning and redefining access roles while users often must switch roles to perform alternating tasks in a single workflow. This interrupts clinician workflows, decreases productivity, and increases the likelihood of human error. 

Establishing policies using an identity governance approach is the most beneficial way to prevent role explosion and the compliance risks that accompany it.

Identity governance defines roles based on common resource groups, which are designed for users that need access to the same resources. Each user has one link to the role, and the role has one link to each related resource. Additionally, collaboration with key stakeholders (HR, legal, C-suite, and IT Services) is imperative during implementation of an RBAC model. Collaboration will ensure alignment with organizational goals and objectives and identify the proper set of system and data access based on least privilege.

Sustainment of an RBAC model must be an agile process, where policies and role assignments are continuously reassessed and updated to prevent a massive restructure when it becomes apparent there is too much access, out-of-scope activity, role explosion or overlapping assignments. Creating an iterative process where this sustainment practice is performed at regular intervals will act as a safeguard against security breaches, access creep, and human error. 

Risk #3 – Technology: Preventing Cost Erosion

The implementation of RBAC can be expensive and difficult to manage within a large healthcare organization. The level of complexity increases with additional costs related to changing roles and policies, such as the cost of duplicate servers and other infrastructure (database, APIs, etc.). 

Changing roles or migrating users increases system security risk, unplanned downtime, and data loss. Technology investments for secure EHR access (single sign-on) and integration of IT applications for viewing (context management) will significantly yield a positive return on investment by improving productivity, patient safety, and staff satisfaction.   

Fortunately, three alternative technical safeguard solutions to RBAC’s limitations are available:

  1. Attribute-based access control (ABAC)
  2. Policy-based access control (PBAC)
  3. Access control list (ACL) 

Most EHRs are adopting the ABAC model in combination with RBAC as it offers flexibility that security administrators can define, as well as management of user access based on attributes instead of roles. Policies and rules can be defined in and specific to each attribute allowing for the creation or amendment of business policies to a higher level of complexity. The rules can be evaluated with ease, even for the resources that are yet to be defined by the system administrator.

PBAC is an effective starter for managing user access to multiple applications within an EHR. The role of the user is combined with policies to determine what level of access each user should have. For example, single-sign on access may be attached to a provider for multiple applications whereas administrative will not have single sign-on access to all applications as the policy was not combined with the administrative role. 

Finally, ACL is a good option for “low-level” data environments. For instance, it can grant access to a specific file, but cannot determine what changes an end user can make to the file. While ACL simplifies and strengthens organizationwide access, defining policies and establishing the right resources is a time-consuming process. 

As EHRs transition to cloud platforms, the security and attributes of the systems remain top priorities. RBAC has superiority of organizationwide and “all level” data security. Alternatively, ABAC provides better security and ease of access to geographically diverse workgroups – increasingly seen with telemedicine. Many healthcare organizations are using a hybrid approach, where high-level access is accomplished through RBAC and then fine-grained controls are accomplished through ABAC. 

Ensure Your EHR is Helping, Not Harming 

The main idea behind RBAC is to protect EHR data and impede users from doing something they are not supposed to do. Combining the best of RBAC, ABAC, PBAC, ACL with clear communications and governance is key. It is important for leaders to understand their EHR’s limits and integrate people, processes, and technology to ensure staff are empowered, privileged information is secure, and alerts are effective. In a cloud environment where security controls are implemented early on, the planning, communications, and budgeting for EHR deployment is critical.

Learn how we help organizations optimize their EHR

Let Us Help Guide You

Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.

Stay ahead of the curve with news, insights and updates from Guidehouse about issues relevant to your organization and its work.