How small practical changes can make a big difference
written by Brendan Pugh
Introduction
In multi-user/multi-computer environments, the application of HSE security policy can in certain circumstances be a hard ask if approached in a strictly literal manner. A classic example of ‘one size does not fit all’ is the element of policy dealing with the limited use of "generic" domain accounts (accounts used to log on to a domain that are not associated with or owned by a specific person). The challenges faced by one of our critical front-line hospital departments highlighted the need for a flexible yet risk-aware adjustment to the practical application of policy.
The Challenge
The hospital department’s personnel need to access a small shared group of computers for their routine work, and this is typically done on a first-come, first-served basis. When dealing with patients, it is a frequent requirement to access online medical resources (e.g. drugs cross-reference material). When signed in with the generic account, internet access is not possible, as dictated by security policy. The result is that team members tend to sign in with their individual domain accounts, which do allow them access to the necessary online resources. What then tends to happen is that the team member in question vacates the computer while leaving him/herself logged on. The machine will invariably be used by another team member almost instantly, and that person will, for reasons of expediency, not wish to log off and on again in their own name but rather will be inclined to simply use the open machine under the first team member's account.
The Department’s team would have made 2 distinct points in favour of addressing this problem by relaxing the controls on the generic account, as follows:
- The urgent nature of the job does not allow for frequent logging on and off of individual domain accounts. The instantaneous accessing of online data has to be viewed as being the paramount requirement.
- The re-use of colleagues’ logon sessions is recognised as not being satisfactory, as it too runs contrary to policy.
Security Matters Arising
The potential pitfalls of using a generic account for internet access centre on the identification of who accessed what and when. This would be of most significance when conducting investigations into inappropriate online behaviour. The flip side of the problem is that if a user cannot be identified then, by definition, attention remains on the team as a whole, and this could prove to be contentious in its own right.
The Solution
The Department heads undertook to assume collective responsibility for the use of the generic account. Since the computers in question would be within open sight, it was felt that the monitoring of activity on them would be straightforward. It was also pointed out that staff rostering details coupled with security cameras in the department would assist with investigations into inappropriate use.
At corporate governance level, it was agreed that reports on blocked access attempts by staff would be generated at regular intervals and that these would be evaluated by the hospital to determine if any action was required.
On the basis of commitments given, it was decided to open internet access on a group of 8 machines in the Department. This was accomplished through the creation of a dedicated domain group for these computers and the application of a new domain policy against that target group.
Conclusion
While it would hold true that the principle behind HSE security policy should always have universal application, the reality in terms of impact on key operational areas will sometimes call for a common sense intervention so as to ensure that the core objective of delivering care to patients is achieved.
In the case of the hospital department, a relatively straightforward accommodation has resulted in a small yet helpful adjustment to the staff's interaction with the I.T. systems which they need to carry out their work as effectively as possible.