The most prevalent question posed to any Epic Security Team is: “Who has access to what in Hyperspace?” Whether it be asked by the organization’s leadership or an external entity, it behooves the Security Team to be prepared for this question at all times. The Security Team should be the last line of defense as it relates to granting access in Epic. Although the Security Team should not be the primary decision-maker as to who receives access to what, the team should enforce decisions made by others. In order to determine who has access to what and then configure and assign that access, the following steps must be taken:

1. The application analysts and teams concentrate on providing the access necessary to support the validated workflows. Prior to Go-Live, application analysts meet with the stakeholders and sponsors in each area that requires Epic access to understand the workflows and system configuration needed to function effectively. This is where the role of the Security Team is so important. While the application teams are busy granting access, the Security Team should be busy restricting access.

2. Records that are delivered with the foundation system, or model system, grant more access than required by most organizations. The model system must be scrutinized for security and access by the Security Team. The reason most model records can be used without modification is that they usually “give away the store.” The security classes, roles, menus, activities, profiles, and other security-related records are developed by Epic as a “one size fits most.” Depending on the policies and procedures of the organization, what is granted in model records may not be permitted or desired for your organization.

3. The policies and procedures of the organization, along with HIPAA, HITECH, and other regulatory mandates involving security and privacy, must be considered by the Security Team. Outside of being intimately familiar with HIPAA, HITECH and other regulatory mandates, the first thing the Security Team should concentrate on is understanding the policies and procedures of the organization. Armed with this knowledge, the Security Team can then review the validated workflows with a keen awareness of what the organization allows and what it does not. The Security Team can then address any “breaches” of policy or procedure early in the build stage. As the build matures and User Templates are being created, a methodology of build and review should be agreed upon by the application and security teams. The methodology should center around restricting access, not granting access.

4. There are many methodologies one can employ, but when deciding on a methodology to restrict access, the most important consideration is making sure the end result can be easily quantified and reported. The Security Team must determine a methodology to employ in order to restrict access appropriately. When audits occur, the Security Team should have a comprehensive way to report on who has access to what. This is not as easily achievable as one may think.