January 20, 2006

Database Administrator Security

The Healthcare IT Guy gives some good food for thought when looking at your database administrator and the security of your database. Database administrators often have access to all of the medical information simply by looking directly at the database, bypassing whatever access controls the EMR application itself enforces. This access often goes unaudited and unmanaged. As part of any HIPAA policy this issue should be addressed and documented. The best way I know how to do this is through implementing a strict policy with stiff penalties if it is ever breached. I think it would be hard to prove that they breached it, but at least it can insulate you from the “HIPAA police”. I’ll continue my research on the subject and post what I find here. Unfortunately, I expect that much of it will be database vendor-specific.

More importantly, you should seriously consider who you’re hiring as your database administrator. They really have the power to do all sorts of harm if they want to.

    4 responses to "Database Administrator Security"

    1. Jane Davis commented on June 17th, 2011:

      We are a Free Clinic serving uninsured adults in our community. We are using Freedom MD for our EMR. At this point, there is some discussion about WHO should be the Administrator of the system. Originally, it was set up with ALL USERS signing in with the admin username and PW. We decided that wasn’t a good idea because of HIPAA violations and for the wellbeing of the system. This clinic is run by all volunteers. We have a couple who are pretty much computer savvy and they have been taking care of our problems that come up. They feel like they should be the only ones to have the Admin username and PW (which have been changed) and then the rest of us are assigned our own sign-in and levels of access according to our job description. Is that the way we should be set up? Please let me know so I can settle this discussion once and for all!
      Thanks.
      Jane

    2. John commented on June 17th, 2011:

      Jane,
      Depends on which admin username and password you’re talking about. Is it the admin user for the software, for your computer, for the server, etc?

      If it’s the EHR software itself, HIPAA’s quite clear that each user should have their own unique login and should only have rights to access the pieces of the EHR that they need to be able to access to do their job.

      Regardless of which system you’re talking about, it’s really bad IT strategy to have 1 admin user with a shared password that everyone knows. There’s no accountability then and you could be in serious trouble. Instead, each admin should have their own username and password with admin rights where appropriate.

      I think the key question is does the person that has admin rights need the admin rights to perform their job duty.

    3. Jane Davis commented on June 18th, 2011:

      Thanks, John, for your response. Our IT man takes care of the computer access and the server as well as the EMR program. I believe he is trying to set it up the way you have recommended. There is some resistance from some of the folks feeling like he has too much control. Can you help allay that fear?
      Thanks.
      Jane

    4. John commented on June 18th, 2011:

      Jane Davis,
      I’d suggest that the best thing you can do to help with that fear is to have an outside person “audit” the login and security controls that your IT man implements. Every IT person hates to have someone look over their work, but there’s no better way to get your IT person motivated to do things right.
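The post and the exchange above point at two gaps a reviewer can actually look for in a database audit log: privileged accounts reading PHI tables directly, outside the EMR application's own access controls, and a shared admin login that appears from several workstations and so cannot be tied to one person. The script below is an added example, not code from the original post, from The Healthcare IT Guy, or from any EMR vendor. The log line format, the host and account names (`emr_app`, `admin`, `dba_pat`), the PHI table names and the sample log itself are all constructed assumptions; real audit logs (pgaudit, SQL Server Audit, Oracle Unified Audit and so on) are vendor-specific and need their own parser, which is exactly the problem the post anticipates.

```python
"""Triage a constructed database audit log for two of the gaps discussed above.

The log format, host names, account names and PHI table names are
assumptions made for this example; real audit logs are vendor-specific
and need their own parser.
"""
import re
from collections import defaultdict

# Constructed sample log: a few days of direct-to-database activity at a small clinic.
SAMPLE_LOG = """\
2011-06-17T08:02:11Z host=app-srv user=emr_app db=emr stmt="SELECT mrn, dob FROM patients WHERE mrn = '4471'"
2011-06-17T08:05:40Z host=ws-03 user=admin db=emr stmt="SELECT * FROM patients"
2011-06-17T08:06:02Z host=ws-07 user=admin db=emr stmt="SELECT count(*) FROM encounters"
2011-06-17T09:15:23Z host=ws-01 user=dba_pat db=emr stmt="UPDATE encounters SET note = 'x' WHERE id = 9"
2011-06-17T09:20:00Z host=ws-01 user=dba_pat db=emr stmt="SELECT now()"
2011-06-18T07:59:59Z host=app-srv user=emr_app db=emr stmt="INSERT INTO audit_app (uid, action) VALUES (12, 'view')"
2011-06-18T10:31:45Z host=ws-03 user=admin db=emr stmt="SELECT name FROM pg_tables"
"""

# Tables that hold protected health information (assumed schema).
PHI_TABLES = {"patients", "encounters", "medications"}
# The only account that is supposed to touch PHI, on behalf of the EMR application,
# which enforces per-user access rights itself (assumed account name).
APP_ACCOUNT = "emr_app"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt="(?P<stmt>.*)"$'
)
# Table names that follow FROM / JOIN / UPDATE / INTO in a statement.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_log(text):
    """Turn raw audit text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def tables_touched(stmt):
    """Lower-cased set of table names a statement references (crude, but enough for triage)."""
    return {t.lower() for t in TABLE_RE.findall(stmt)}


def shared_accounts(events):
    """Accounts seen from more than one host: a login several people share has no accountability."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) > 1}


def direct_phi_access(events):
    """Statements that touch PHI tables from any account other than the application account.

    These bypass the EMR's per-user access controls, so each one should be
    matched against a documented support case or change ticket.
    """
    hits = []
    for e in events:
        if e["user"] == APP_ACCOUNT:
            continue
        touched = tables_touched(e["stmt"]) & PHI_TABLES
        if touched:
            hits.append((e["ts"], e["user"], e["host"], sorted(touched)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hosts in shared_accounts(evs).items():
        print(f"shared account {user!r} used from {hosts}")
    for ts, user, host, tabs in direct_phi_access(evs):
        print(f"{ts} {user}@{host} touched PHI tables {tabs}")
```

On the constructed sample the script reports `admin` as a shared account (seen from two workstations) and three direct reads or writes of PHI tables by `admin` and `dba_pat`. Neither finding is a violation by itself; what the outside auditor John recommends needs is the list, plus a reason on file for each entry. The table-name regex is deliberately simple and will miss schema-qualified or quoted identifiers, so treat it as a starting point for triage rather than a complete SQL parser.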
