[Transcript] Episode 520: The Risk No One Talks [Enough] About: Shared Admin Accounts and Role-Based Access
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 520: The Risk No One Talks [Enough] About: Shared Admin Accounts and Role-Based Access.
Liath Dalton
Indeed. We know it can come up from time to time, but it doesn’t come up as often as it should, because this is something that can actually be really impactful, both in terms of HIPAA compliance, or lack thereof, as well as creating some logistical and practical, just operational consequences that are preferable to avoid.
Liath Dalton
And so we’re going to be looking at how you can make some small changes that have a major impact in terms of being in compliance with the applicable HIPAA standards, while also managing your operational needs.
Liath Dalton
So essentially, this is a common setup,
Evan Dumas
Yep.
Liath Dalton
like system setup, login credential practice that we see frequently that puts client info at risk without folks even realizing it. So Evan, what is this problem that comes up, and why?
Evan Dumas
Yeah, yeah. So the simple term for it is password sharing, but the common problem is there’s one sort of main account that is maybe an entry point for clients reaching out, or something called like admin, or intake, or contact, @ your practice name. And for ease of use for the practice, everyone has access to it. So everyone, you know, shares a password. You don’t have two-factor turned on because you wouldn’t be able to, and so everyone’s got this password for this one account. People all check it, people all look at it, and it’s like you’re all sharing keys for the same mailbox. But the, the analogy breaks down, because this is, there’s a lot of PHI there. There’s a lot of shared access, and this creates a lot of problems.
Liath Dalton
Exactly. And in terms of the risks that it creates, it actually creates an issue with multiple HIPAA standards, which are that if you are sharing login credentials, then there is no audit trail or accountability. That it is necessary, in order for there to be a meaningful audit trail, that login credentials be unique and individual, right?
Liath Dalton
So no password sharing, no account sharing. It also creates the problem of being unable to control access when roles change, and it’s not uncommon for roles to change within a practice, you know: someone takes on more responsibility, and therefore needs a higher level of access, or, you know, someone departs the practice as well.
Liath Dalton
So it really creates a risk of unauthorized access, both internal and external. And for the external access, not being able to have two-factor authentication enabled is one of the biggest weak points there.
Liath Dalton
So in terms of each of the HIPAA standards that are at play here, we have the Access Control Standard, the Audit Control Standard, and the Minimum Necessary Standard, and then it also honestly causes logistical non-HIPAA problems.
Liath Dalton
And this is something Evan and I see on a frequent basis, just in terms of how practices and their team members are interacting with PCT. Because if admin staff only use the [email protected] email address, for example, and don’t have their own unique email address, then they can’t have a unique user account in our system. So if there are multiple admins sharing the admin account, you can’t easily set up a unique user account for each individual, which makes assigning trainings and tracking progress and completion a pain.
Liath Dalton
Of course, we do have a workaround for that, but we would rather this issue not exist in the first place on the logistical level, because we know when it exists on this logistics level that it also has pretty significant HIPAA implications as well.
Evan Dumas
Yeah.
Liath Dalton
So, why is it so common, though? Um, because this isn’t like people are trying to create hassles for themselves. There are absolutely reasonable causes for why this might have come to be at the outset.
Liath Dalton
So of course, there’s the like perceived convenience or workaround for platform limitations. In terms of the perceived convenience, I think this is actually one of the biggest reasons that we see in our present practice context, and that’s, “Well, we need a generic contact address for our practice, for admin@, or intake@, billing@, etc., and every time the team member that fills that role changes, we don’t want to have to be changing the email address and changing all the places that it exists,” right?
Evan Dumas
Mhm.
Liath Dalton
So there is a very reasonable case to be made for why there needs to be that standard contact address and why you might need multiples of those for multiple sort of role tiers within your practice.
Liath Dalton
But the good news is there are some sort of technical measures that can be put in place that provide for that while also providing for unique individual login credentials for everyone who’s accessing that email address and able to manage it.
Liath Dalton
So we’re going to get into the practicalities of how to set that up and what that looks like in our next episode. But for now, we want to focus a little bit more on the why and the what of role-based access control. So Evan, what are some other causes for why this credential sharing, particularly for admin accounts, is so common?
Evan Dumas
It’s cheap. So if you’ve got a bunch of admins, maybe they’re your first admins, and you say, what, another $7 to $18 per user per month, that’s too much money, I would rather drink more lattes or, you know, actually pay rent these days. But,
Liath Dalton
Yeah.
Evan Dumas
you just want to, you want to save money. So you’re like, how can I do that? I can share accounts with multiple people. I can have people share logins, and that, that’s one way that people do it.
Liath Dalton
Yes, and there are some platforms, not the platforms that are most typically used in a mental health practice these days, if you are using platforms that are either designed for, or designed with compatibility for, this use application in mind. But there may be some platforms where, you know, you’d really have to upgrade to a higher tier, or it’s an outdated system where their default is just one login.
Evan Dumas
Mhm.
Liath Dalton
And then there’s also the sort of trust bias I will say, of you know, it’s just us, we’re a small practice, everyone understands the importance of privacy and security, so we trust each other, and it’s okay. And while that may be true for a period of time, we know that that still, though, does not meet the HIPAA standards.
Liath Dalton
And the reason the HIPAA standards exist is because we cannot purely rely on behavioral measures, because those are, in reality, the most prone to fail, right?
Evan Dumas
Mhm. Yeah.
Liath Dalton
So let’s take a little step back from what the risks are and why it’s common to looking at exactly what role-based access is and what the applicable HIPAA standards are.
Evan Dumas
Yeah.
Liath Dalton
So how would you define role-based access control Evan?
Evan Dumas
Yeah, role-based access control is, it’s kind of right there on the tin: depending on what your job role is in your business, admin, clinician, owner, security, compliance officer, whatever, you get to have access and control for only what your job needs, only what your duties are. They’re not shared across roles. And so in this way, you can say, oh, this type of person gets this, this type of person gets this, and you have that control per role.
Liath Dalton
Exactly. And so the HIPAA Access Control Standard itself requires that HIPAA covered entities implement technical policies so that electronic information systems that maintain Protected Health Info, client info, allow access only to those persons or programs that have been granted access rights. And this includes the requirement that each user must have their own login to ensure auditability.
Liath Dalton
That authorization to access info is only granted based on what is an appropriate level of access for that user’s role.
Evan Dumas
Yeah.
Liath Dalton
And again, this provides for being able to have audit controls. If you don’t have unique logins, then you can’t effectively track who accessed what and when. And then paired with this, there’s the Minimum Necessary Standard as well, which applies across all HIPAA handling of client info, which also, and this is a little bit of a misnomer, applies to internal access.
Liath Dalton
I think a lot of times when we see the minimum necessary standard applied, that’s intentionally done when it comes to any external access, but it applies to internal access.
Evan Dumas
Totally, totally.
Liath Dalton
And it’s, in fact, oftentimes even more important internally, I will say, in terms of the day-to-day practice operations, because there’s so much more internal access going on than external access, typically. And external access is something that everyone, even without having full training and being really onboarded to all of the security policies and procedures of your practice, has a like innate sense about managing and keeping to a minimum necessary. That same sort of security spidey sense doesn’t seem to typically apply by default as much when it comes to internal access, right?
Evan Dumas
Yeah, yeah. No, not as much, yeah.
Liath Dalton
So put all together, these different standards mean: no shared logins, no open access to all client info by default.
Evan Dumas
No, no.
Liath Dalton
And again, the benefits of this are that it prevents unnecessary exposure of client info, supports accountability, again, you can trace actions to specific users, and then this is a big one as well, it simplifies your onboarding and offboarding process.
Liath Dalton
You can just assign or remove the appropriate role or the individual login credentials. You aren’t relying on changing a password for the shared login that multiple people are using, risking some people losing access for a period of time, or that you overlook the system and a departing or terminated team member has retained access and the ability to, you know, still view or even disclose client info once they no longer should be doing so.
Evan Dumas
Yeah, totally.
Liath Dalton
So now that we’ve explained all of the why and the what, we are going to tackle all of the practical steps for how to avoid shared admin accounts and manage role-based access in our next episode, both from the HIPAA and logistical lens. So please stay tuned for that episode.
Liath Dalton
Thanks for joining us, we hope you found this helpful.
Evan Dumas
Yeah, talk to you next week.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
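The role-based model the hosts describe (every person has their own login, a role grants only what the job needs, each access is attributable to an individual, and offboarding is a role removal rather than a shared-password rotation) as an added Python sketch. This code is not from the podcast or from Person Centered Tech; the role names, permission names, user names and the "intake" shared-login scenario are constructed for illustration.

```python
"""Role-based access control with a per-user audit trail (added illustration)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role definitions. Each role carries only the permissions its
# duties need (minimum necessary); nothing is granted to everyone by default.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "owner": {"read_all_records", "write_notes", "manage_billing",
              "manage_users", "read_intake_inbox"},
    "clinician": {"read_own_caseload", "write_notes"},
    "admin": {"read_intake_inbox", "schedule_appointments", "manage_billing"},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str        # the individual login that acted
    action: str
    allowed: bool


@dataclass
class AccessControl:
    roles: dict[str, set[str]]
    assignments: dict[str, set[str]] = field(default_factory=dict)  # user -> roles
    audit_log: list[AuditEvent] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        """Onboarding or a role change: grant a role to an individual login."""
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke_user(self, user: str) -> None:
        """Offboarding: drop every role for this login; no shared password to rotate."""
        self.assignments.pop(user, None)

    def permissions_for(self, user: str) -> set[str]:
        """Union of the permissions of all roles held by this user."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def check(self, user: str, action: str) -> bool:
        """Decide whether the action is allowed and record the decision either way."""
        allowed = action in self.permissions_for(user)
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc), user, action, allowed))
        return allowed

    def who_did(self, action: str) -> set[str]:
        """Audit query: which logins successfully performed this action."""
        return {e.user for e in self.audit_log if e.action == action and e.allowed}


def individual_logins_demo() -> tuple[set[str], bool, bool]:
    """Two admins and a clinician, each with their own login (constructed users)."""
    ac = AccessControl(roles=ROLE_PERMISSIONS)
    ac.assign_role("alice", "admin")
    ac.assign_role("bob", "admin")
    ac.assign_role("carol", "clinician")
    ac.check("alice", "read_intake_inbox")
    ac.check("bob", "read_intake_inbox")
    clinician_denied = ac.check("carol", "read_intake_inbox")   # not in clinician role
    ac.revoke_user("bob")                                        # Bob leaves the practice
    after_offboarding = ac.check("bob", "read_intake_inbox")     # denied from now on
    return ac.who_did("read_intake_inbox"), clinician_denied, after_offboarding


def shared_login_demo() -> set[str]:
    """Same two people, but both use one shared 'intake' login: the trail can
    only say 'intake' acted, so accountability for either person is lost."""
    ac = AccessControl(roles=ROLE_PERMISSIONS)
    ac.assign_role("intake", "admin")
    ac.check("intake", "read_intake_inbox")  # actually Alice
    ac.check("intake", "read_intake_inbox")  # actually Bob
    return ac.who_did("read_intake_inbox")


if __name__ == "__main__":
    print("individual logins:", individual_logins_demo())
    print("shared login:", shared_login_demo())
```

Running it shows the contrast the hosts draw: with individual logins the audit query names Alice and Bob, the clinician is refused the intake inbox, and Bob's access ends the moment his roles are revoked; with the shared login the same two reads collapse into a single "intake" entry that cannot be traced to a person.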
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we explain why shared admin accounts are a security concern under HIPAA and what you can do about it.
We discuss:
- Why shared accounts are a no-no, and why it’s such a common practice
- The HIPAA standards that are impacted by this practice
- The internal and external risks of sharing admin accounts
- The why and what of role-based access control
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Free CE course for group practice leaders: Introduction to HIPAA Security for Group Practice Leaders (1 legal-ethical CE credit hour)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners