Privacy Officer's Roundtable

Access Termination Procedures

  • 1.  Access Termination Procedures

    Posted 02-03-2020 06:41 AM
I'm interested in learning best practices for access termination. Who submits the request? How is termination verified? Do you use a checklist? Portal? If staff has access to systems that are not controlled through Active Directory credentials, how do you keep track of that and who is responsible for terminating that access / ensuring it was accomplished? And what does that process look like? How often do you audit the process? Anything I may have missed such as creep prevention? Thank you in advance.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Access Termination Procedures

    Posted 02-03-2020 07:30 AM
    All right folks...Brenda has asked some good questions...I've listed them below for a bit easier reference.  Looking forward to what people have to share.

    1. Who submits the request? How is termination verified?
    2. Do you use a checklist? Portal?
3. If staff has access to systems that are not controlled through Active Directory credentials, how do you keep track of that and who is responsible for terminating that access / ensuring it was accomplished? And what does that process look like?
    4. How often do you audit the process?
    5. Anything I may have missed such as creep prevention? 

I'll offer a response on #4, and this can actually apply for many and just about any audit...and I think it can be an extremely valuable approach, particularly for those who are really struggling in terms of available time and resources for audits (keep in mind, I'm assuming people know HOW TO do a valid audit).  If you find your audit of the termination process meets whatever "pass" threshold you established, then consider doing it again...next quarter or in six months.  If you find that the threshold is not met...you may want to allow for the implementation of a corrective action plan to mitigate what may be causing the process to fail, and then you can re-audit.  Very effective and quite frankly audit 101, so not difficult at all and a very good way to use your resources; it also helps you target your auditing efforts more effectively.

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------



  • 3.  RE: Access Termination Procedures

    Posted 02-03-2020 08:31 AM
At our facility that averages around 3,500 employees in our system:

    1. Supervisor submits the "remove access" request by e-mail that includes IT (for active directory) and all other system owners.  Supervisors are trained that this is their responsibility.  Supervisors must complete an HR checklist and this is one item on the HR checklist.  The checklist is turned in to HR.  Supervisors submit the "remove access" e-mail to the "remove access" group that has been set up in our system.
2. HR verifies that the information is correct.  For example, if the supervisor sends out the e-mail with the wrong employee number, HR will send out a correction e-mail.  The e-mail states "Please remove access for _____________.  Employee number: __________________"
3. The "remove access" group is for an employee leaving for any reason (firing, resignation, retirement); it does not matter, same procedure.
4. System owners are responsible for ensuring access is removed for their systems.  For example, if a cancer center employee retires, our cancer center uses specialized software called ARIA and the system owner (a cancer center IT employee) for ARIA must delete the access--not the IT Department.  The IT Department will remove Active Directory access.
5. The HR Department will review the checklist to verify that keys have been turned in, badge has been turned in, parking hang tag, etc.
6. Security is part of the "remove access" group.  Our contracted security is responsible for removing badge access since our name badges are equipped with RFID.
7. If a firing is going to occur and the employee is considered a threat to systems/safety, the process is escalated through phone calls and all access is terminated prior to the termination.
8. If a firing occurs over the weekend, weekend IT staff and Security handle their part and, depending on the situation, the system owner could be contacted; it depends on whether the system can be accessed remotely.
    9. Terminations are typically performed during the day to ensure access can be terminated through the appropriate process.
    10. The process is audited by internal audit, but I am not sure how often.


    ------------------------------
    Sheila Limmroth
    Privacy Officer
    DCH Health System
Tuscaloosa, AL
    ------------------------------



  • 4.  RE: Access Termination Procedures

    Posted 02-03-2020 02:46 PM
    A termination request can originate from any of the managers. We have a termination process (checklist). A ticket is created in our task-ticketing system. It has multiple tasks specified with the responsible person marked for each. We have a similar process for new hires. Once a quarter we audit the process for both hires and terms. We call it the Alpha Omega audit. I got that name several years ago from Frank Ruelas.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 5.  RE: Access Termination Procedures

    Posted 02-04-2020 08:35 AM
    Ah yes...the Alpha Omega audit.  I can't tell you how many times folks have started doing this and were beyond surprised at what they found out...and the SUPER MAJORITY of the time it wasn't good.

    Maybe one of the most practical and effective audits that I've shared with folks that has really proven to be a good one.  Nice to see that folks are doing these.

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------



  • 6.  RE: Access Termination Procedures

    Posted 02-04-2020 09:14 AM
    We have a ticketing system as well, similar to what Carl detailed. We use it for both new hires and terminations. We are HITRUST certified so we have to be able to show we shut down access within a predetermined amount of time. With the ticketing system we have the ability to monitor the process and timeliness around each step of the way. And I love the Alpha Omega name for the audit.  I am definitely going to steal  borrow that!

    ------------------------------
    Tammy L. Wright
    Compliance Officer
    Director, Compliance & Audit
    MTM, Inc.
    Lake St. Louis, MO
    ------------------------------



  • 7.  RE: Access Termination Procedures

    Posted 02-04-2020 09:29 AM
    Tammy wrote: I am definitely going to steal  borrow that!  I love it!

    ------------------------------
    -------------Frank Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Study Session Topic(s) - The eGroups Shall Decide
    2020 CI Meet Up Sign Up: https://www.surveymonkey.com/r/26VLMS8
    ------------------------------



  • 8.  RE: Access Termination Procedures

    Posted 02-04-2020 10:06 AM
    1. Supervisor submits a form to our Human Resources Help Desk (e-mail that goes to HR staff) and IT help desk (e-mail that goes to all IT staff and EMR staff that are in charge of giving and terminating access) that states an employee is terminated.
    2. Access to all systems is terminated.
    3. HR sends myself and those in charge of giving and terminating access a monthly termination report so both departments can check to ensure accounts are deactivated.
4. IT runs reports every 60 days to see who has not logged in for any length of time and will deactivate accounts that way also.

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
Hixson, TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 9.  RE: Access Termination Procedures

    Posted 02-04-2020 11:43 AM
    Consider leveraging your SOX controls. Both Finance and your IT departments need to demonstrate they have access controls including deletion on individuals leaving the company. Since these controls are periodically tested, all you need to do is monitor the test results.


