Controlling who is accessing your data

With various information security standards to adhere to, Mercy Health and Aged Care Central Queensland Limited (MHAC) needed transparency into who was accessing its data, and what they were doing with it. In addition, with nearly 400 workstations and a user base of 600, MHAC also needed an easier, holistic approach to control access.

Marcia Healy, Information Systems Officer for MHAC, explains, “As part of compliance with various legislatures, we needed a mechanism to provide visibility into who was accessing our data. We were also conscious that our IT team were receiving, and provisioning, access requests which, although technically capable, they did not have adequate data context, value or other relevant insight on which to base these decisions.”

MHAC also knew it needed to improve visibility, and control, of users’ access rights. Marcia explains, “We knew that certain groups had various access rights, through NFTS permissions. However, this was exceptionally complicated as we did not have a holistic view. We needed transparency to be able to monitor who was accessing information and identify what they were doing to it.” Due to the nature of the organisation, MHAC’s workforce includes a large percentage of shift workers, further complicating users’ access permissions.

MHAC has met these challenges using Varonis DatAdvantage and DataPrivilege. This solution allows MHAC to identify who is accessing its information and what they are doing with it. With a complete audit trail, MHAC can prove policies are in place, and being adhered to, to satisfy compliance with various national and international information security standards.

Starting with one of its aged care facilities, MHAC used Varonis to maintain the management of data ownership. From this point it nominated, with the help of the system, data owners who were then trained in managing their own data privileges.

Marcia explains, “The solution automatically identifies who the likely data owners are and they are then empowered to assign the permissions for their information. Anyone who needs access to files can raise a request, which is directed to the relevant data owner automatically who provisions the request. It also allows us to remove access rights from groups, without having to go through them one by one, when someone terminates their employment, which previously was a huge job.”

MHAC has already started to classify data, and identify data owners, in other parts of its business. In the coming months, it will meet with all its clinical quality and risk staff to introduce them to the system and train them in its use, before fully rolling out across the organisation.

Marcia clarifies, “From our first integration we discovered that its user-friendly interface means it’s very easy for people to use and training isn’t too arduous. The fact that it’s also supported by automated workflows, in email, is a real benefit as it’s simplistic and users are familiar with the interface.”

Speaking specifically about the improvements MHAC has been able make, Marcia concludes, “An immediate benefit is, by removing the onus of this responsibility from IT, the process of provisioning users becomes far more efficient as people are now dealing direct with managers who can action the request immediately. It also strengthens security to sensitive data as the appropriate person is making the decision of who does and doesn’t have access. This is great both morally and administratively. Although we haven’t made a full cost analysis, we predict ROI within three to six months, which is just phenomenal.”