
CISSP certification: Need to know and least privilege.

Most large organizations use role-based access control (RBAC): your access levels are determined by your job role.

Even if your role gives you access to the data, you may not be allowed to access it unless what you are working on requires it. This is called need to know.

  • Need to know:
    • Just because you have access does not mean you are allowed to access the data.
    • You need a valid reason for accessing the data. If you do not have one you can be terminated/sued/jailed/fined.
    • Leaked information about Octomom Natalie Suleman cost 15 Kaiser employees fines or terminations; they had no valid reason for accessing her file.
      • We may never know who actually leaked the information. It may not have been one of the 15, but they violated HIPAA by accessing the data without a need to know.

Another approach, least privilege, is giving employees as little access as possible: just enough for them to do their job.
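The two ideas above (RBAC with need to know, and least privilege) are easy to confuse because both restrict access. The following Python example, added here and not part of the original post, separates them: the role carries only the permissions the job needs (least privilege), a permission is necessary but not sufficient because each use is also gated by need to know (being on the patient's care team), and every request is logged so an auditor can find accesses that a role permitted but no need to know justified. The roles, users and record are constructed sample data; the `enforce_need_to_know` switch is an assumption that lets the same code show both a system that enforces need to know at access time and one where it is a policy caught by audit review afterwards.

```python
from dataclasses import dataclass, field

# Constructed example roles: each role carries only the actions its job needs
# (least privilege). Illustrative only, not any real system's policy.
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "update_vitals"},
    "billing": {"read_billing"},
    "facilities": set(),
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    patient_id: str
    care_team: set  # users with a current, documented reason to open this record


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def rbac_allows(user: User, action: str) -> bool:
    """Role-based check: does the user's job role carry this permission at all?"""
    return action in ROLE_PERMISSIONS.get(user.role, set())


def has_need_to_know(user: User, record: Record) -> bool:
    """Need-to-know check: is the user assigned to this specific patient right now?"""
    return user.name in record.care_team


def access(user: User, record: Record, action: str, log: AuditLog,
           enforce_need_to_know: bool = True) -> bool:
    """Decide one access request and always write an audit entry.

    RBAC is necessary but not sufficient: having the permission is not the same
    as being allowed to use it on this record. With enforce_need_to_know=False
    (an assumed switch for illustration) the system behaves like many record
    systems where need to know is a policy checked by audit review, not at
    access time.
    """
    role_ok = rbac_allows(user, action)
    ntk_ok = has_need_to_know(user, record)
    allowed = role_ok and (ntk_ok or not enforce_need_to_know)
    log.entries.append({
        "user": user.name, "role": user.role, "patient": record.patient_id,
        "action": action, "role_permitted": role_ok,
        "need_to_know": ntk_ok, "allowed": allowed,
    })
    return allowed


def accesses_without_need_to_know(log: AuditLog) -> list:
    """Audit review: successful accesses where the role permitted the action but
    the user had no need to know. These are the entries a privacy officer
    would investigate."""
    return [e for e in log.entries if e["allowed"] and not e["need_to_know"]]


if __name__ == "__main__":
    log = AuditLog()
    chart = Record("patient-001", care_team={"alice"})
    alice = User("alice", "nurse")       # on the care team
    bob = User("bob", "nurse")           # same role, no reason to open this chart
    carol = User("carol", "facilities")  # role carries no chart permission at all

    print(access(alice, chart, "read_chart", log))                            # True
    print(access(bob, chart, "read_chart", log, enforce_need_to_know=False))  # True, but flagged
    print(access(bob, chart, "read_chart", log))                              # False
    print(access(carol, chart, "read_chart", log))                            # False
    for entry in accesses_without_need_to_know(log):
        print("review:", entry["user"], "opened", entry["patient"])
```

Note that `bob` and `alice` share a role and therefore identical RBAC permissions; only the care-team membership distinguishes them, which is exactly the distinction the Kaiser case turned on. `carol` is stopped earlier, by least privilege, because her role was never given chart permissions in the first place.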

Thor Pedersen

IT, information security, and project management trainer. Best-selling CISSP, CISM, and PMP instructor on Udemy. CISSP, CISM, C|EH, CDPSE, PMP, 2x CCNP, CompTIA Security+, SCP, 3x CCNA, et al.