Well group policy settings are the first thing that come to mind and if needed additional audit trails can be added to track access and log it. I’m sure some type of Group Policy was in place at the time but maybe it was not tight enough. Hospitals such as Long Beach Memorial who use Epic also have an algorithm called “break the glass” and employees are actually asked, just in case they are in there by a mouse click by mistake or whatever, before they get access so they have to allow it themselves and of course all this is tracked and audited.
I’m sure the FDA has security access in place but perhaps adding more groups and restricting some access along with audit tables should do the trick. Does the IT department like doing Group Policy, heck no as it gets complicated. It is about as much fun as managing Outlook Exchange except it doesn’t need daily attention for the most part to the same extreme. BD
Food and Drug Administration Commissioner Margaret Hamburg, in a memo provided to Reuters, told employees she had taken steps to address "potential vulnerabilities" in the way the agency handles information electronically. The agency houses details about upcoming drug decisions that can make or break a pharmaceutical company's fortunes.
The steps include a new tracking system to "better monitor employee access of data," Hamburg said in a memo sent to FDA staff on Wednesday.