Access control generally requires some form of authentication. Authentication, the process of proving your identity, identifies a user to an application. A system needs to authenticate users to a degree appropriate for the level of risk or threat that an authenticated user represents. Authentication is about identification and verification, while access control is about the level of access to system resources, some of which are privileged.
To reach a resource, the subject must first be identified, then authenticated, and only then granted access to the object (the resource). There are four types of access control models:
- Role-based access control (RBAC)
- Discretionary access control (DAC)
- Mandatory access control (MAC), also referred to as rule-based access control
- Context-based access control
Keep in mind that authentication is a solution shared between an institution and its end users.
Shared requirements must define a strategy that protects both the organization and its customers. Keep in mind that addressing information security gaps requires a full set of security controls, not a single product.
For a customized proposal on evaluating the best solution options for addressing identity management challenges and meeting compliance requirements in your environment, email technologysolutions@aha.org or contact Lorna Waggoner at 1.877.899.9974 x17.
GET HIPAA-CERTIFIED ON-LINE!
HIPAA Academy, the industry’s leading provider of HIPAA training, certification and consulting, has made available on-line the content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP) and the Certified Security Compliance Specialist™ (CSCS™). 2007 clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms such as IBM, HP, E&Y, Kaiser Permanente and others. For details, please visit www.HIPAAAcademy.Net.
For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net
HIPAA Tips
ACCESS CONTROL
The Access Control standard in the HIPAA Security Rule (§ 164.312(a)(1)) requires covered entities to implement technical policies and procedures for electronic information systems that maintain electronic Protected Health Information (EPHI) to allow access only to those persons or software programs that have been granted access rights. The Access Control standard includes four implementation specifications:
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
The Unique User Identification implementation specification requires covered entities to assign a unique name and/or number for identifying and tracking user identity. The Emergency Access Procedure implementation specification requires covered entities to establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency. The third implementation specification is Automatic Logoff: covered entities should address implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Finally, to address the Encryption and Decryption implementation specification, covered entities should consider implementing a mechanism to encrypt and decrypt EPHI. The use of file encryption is an acceptable method of denying access to information in files or directories. Encryption provides confidentiality, which is a form of control.
The use of encryption for the purpose of access control of data at rest should be based upon an entity’s risk analysis.
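As an added illustration (not part of the HIPAA Tips text or any referenced product), the following Python decision function exercises the first three implementation specifications together: every decision is recorded against a unique user id, an idle session is refused once the predetermined inactivity period has passed, and emergency access outside the caller's normal role is granted only with a stated justification and flagged for later review. The user ids, roles, the 15-minute timeout and the audit record layout are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Predetermined inactivity period for Automatic Logoff (assumed value, not from the rule)
IDLE_TIMEOUT = timedelta(minutes=15)
AUDIT: list = []   # every decision is recorded against the caller's unique user id

@dataclass
class Session:
    user_id: str            # Unique User Identification: one id per person, never shared
    roles: frozenset        # roles granted to this user
    last_activity: datetime

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_ephi_access(session: Session, required_role: str, now: datetime,
                      emergency: bool = False, justification: str = "") -> Decision:
    """Decide one EPHI read request and append an audit entry for it."""
    if not session.user_id:
        decision = Decision(False, "no unique user id")
    elif now - session.last_activity > IDLE_TIMEOUT:
        # Automatic Logoff: an idle session is terminated, not served
        decision = Decision(False, "session expired after inactivity")
    elif required_role in session.roles:
        decision = Decision(True, "role permits access")
    elif emergency and justification:
        # Emergency Access Procedure: access outside the normal role is granted
        # only with a stated justification and is flagged for after-the-fact review
        decision = Decision(True, "emergency access, flagged for review")
    else:
        decision = Decision(False, "role does not permit access")
    if decision.allowed:
        session.last_activity = now   # served activity resets the idle clock
    AUDIT.append({"user": session.user_id, "time": now.isoformat(),
                  "allowed": decision.allowed, "reason": decision.reason,
                  "emergency": emergency, "justification": justification})
    return decision

def run_demo() -> list:
    """Constructed scenario: a nurse reads within role, then by emergency, then after idling."""
    t0 = datetime(2024, 1, 1, 9, 0)
    nurse = Session("nurse042", frozenset({"nursing"}), t0)
    return [check_ephi_access(nurse, "nursing", t0 + timedelta(minutes=5)),
            check_ephi_access(nurse, "physician", t0 + timedelta(minutes=10),
                              emergency=True, justification="code blue, room 12"),
            check_ephi_access(nurse, "nursing", t0 + timedelta(minutes=40))]
```

Calling run_demo() returns the three decisions in order (allowed, allowed with an emergency flag, refused after inactivity), and AUDIT holds the matching records for review.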
For a complimentary quick reference card on ISO 17799:2005 (ISO 27002), the international security standard, please email technologysolutions@aha.org.