Chapter 6: Information Access Control

Index

Section I: Pertinent sections of HIPAA proposed security regulations relating to Information Access Control
Section II: Definitions
Section III: Requirement
Section IV: Approaches/Solutions
Section V: Web Sites of Interest


Section I: HIPAA Proposed Security Regulations relating to information access control

Federal Register (Volume 63, No. 155) Wednesday August 12, 1998 Proposed Rules 45 CFR Part 142 Security and Electronic Signature Standards; Proposed Rule

Section II: Definitions

Access
Refers to the ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

Access Control
Refers to a method of restricting access to resources, allowing only privileged entities access. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation.

Context-based Access Control (CBAC)
Refers to a security mechanism used to grant access based upon the context of a transaction as opposed to being based on attributes of the initiator or target. The "external" factors might include time of day, location of the user, strength of user authentication, etc.

Role-based Access Control (RBAC)
An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

User-based Access Control (UBAC)
Refers to a security mechanism used to grant users of a system access based upon the identity of the user.

Discretionary Access Control (DAC)
Refers to a security mechanism used to restrict a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file.

Mandatory Access Control (MAC)
Refers to a security mechanism used to restrict access to objects based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs (Stallings, 1995, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems)

Need-to-Know Access Control
Refers to a security principle that a user should have access only to the data he or she needs to perform a particular function. (O'Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems)

Unique User Identification
Refers to a name/number combination, assigned and maintained under security procedures, that is used to identify and track an individual user's identity.



Section III: Requirement

Administrative Procedures
Establish and maintain formal, documented policies and procedures for granting different levels of access to healthcare information that include all of the following implementation features:
  • Access Authorization - information-use policies and procedures that establish the rules for granting access to a terminal, transaction, program, process, or other user.
  • Access Establishment - security policies and rules that determine an entity's initial right of access to a terminal, transaction, program, process, or other user.
  • Access Modification - security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access to a terminal, transaction, program, process, or other user.

Technical Security Services

  • Maintain a mechanism for access control that restricts access to resources and allows access only to authorized entities.
  • At least one of the following features must be implemented:
    • Context-based access
    • Role-based access
    • User-based access
  • Emergency access procedures must be implemented.

Technical Security Mechanisms
Processes must be put in place to guard against unauthorized access to data transmitted over a communications network, by implementing either encryption or access controls: protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient.
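The following is an added example, not part of the original page or of any HIPAA guidance, showing how the models defined in Section II and the features required in Section III fit together in one authorization decision: roles carry permissions (role-based access), time of day and network location gate some roles (context-based access), need-to-know limits PHI reads to a user's assigned patients, a break-glass path implements the emergency access requirement, and every decision is written to an audit log. The role names, network prefix, business hours and sample users are all constructed assumptions.

```python
"""Added example (not from the page): RBAC + context-based access with
need-to-know, break-glass emergency access and an audit trail.
All roles, addresses, hours and users below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))
ON_SITE_PREFIX = "10.0."          # assumption: on-site addresses start with 10.0.

# Role -> permissions as (resource type, action) pairs (role-based access).
ROLE_PERMISSIONS = {
    "physician": {("phi_record", "read"), ("phi_record", "write")},
    "billing_clerk": {("billing_record", "read"), ("billing_record", "write")},
    "receptionist": {("appointment", "read"), ("appointment", "write")},
}
# Roles that may act only in business hours from on-site (context-based access).
CONTEXT_RESTRICTED_ROLES = {"billing_clerk", "receptionist"}
# Roles permitted to invoke break-glass emergency access (read-only).
EMERGENCY_ROLES = {"physician"}


@dataclass
class User:
    user_id: str               # unique user identification
    roles: set
    assigned_patients: set     # need-to-know: patients in this user's care


@dataclass
class Request:
    resource_type: str
    action: str
    patient_id: str
    when: datetime
    source_ip: str
    emergency_reason: str = ""   # non-empty only for break-glass requests


@dataclass
class Decision:
    allowed: bool
    reason: str
    emergency: bool = False


def _context_ok(req: Request) -> bool:
    in_hours = BUSINESS_HOURS[0] <= req.when.time() <= BUSINESS_HOURS[1]
    return in_hours and req.source_ip.startswith(ON_SITE_PREFIX)


def _evaluate(user: User, req: Request) -> Decision:
    perm = (req.resource_type, req.action)
    granting = {r for r in user.roles if perm in ROLE_PERMISSIONS.get(r, ())}
    if not granting:
        return Decision(False, f"no role of {user.user_id} grants {perm}")
    # A context-restricted role only counts while its context conditions hold.
    usable = {r for r in granting
              if r not in CONTEXT_RESTRICTED_ROLES or _context_ok(req)}
    if not usable:
        return Decision(False, "context: outside business hours or off-site")
    # Need-to-know applies to PHI: the patient must be assigned to the user,
    # unless a permitted role invokes break-glass (read only) with a reason.
    if req.resource_type == "phi_record" and req.patient_id not in user.assigned_patients:
        if req.action == "read" and req.emergency_reason and user.roles & EMERGENCY_ROLES:
            return Decision(True, f"emergency access: {req.emergency_reason}", emergency=True)
        return Decision(False, f"need-to-know: patient {req.patient_id} not assigned")
    return Decision(True, f"granted via role {sorted(usable)[0]}")


def authorize(user: User, req: Request, audit_log: list) -> Decision:
    """Decide the request and record every decision, allowed or denied."""
    decision = _evaluate(user, req)
    audit_log.append({"user": user.user_id, "resource": req.resource_type,
                      "action": req.action, "patient": req.patient_id,
                      "at": req.when.isoformat(), "from": req.source_ip,
                      "allowed": decision.allowed, "emergency": decision.emergency,
                      "reason": decision.reason})
    return decision


def transfer(user: User, new_roles: set) -> User:
    """Job change: revoke all prior rights, then grant only the new role set."""
    return User(user.user_id, set(new_roles), set())


# Constructed sample users and timestamps.
DR_SMITH = User("dr.smith", {"physician"}, {"p1"})
CLERK = User("clerk01", {"billing_clerk"}, set())
NIGHT = datetime(2024, 3, 1, 2, 30)
DAY = datetime(2024, 3, 1, 10, 0)

if __name__ == "__main__":
    log = []
    print(authorize(DR_SMITH, Request("phi_record", "read", "p2", DAY, "10.0.3.4"), log))
    print(authorize(DR_SMITH, Request("phi_record", "read", "p2", DAY, "10.0.3.4",
                                      emergency_reason="ER admission"), log))
    print(authorize(CLERK, Request("billing_record", "read", "p1", NIGHT, "10.0.3.4"), log))
    print(*log, sep="\n")
```

The ordering of the checks is the point: a role must grant the permission before context is consulted, context can only narrow what a role grants, and break-glass bypasses need-to-know but never the role check, so a physician cannot use an emergency reason to write billing records. Denied requests are logged as well as granted ones, which is what makes later review of emergency use and access modifications possible.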


Section IV: Approaches/Solutions

Best Practice
Single sign-on/biometric access control authorization to all systems containing PHI data and to all network services (e.g. e-mail, Internet, intranet).

Minimum
Multiple independent user ID/password access control authorization for each system containing PHI.

  • Assign a user-department 'owner' for each application or service to define 'roles' and decide the access rights of each role.
  • Revoke all prior access rights when an employee transfers between job positions.
  • Have a policy defining minimum password configuration requirements.
  • Have a policy to immediately disable access for terminated employees.
  • Have a policy to immediately change administrator passwords when key people (e.g. the security administrator) leave their position.
  • Implement PKI encryption with token access controls for PHI accessed via open networks (e.g. Internet, extranet).
  • Implement specific security measures to address vulnerabilities in wireless LAN protocols (e.g. VPN, authentication).
  • For patient access on the healthcare network, restrict patients from all internal company applications, documentation, procedures, and information (e.g. the intranet) as well as from PHI data.


Section V: Web Sites of Interest

http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf - Federal Register document

http://www.hipaadvisory.com/action/selfeval_afehct.htm - HIPAA Advisory - Security Self Evaluation Checklist
