HIPAA Compliance Practice Group
Access Control, Logging, Auditing, and Single Sign-On

The Requirements
One of the areas most often in need of immediate remediation, both for HIPAA compliance and for overall system security, is specified within the HIPAA Privacy Regulations. Specifically, we have found that healthcare organizations fail - and are therefore vulnerable - in the requirements to control access to Protected Health Information (PHI), and to record (log) which person accesses which records so that accesses can be audited.

Architecting a Solution
The Problem
In order to satisfy these requirements, systems will need to require unique identification of the person making an inquiry. In current scenarios at many health-care institutions, such identification is not recorded, usually because of the onerous nature of traditional logon procedures. The problem is compounded by the fact that many individuals often need to access multiple systems, each requiring its own logon and password regime.

Furthermore, in order to be compliant with the regulations, systems are required to record all Protected Health Information access (logging) and to audit the recorded information as appropriate.

The Questions
How can compliance be achieved without requiring everyone to know several passwords or change how they perform their work? How can compliant systems provide easy sign-on and sign-off functionality so that only authorized individuals access information, and so that all information accesses are correctly tracked? How can all those systems be economically upgraded to support the required logging and auditing capabilities?

The Solution
Access control, logging, and auditing problems can all be solved through the adoption of an integrated, universal access control system using authorization-based rules tied to authentication devices, including a combination of biometric and proximity card-reader devices.

These systems provide an easy, uniform means for staff to gain the proper access while denying improper access, and provide the necessary level of access logging to enable the required audit functions under the regulations. Furthermore, a universal access control system works on top of the systems already in place, minimizing the number of systems that must be modified to attain compliance.

Implementing the Solution
Authentication
To obtain universal compliance with proper logon procedures, authentication for login has to be easy, fast, and unobtrusive, and logging off has to be automatic to prevent use of a logged-in terminal by an unauthorized person. Modern biometric scanners (fingerprint, hand scan, iris scan, face scan) are increasingly inexpensive and easy to deploy, and provide a high level of certainty for user identification. Using a proximity card to regulate access provides a second layer of security in the logon process, and provides a means for automatic log-off when a user leaves the area of the terminal. This combination provides a high level of security.

Authorization - Single Sign-On
To implement the automatic logon and log-off, there needs to be a facility to provide access to whatever systems and information the user is authorized to access. This requirement defines a need for the use of Single Sign-On (SSO) technology, whereby an authorization process, through a single login, provides access to various systems depending on each user's identification, role, or context.

Logging and Auditing
In addition to access control, many authorization management products can also perform the required logging and audit capabilities, solving that problem simultaneously without having to deal with the problem on a system-by-system basis.

Flexibility
Since not all patients' information will be subject to the same access limitations, and since the limitations may change from time to time as patients are permitted to grant or rescind access at will, the authorization management tool must be able to recognize differences both in users and in data within systems.

Following the Standard
Any solution implemented should conform to the Object Management Group (OMG) Resource Access Decision (RAD) standard, designed by security specialists specifically for healthcare industry requirements.
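To make the Logging and Auditing, Flexibility, and Following the Standard sections concrete, the following added example (not Thaumaturgix's code, nor an implementation of the OMG RAD specification itself) sketches a RAD-style access-decision service in Python: the application asks whether an SSO-identified principal may perform an operation on a PHI resource, the service combines a role policy with per-patient restrictions and explicit grants that the patient can rescind, and every decision, permitted or denied, is appended to an audit trail naming the user. The role policy, role names, patient identifiers and PHI categories are constructed for illustration only.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role policy: role -> set of (PHI category, operation) pairs.
# Constructed for this example; a real deployment would load it from the
# authorization product's policy store.
ROLE_POLICY = {
    "physician": {("demographics", "read"), ("lab", "read"),
                  ("lab", "write"), ("psychiatric", "read")},
    "nurse":     {("demographics", "read"), ("lab", "read")},
    "billing":   {("demographics", "read")},
}


@dataclass(frozen=True)
class Principal:
    user_id: str        # unique identification of the person, supplied by SSO
    roles: frozenset    # roles assigned to that person


@dataclass(frozen=True)
class Resource:
    patient_id: str
    category: str       # PHI category, e.g. "demographics", "lab", "psychiatric"


@dataclass
class AccessDecisionService:
    role_policy: dict
    # patient_id -> PHI categories the patient has withheld from role-based access
    restrictions: dict = field(default_factory=dict)
    # patient_id -> user_ids the patient has explicitly granted access regardless
    grants: dict = field(default_factory=dict)
    # append-only audit trail: one record per decision, whether permitted or denied
    audit_log: list = field(default_factory=list)

    def restrict(self, patient_id, category):
        """Patient withholds a category of their information from routine access."""
        self.restrictions.setdefault(patient_id, set()).add(category)

    def grant(self, patient_id, user_id):
        """Patient grants a named user access despite any restriction."""
        self.grants.setdefault(patient_id, set()).add(user_id)

    def rescind(self, patient_id, user_id):
        """Patient withdraws a previously granted access."""
        self.grants.get(patient_id, set()).discard(user_id)

    def _decide(self, principal, operation, resource):
        # Rule 1: at least one of the principal's roles must permit the operation.
        permitted = set().union(*(self.role_policy.get(r, set()) for r in principal.roles))
        if (resource.category, operation) not in permitted:
            return False, "no role permits this operation on this category"
        # Rule 2: a patient restriction applies unless the user was explicitly granted.
        restricted = resource.category in self.restrictions.get(resource.patient_id, set())
        granted = principal.user_id in self.grants.get(resource.patient_id, set())
        if restricted and not granted:
            return False, "patient has restricted this category"
        return True, "role permits and no patient restriction applies"

    def access_allowed(self, principal, operation, resource):
        """The single entry point applications call before touching PHI.

        Every call is logged with the user's identity so accesses can be audited.
        """
        allowed, reason = self._decide(principal, operation, resource)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id,
            "patient": resource.patient_id,
            "category": resource.category,
            "operation": operation,
            "decision": "PERMIT" if allowed else "DENY",
            "reason": reason,
        })
        return allowed

    def accesses_to_patient(self, patient_id):
        """Audit query: every recorded access attempt against one patient's records."""
        return [r for r in self.audit_log if r["patient"] == patient_id]


if __name__ == "__main__":
    svc = AccessDecisionService(role_policy=ROLE_POLICY)
    dr = Principal("dr_lee", frozenset({"physician"}))
    psych = Resource("patient-001", "psychiatric")
    svc.access_allowed(dr, "read", psych)          # PERMIT
    svc.restrict("patient-001", "psychiatric")
    svc.access_allowed(dr, "read", psych)          # DENY (patient restriction)
    for record in svc.accesses_to_patient("patient-001"):
        print(record)
```

Because the decision and the audit record are produced by the same call, an application that routes every PHI access through `access_allowed` cannot read a record without leaving a log entry, which is the property the regulations' logging and auditing requirements depend on; the per-patient `restrict`, `grant` and `rescind` operations are what let the same service honour differences in data as well as in users.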

Thaumaturgix Can Help
Thaumaturgix can help you design, specify, and implement HIPAA-compliant technologies to create the required levels of authentication, authorization control, logging and auditing capabilities. We can assist with the selection of the right products and tools from a range of vendors to create the best OMG-RAD compliant access control and SSO solutions for our Healthcare clients.

For more information, please e-mail hipaa@tgix.com or call Peter Dolch at 212-918-5025.

Copyright © 2007 Thaumaturgix, Inc. All rights reserved.