Access Control Process
Identification (who are you?)
Authentication (prove it!)
Authorization (permissions)
Accounting (what are you doing?)
Identification is the assignment of unique user IDs. Most organizations base a user’s identification on the person’s name;
for example, a user ID could be the first letter of a person’s
first name combined with their last name.
Authentication is the process of proving a user’s identity
before entering a system. The three primary ways to authenticate users are based upon:
1. Something a user knows (e.g., PIN, password, phrase, pass code)
2. Something a user has (e.g., smart card, ATM card, token)
3. Something a user is (e.g., retina scan, fingerprint, voice scan)
A user’s access privileges are based upon some predetermined level of authorization, usually established to ensure
the user’s access is the minimum necessary in order to perform the job. Role-based access is an example of how authorization can be predetermined by management based upon a
user’s role within the organization.
Physicians generally have the ability to place orders and
access more patient information than a nurse who works on
a single nursing unit. A volunteer working at the information
desk in the main entrance to a hospital is only authorized to
access patient census or directory information.
Accounting is the final step in the process. Limiting user
access to the minimum necessary can be challenging. Therefore, audit controls should be implemented to hold users
accountable for their actions.
Source: Harris, Shon. All-in-One CISSP Exam Guide, Fifth Edition. Berkeley, CA: McGraw-Hill, 2010.
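The four steps above, worked through as an added example that is not part of the original article: a Python sketch using the physician, nurse, and volunteer roles from the text. The permission names, the `AccessControl` class, and the sample users in any usage are hypothetical.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Hypothetical role-to-permission map built from the roles described above.
ROLE_PERMISSIONS = {
    "physician": {"read_directory", "read_chart", "place_order"},
    "nurse": {"read_directory", "read_chart"},
    "volunteer": {"read_directory"},
}

def make_user_id(first, last):
    """Identification: first letter of the first name plus the last name."""
    return (first[0] + last).lower()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccessControl:
    def __init__(self):
        self.users = {}      # user_id -> (salt, password hash, role)
        self.audit_log = []  # accounting: one record per access decision

    def enroll(self, first, last, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role")
        user_id = make_user_id(first, last)
        if user_id in self.users:  # name-based IDs can collide
            raise ValueError("user ID must be unique")
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt), role)
        return user_id

    def _record(self, user_id, action, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user_id, action, outcome))

    def request(self, user_id, password, action):
        """Authenticate, authorize, and account for one access request."""
        entry = self.users.get(user_id)
        # Authentication: something the user knows, compared in constant time.
        if entry is None or not hmac.compare_digest(
                entry[1], hash_password(password, entry[0])):
            self._record(user_id, action, "auth_failed")
            return False
        # Authorization: deny by default; allow only what the role lists.
        allowed = action in ROLE_PERMISSIONS[entry[2]]
        self._record(user_id, action, "allowed" if allowed else "denied")
        return allowed
```

Every request, including failed logins and denied actions, lands in `audit_log`, which is what lets reviewers hold users accountable when role definitions alone cannot enforce the minimum necessary.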
Cryptography
The cryptography domain addresses the security measures
used to ensure that information transmitted is readable only by
the appropriate individual. In layman’s terms, this is commonly
referred to as encryption. Encryption is the transformation of
plain text into an unreadable cipher text and is the basic technology used to protect the confidentiality and integrity of data.[6]
There are two types of cryptography: symmetrical and asymmetrical. Symmetrical cryptography uses the same private or
secret key to encipher and decipher a message. Asymmetrical
cryptography uses two different keys: a private key and a public key. For example, the public key can be used to encrypt and
send a message and the private key is used to decrypt a message.[7]
Confidentiality is maintained because the recipient of the
message must use their private key to decrypt the message.
“Encryption Process,” on page 51, depicts the coding and decoding
encryption process.
While encryption is an addressable implementation specification under HIPAA’s security rule, the rules governing breach
notification under the 2009 Health Information Technology for
Economic and Clinical Health (HITECH) Act require encryption methods that render protected health information (PHI)
unreadable and meet guidelines established by NIST and the
requirements of Federal Information Processing Standards 140-2
to prevent potential breaches. Additionally, vendors of electronic health record systems must be able to meet two meaningful use requirements for encryption: §170.302(u) General
encryption and §170.302(v) Encryption when exchanging electronic health information.
Security Architecture and Models
Security professionals must understand the entire information
system (configuration, hardware, software) to develop appropriate security architecture. For example, an information system based on a client-server model will have unique security
concerns. Desktop PCs could contain sensitive business information and have unique risks, threats, and vulnerabilities. A
security professional must understand the issues of this architecture and apply appropriate safeguards.
Information security models are used to organize and formalize security policies by providing a concept and framework.
There are three main types of security models:
• Access control: This model, common in healthcare, allows organizations to identify classes of users and the information they are permitted to access.
• Integrity: This type of model not only protects confidentiality, but also works to protect the integrity of information. An integrity model prevents information from being modified by unauthorized users and prevents authorized users from making unauthorized changes.
• Information flow: In this model, information is classified and flows in a specified manner based on security policies and rules.[8]
Operations Security Domain
The operations security domain is concerned with implementing appropriate controls and protections on hardware, software,
and resources; maintaining appropriate auditing and monitoring; and evaluating system threats and vulnerabilities.
There are a number of controls that organizations must con-