CIS User Access Control Requirements

From Clinfowiki
Jump to: navigation, search

ClinfoWiki Article: CIS User Access Control Requirements


Controlling user access to clinical information systems (CIS) is a core component of information security management. HIPAA Privacy rules stipulate that health care providers and organizations maintain strict control over who accesses private medical information, and when. As CIS become more widely used, and robust in their capabilities, this becomes all the more important. CCHIT certification includes the requirement that electronic health record systems employ the most restrictive set of access rights and privileges that users require to accomplish their assigned tasks.

In general, there are three broad Categories of system user access:

User-based access, in which access is assigned to the individual user. Although straight forward, this is cumbersome to manage due to the volume of user accounts that must be maintained, and audited.

Role-based access, in which users are grouped into categories, and access rights assigned to the group. The groupings are generally by functional category. For example, primary care physicians, mental health clinicians, nursing staff, and clerical staff may all be assigned to their respective group, with access to the medical record restricted according to these groupings. Users can access only selected portions of the record according to the permissions assigned to their group.

Context-based access, which is similar to role-based access, but includes additional access rights assigned (or restricted) based on the context of the transaction, such as workstation location, time-of day, etc. For example, a primary care clinician who provides coverage to mental health unit after hours and weekends is permitted to access the mental health portion of the medical record during these times. At other times this access is denied.

Two other types of system access control merit comment.

HIPAA requires provisions for emergency access situations. In a role-based system for example, an ER physician may not have access to mental health portions of the medical record. Should a mental health patient present to the emergency department unresponsive, with circumstantial evidence of overdose, the primary care clinician is now authorized to “break” the electronic seal and access this portion of the patient’s record. All such actions must be auditable in the system.

Finally encryption of data is also an acceptable method of access control, according to HIPAA regulations. Although the data file may be accessed, they are unintelligible without the passkey to decipher the data; hence this is a de facto method of access control. In general, such systems are more complex and thus difficult to maintain. In addition, issues of emergency access can arise.

Finally, the importance of auditing system access must be emphasized. Scheduled, random and “as needed” system audits serve to detect unauthorized and inappropriate record access, and also act as a deterrent to same.

Submitted by: Dean Smith


References:

CCHIT: http://www.cchit.org/files/Ambulatory_Domain/CCHIT_Ambulatory_SECURITY_Criteria_2007_Final__16Mar07.pdf

HIPAA:

http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

Ontario Specifications:

http://www.ontariomd.ca/cms/infoForVendors.shtml

Hu J, Weaver A. “Dynamic, Context-aware Security Infrastructure for Distributed Healthcare Applications”, Proceedings of First Workshop on Pervasive Security, Privacy and Trust (PSPT), August 26, 2004.

Cimino JJ et al. Architecture for a Web-based Clinical Information System that Keep the Design Open and the Access Closed. Proc AMIA Symp. 1998:121-5

Rostad L, Edsberg O. A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs. ACSAC Proc,pp.175-186, 22nd Annual Computer Security Applications Conference, 2006