This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Info Access: Management Policy for Access Modification

Reference: 45 CFR § 164.312(a)(1)
Last Updated: January 26, 2024


Goal: Implement policies and procedures that, based on the Security access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

The purpose of this policy is to establish guidelines to audit and modify access as needed for individuals to complete their required functions. This policy also addresses the following issues:

  • Describe how access will be administered or modified in the future.
  • Describe how access is implemented through the use of passwords and other security precautions.
  • Describe who should modify or terminate an individual’s access and under what circumstances such changes are necessary.


Procedure: The Security Manager shall update policies regarding access to ePHI as new technologies or software are incorporated into the workplace.

  • Access Management
    • The Security Manager is responsible for completing and maintaining a log of the systems that contain ePHI, indicating when they came online and, when applicable, when they were last used. This log shall also indicate the name of the person who authorizes access to the system and a brief description of the system (use the “System Responsibility Matrix” form).
      • It is the responsibility of each System Manager to inform the Security Manager of available systems and the requirements (i.e., training) needed prior to allowing access.
  • Security Precautions
    • Whenever feasible, each system will have at least three security methods to prevent unauthorized access. Some of the most common methods presently used are:
      • Automatic Log-off. A timed automatic log-off feature will prevent unauthorized access from a workstation that is left unattended. Many organizations have established a time limit that can vary but should be no more than 20 minutes of inactivity.
      • Unique User Identification. All users must have a unique identification by which they are authenticated to the computer system. This ID provides accountability and a means for auditable authentication to system resources.
      • Biometric Identification. The human body contains several unique identifiers, such as fingerprints, that can meet the ID requirement. The proper use of biometrics can be more secure than a username/password combination because it does not rely on memorization. This reduces the chance that a password will be forgotten or abused to gain unauthorized access to a system.
      • Password. This is the traditional method by which a user is authenticated to a computer system. It requires the user to enter a matching username/password combination that provides authorization to system resources.
      • Personal identification number (PIN). The PIN is a very common method of providing a unique identifier. Typically, the PIN is a part of an identification system, which may consist of a card (e.g., credit card or smart card) used with a corresponding PIN. Together, these values permit a user access to a service.
      • Telephone Callback. Telephone callback is a system used to authenticate users during remote operations. While telephone callback methods are not as common, they remain a viable option. To use telephone callback, a user who wants access to a computer system commands the computer to call a remote access server, which allows the user to provide some form of identification.
      • Token. A token system uses a physical device to authenticate a user to a system. For example, a user might swipe a smart card or insert it into a reader to authorize access to a service. Often, the token is used in conjunction with a PIN to create multilayered authentication. If the information corresponds, the user is granted access.
    • All systems containing ePHI shall use the following security measures to prevent access from unauthorized users:
      • Automatic Log-off. A timed automatic log-off feature is implemented as a two-tier system.
        • Screen Saver. After a period of inactivity, the screen saver will automatically start. Users may be allowed some freedom in the screen saver options used, as long as they meet the following specifications:
          • No porn.
          • No offensive material.
          • No political or religious statements.
          • Screen saver options must be approved by the individual’s supervisor and the Security Manager.
        • Log-Off. Whenever feasible, systems will be programmed to log off after 20 minutes of inactivity.
      • Unique User Identification. All users must be assigned a unique identification by which they are authenticated to the computer system.
      • Password. All users will be assigned a username/password combination that provides authorization to system resources. Whenever feasible, users may be assigned the same password to be used in multiple systems.
      • System Management. Each system containing ePHI shall have a designated System Manager. The System Manager shall be responsible for:
        • Assisting the Security Manager with audits of the system.
        • Updating the Security Manager regarding system changes, including but not limited to hardware/software updates.
        • Revoking users’ authorization to the system when necessary.
        • Deleting the employee's account and password from all systems and networks.
        • Retrieving all hardware, software, and documentation, including government equipment used at home.
        • Saving the employee's files in case they are needed as proof if wrongdoing is discovered.
      • Management Supervision. A member of the management team shall regularly review the access authorizations. The interval between management reviews shall not exceed one year.