Access control
MedStack Confidential
Metadata
- Responsible officer: CTO
- Date
  - Effective: 2018-06-20
  - Revised: 2019-10-12
  - Reviewed: 2018-06-20
- Applicability: standard
Automate access control management for access
- by us, to
  - PHI
  - servers, programs, processes, networks, etc.
  - administrative functions
  - facilities (where possible)
  - equipment (where possible)
- by customers
  - Limitations on our management of customer systems
    - Administrative access for customers means access to administrative functions on the systems we operate for them.
    - We only manage customer administrative access and no other type of access related to the customer.
    - For example, we do not manage, monitor, access, or otherwise involve ourselves in any other access to customer apps, database schemas or data, files, cache data, point of services, electronic health record systems, or any other customer systems or data.
  - Customer administrative authorization and access
    - Provide customers with a secure method to establish, modify and terminate authorization for access.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9.4.1 | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. |
| ISO | A.9.2.4 | Management of secret authentication information of users | The allocation of secret authentication information shall be controlled through a formal management process. |
| HIPAA | 164.308(a)(4)(ii)(C) | Access establishment and modification | (C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. |
Grant, modify, and terminate user access
- Grant access
  - in sync with authorization grants
  - no more than necessary to implement the authorization
- Modify access control grants
  - when authorization changes
- Terminate access
  - immediately when authorization terminates
  - independently of the technology used for access
- Review access
  - immediately when a user’s role or authorization changes
  - quarterly for all users
- Use the principle of least privilege
  - Run customer applications on low-privilege accounts with restricted system access.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9.1.2 | Access to networks and network services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
| ISO | A.9.2.1 | User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
| ISO | A.9.2.2 | User access provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. |
| ISO | A.9.2.3 | Management of privileged access rights | The allocation and use of privileged access rights shall be restricted and controlled. |
| ISO | A.9.2.6 | Removal or adjustment of access rights | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. |
| CHI | SR60 | Timely Revocation of Access Privileges | The EHRi and all PoS systems connected to the EHRi must support the revocation of user access privileges in a timely manner (i.e. immediately prevent the user from logging on after access privileges have been revoked). |
| HIPAA | 164.308(a)(4)(ii)(B) | Access authorization | (B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. |
Secret authentication information
- Create strong passphrases (passwords)
  - The user creates their own passphrase, subject to the minimum standards set by the service (such as Google Suite).
  - Encourage users to use password management tools and to generate random passphrases.
- Evaluate passphrase strength using entropy
  - Minimum lengths and requirements to use certain types of characters do not reliably increase the difficulty of guessing a passphrase.
  - Minimum recommended entropy for interactive login systems is 40 bits.
- Generate strong secret keys
  - The user creates their own key using an authorized key-generation tool (such as OpenSSH).
  - A key is generated for the user and provided to them through a secure encrypted channel (such as customer credentials).
  - The key strength for SSH keys is at least 2048 bits.
  - Document the allocation and transfer to users.
- Do not require scheduled passphrase rotation
  - Password rotation introduces weaknesses such as password hashing vulnerabilities and the use of easily guessable passwords.
- Rotate secret authentication information as required
  - Change affected secrets in the event of an information security compromise.
- Storage of passwords in writing
  - Important passwords may be stored in writing on paper.
  - The paper copy must be kept out of sight (such as in a drawer).
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9.3.1 | Use of secret authentication information | Users shall be required to follow the organization’s practices in the use of secret authentication information. |
| ISO | A.9.4.3 | Password management system | Password management systems shall be interactive and shall ensure quality passwords. |
| HIPAA | 164.308(a)(5)(ii)(D) | Password management | Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. |
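The entropy rule above (40 bits minimum, judged by how the passphrase was generated rather than by length or character-class rules) worked through as an added example; this is not MedStack's code or tooling. The 7776-word pool size, the 62-symbol alphanumeric alphabet and the eight-word sample list are constructed for illustration.

```python
import math
import secrets
import string

# Policy floor stated in this document: 40 bits for interactive logins.
MIN_INTERACTIVE_ENTROPY_BITS = 40

# Constructed eight-word sample list; a real wordlist would be thousands long.
SAMPLE_WORDS = ["amber", "bison", "cedar", "delta", "ember", "flint", "grove", "heron"]


def generated_entropy_bits(pool_size, length):
    """Entropy of a passphrase whose elements are each drawn uniformly and
    independently from `pool_size` choices: log2(pool_size ** length).
    This only describes generator output. A human-chosen passphrase that
    happens to satisfy composition rules has no such guarantee, which is why
    this policy evaluates strength by entropy instead of by those rules."""
    if pool_size < 2 or length < 1:
        return 0.0
    return length * math.log2(pool_size)


def meets_policy(bits):
    """True when the generator's entropy reaches the interactive-login floor."""
    return bits >= MIN_INTERACTIVE_ENTROPY_BITS


def random_passphrase(word_count, wordlist):
    """Diceware-style passphrase drawn with the CSPRNG in `secrets`."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def random_password(length, alphabet=string.ascii_letters + string.digits):
    """Random character password from a 62-symbol alphabet by default."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare():
    """Generator settings that a reviewer might be offered, with their entropy.
    Note that 'long' (three words) and 'short' (eight characters) are not what
    decides the outcome; the pool size and count do."""
    return {
        "random_8_alnum": generated_entropy_bits(62, 8),      # ~47.6 bits, passes
        "random_6_alnum": generated_entropy_bits(62, 6),      # ~35.7 bits, fails
        "diceware_4_words": generated_entropy_bits(7776, 4),  # ~51.7 bits, passes
        "diceware_3_words": generated_entropy_bits(7776, 3),  # ~38.8 bits, fails
    }
```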
Logging in and out
- Protect all systems using authentication
  - Require a username and a strong passphrase at minimum.
  - Require two-factor authentication where possible, except where secret keys are used.
- Automatic logoff
  - Enable in vendor services where available.
  - Enable on workstations where available.
  - Do not enable in situations where it would have no effect because login is automated (such as SSH).
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9.4.2 | Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
| HIPAA | 164.312(a)(2)(iii) | Automatic logoff | (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
Restrict use of admin utilities
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9.4.4 | Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
| CHI | SR68 | Controlling Access to EHRi System Utilities | Organizations hosting components of the EHRi must restrict and control the use of system utility programs. |
Review access grants quarterly
| Code | Section | Title | Text |
|---|---|---|---|
| CHI | SR56 | Reviewing User Registration Details | All organizations connecting to the EHRi should periodically review user registration details to ensure that they are complete and accurate and that access to the EHRi is still required. |
| ISO | A.9.2.5 | Review of user access rights | Asset owners shall review users’ access rights at regular intervals. |
Unique user IDs
- Exclusively use unique user IDs for information system access and activities where possible.
- Do not require unique user IDs where it would make it impossible to automate key tasks.
| Code | Section | Title | Text |
|---|---|---|---|
| HIPAA | 164.312(a)(2)(i) | Unique user identification | Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. |
Enforcement
- Responsible party: all managers and supervisors
- Sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.9 | Access control | |
| ISO | A.9.1 | Business requirements for access control | Objective: To limit access to information and information processing facilities. |
| ISO | A.9.1.1 | Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements. |
| ISO | A.9.2 | User access management | Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. |
| ISO | A.9.3 | User responsibilities | Objective: To make users accountable for safeguarding their authentication information. |
| ISO | A.9.4 | System and application access control | Objective: To prevent unauthorized access to systems and applications. |
| HIPAA | 164.308(a)(4) | Information access management | (i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. (ii) Implementation specifications: (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. (B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. (C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. |
| HIPAA | 164.312(a) | Access control | (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). (2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. |