Security Reference Guide

Physical Access Controls and HIPAA Compliance

Last updated May 23, 2003.

As previously mentioned, the use of Physical Access Controls is required to ensure that data is only accessed or viewed by authorized personnel. It is important to note that Physical Access Control is not the same as Computer Access Control. This section deals with the ability of a person to gain physical access to sensitive information that should only be available to authorized personnel. For example, a maintenance person should never be allowed to access a file storage area or computer server room without an authorized chaperone to prevent them from accessing personal information. In addition, if maintenance personnel are granted access to a sensitive area, they should not be inadvertently exposed to patient information.

To help regulate access control, you should develop a mandatory sign-in system to track entrance to sensitive areas, or to assign accountability for sensitive material that needs to leave a monitored area. For example, if a staff member needs to remove a patient's file from a secure area, they need to understand and adhere to the guidelines for removal, such as a non-disclosure agreement and the consequences if they fail to meet the expected guidelines.

Policy/guideline on workstation usage

It is necessary for each organization to define policies to regulate proper workstation (computer) usage. The policies should outline the logging on/off requirements, as well as general policies to control how the workstation is used. For example, a workstation policy should restrict the use of web browsers to view pornography, and the use of peer-to-peer (file sharing) programs. This can help curb wasted productivity, as well as reducing the chance of a liability due to inappropriate activity.

Secure Workstation Location

Related to workstation use is the subject of workstation location. When a computer is in use, its screen is typically viewable by anyone directly behind or to the side of the monitor. This is a problem if the monitor is in a public area where unauthorized personnel or clients could inadvertently view the screen. While direct viewing is the most serious issue, it is important to identify alternate methods by which a screen could be viewed. The use of mirrors, location of a monitor next to a window, or even the use of a video camera can create a compromised system. In fact, it is possible to use the reflection from a glass-framed picture hanging behind a computer monitor to read the screen from over two miles away. While this is an extreme circumstance, it demonstrates the thought that needs to go into proper computer placement in a sensitive environment.

Security Awareness Training

At the core of maintaining proper Physical Access Control is user training. As a result, you should provide training for all employees, agents, and contractors. It is necessary for all staff to understand security responsibilities and possible consequences of policy violation.

Technical Security Services to Guard Data Integrity, Confidentiality, and Availability

The core of maintaining a secure organization is to control access to the system. Therefore, most of the services provided by a security system are found in access control, and in how the controls are implemented, maintained, monitored, and regulated. This section will define and describe the methods by which access controls are used to guard and maintain the integrity, confidentiality, and availability of a system's services and the data provided by those services.

Access Control

Health care providers must ensure that only authorized personnel have access to a patient's sensitive and confidential data. To do this, you should have a system in place by which access is granted and controlled based on a need-to-know status. This next section will describe several types of access control.

Discretionary access control

Discretionary access control (DAC) is a subjective method, based on a decision made by an individual user who is typically not the manager. For example, when a user creates a resource such as a file, he or she can define an access control list (ACL) that regulates who can have access to the resource, and how much access they can have (read, write, or delete). Therefore, DAC is usually granted based on a username/password combination that is linked to a set of permissions. An example of this is a file to which everyone is granted read access, while the owner alone has full read/write access. This type of system takes control away from a central authority and leaves the assignment of permissions to the creator of the resource.

Mandatory Access Control (MAC)

Mandatory access control (MAC), on the other hand, is a standardized method of categorizing resources and users based on a predetermined set of criteria overseen by an authority figure, such as a system administrator. For example, military and government organizations have long used the levels of classified, confidential, top secret, etc. This type of control is usually more secure than DAC, but is typically less convenient for end users, who rely on another party to identify their security clearance level. An example of MAC is a four-level system in which scheduling is granted to all personnel with a level 4 and above clearance, financial data is granted to all with level 3 and above, normal medical information is available to level 2 and above, and sensitive medical data is available only to level 1 users.
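To make the contrast between the DAC and MAC descriptions above concrete, here is an added example (not code from the guide): a file whose owner sets its own ACL, beside the guide's four-level clearance table that only an administrator maintains. It assumes that in the guide's example level 1 is the highest clearance, so "level 3 and above" means levels 3, 2 and 1; user names and the category keys are constructed.

```python
# Added example, not code from the guide: a DAC file whose owner sets the
# ACL, beside a MAC policy an administrator sets and users cannot override.
# Assumption: in the guide's four-level example, level 1 is the highest
# clearance, so "level 3 and above" means levels 3, 2 and 1.
from dataclasses import dataclass, field


@dataclass
class DacFile:
    """Discretionary control: the resource creator decides who gets what."""
    owner: str
    acl: dict = field(default_factory=dict)  # user (or "*") -> set of rights

    def grant(self, actor: str, user: str, rights: set) -> bool:
        # Only the owner may edit the ACL; no central authority is consulted.
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).update(rights)
        return True

    def allowed(self, user: str, right: str) -> bool:
        if user == self.owner:
            return True  # the owner keeps full read/write access
        granted = self.acl.get(user, set()) | self.acl.get("*", set())
        return right in granted


# Mandatory control: minimum clearance per data category, from the guide's
# example. Only an administrator changes this table, never a data owner.
MAC_POLICY = {
    "scheduling": 4,
    "financial": 3,
    "medical": 2,
    "sensitive_medical": 1,
}


def mac_allowed(user_level: int, category: str) -> bool:
    """A user may read a category when their clearance level dominates
    the category's minimum (a numerically lower or equal level)."""
    return user_level <= MAC_POLICY[category]


def readable_categories(user_level: int) -> set:
    """Everything a clearance level can see under MAC_POLICY."""
    return {c for c in MAC_POLICY if mac_allowed(user_level, c)}


if __name__ == "__main__":
    chart = DacFile(owner="alice")
    chart.grant("alice", "*", {"read"})  # owner opens read access to all
    print(chart.allowed("bob", "write"))  # False: never granted
    print(readable_categories(3))  # scheduling and financial only
```

Note that under DAC nothing stops the owner from granting everyone read access to a sensitive file, whereas under MAC the owner's wishes never enter the decision.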

Content and Role Based Access Control

Content Based Access Control is most often seen in content filtering programs, such as child filters for the Internet. Using a predetermined list of words, or another form of file content monitoring, a content-based access control system grants or denies access to data based on the actual substance of that information.

In contrast, a Role Based Access Control is designed around the user's actual activities. In other words, Role Based Access Control uses roles, or job responsibilities, to define who has access to a resource. For example, if a staff member needs access to data for the purpose of determining that day's schedule, then she will be granted only enough access to perform that duty. This type of access control is typically used in database systems where each user is granted access to data via an application that meets a specific goal. Therefore, a scheduling program will have access to a subset of data, while the finance program will have access to another subset.
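The scheduling-versus-finance split described above, as an added example that is not code from the guide: permissions hang off job roles rather than individual users, and an application acting for a user sees only the fields of a record its role may read. Roles, field names, users and the sample record are constructed for illustration.

```python
# Added example, not code from the guide: role-based access where the job
# role, not the individual, carries the permissions, and each application
# sees only the subset of a record its role needs. Roles, field names and
# users are constructed for illustration.

# Each record field belongs to a data category (constructed mapping).
FIELD_CATEGORY = {
    "patient": "schedule",
    "appointment": "schedule",
    "balance": "finance",
    "diagnosis": "medical",
}


class Rbac:
    def __init__(self, role_perms: dict, user_roles: dict):
        self.role_perms = {r: set(p) for r, p in role_perms.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def assign(self, user: str, roles: set) -> None:
        """Changing a job changes the role; no per-user ACL edits needed."""
        self.user_roles[user] = set(roles)

    def permitted(self, user: str, category: str, action: str) -> bool:
        """Decided from roles only; an unknown user holds no roles."""
        return any((category, action) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))

    def view(self, user: str, record: dict) -> dict:
        """The subset of a record the user's roles may read, like the
        scheduling program seeing only scheduling data."""
        return {k: v for k, v in record.items()
                if self.permitted(user, FIELD_CATEGORY[k], "read")}


# Constructed role definitions: (category, action) pairs per role.
ROLE_PERMISSIONS = {
    "scheduler": {("schedule", "read"), ("schedule", "write")},
    "billing": {("finance", "read"), ("finance", "write"), ("schedule", "read")},
    "clinician": {("medical", "read"), ("medical", "write"), ("schedule", "read")},
}
USER_ROLES = {"dana": {"scheduler"}, "eve": {"billing"}}

SAMPLE_RECORD = {  # constructed sample record
    "patient": "P-001", "appointment": "09:00", "balance": 120.0, "diagnosis": "sample-dx"
}

if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS, USER_ROLES)
    print(rbac.view("dana", SAMPLE_RECORD))  # patient and appointment only
```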

User-Based Access Control

User-based control is founded on a user name and password combination that is compared to an access control list to determine what permission a user has with regard to a resource. User-based controls are often used to control access to services, such as protected web pages, file servers, etc. For example, most email servers require a username and password combination before you can access your email. Not only does the username/password combination determine whether you can retrieve your email, but it also determines what email is made available to the end user.

Next Time: Audit controls and more!