Wednesday, January 26, 2011

What Constitutes a HIPAA Secure Login

The HIPAA Security Rule requires health care organizations to put administrative, physical and technical safeguards in place to protect electronic patient data. Login and access controls fall under the technical safeguards.


Since April 2005, covered health care organizations have been required to develop and maintain practices and procedures that safeguard sensitive patient health information stored and transmitted electronically (electronic protected health information, or ePHI). These security rules support the health information privacy standards enacted in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One task toward keeping patient information secure involves implementing technology that regulates who can access information stored on workplace computers or servers, and that records who did.


Creating Log-ins


Designed to be technology neutral, the HIPAA Security Rule doesn't list technologies that hospitals and health plans must use to authenticate employees authorized to access the organization's protected patient data. The U.S. Department of Health & Human Services (HHS) does require a unique identifier for each user (45 CFR 164.312(a)(2)(i)) and a procedure to verify that a person or entity seeking access is who they claim to be (164.312(d)); it leaves organizations free to meet those requirements with whatever technology fits their needs and budgets. Shared or generic accounts defeat the first requirement, because the audit trail can no longer say which person acted.


Passwords and PINs


The traditional way a clinic or hospital authenticates users is to create a unique user name and password for each employee. Longer passwords drawn from a larger character set (letters, digits and symbols) resist guessing better than short numeric ones. The system should store only a salted, slow hash of each password rather than the password itself, and should record and throttle repeated failed attempts. Personal identification numbers (PINs), often used in combination with a bank card at an automated teller machine, are short numeric passwords; on their own they are weak, and they are normally paired with something the user physically holds.


Smart Cards and Tokens


Smart cards and tokens are physical devices that prove "something the user has." A smart card is inserted into or swiped through a reader and typically unlocked with a PIN, so that a lost card alone grants nothing. A hardware token may instead display a short one-time code that the user types at login; the code changes with time or with each use, so a code that is observed or captured cannot be reused later.


Telephone Callback


In telephone callback for dial-up connections, remote users register their computer with the host computer's authentication system. When users want to access their organization's files, they direct their terminal to dial the host computer. After the user enters a user name and password, the host hangs up and returns the call to the user's pre-registered telephone number, so that a stolen password alone is not enough to connect from an unknown location. The protection is only as strong as the telephone network's binding of a number to a location; call forwarding on the registered line weakens it. High-speed Internet connections have made telephone callback largely obsolete.


Biometrics and Behavior


Biometric log-in solutions use fingerprints, iris recognition, retinal scans, hand geometry, facial and voice recognition, and handwriting or signature dynamics to grant access to a computer network. Behavioral authentication may instead record the unique keystroke rhythm of each user (keystroke dynamics) to make an identification. Because a biometric trait cannot be changed if its stored template is compromised, biometrics are usually combined with a password, PIN or card rather than used alone.


Automatic Logoff and Audit Trail


To guard against disclosures from unattended computers, the Security Rule lists automatic logoff after a period of inactivity as an implementation specification for workstations and terminals (45 CFR 164.312(a)(2)(iii)); it is "addressable," meaning an organization must implement it or document why an equivalent measure is reasonable instead. Audit controls (164.312(b)) are a required standard: hospitals and health plans must keep an audit trail that records each login to the system, any invalid password attempts, and what patient records were accessed, so that misuse can be detected and investigated.
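An added example, written for this page rather than taken from it or from any product, that ties together the password section above and the logoff and audit-trail points in this one. It verifies a user name and password against a salted PBKDF2 hash, writes an audit record for every successful login and every invalid attempt, and enforces an idle timeout that logs the session off automatically. The timeout value, iteration count, user names and terminal name are assumptions chosen for illustration; the clock is passed in as a parameter so the behaviour is reproducible.

```python
import hashlib
import hmac
import os
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value; the Security Rule sets no number
PBKDF2_ITERATIONS = 200_000      # assumed; tune to current guidance and your hardware


def hash_password(password, salt=None):
    """Return (salt, digest). Only the salted, slow hash is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginSystem:
    """User name / password authentication with an audit trail and idle auto-logoff."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self.audit = []     # (timestamp, event, username, detail)

    def _record(self, ts, event, username, detail=""):
        self.audit.append((ts, event, username, detail))

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, ts, terminal="ws-01"):
        """Return a session id on success, None on failure. Both outcomes are audited."""
        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown user name takes as long as a known one.
            hash_password(password, b"\x00" * 16)
            self._record(ts, "LOGIN_FAIL", username, "unknown user from " + terminal)
            return None
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):
            self._record(ts, "LOGIN_FAIL", username, "invalid password from " + terminal)
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "last_seen": ts}
        self._record(ts, "LOGIN_OK", username, "session %s from %s" % (sid[:8], terminal))
        return sid

    def touch(self, sid, ts):
        """Call on every request. Returns the user name while the session is live,
        or None once the idle timeout has elapsed (automatic logoff, audited)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if ts - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._record(ts, "AUTO_LOGOFF", sess["user"],
                         "idle longer than %ds" % IDLE_TIMEOUT_SECONDS)
            del self.sessions[sid]
            return None
        sess["last_seen"] = ts
        return sess["user"]

    def failed_attempts(self, username):
        """Count of invalid attempts for a user name, as a reviewer would pull from the trail."""
        return sum(1 for _, ev, u, _ in self.audit if ev == "LOGIN_FAIL" and u == username)


if __name__ == "__main__":
    system = LoginSystem()
    system.add_user("nurse.jones", "correct horse battery staple")   # constructed sample user
    system.login("nurse.jones", "wrong", ts=1000)
    sid = system.login("nurse.jones", "correct horse battery staple", ts=1002)
    system.touch(sid, 1002 + IDLE_TIMEOUT_SECONDS + 1)
    for entry in system.audit:
        print(entry)
```

The failure message recorded for an unknown user name differs from the one for a wrong password only inside the audit trail; the caller receives `None` in both cases, so the login screen cannot be used to enumerate valid user names. Audit records here live in a list; in production they go to append-only storage that the people being audited cannot alter.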


Securing Log-ins


Even as a hospital or health plan implements one or more of these authentication technologies, workers must develop a heightened awareness of how access to their organization's files, computers and servers is controlled. If an employee jots a user name and password on a piece of notepaper and posts it near the workstation, or lets a colleague work under an already logged-in session, every technical control described above is bypassed and the audit trail no longer identifies who actually acted.
