Electronic Access Control Systems - The Key to Crime Prevention

In my role as a Security Consultant, I have been on countless appointments at companies that do not have a comprehensive key management plan in place. It?s not really that uncommon of a problem and it can quickly get out of control.

Almost every home and office is secured with a lock and a key. Most people have a key chain to help them keep track of these important symbols of modern society. House keys, office keys, garage keys and several car keys usually rattle around in most people?s pockets or purses.

Even though lock and key mechanisms incorporate many modern security features they are still susceptible to being lost, stolen or copied. Another inherent weakness in lock and keys is that anyone with a key can enter your building any time they want.

Each year, companies spend hundreds of thousands of dollars re-keying buildings because someone lost a set of keys or an employee was fired who did not return a set of building keys?

Do you know how many grand master keys have been issued in your building? Can you reasonably say with confidence that none of your keys have been copied by less than ethical employees? Do you have employee?s entering your office at odd hours? Has your building ever been left unlocked?

If you have experienced any of the preceding issues, perhaps and Electronic Access Control System is the ?key?. An Electronic Access Control System can provide you with an effective solution to your key management nightmare while providing a very potent tool in your overall security management plan.

Take back those keys! A properly deployed electronic access control system will allow you to secure your facility and deter crimes by limiting access to authorized personnel and separating public from private areas.

The capabilities of electronic access control systems vary greatly. They range from single door stand alone systems that you program through a keypad, to medium sized computer based systems, to the top of the line "enterprise" systems that have the ability to communicate control thousands of card readers on multiple continents.

Electronic Access Control Systems have some very basic things in common. Each of them will allow you to control who goes where and when in your facility by requiring the presentation of a unique credential at a Card Reader or a PIN pad and they can be set up to provide you with a report of who has entered your building.

There are several manufacturers that provide 1 to 4 door solutions that are programmed through a keypad or a remote software package. Some of the higher end burglar alarm systems can also control access on up to 4 doors.

These smaller systems provide fully controlled access to individuals based on the door, the date and the time. Some of them allow you to hook up a form feed dot matrix printer directly to the controller in order to get reports. Most of these systems are limited to less than 4 doors and a couple of hundred users/credentials.

Many people who use the 1-4 door systems will usually program cards to work 24 hours a day because it can be difficult and time consuming to manage multiple time groups or limit an individual?s access.

That?s not to say that you cannot provide full date and time limited access control with a 1-4 door system, but if your application requires periodic updates and multiple users, you may want to consider a more sophisticated solution. A good application for a 1-4 door system would be a remotely managed multi-tenant building without an on site manager.

Lower to mid range P.C. based solutions can be provided that control access on 1 to 32 doors of access. Systems in this range can provide controlled access to several thousand users. They are a good choice if your intention is to allow keyless entry on a limited number of doors at a single site and run some limited reports.

Most electronic access systems in the low to mid range are Windows based software applications that use MSDE or other off the shelf database software; therefore the reporting features are fairly limited.

In addition, the low to mid range systems have limited abilities to monitor alarms, provide video badging, integrate with 3rd party databases or interface with other systems such as CCTV or Burglar Alarms.

There are literally dozens of manufacturers flooding the small to mid range market and their offerings vary greatly. You would be wise to perform some due diligence and ask for local references from any vendor that you may be considering.

Enterprise Level Access Control Systems occupy the top tier of entry control systems. There are only a handful of manufacturers that can truly call themselves an "Enterprise Level" solution. These highly sophisticated systems are true security management systems that can easily and effectively handle thousands of card readers, hundreds of thousands of cards, and a multitude of workstations spread all across the globe.

An Enterprise Level Solution has integrated single point of entry video badging, seamless integration to CCTV systems and Digital Video Recorders, true real time alarm handling with live on line graphics pages and full blown database solutions like SQL Server or Oracle.

Enterprise Level Access Control systems utilize door processing units or access control panels that can communicate via RS422/485 and TCP/IP Protocol. Enterprise Level Systems are only sold through factory trained and authorized systems integrators who have a proven track record and fully staffed service departments.

If you need an Enterprise Level Access Control System, I highly recommend that you perform your due diligence on both the manufacturer and the security companies that you are considering. Make sure that you choose a reputable Security Company or a Systems Integrator that has a strong computer networking background to perform and support the installation. Ask for several references of projects of a similar size and scope from both the manufacturer and the Systems Integrator. Interview each reference thoroughly before you make a purchasing decision.

You will thank me later!

Roy Stephenson is a Security Consultant with over 21 Years Experience Designing and Installing High End Integrated Security Systems. He is currently the VP of Marketing at http://www.Security-Kits.Com and http://www.EZWatchstore.com

Medical Billing, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner to ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.

The Health insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by federal government, financial penalties, ranging from $100 to $250,000, and imprisonment, ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

1. Name
2. Dates (except year)
3. Zip code of more than 3 digits, telephone and fax numbers, email
4. Social security numbers
5. Medical record numbers
6. Health plan numbers
7. License numbers
8. Photographs

Information shared with other healthcare providers or clearinghouses

1. Nursing and physician notes
2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow smooth flow of PHI for healthcare operations subject to patient's consent but prohibit any flow of unauthorized PHI for any other purposes. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

1. Access to PHI,
2. Correction for errors and completeness, and
3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons that hold PHI must

1. Be accountable for own use and disclosure
2. Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins upon making assumptions about PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps understanding the purpose of HIPAA implementation process. It includes assumptions about

1. Threat nature (Accidental disclosure by insiders? Access for profit? ),
2. Source of threat (outsider or insider?),
3. Means of potential threat (break in, physical intrusion, computer hack, virus?),
4. Specific kind of data at risk (patient identification, financials, medical?), and
5. Scale (how many patient records threatened?).

HIPAA process must include clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. Stated policy typically includes a statement of least privilege data access to complete the job, definition of PHI and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

1. To assure physical data center security, the manager must
   1. Lock data center
   2. Manage access list
   3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
   4. Protect access to data center with 24 x 7 onsite security
   5. Protect backup data
   6. Test recovery procedure

2. For network security, the data center must have special facilities for
   1. Secure networking - firewall protection, encrypted data transfer only
   2. Network access monitoring and report auditing

3. For data security, the manager must have
   1. Individual authentication - individual logins and passwords
   2. Role Based Access Control (see below)
   3. Audit trails - all access to all data fields tracked and recorded
   4. Data discipline - Limited ability to download data

Role Based Access Control (RBAC)

RBAC improves convenience and flexibility of systems management. Greater convenience helps reducing the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where the users are granted only as much privileges as required for completing their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across entire organization. Thus, to make a massive change of privileges for a large number of users with same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Every time when the definition of the role changes along with the set of privileges that is required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all of the users that have this role get redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which will redefine user's access privileges automatically according to the new profile.

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, author of "Mission Critical Systems Management" (Prentice Hall) , inventor of multiple patents in artificial intelligence and computer security, and CEO of Vericle.com Billing Technologies. Vericle delivers comprehensive practice workflow engine that integrates patient scheduling, electronic medical records (EMR), billing, transcription, and compliance management. By consolidating technology for hundreds of separate billing services, Vericle? tracks payer performance from a single point of control, shares compliance rules globally, and creates massive economies of scale. Yuval invites you to share your knowledge of medical billing and compliance at BillingWiki.com and register to the next webinar on audit risk at ChiroAudit.com.

Access Control List in .

BalajiAccess Control List in .NET Framework

Once you complete developing a web application, you need to secure it. This is when the aspect of security comes into picture. There will be some portions of your application which need to be secured from users. Securing an application may need extra hardware to build complex multi-layer systems with firewalls, and also some highly secure features. Security enables you to provide access to a specified user after the user is authenticated and authorized to access the resources in your web application. The Access Control List is used in the authorization process.

The basic concepts of security are Authentication, Authorization, Impersonation and Data or functional security. Authentication is the process that enables to identify a user, so that only that user is provided access to the resources. Authorization is the process that enables to determine whether a particular user can be given access to the resources that the user requests. Impersonation is the process that provides access to resources requested by a user under a different identity. Data or functional security is the process of securing a system physically, updating the operating system and using robust software.

Some elements of an operating system, the Internet Information Server (IIS), and the .NET Framework work in coordination to provide the features required to execute the security concepts mentioned above. For example, Windows 2000 uses its own list of user accounts for identifying and authenticating users. IIS identifies the users based on the information provided by Windows, when the users access a web site. IIS after identification of the users, passes this information to ASP.NET. Then the user information is checked for authorization.

To restrict access to the users for certain resources of an application, a process of identifying the users becomes a necessity. Authentication enables to restrict a user to access the resources by certain ways. It could be a combination of a username and password, a digital certificate, a smart card or a fingerprint reader. The validity of the information provided by the user helps identify the user, so that the user is provided access to the requested resources. The process of successful identification of the user implies that the user is authenticated.

After identification of the user is over, the next step is to determine whether the authenticated user has access to the resources. The process of determining the access to the resources for a particular user is known as Authorization. In Windows based systems, resources have an Access Control List, which provides a list of users who have access to that resource. The list also specifies the kind of access such as read, write, modify, and delete the resource, for each user. For example, if a user requests an ASP page, the operating system checks whether the user has Read access to the page and if the user has read permission, then the operating system allows the IIS to fetch the page. The IIS has authorization settings which enable the IIS to control the access of resources by users. File Access Control Lists are set for a given file or directory using the Security tab in the Explorer property page.

To access online version of the above article, go to http://www.dotnet-guide.com/accesscontrol.html

Once you complete developing a web application, you need to secure it. This is when the aspect of security comes into picture. There will be some portions of your application which need to be secured from users. Securing an application may need extra hardware to build complex multi-layer systems with firewalls, and also some highly secure features. Security enables you to provide access to a specified user after the user is authenticated and authorized to access the resources in your web application. The Access Control List is used in the authorization process.

The basic concepts of security are Authentication, Authorization, Impersonation and Data or functional security. Authentication is the process that enables to identify a user, so that only that user is provided access to the resources. Authorization is the process that enables to determine whether a particular user can be given access to the resources that the user requests. Impersonation is the process that provides access to resources requested by a user under a different identity. Data or functional security is the process of securing a system physically, updating the operating system and using robust software.

Some elements of an operating system, the Internet Information Server (IIS), and the .NET Framework work in coordination to provide the features required to execute the security concepts mentioned above. For example, Windows 2000 uses its own list of user accounts for identifying and authenticating users. IIS identifies the users based on the information provided by Windows, when the users access a web site. IIS after identification of the users, passes this information to ASP.NET. Then the user information is checked for authorization.

To restrict access to the users for certain resources of an application, a process of identifying the users becomes a necessity. Authentication enables to restrict a user to access the resources by certain ways. It could be a combination of a username and password, a digital certificate, a smart card or a fingerprint reader. The validity of the information provided by the user helps identify the user, so that the user is provided access to the requested resources. The process of successful identification of the user implies that the user is authenticated.

After identification of the user is over, the next step is to determine whether the authenticated user has access to the resources. The process of determining the access to the resources for a particular user is known as Authorization. In Windows based systems, resources have an Access Control List, which provides a list of users who have access to that resource. The list also specifies the kind of access such as read, write, modify, and delete the resource, for each user. For example, if a user requests an ASP page, the operating system checks whether the user has Read access to the page and if the user has read permission, then the operating system allows the IIS to fetch the page. The IIS has authorization settings which enable the IIS to control the access of resources by users. File Access Control Lists are set for a given file or directory using the Security tab in the Explorer property page.

To access online version of the above article, go to http://www.dotnet-guide.com/accesscontrol.html

Visit http://www.dotnet-guide.com for a
complete introduction to .NET framework. Learn about ASP.NET, VB.NET, C# and other related technologies.