Access Control Security System

Tuesday, May 27, 2008

Two Factor Authentication - A Secure Method of Access Control

The corporate network infrastructure can hold a huge amount of data relevant to the company. It is imperative that access to this data is restricted and that it cannot be viewed by unauthorised personnel. There are many ways of implementing an ‘Access Control’ solution, which generally rely on a username/password scenario or possibly on an agent on the end-user point that verifies its authenticity. However, for increased protection of highly sensitive networks it is strongly advisable to consider a more secure approach. ‘Two Factor Authentication’ provides a solution to this scenario which is trusted and utilised in the most security-conscious of environments, including banks and the finance sector.

So why is the old username/password system considered inappropriate by many top establishments? Firstly, the username is generally easy to guess. In normal circumstances it will be based on a very simple formula which revolves around the employee’s name, and the same formula is used for all employees. So the first step in the process is already relatively insecure. Secondly, the username is combined with a password. Passwords are generally easier to guess than people acknowledge: they often revolve around birthdays or mothers’ maiden names, and are probably very similar to the passwords the user has for a variety of other accounts. This is generally because so many accounts require passwords; users try to make them as simple as possible so they won’t forget them. To make matters worse, many companies have a policy that passwords expire on a regular basis, forcing their employees to change them constantly. How does this make matters worse? Well, it actually makes the password harder to remember for the operator, who is generally the weakest link in your company’s security. If the operator finds it hard to remember, then they are likely to leave a reminder somewhere so they don’t forget it. This can be a Post-it note on the monitor or scraps of paper around the desk, either under the keyboard, in the top drawer or in the nearby vicinity.

So what does ‘Two Factor Authentication’ offer? Using this method the user will require an additional piece of information in conjunction with their username/password to gain access to the network. There are various vendors out there providing different versions of this solution, though the common approach is for a ‘token’ to be issued. The token is a small device which will comfortably fit into your pocket and can quite often be attached to your key ring. At any one time the token will display a numerical value. This value provides an authorisation code unique to the individual employee that, when combined with the username/password, will grant access to the network. How is this secure? Well, the numerical value on the token changes every 60 seconds. The network infrastructure will be aware of the number that is expected and will verify it against the number being produced. If they match, then the connection will be successful; otherwise the user is not allowed to connect. This provides huge advances for the security of the network, as this token won’t be found next to the computer when the user is away and, due to the sheer complexity of the algorithms used to generate the values, the code has never been cracked. Even if someone was given the formula, they couldn’t process the figures quickly enough to calculate the next number in anything close to a minute. In fact, competitions are held regularly where some of the top mathematical minds are allowed months to attempt it, and it is still safe. Also, each number can only be used once, so if a number is compromised after the user’s fingers are seen typing the digits in, and a hacker tries to repeat that code within the 60 second window, it will already be void.
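The server-side check described above, as an added example that is not part of the original article or of any vendor's product: a code that changes every 60 seconds, is compared against the value the server expects, and is void after one use. The page does not give the vendors' algorithms, so this uses the open RFC 6238 (TOTP) construction instead; the six-digit length, secret, user name and timestamp are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds each code is shown, as in the article
DIGITS = 6     # assumed display length


def token_code(secret: bytes, now: float) -> str:
    """Code the token displays at time `now` (RFC 6238 with HMAC-SHA1)."""
    counter = int(now // STEP)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: holds each user's secret and the last window it accepted."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._last_step = {}

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self._secrets.get(user)
        step = int(now // STEP)
        if secret is None or self._last_step.get(user, -1) >= step:
            return False                 # unknown user, or window already used
        expected = token_code(secret, now)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self._last_step[user] = step     # burn the window: one use per code
        return True


def demo() -> list:
    secret = b"constructed-demo-secret"          # constructed sample secret
    server = TokenVerifier({"alice": secret})
    t = 20_198_333 * STEP                        # constructed window start time
    code = token_code(secret, t)
    return [
        server.verify("alice", code, t + 5),     # first use: accepted
        server.verify("alice", code, t + 20),    # replay in same window: void
        server.verify("alice", code, t + 60),    # old code in next window
        server.verify("alice", token_code(secret, t + 60), t + 61),
    ]
```

The second factor only adds protection if the per-user secret is stored and provisioned as carefully as a password database, since anyone holding it can compute every future code.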

It also provides a solution for commuting staff who are looking to obtain remote access. They can use this process across a remote access solution, and are able to verify themselves in a very safe and secure manner. No agents need to be uploaded to the end-user point, so staff are not necessarily restricted in which computer they can use to access the infrastructure.

This is a brief introduction to ‘Two Factor Authentication’ and provides a very strong and trusted solution for Network Managers.

‘Secure in the Knowledge’

Dean Grimshawe is Head of Marketing at Toranet Ltd - The Network Security Specialists. Toranet work closely with businesses to provide an intricate balance between access and security. By optimising this relationship companies are able to secure their infrastructure while still experiencing efficiency. This scenario produces the greatest return on investment for the client. For further information visit http://www.toranet.net


Tuesday, May 20, 2008

Electronic Medical Billing Software, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort, as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

  1. Name
  2. Dates (except year)
  3. Zip code of more than 3 digits, telephone and fax numbers, email
  4. Social security numbers
  5. Medical record numbers
  6. Health plan numbers
  7. License numbers
  8. Photographs

Information shared with other healthcare providers or clearinghouses

  1. Nursing and physician notes
  2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow the smooth flow of PHI for healthcare operations, subject to the patient's consent, but to prohibit any unauthorized flow of PHI for any other purposes. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

  1. Access to PHI,
  2. Correction for errors and completeness, and
  3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons that hold PHI must

  1. Be accountable for their own use and disclosure
  2. Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins with making assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about

  1. Threat nature (Accidental disclosure by insiders? Access for profit?),
  2. Source of threat (outsider or insider?),
  3. Means of potential threat (break in, physical intrusion, computer hack, virus?),
  4. Specific kind of data at risk (patient identification, financials, medical?), and
  5. Scale (how many patient records threatened?).

The HIPAA process must include a clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. The stated policy typically includes a statement of least privilege data access to complete the job, a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

  1. To assure physical data center security, the manager must
    1. Lock data center
    2. Manage access list
    3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
    4. Protect access to data center with 24 x 7 onsite security
    5. Protect backup data
    6. Test recovery procedure

  2. For network security, the data center must have special facilities for
    1. Secure networking - firewall protection, encrypted data transfer only
    2. Network access monitoring and report auditing

  3. For data security, the manager must have
    1. Individual authentication - individual logins and passwords
    2. Role Based Access Control (see below)
    3. Audit trails - all access to all data fields tracked and recorded
    4. Data discipline - Limited ability to download data

Role Based Access Control (RBAC)

RBAC improves the convenience and flexibility of systems management. Greater convenience helps reduce the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as many privileges as are required for completing their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across the entire organization. Thus, to make a massive change of privileges for a large number of users with the same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Whenever the definition of the role changes, along with the set of privileges required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all of the users that have this role get redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which will redefine the user's access privileges automatically according to the new profile.
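The behaviour described in this section, as an added example that is not code from the article or from any billing product: hierarchical roles with inherited privileges, default-deny checks, one role redefinition that changes every member's access, one profile reassignment for a single user, and an audit entry for every check. The role names, privilege strings and users are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)
    parents: list = field(default_factory=list)    # roles this role inherits from

    def effective(self) -> set:  # own plus inherited privileges (cycle-safe walk)
        result, seen, stack = set(), set(), [self]
        while stack:
            role = stack.pop()
            if id(role) not in seen:
                seen.add(id(role))
                result |= role.privileges
                stack.extend(role.parents)
        return result


class AccessControl:
    def __init__(self):
        self.profile = {}    # user -> Role
        self.audit = []      # (user, privilege, allowed) for every check

    def assign(self, user: str, role: Role) -> None:
        self.profile[user] = role

    def allowed(self, user: str, privilege: str) -> bool:
        role = self.profile.get(user)
        ok = role is not None and privilege in role.effective()  # default deny
        self.audit.append((user, privilege, ok))
        return ok


def demo() -> dict:
    staff = Role("staff", {"schedule:read"})        # hypothetical practice roles
    biller = Role("biller", {"billing:read", "billing:write"}, [staff])
    nurse = Role("nurse", {"notes:read", "notes:write"}, [staff])
    ac = AccessControl()
    for user, role in (("bob", biller), ("carol", biller), ("dana", nurse)):
        ac.assign(user, role)
    out = {"inherited": ac.allowed("bob", "schedule:read"),
           "least_privilege": ac.allowed("bob", "notes:read")}
    biller.privileges.discard("billing:write")      # one role redefinition...
    out["after_role_change"] = [ac.allowed(u, "billing:write") for u in ("bob", "carol")]
    ac.assign("bob", nurse)                          # one profile reassignment
    out["after_reassign"] = [ac.allowed("bob", p) for p in ("notes:read", "billing:read")]
    return {**out, "audit_entries": len(ac.audit)}
```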

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of a Vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, is the author of Practicing Profitability - Network Effect for Revenue Cycle Control in Healthcare Clinic and Chiropractic Office: Scheduling, SOAP Notes, Care Plans, Coding, Billing, Collections, and Audit Risk (Affinity Billing) and Mission Critical Systems Management (Prentice Hall), inventor of patents in Artificial Intelligence and Computer Security, and CEO of Vericle.net - Distributed Billing and Practice Management Technologies. Yuval invites you to register for the next webinar on audit risk at BillingPrecision.com
