NRPM: Security and Electronic Signature Standards. Technical Security Services to Guard Data Integrity, Confidentiality, and Availability

08/12/1998

[Please label written comments or e-mailed comments about this section with the subject: TECHNICAL SECURITY SERVICES]

The proposed requirements and implementation features for technical security services are presented at § 142.308(c). We would require each of these services to be implemented and documented. The documentation would be made available to those individuals responsible for implementing the services and would be reviewed and updated periodically. The following matrix depicts the requirements and implementation features for the Technical Security Services category. Following the matrix is a discussion of each of the requirements under that category.

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT: Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional).
IMPLEMENTATION:
  • Context-based access.
  • Encryption.
  • Procedure for emergency access.
  • Role-based access.
  • User-based access.

REQUIREMENT: Audit controls
IMPLEMENTATION: (none listed)

REQUIREMENT: Authorization control (At least one of the listed implementation features must be implemented).
IMPLEMENTATION:
  • Role-based access.
  • User-based access.

REQUIREMENT: Data Authentication
IMPLEMENTATION: (none listed)

REQUIREMENT: Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented).
IMPLEMENTATION:
  • Automatic logoff.
  • Biometric.
  • Password.
  • PIN.
  • Telephone callback.
  • Token.
  • Unique user identification.

a. Access Control

There would be a requirement for access control that would restrict access to resources and allow access only by privileged entities. It would be important to limit access to health information to those employees who have a business need to access it. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation. The following implementation feature would be used:

  • Procedure for emergency access.

In addition, at least one of the following three implementation features would be used:

  • Context-based access.
  • Role-based access.
  • User-based access.

The use of the encryption implementation feature would be optional.

b. Audit Controls

Each organization would be required to put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.
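The following is an added illustration of sections a and b together; it is not part of the proposed rule. It models the three access-control implementation features (user-based, role-based and context-based), a procedure for emergency access that grants outside normal policy but flags the event, and an audit control that records every decision and picks out the activity that warrants examination. The policy rules, user names, roles, resource names and audit-record layout are all constructed for the example.

```python
"""Access control with an emergency-access procedure and audit controls.

Added illustration for sections a and b of this NPRM discussion; it is not
part of the proposed rule. Rules, user names, roles, resource names and the
audit-record layout are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str            # unique user identifier
    role: str            # job role assigned to the user
    resource: str        # constructed name such as "patient/1234/record"
    hour: int            # local hour of day (0-23) used by context-based rules
    emergency: bool = False
    justification: str = ""


@dataclass
class AccessControl:
    # User-based access: a named user is granted specific resources.
    user_grants: dict[str, set[str]] = field(default_factory=dict)
    # Role-based access: a role is granted every resource under a prefix.
    role_grants: dict[str, set[str]] = field(default_factory=dict)
    # Context-based access: a role may only act inside an hour window [start, end).
    role_hours: dict[str, tuple[int, int]] = field(default_factory=dict)
    # Audit control: every decision is recorded for later examination.
    audit_log: list[dict] = field(default_factory=list)

    def _user_based(self, req: AccessRequest) -> bool:
        return req.resource in self.user_grants.get(req.user, set())

    def _role_based(self, req: AccessRequest) -> bool:
        prefixes = self.role_grants.get(req.role, set())
        return any(req.resource.startswith(p) for p in prefixes)

    def _context_ok(self, req: AccessRequest) -> bool:
        window = self.role_hours.get(req.role)
        if window is None:
            return True
        start, end = window
        return start <= req.hour < end

    def decide(self, req: AccessRequest) -> bool:
        """Return True if access is granted; always append an audit record."""
        allowed = (self._user_based(req) or self._role_based(req)) and self._context_ok(req)
        reason = "policy"
        if not allowed and req.emergency and req.justification:
            # Procedure for emergency access: grant outside normal policy, but
            # mark the record so it is reviewed afterwards.
            allowed, reason = True, "emergency"
        self.audit_log.append({
            "seq": len(self.audit_log) + 1,
            "user": req.user,
            "role": req.role,
            "resource": req.resource,
            "hour": req.hour,
            "allowed": allowed,
            "reason": reason,
            "justification": req.justification,
        })
        return allowed

    def entries_for_review(self) -> list[dict]:
        """Audit control: pick out activity that warrants examination, here
        every emergency grant and every denied attempt."""
        return [e for e in self.audit_log
                if e["reason"] == "emergency" or not e["allowed"]]


def build_example_policy() -> AccessControl:
    """Constructed policy: one user-based grant, one role with a day-shift window."""
    return AccessControl(
        user_grants={"alice": {"patient/1234/record"}},
        role_grants={"nurse": {"patient/"}},
        role_hours={"nurse": (7, 19)},
    )


if __name__ == "__main__":
    ac = build_example_policy()
    for req in (
        AccessRequest("alice", "billing", "patient/1234/record", 10),
        AccessRequest("bob", "nurse", "patient/55/record", 10),
        AccessRequest("bob", "nurse", "patient/55/record", 23),
        AccessRequest("bob", "nurse", "patient/55/record", 23, True, "code blue, ward 3"),
        AccessRequest("carol", "billing", "patient/55/record", 10),
    ):
        print(req.user, req.resource, "allowed" if ac.decide(req) else "denied")
    for entry in ac.entries_for_review():
        print("review:", entry)
```

The emergency path deliberately requires a justification and never bypasses the audit record: the organization's ability to identify suspect access activity after the fact depends on the log being complete, including the grants that normal policy would have refused.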

c. Authorization Control

There would be a requirement to put in place a mechanism for obtaining consent for the use and disclosure of health information. These controls would be necessary to ensure that health information is used only by properly authorized individuals. Either of the following implementation features may be used:

  • Role-based access.
  • User-based access (see access control, above).

d. Data Authentication

Each organization would be required to be able to provide corroboration that data in its possession has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a checksum, double keying, a message authentication code, or digital signature.
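As an added illustration of section d (not part of the proposed rule), the block below computes two of the named mechanisms over a constructed patient record, a checksum and a message authentication code, and shows what each one does and does not corroborate when the record is altered. The record and keys are constructed; a production key would be drawn from a key store. Digital signatures, the other mechanism named above, need a public-key library and are not shown.

```python
"""Data authentication: corroborating that a record has not been altered.

Added illustration for section d; not part of the proposed rule. The record
and the keys are constructed; a production key would come from a key store.
"""
from __future__ import annotations
import hashlib
import hmac
import zlib


def checksum(data: bytes) -> int:
    """Unkeyed integrity check (CRC-32). It detects accidental corruption,
    but carries no secret, so by itself it cannot distinguish an authorized
    write from an unauthorized one."""
    return zlib.crc32(data)


def checksum_matches(data: bytes, expected: int) -> bool:
    return zlib.crc32(data) == expected


def message_authentication_code(key: bytes, data: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA-256). Only a holder of the key can produce a tag
    that verifies, so a valid tag corroborates both integrity and origin."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_matches(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so the comparison itself does
    # not leak where the first differing byte lies.
    return hmac.compare_digest(message_authentication_code(key, data), tag)


def corroboration_report(record: bytes, key: bytes, other_key: bytes) -> dict[str, bool]:
    """Store a checksum and a MAC for a record, then check both against the
    original record and against a modified copy of it."""
    stored_checksum = checksum(record)
    stored_tag = message_authentication_code(key, record)
    altered = record.replace(b"penicillin", b"none")
    return {
        "checksum_accepts_original": checksum_matches(record, stored_checksum),
        "checksum_rejects_altered": not checksum_matches(altered, stored_checksum),
        # A checksum recomputed over the altered data verifies: the check has
        # no key, so it corroborates nothing about who made the change.
        "checksum_accepts_recomputed": checksum_matches(altered, checksum(altered)),
        "mac_accepts_original": mac_matches(key, record, stored_tag),
        "mac_rejects_altered": not mac_matches(key, altered, stored_tag),
        # A tag produced under a different key does not verify, so the
        # verifier can tell that the tag did not come from the expected key holder.
        "mac_rejects_other_key": not mac_matches(
            key, record, message_authentication_code(other_key, record)),
    }


RECORD = b"patient=1234;allergy=penicillin"       # constructed sample record
KEY = b"constructed-demo-key-do-not-use-0000"     # constructed; use os.urandom(32) in practice
OTHER_KEY = b"constructed-other-key-1111111111111"

if __name__ == "__main__":
    for name, ok in corroboration_report(RECORD, KEY, OTHER_KEY).items():
        print(f"{name}: {ok}")
```

The practical point for a covered entity is the difference in what is corroborated: a checksum alone supports detection of accidental damage, whereas a MAC (or a digital signature) ties the integrity check to a key that an unauthorized party should not hold, which is what "not altered in an unauthorized manner" actually requires.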

e. Entity Authentication

Each organization would be required to implement entity authentication, which is the corroboration that an entity is who it claims to be. Authentication would be important to prevent the improper identification of an entity who is accessing secure data. The following implementation features would be used:

  • Automatic logoff.
  • Unique user identification.

In addition, at least one of the following implementation features would be used:

  • A biometric identification system.
  • A password system.
  • A personal identification number (PIN).
  • Telephone callback.
  • A token system that uses a physical device for user identification.
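The block below is an added illustration of section e and is not part of the proposed rule. It combines the two mandatory features, unique user identification and automatic logoff, with a password system as the additional feature: each user identifier may be registered only once, passwords are stored as salted iterated hashes rather than in the clear, and a session whose idle time exceeds the timeout is ended on the next use. The idle timeout, PBKDF2 parameters, user names and passphrases are constructed; the clock is injectable so that idle expiry can be exercised without waiting.

```python
"""Entity authentication: unique user identification, a password system and
automatic logoff after idle time.

Added illustration for section e; not part of the proposed rule. The idle
timeout, PBKDF2 parameters, user names and passphrases are constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed policy value
PBKDF2_ITERATIONS = 100_000      # constructed; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash so that a stored verifier does not reveal the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Session:
    user_id: str
    last_activity: float


class Authenticator:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock              # injectable so idle expiry can be tested
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user_id: str, password: str) -> None:
        # Unique user identification: every entity gets its own identifier, and
        # a duplicate is refused so that recorded activity stays attributable.
        if user_id in self.users:
            raise ValueError(f"user identifier already in use: {user_id}")
        self.users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        record = self.users.get(user_id)
        if record is None or not verify_password(password, *record):
            return None   # same answer for an unknown user and a wrong password
        token = os.urandom(16).hex()
        self.sessions[token] = Session(user_id, self.clock())
        return token

    def authenticated_user(self, token: str) -> Optional[str]:
        """Resolve a token to its user, enforcing automatic logoff on idle time."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]          # automatic logoff
            return None
        session.last_activity = now
        return session.user_id


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("nurse01", "constructed-passphrase")
    token = auth.login("nurse01", "constructed-passphrase")
    print("logged in as", auth.authenticated_user(token))
    print("wrong password ->", auth.login("nurse01", "wrong"))
```

Expiry is enforced lazily at the next use of the token rather than by a background timer; that is sufficient because an idle session that is never presented again can do nothing, and it keeps the logoff decision in one place that can be audited.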