System access controls are a concept that refers to the use of various verification techniques used by entities to restrict particular system access to certain individuals. The use of system access controls is as old as any known civilization on Earth. System access controls could be used to restrict the entry of individuals to a place or use of an object. A password or a cryptographic question was used in old times. With the advent and advancement of information technology, system access controls have become more reliable and diverse.
With the evolution of information technology access control techniques have greatly corrected themselves for loopholes and gray areas. Passwords were the first introduction in this regard. A password is a codeword or a combination of digits that could be remembered by a human mind. Although still used by many entities, passwords have been greatly replaced by bar code or a magnetic stripe technology, in which the holder of the machine-readable instrument himself does not know the code. An ATM card is an example. Lastly, identification through a part of the human body such as an eye or a fingerprint is more enhanced and reliable access control that is used by limited entities owing to the cost of installation of such a system.
The three most commonly recognized systems are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). Discretionary Access control is a system access policy that is defined by the owner of the restricted resource or object (DoD, 1985). The owner specifies individuals who are allowed to access the system and also the authority that they have over the system. Mandatory access control is a verification process defined by the system rather than the owner.
The system sets priority or sensitivity levels for the users and the resources. The allowance of access to the system depends on whether the person requesting the information has a sensitivity level equal to that of the information. Lastly, Role-Based Access control is again determined by the system. Although closely similar to MAC, RBAC sets additional control levels for the users depending on their roles and authority.
System security in any form has always been vulnerable to the threat of unauthorized or more than desired access. The most common and weakest among such systems is a user-chosen password or PIN protection for system access. Password is known by the user and can be easily transferred to another person at the user’s discretion. Secondly, passwords are also subject to stealing by guessing or code-breaking. On other hand, a card having a magnetic stripe is also common but is extremely risky when it comes to effective access control. Machine-readable cards are subject to theft and misplacing.
Health Information management has been experiencing issues in system security and access controls. Health records and information are sensitive and at the same time must be shared across safe passages for better understanding and knowledge of the disease. Paper-based information systems still prevail in most public healthcare places and computerized systems where installed tend to have fewer security measures. (Lorence, Churchill 2005) A good information security program may have various factors, from the training of staff to developing trust between the patients and the healthcare providers. The most important part is that information security demands constant and consistent diligence and evaluation.
Basic components of a good information security program in a healthcare organization are adoption of electronic media and computerized information system mandated by the Federal and other security standards, proper and secure coding of the patient or disease data onto an electronic database as defined by standards of ethical coding (AHIMA, 2008); and finally, acquiring technological safeguards to counter any information breach or security threat to ensure privacy, safety, and confidentiality of the information. All these components together with effective staff training that divulges awareness about the importance of PHI confidentiality create a secure information system.
With the increasing adoption of standards and the use of electronic media for keeping sensitive information, there is an increased risk of security and privacy violation on part of healthcare providers. In this regard, the foremost remedy is to ensure the strength and reliability of the passwords. Rather than a user-chosen password, the idea is to use a combination of asymmetric (public-key) and symmetric (secret-key) cryptography that makes a common password to ensure secure information sharing over an insecure network (Bellowin, Merrit ’92). Strong cryptography safeguards against guessing attacks.
Secondly, any health care organization should implement an effective system that monitors false log-in attempts and weak passwords. Such a security awareness program should include objectives like obliging the staff to keep strong passwords that are frequently changed. Staff should be trained on how to select strong passwords, how to safeguard them and why they should not be cycled, and how to recognize “social engineering attacks” (Landoll,2006). Passwords should never be saved on a system that could be accessed by another person. Also, the interface should be system-oriented where only the system knows the verification passwords so that no other person has access to the passwords. The system could have defined criteria that would prompt weak and cycled passwords or multiple failed log-in attempts.
(1985) Trusted Computer System Evaluation Criteria. United States Department of Defense. DoD Standard 5200.28-STD.
Steven M. Bellovin, Michael Merritt, (1992) “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” sp,pp.72, IEEE Symposium on Security and Privacy.
Lorence, D.P., Churchill, R. (2005). Incremental adoption of information security in health-care organizations: implications for document management. : Information Technology in Biomedicine, IEEE Transactions on. 9, 169-173.
(2008). AHIMA. Web.
Landoll, Douglas J. (2006). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. CRS Press.