476 A Practical Guide to Security Assessments
These policies and procedures should be designed to allow access only to those
persons or software programs that have been granted access rights as specified in the
Administrative Safeguards section on Information Access Management. The
Administrative Safeguards section requires entities to have policies and procedures
for granting access to systems where electronic protected health information is
maintained; this Access Control requirement essentially requires that those
policies and procedures be enforced by technical controls on the systems themselves.
Entities should therefore use the access-control capabilities their systems offer
(operating system, database, and application permissions) to ensure that access is
limited to those who require it. Based on comments received during the rulemaking,
access control was further clarified to include:
• Context-based access
• Role-based access
• User-based access
a. REQUIRED Implementation Specifications
i. Unique User Identification
“Assign a unique name and/or number for identifying and tracking user identity.” [46]
Unique user identification is a generally accepted information security best
practice and is one of the items covered in the user ID administration checklist. The
idea behind this requirement is accountability: when every action can be traced to
one identified person, users are answerable for what they do, and the other HIPAA
security requirements (access control, audit controls) can be enforced. One item to
note is that access exists at several levels within an organization, including network
logon, application logon, and remote access, and a user may hold a different ID at each
level. This requirement applies specifically to access to electronic information systems
containing electronic protected health information.
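The following is an added example, not code from the book and not any vendor's
implementation, showing how the three access-control models listed above (user-based,
role-based, context-based) and the unique-ID requirement fit together on one
ePHI system. The user list, role table, per-user deny, the "on-site" address range
(10.20.0.0/16) and clinical hours (07:00 to 19:00) are all constructed assumptions for
illustration. Every decision is written to an audit trail keyed on the login name,
which is only meaningful if each login belongs to exactly one person; the last
function flags logins that do not.

```python
"""Added example: user-, role- and context-based access checks for an ePHI
system, with an audit trail keyed on the unique user ID.  All data below is
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

# Constructed account export.  "person" is the one individual who owns the
# login; a login with no named owner is a shared/generic account.
USERS = {
    "jsmith":  {"person": "Jane Smith", "roles": {"physician"}},
    "rlee":    {"person": "Robert Lee", "roles": {"billing"}},
    "nurse01": {"person": None,         "roles": {"nurse"}},  # shared account
}

# Role-based access: which actions each role may perform on ePHI records.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse":     {"read"},
    "billing":   {"read_billing"},
}

# User-based access: explicit per-user denies that override role grants
# (e.g. a clinician barred from one specific patient's record).
USER_DENIES = {("jsmith", "MRN-0002")}

ON_SITE_PREFIX = "10.20."          # assumed on-site workstation network
CLINICAL_HOURS = range(7, 19)      # assumed 07:00-19:00


def context_allows(ctx):
    """Context-based access: after hours, only on-site workstations may read."""
    on_site = ctx["source_ip"].startswith(ON_SITE_PREFIX)
    after_hours = ctx["time"].hour not in CLINICAL_HOURS
    return on_site or not after_hours


@dataclass
class AuditEvent:
    user_id: str      # the unique ID the action is traced back to
    action: str
    record: str
    allowed: bool
    reason: str


AUDIT_LOG = []


def _log(user_id, action, record, allowed, reason):
    evt = AuditEvent(user_id, action, record, allowed, reason)
    AUDIT_LOG.append(evt)
    return allowed, reason


def check_access(user_id, action, record, ctx):
    """Evaluate user-, role- and context-based rules; log and return the decision."""
    user = USERS.get(user_id)
    if user is None:
        return _log(user_id, action, record, False, "unknown user id")
    if (user_id, record) in USER_DENIES:
        return _log(user_id, action, record, False, "user-based deny")
    if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]):
        return _log(user_id, action, record, False, "role lacks permission")
    if not context_allows(ctx):
        return _log(user_id, action, record, False, "context: remote access after hours")
    return _log(user_id, action, record, True, "granted")


def shared_logins(users):
    """Unique-ID check: logins that are not tied to exactly one named person."""
    return sorted(uid for uid, info in users.items() if not info["person"])


if __name__ == "__main__":
    day = {"source_ip": "10.20.5.17", "time": datetime(2024, 3, 1, 10, 0)}
    night_remote = {"source_ip": "203.0.113.5", "time": datetime(2024, 3, 1, 22, 0)}
    print(check_access("jsmith", "read", "MRN-0001", day))
    print(check_access("jsmith", "read", "MRN-0002", day))
    print(check_access("rlee", "read", "MRN-0001", day))
    print(check_access("nurse01", "read", "MRN-0001", night_remote))
    print("shared logins:", shared_logins(USERS))
    for evt in AUDIT_LOG:
        print(evt)
```

The audit events for `nurse01` illustrate why the unique-ID specification matters: the
decision is recorded, but because the login has no single owner, the organization
cannot say which nurse attempted the after-hours remote read.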
1. Identify the systems that contain electronic protected health information
and how they can be accessed.
Guidance: This information should already be available from the initial
analysis, but it is a good idea to confirm which systems contain electronic
protected health information. In addition, all the different ways the systems
can be accessed (local logon, application front end, network, and remote access)
should be identified.
Client Response:
2. Do individuals accessing the identified systems have unique IDs for
access?
Guidance: Systems containing electronic protected health information
should be using unique IDs. There may be situations where applications