How To Secure An Emr-Link System Architecture

Transcription

1 EMR-Link Security Administration Guide Introduction This guide provides an overview of the security measures built into EMR-Link, and how your organization s security policies can be implemented with these mechanisms. All security settings are under control of the admin user(s) in your organization. Security Overview Secure Connections over the Internet EMR-Link is a cloud-based service, running on Liaison servers in secure data centers. These data centers provide strong security to protect the system from unauthorized physical access as well as from unauthorized use over the Internet. Users connect to EMR-Link using a secure SSL connection from a web browser. SSL is enabled automatically and requires no user action. Users authenticate with EMR-Link using a username and password. System-to-system connections with EMR-Link, such as from an EHR or a lab system, is made over an encrypted communications channel. This may be SSL or may be a VPN or other mechanism, depending on the technical details of the system with which EMR-Link is connected. Authentication of both ends of the connection is done via a security key; usage depends on the details of the connection. Security Infrastructure At the EMR-Link data center, a series of firewalls insulates different parts of the system to provide multiple layers of security. Servers storing Protected Health Information are not directly accessible from the Internet, but only from the application servers and through the Liaison administrative VPN. Customer Security Responsibilities Managing security settings and user accounts is delegated to the customer organization, to allow implementation of customer-specific security policies. And because EMR-Link connects with and works in conjunction with the EHR, overall security depends on securing the EHR environment and the customer s networks and workstations, as well as proper use of security settings within EMR-Link. The customer has these specific responsibilities: Configuring EMR-Link security settings in accordance with the customer s security policies. Creating user accounts and assigning appropriate permissions based on the user s role, and modification or termination of user accounts when responsibilities change. Monitoring the EMR-Link audit log for any unauthorized activity. EMR-Link System Architecture 1 Last updated: 3/12/2015

2 EMR-Link Security Settings Passwords The first step in configuring security is to establish a password policy, to determine the complexity of passwords, when they expire, and how to handle login failures that may be evidence of attempts to gain unauthorized access to the system. The screenshot below shows the password settings. Password Expiration this setting controls how long a given password can be used before it must be changed. Good password policy requires periodic password changes, to limit the usability of passwords that might have been compromised in the past. Password Requirements these settings control how complex passwords must be. Complex passwords are more difficult to guess or to attack using brute force methods. The password reuse limit prevents a user from recycling the same small number of passwords, so that new passwords must be selected. Account Lockout this setting helps delay attempts to guess a password, by limiting the number of attempts that can be made in a specific period of time. Since password guessing requires a large number EMR-Link System Architecture 2 Last updated: 3/12/2015

3 of attempts, this feature can make password guessing infeasible. The user account is automatically unlocked after a period of time, or can be manually unlocked by an administrator. Sessions When a user logs in, a new user session is created. Automatic termination of idle sessions is important to help prevent unauthorized use of an unattended workstation. There is also a setting to enable manual locking. This allows a user to lock their EMR-Link session when leaving their workstation, without logging out. The user will then need to re-enter their password to reactivate the session. Other Security Settings Integrated Authentication EMR-Link provides a mechanism to connect to the customer s own authentication system, such as Active Directory. This requires installing a redirection page on the customer s intranet server; EMR-Link Support can assist with configuring this. Mobile Settings these settings control authentication from a mobile device, when using EMR-Link Mobile. Server Side View Authentication Settings these settings control authentication for viewing server-side results via a URL from within the EMR. EMR-Link System Architecture 3 Last updated: 3/12/2015

4 Managing EMR-Link Users Permissions and Roles EMR-Link provides a set of permissions that can be assigned to a user login. Based on the user s permissions, certain features within EMR-Link are enabled or disabled. Users should be provided the minimum access consistent with their job requirements. In particular, there are two functional areas that should be carefully considered for each user: The need to access Protected Health Information; The need to be able to change EMR-Link settings. Creating and Managing Users User accounts are created from the Users navigation tab. When creating a new user account or modifying an existing account, the permission settings below are available. The EMR-Link username must be globally unique across all EMR-Link users, so an address is a good choice. The name field provides the name used in reports and on user screens. Phone is optional and is provided for information only. The field must be populated; this field is used if a user needs to reset his/her own password. A specific password can be entered and this is required when creating a new account. The Require Password Change checkbox should be checked for new user accounts or when an admin manually resets the password, to force the user to select a different password when they log in. There is also an option to manually unlock a locked account. The user permissions for the account should be verified, and modified if needed. The permissions are as follows: Manage Users allows viewing and modifying user accounts. Since this provides the ability to modify (i.e., increase) the permissions of users, it should be set only for admin users who specifically need to manage user accounts. View Users allows visibility of the set of user accounts but not the ability to change them. EMR-Link System Architecture 4 Last updated: 3/12/2015

5 Manage Config allows an administrator to change EMR-Link settings. This should be reserved for a small number of users who are responsible for managing lab settings, insurance lists, test code maps, and other settings. View Config allows only read access to settings. No editing is allowed. Manage Orders allows a user to create and modify orders. This permission allows access to PHI associated with orders. View Orders allows only read access to order data. PHI is visible, but no editing allowed. Manage Results allows a user to view and manage result reports, including PHI associated with those documents. View Results allows only read access to results data. PHI is visible, but no editing allowed. View Reports enables various reporting functions within EMR-Link. Some reports contain PHI; in that case a user only has access to those reports if they have the appropriate Manage Orders or Manage Results permission. Emergency Access this permission can be provided to a user who may need PHI access under exceptional circumstances, but where this access must be justified and documented on a caseby case basis. Such a user can invoke emergency access but must provide a written reason (which is stored in the audit log). Any user with View/Manage Orders or View/Manage Results is understood to have PHI access. Locations of Care EMR-Link supports multiple locations of care (LOCs) within a single EMR-Link account, and can restrict the ability of a user to access data in more than one location. This serves to modify the Manage Orders and Manage Results permissions. A given user can have access to all LOCs or to only specified ones. Provider List Patient information and lab results are associated with a specific provider from the provider list in EMR- Link. A provider and a user are not the same thing; for example, an MD may be creating orders that are sent through EMR-Link but the actual user logging into EMR-Link is a nurse or phlebotomist, not the MD. EMR-Link System Architecture 5 Last updated: 3/12/2015

6 A user account can be associated with specific providers, or to all providers. If limited to a specific set of providers, the user will see only orders, results and patient data for those specific providers. In addition, there may be data which doesn t explicitly identify a provider or an LOC, and a user may or may not have access to this information. Using the Audit Log All user actions in EMR-Link are logged to the Audit Log. Access to this log is achieved through the Reports tab. The log can be filtered and sorted using the controls below: The acting user or all users can be seen in the report, and the report can be organized by date, user or event type. Selecting next to Event Type provides a screen to select the events of interest: EMR-Link System Architecture 6 Last updated: 3/12/2015

7 Once the desired options have been set, data is displayed in a table and can be exported to a file for other uses. EMR-Link System Architecture 7 Last updated: 3/12/2015

8 Security When Accessing EMR-Link from Your EHR Configuration Information The details of how an EHR connects directly to EMR-Link for sending orders or retrieving results varies from one EHR type to another. The most common method is through use of a client component called FlexConnector, installed on servers or workstations that need access to EMR-Link. FlexConnector uses an auth key to identify the EMR-Link account to which it connects. The auth key must be protected from unauthorized access, and the FlexConnector itself must be protected from tampering, to avoid unauthorized access to EMR-Link. File System Security In most cases results are delivered to the EHR by first downloading them to an inbox folder on the EHR system, and then using the EHR s data import capabilities to move the results into the EHR. These downloaded files contain PHI and depending on the specific EHR, they may or may not be removed once they are imported. The customer should assure that this inbox is protected against unauthorized access and that the lab results files are removed or securely archived once they have been processed. Some EHRs use a corresponding method for sending orders, and these should be protected similarly. EMR-Link System Architecture 8 Last updated: 3/12/2015

9 Workstation Security Because EMR-Link is accessed from a web browser on the user s workstation, security gaps at the workstation can result in unauthorized access to data in EMR-Link. The customer is responsible for appropriate security policies, procedures and technical measures for workstation security, including: Maintaining the system with the appropriate security updates and patches; Use of anti-malware software on each workstation; Network security to prevent access to workstations from outside; Locking screensavers, session timeouts, password policies, and browser security settings as appropriate; Acceptable use and security policies and training of employees on security. EMR-Link System Architecture 9 Last updated: 3/12/2015