CCHIT Certification - Security - User Authentication

visolveemr wrote on Saturday, September 12, 2009:

Hi Team,

The ways to improve the user authentication are described below.

Note: We have framed the technical requirements based on our understanding. Your suggestions are most welcome.

**Technical Requirements**

1. CaCert certificates to verify the authenticity during the login

2. Two login names: One password is known by the IT manager and both passwords are known by the user. Only the user knows the second password, which is changed after initial login. This guarantees that the IT manager cannot misuse the password of the practitioner by simply changing a single password for the practitioner.

3. Good password policy:
• Eight character length or more.
• Must contain an upper case letter, a lower case letter, a number and a special symbol.
• Passwords need to be changed on a regular basis (every 6 weeks to 3 months).
• The system should log the last three passwords and prevent reuse.

4. Automated system monitors to disable user identifications that remain inactive for certain periods of time.

5. Option to remove the account.

6. The passwords should not be displayed while entered.

7. Storing the documents of workforce while adding the users.

Do share your views here.

Thanks
ViCare Team
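The password rules in items 3 and 4 above, written out as checkable functions. This is an added example, not code from the thread or from OpenEMR; it assumes the password history is kept as salted PBKDF2 hashes rather than the passwords themselves, and it assumes 90 days as the "certain period" of inactivity, which the post leaves unspecified.

```python
# Added example (not from the thread or OpenEMR): password policy checks.
import hashlib
import secrets
import string

MIN_LENGTH = 8
MAX_AGE_DAYS = 42          # rotate every 6 weeks (policy allows up to 3 months)
HISTORY_DEPTH = 3          # block reuse of the last three passwords
INACTIVITY_DAYS = 90       # assumption: "certain period" of inactivity = 90 days
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt_hex, digest_hex). Only hashes are kept in the history,
    so an exported user table never reveals old passwords."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def complexity_errors(password):
    """List every item-3 rule the candidate violates (empty list = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not any(c.isupper() for c in password):
        errors.append("no upper case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no special symbol")
    return errors


def is_reused(password, history):
    """history: list of (salt_hex, digest_hex), most recent first.
    Re-hash the candidate with each stored salt and compare in constant time."""
    for salt_hex, digest_hex in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, bytes.fromhex(salt_hex))
        if secrets.compare_digest(candidate, digest_hex):
            return True
    return False


def password_expired(days_since_change):
    return days_since_change > MAX_AGE_DAYS


def should_disable(days_since_login):
    """Item 4: accounts idle longer than the limit are disabled, not deleted."""
    return days_since_login > INACTIVITY_DAYS
```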

ideaman911 wrote on Saturday, September 12, 2009:

Please see my comments in the "Breakglass" section.  There is far more to worry about with external assault via "interconnectivity" than from local user password expiry policy.  The vast majority of users will not be technically sophisticated in such practices, which either assures higher costs for having "pros" do the maintenance (and therefore even greater exposure of the data), or reduced access when it is most needed.  Is ALL this REALLY necessary?

People with multiple sex partners need protection, and it needs to be physical.  The same is true for larger user bases.  But small users should NOT be forced to wade past the defenses of the DOD to provide healthcare, or they will simply refuse to use the EMR systems.

Joe Holzer, Idea Man
http://www.holzerent.com

cfapress wrote on Tuesday, September 15, 2009:

I’m a little unclear about some of the items presented. Could you help describe them more fully?

• Storing the documents of workforce while adding the users

• Two login names: One password is known by the IT manager and both passwords are known by the user

The other topics you discuss are good and could be enforced through software without too much work.

I firmly agree that all OpenEMR installations should be done with an SSL certificate, whether self-signed or signed by a trusted certificate source.

Jason

sunsetsystems wrote on Tuesday, September 15, 2009:

Agreed that a top priority is to keep the bad guys out for a site that is on the Internet or other large network.  For this I suggest client-side SSL certificates, to authenticate the client to the server.  This requires each user to install a certificate into their web browser and would be in addition to "normal" SSL which just authenticates the server to the client.

Rod 
(http://www.sunsetsystems.com/)

visolveemr wrote on Wednesday, September 16, 2009:

Yep… client-side certificates are already a part of our requirement for user authentication… the CAcert certificates which I'd referred to at the beginning of this conversation are client-side SSL certificates only…

Once the SSL implementation of OpenEMR is done (either through a local CA or a trusted CA) during installation, client-side validation can be enabled in the Apache web server (for Linux)…

For each user creation, a client-side certificate (using the local CA) can also be created. The same can be circulated to them through their email-id so that they can store it in their browser for further validation.

During the login process, we can verify the authenticity of the login using the client-side certificates.

Thanks

ViCare Team
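The Apache side of the client-certificate scheme described above, as an added configuration example that is not from the thread or from OpenEMR. Host name, paths and file names are placeholders; the local CA file is assumed to be the one that signs each user's certificate.

```apache
# Added example (not from the thread or OpenEMR): mod_ssl client-certificate
# verification for an OpenEMR virtual host. All paths are placeholders.
<VirtualHost *:443>
    ServerName   emr.example.org
    DocumentRoot /var/www/openemr

    SSLEngine on
    # Server certificate and key (self-signed, local CA or trusted CA):
    # this is the "normal" SSL that authenticates the server to the client.
    SSLCertificateFile    /etc/ssl/certs/emr-server.crt
    SSLCertificateKeyFile /etc/ssl/private/emr-server.key

    # Local CA that issued the per-user client certificates.
    SSLCACertificateFile  /etc/ssl/certs/openemr-local-ca.crt

    # "require" rejects the TLS handshake unless the browser presents a
    # certificate signed by that CA. "optional" would let unauthenticated
    # requests reach the application, leaving the check to PHP code.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Export SSL_CLIENT_S_DN_CN and friends as environment variables so the
    # login page can compare the certificate subject with the OpenEMR user.
    SSLOptions +StdEnvVars
</VirtualHost>
```

A user whose certificate is lost or who leaves the practice must have that certificate revoked at the CA; the server-side check alone does not expire it.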

visolveemr wrote on Wednesday, September 16, 2009:

Hi Jason,

Please find our replies to some of your questions…

**Storing the documents of workforce while adding the users**

This is to store the photo identity and other documents belonging to physicians, physician assistants, and nurse practitioners. In this way we can really verify the user who is going to have access to the healthcare system… Refer to "http://www.oemr.org/modules/wiwimod/index.php?page=UserAuthentication&back=WiwiHome".

**Two Passwords**

Two passwords can be configured for each user. One password is known by the IT manager and both passwords are known by the user. Only the user knows the second password, which can be changed after initial login.

This guarantees that the IT manager cannot misuse the password of the practitioner by simply changing a single password for the practitioner.

Do share your views here.

Thanks

ViCare Team

mbrody wrote on Wednesday, September 30, 2009:

You might want to look at the HIPAA Rules:

Unique User Identification: 164.312(a)(1)
Password Management: 164.308(a)(5)
Log-In Monitoring: 164.308(a)(5)

It has the HIPAA requirements. You probably already have this covered, but just to be sure. If you need more details on these HIPAA Rules, let me know.