List of HIPAA Access Control Policy

List of Health Insurance Portability and Accountability Act (HIPAA) Access Control Policy:
1. Internal network resources, so these resources can all be grouped together.
If a specific resource such as a file share or database requires additional authentication, then this takes place when a user accesses the resource. The only exception to this policy of grouping all resources is a set of HR applications that only a small set of external users is authorized to access. Note that these users may not access the other internal resources that other users can access.

2. List the groups or users.
Most users are in one main group that has network connectivity to all internal resources. A smaller group is composed of external users that have access to the set of HR applications mentioned in the previous step.

3. List the conditions under which the resources should be accessible by the groups.
There are several conditions for accessing resources:
– Users must use hosts managed by the organization to gain access to internal resources. These organization-managed hosts all have a system registry key installed that can be checked to verify their identity.

– Users who log in from systems in a public location such as a kiosk or Internet café, or who use their personal computers, can only access a limited set of Web-based applications such as email, calendaring, and the employee phone directory.

– The small group of external users that access the HR applications must also use organization-managed hosts to gain access to these applications.

– All hosts, public or otherwise, must be running the latest version of Windows with critical security updates installed and an antivirus package with an up-to-date virus signature database. They must also have a firewall program installed and running. Any host not meeting these requirements is not permitted to log in.

4. List how the VPN should be used to access the resources.
Resources are accessible in different ways:
– The organization’s internal resources are accessible by network extension because a broad number of them are hosted on multiple servers. Also, some Web-based applications do not function properly when proxying is used, so network extension must be used.

– When users log in from public hosts that are not organization-managed, they can access a set of Web-based applications via proxy.

– The set of HR applications is accessible by network extension because some require many interlocking programs and cannot be accessed by other means.
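
The four steps above combine into a single access decision per login. The sketch below is an added example, not part of the original policy text. The group names, field names and resource labels are assumptions, as are two interpretations: an external HR user on an unmanaged host is denied outright, and any unlisted group is denied by default.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    managed: bool           # organization's registry key was found on the host
    os_patched: bool        # latest Windows with critical security updates
    av_current: bool        # antivirus installed with up-to-date signatures
    firewall_running: bool  # firewall program installed and running

@dataclass(frozen=True)
class Decision:
    allowed: bool
    method: Optional[str]     # "network-extension" or "proxy"
    resources: Optional[str]  # "internal", "hr-apps" or "web-apps" (assumed labels)
    reason: str

def evaluate(group: str, host: Host) -> Decision:
    # Step 3, last condition: every host must pass the baseline before login.
    failed = [name for name, ok in (("os_patched", host.os_patched),
                                    ("av_current", host.av_current),
                                    ("firewall_running", host.firewall_running)) if not ok]
    if failed:
        return Decision(False, None, None, "posture check failed: " + ", ".join(failed))
    if group == "external-hr":
        # HR users reach only the HR applications, and only from managed hosts.
        if host.managed:
            return Decision(True, "network-extension", "hr-apps", "managed host")
        return Decision(False, None, None, "HR applications require a managed host")
    if group == "main":
        if host.managed:
            return Decision(True, "network-extension", "internal", "managed host")
        # Public or personal host: limited Web applications through the proxy.
        return Decision(True, "proxy", "web-apps", "unmanaged host")
    # Default deny for any group the policy does not list (assumption).
    return Decision(False, None, None, "unknown group")

# Constructed sample logins, not taken from the page.
SAMPLES = [
    ("main", Host(True, True, True, True)),
    ("main", Host(False, True, True, True)),
    ("main", Host(True, True, False, True)),
    ("external-hr", Host(True, True, True, True)),
    ("external-hr", Host(False, True, True, True)),
]

if __name__ == "__main__":
    for group, host in SAMPLES:
        print(group, host, "->", evaluate(group, host))
```

The posture check runs before any group logic, so a managed host with stale antivirus signatures is refused just like a kiosk would be.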
