ABSTRACT PLUS VERSION 3: Security Standards Upheld. Scott Van Heest IT Specialist, Data Analysis and Support Team, NPCR, CDC Denise Farmer CDC/NPCR Contractor. National Center for Chronic Disease Prevention and Health Promotion.
ABSTRACT PLUS VERSION 3: Security Standards Upheld
Scott Van Heest, IT Specialist, Data Analysis and Support Team, NPCR, CDC
Denise Farmer, CDC/NPCR Contractor
National Center for Chronic Disease Prevention and Health Promotion
Division of Cancer Prevention and Control
NAACCR 2010 Annual Conference, Quebec City, Canada, June 24, 2010
Background
• NPCR program standards require registries to have data security procedures in place to ensure cancer registry data are available only to those who need to use it for legitimate purposes
• Controlling access to data helps ensure patient privacy and data confidentiality
• Abstract Plus version 3 has improved software features to uphold security standards
Abstract Plus Purpose
• Summarize the medical record into an electronic report of cancer diagnosis and treatment by abstractors and other individuals or groups who work with cancer data
• Conduct casefinding, reabstracting (blind or un-blinded), and recoding audits of reporting facilities and central registry coding staff
• CDC provides support and consultation to state central registries for their state-specific customization and distribution of the Registry Plus software
Abstract Plus Functions
• Used to abstract, code, and audit cancer cases using standard data items and codes
• Supports abstraction and auditing of all data items in national standard data sets, including all text fields and state-specific data items
• Entered abstracts are validated by customizable edits, allowing for interactive error correction while abstracting
• Customized by central registries for distribution to and use by hospitals and other reporting sources
• Also used for special projects and start-up registries
Security Features
• Options to configure security policies
• Form-based authentication, and Challenge Questions for individual users
• User passwords stored and encrypted using a one-way hash method
• Microsoft Access encrypted databases
• Microsoft SQL Server database option
• Role-based access
Results: Application Preferences
• Security Policies
• Security Challenge Questions
• Password Expiration, Re-use, and Password Expression (restrictions) options
• Database options
Security Policies
• Options for challenge question setup and use
• Options for password expiration, re-use and password restrictions
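An added example, not Abstract Plus code: how one-way hashed storage (listed under Security Features) can support the re-use and expiration options without keeping any password in recoverable form. PBKDF2-HMAC-SHA256, the iteration count, the history depth, the 90-day window and the `Account` class are assumptions; the slides do not name the hash method or the policy values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 200_000           # assumed work factor; tune to the hardware
HISTORY_DEPTH = 5              # assumed: block re-use of the last 5 passwords
MAX_AGE = timedelta(days=90)   # assumed expiration window


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for new passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Re-hash with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Hypothetical account record: only salted hashes are ever stored."""

    def __init__(self, password, now):
        self.history = []      # list of (salt, digest), newest last
        self.set_password(password, now)

    def set_password(self, password, now):
        # Re-use check: the candidate is hashed with each old salt in turn,
        # so no earlier password has to be kept in clear text.
        if any(verify(password, old) for old in self.history[-HISTORY_DEPTH:]):
            raise ValueError("password was used recently")
        self.history.append(hash_password(password))
        self.changed_at = now

    def login(self, password, now):
        if not verify(password, self.history[-1]):
            return "denied"
        return "expired" if now - self.changed_at > MAX_AGE else "ok"


if __name__ == "__main__":
    start = datetime(2010, 6, 24)
    account = Account("Registry-Plus-2010x", start)   # constructed password
    print(account.login("Registry-Plus-2010x", start + timedelta(days=100)))
```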
Security Questions
• Add or remove challenge questions to be presented to the user
• Security Challenge Questions can be added or removed from current list of questions
Password Expression
Use default Edit Test custom password restrictions
• Customized password restrictions can be set via regular expression, or the default expression can be used
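An added example, not part of the original slides or of Abstract Plus: a Python sketch of checking passwords against an administrator-set expression, with a dry-run helper in the spirit of testing custom restrictions before saving them. Both expressions, the denylist and the sample passwords are assumptions; the product's default expression is not shown on the slides.

```python
import re

# Assumed expressions: 8-20 characters with lower, upper and digit; and a
# stricter custom one requiring 12-64 characters plus a symbol.
ASSUMED_EXPRESSION = r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,20}"
STRICT_EXPRESSION = r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,64}"
# The initial access password named on the slides. Complexity rules alone
# accept it, so a new password is also checked against this denylist.
DENIED = {"welcome1"}
# Constructed sample passwords for the dry run.
SAMPLES = ["Welcome1", "welcome1", "Short1A", "Registry-Plus-2010x"]


def compile_expression(expression):
    """Reject an expression that does not compile before it becomes policy."""
    try:
        return re.compile(expression)
    except re.error as exc:
        raise ValueError(f"invalid password expression: {exc}") from exc


def matches_expression(expression, candidate):
    """The whole password must match; fullmatch avoids accepting a password
    merely because some substring of it satisfies an unanchored expression."""
    return compile_expression(expression).fullmatch(candidate) is not None


def acceptable_new_password(expression, candidate):
    """Policy check for a new password: denylist first, then the expression."""
    if candidate.lower() in DENIED:
        return False
    return matches_expression(expression, candidate)


def dry_run(expression, samples):
    """Show which sample passwords a candidate expression would accept."""
    return {sample: matches_expression(expression, sample) for sample in samples}


if __name__ == "__main__":
    for name, expr in (("assumed", ASSUMED_EXPRESSION), ("strict", STRICT_EXPRESSION)):
        print(name, dry_run(expr, SAMPLES))
```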
Database Options
• SQL Server options
MS Access Encrypted Databases
• Password protected access outside application
• User passwords encrypted in database
• Common database access needs met through menu selections
• Support available for database customization
MS SQL Server Database Option
• Requires SQL Server database management for abstract database
• Allows multi-user abstract database access, with record locking
• Requires database connection string for setup
• SQL Server offers inherent security features
• Login same as MS Access option
• Database option included in title bar
Role-based Access
• Facility Abstractors (login access): Add, edit, delete, print, and export abstracts
• Auditors (additional password required): perform all Facility Abstractor functions, plus:
  • Perform casefinding, reabstracting, and recoding audits
• Administrators (additional password required): perform all Facility Abstractor and Auditor functions, plus:
  • Set application preferences
  • Manage abstracting and auditing display types, and set up audit databases
  • Manage user accounts and passwords
  • Maintain Administrator/Auditor passwords
Form-based Authentication
• Login requires valid username and password
• First-time access to application requires setup of user account
• Initial login requires setup of user’s password with challenge security questions
• Forgotten password can be reset by user with valid answers to challenge questions
• Password can be managed by user or administrator
• User allowed to change password (must know old password)
Creating User Account on Initial Access
• Enter User Name, User ID, and Initials
• Click Add
• Click Close
(Screenshot callouts: User Name, User ID)
Initial Log In
• Enter User ID from new user account
• Enter default, initial access password (Welcome1)
• Update default password to new secure, user-specified password
(Screenshot callouts: User ID, Welcome1, Enter and confirm new password)
Define User’s Security Questions
• Prompted to select and answer required number of questions
• Each selected question must be different
• Verification of answers used to reset forgotten password
(Screenshot callout: Select questions and answers)
Routine Log In
• User ID and Password required
• Password is case sensitive
• Click Forgot Password to reset password using security questions to verify user
• Click Change Password to change existing, known password
(Screenshot callouts: User ID, Password)
Conclusions
Abstract Plus version 3:
• Provides user-friendly, flexible options for meeting changing security standards
• Preserves the confidentiality, integrity, and availability of cancer registry data
Thank You!
Denise Farmer, dfarmer@cdc.gov
Joe Rogers, jrogers@cdc.gov
Sherrie Stein, sstein@cdc.gov
Kathleen K. Thoburn, kthoburn@cdc.gov
The findings and conclusions in this report are those of the authors and do not necessarily represent the official position of the Centers for Disease Control and Prevention.