iRIS Security Features

iMedRIS products are designed to the highest level of security and confidentiality.

The security features that iMedRIS implemented into the software are designed to meet the guidelines set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This document explains our HIPAA compliance and describes the product features that support compliance with federal regulations. Outlined in this document are features designed within the product and security measures that are in place for iMedRIS hosting.

The following hosting agreement features are contained within our product:

I. Audit Trail

The audit trail tracks access to all records. For changed data, the system audit trail captures the old and new values of every data point, together with the username and date/time stamp. The system also records all successful and unsuccessful login attempts, along with the IP addresses and computer information of the origin(s) of each attempted login. The Audit Trail is a data integrity feature that tracks who did what and when. It is accessed through system reports. Audit information cannot be altered, and audit tables can be viewed or reported on only from an IRB administrator role.

II. Identification and Authentication Management
The login screen URL is accessible through HTTPS; therefore all communication channels will be encrypted.

a. Unique Identification. Each user shall be uniquely identified and that identity shall be associated with all auditable actions taken by that individual.

b. Authentication at Logon. Users shall be required to authenticate their identities at “logon” time by supplying their authenticator, such as a password, smart card, or biometrics, in conjunction with their user identification (ID) prior to the execution of any application or utility on the system.

c. Access to Authentication Data. Access to authentication data shall be restricted to authorized personnel through the use of encryption or file access controls, or both.

d. User ID Re-use. Prior to reuse of a user ID, all previous access authorizations (including file accesses for that user ID) shall be removed from the system.

e. User ID Removal. When an employee terminates, loses access to the system for cause, or no longer has a reason to access the IS, that individual’s user ID and its authentication shall be disabled or removed from the system.

f. User ID Revalidation. Active user IDs are revalidated at least annually.

g. Protection of Individual Authenticator. An authenticator that is in the form of knowledge (password) or possession (smart card, keys) shall not be shared with anyone.

h. Password protection. All access to the application requires authenticated access to the system using a login identifier and password. Passwords are always encrypted and login identifiers are unique. The user password is maintained encrypted within the database using a strong encryption algorithm.

i. Password aging. All users are required to change their passwords within a customer-specified period of days. 90-day password expiration is the default. Users are warned before the password expires.

j. Protection of Individual Passwords. When passwords are used as authenticators, the following shall apply:

  1. Passwords shall be protected at a level commensurate with the sensitivity level or classification level and classification category of the information to which they allow access.

  2. Passwords shall contain a minimum of eight non-blank characters, shall be valid for no longer than 12 months and changed when compromised.

  3. Passwords shall be generated by a method approved by the CSA. Password acceptability shall be based on the method of generation, the length of the password, password structure, and the size of the password space. The password generation method, the length of the password, and the size of the password space shall be described in an attachment to the SSP.

  4. When an IS cannot prevent a password from being echoed (e.g., in a half-duplex connection), an overprint mask shall be printed before the password is entered to conceal the typed password.

  5. Passwords must be encrypted for transmission and storage using SSL. Passwords may not be transmitted or stored in clear text.

k. Authenticated server access. Access to the internal database structure is granted only to users with Database Administration (DBA) privileges. No database changes can be made without these DBA privileges.

l. Automatic log off. The system automatically logs a user off the system when no activity is detected for a specified length of time. This prevents a situation where a user steps away from his/her desk, inadvertently leaving confidential information visible on their screen. The length of the inactivity period for a session is variable and can be defined by the system administrator.

m. Screen Access. A software administrator can further restrict access to all screens in iRIS™. A comprehensive “check-off” list of all available screens within iRIS™ can be configured to meet each user's individual needs to access confidential data.





Copyright © 2001 - 2003 iMedRIS Data Corporation