Anticlue

Security and Healthcare Applications

System Security Policies are needed for any healthcare related application. These policies will help to standardized security practices throughout an institution.

One of the main items needed for security is to look at things from the point of restricting access. Only allow users access to the data they need to see. Otherwise confidentiality issues may occur. Its an interesting mix balancing the patient's right to privacy and appropriate access levels of the system users.

Also into the application it is best to have an auditing mechanism architected into the main solution. The auditing functionality includes who logged in, what did they do, when did that do it and from where did they access the system. Include in the auditing a way to determine if the application is logged into from home through remote access. Beware of remote access plans that nat everyone's ip to the same thing. If there is a systematic way to examine the audit trails of an application for a breach of confidentiality, its a very good thing.

Another item to consider is how long until the application times out. For instance, no application should be available above 30 minutes between keystrokes or mouse maneuvers. Have a standardized timeout set for the institution, and have that added to all applications.

Its easier to have a single signon, but this needs to rotate passwords frequently every 100 days. Passwords should be complex, not the work password for instance. The authentication may include who you are, what you know, what you have, and maybe even where you are.

It is a good idea to have a basic set of security practices detailed and agreed to with all stakeholders.