PRACTICE PARAMETER 8 Electronic Information
3. Users should generally be required to reauthenticate after 30 minutes of inactivity, or after 12 hours of use
regardless of activity, to ensure the user is still present and actively using the system. Some exceptions may
be made in particular settings, such as operating or procedure rooms where physical security can be ensured
and periodic reauthentication is not feasible.
4. Two-factor authentication, often referred to as strong authentication, strengthens authentication by
requiring two independent ways to establish user identity and associated privileges. The second factor is
often a physical device or an application on a personal device, such as a smartphone, but for human agents it
may increasingly be a biometric feature (fingerprint, face, voice). Indeed, biometric authentication is
becoming more common on smartphones and other personal devices, which, in some cases, provide access to the
second factor. However, biometric features should be limited to the second factor rather than serving as the
primary method of authentication, as they are probabilistic rather than deterministic and can be fraudulently
replicated (ie, from photographs or latent fingerprints). Alternately, if the agent is another computer, the
second factor is often a cryptographic certificate, which must be preapproved by the authenticating system.
Multifactor authentication should be configurable to apply higher or lower degrees of secondary
authentication depending on the trust of the authenticating device. For example, a device on a trusted
network may only need a second form of authentication once a month, whereas a device connecting from a
foreign nation known to have an active hacking community may require a second form of authentication for
each login. Hardware-based two-factor authentication (2FA) should be considered. Other methods of 2FA, such
as text/SMS codes, are vulnerable to SIM swap attacks, in which the telephone's text messages are redirected
to a device the attacker controls. App-based software tokens are more secure for 2FA than text/SMS because
their codes are derived from a secret seed stored on the device rather than from the telephone number.
However, if that device is compromised or the seed is captured (for example, from an insecurely stored
backup), the attacker can generate every subsequent two-factor code. A hardware device has no moving parts,
is easy to use and generally can be carried into secure working environments such as military bases [14].
5. Many other advanced methods of passphrase and authentication security can be found in the NIST
publication referenced above, depending on the resources available to the practice.
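As an added illustration of the app-based software token discussed in item 4 (this code is not part of the practice parameter), the following Python implements the HOTP and TOTP algorithms of RFC 4226 and RFC 6238 that authenticator apps use, checked against the RFC test vectors, together with a server-side verifier that tolerates one time step of clock drift but never accepts a code twice. Because each code is derived from the shared seed and the clock alone, anyone holding the seed, including an attacker who captured it, computes exactly the same codes. The base32 seed, the drift window and the class and function names are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits, algo)


def seed_from_base32(text: str) -> bytes:
    """Authenticator apps exchange seeds as base32 (QR code or manual entry); restore padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check with a small drift window and replay protection.

    `window` is how many time steps of clock skew to tolerate on either side
    (assumed value; tighter is better). A counter that has already been accepted,
    or any earlier one, is never accepted again, so a code captured in transit
    cannot be replayed within its validity window.
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self._last_counter = None  # highest counter used by a successful login so far

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if self._last_counter is not None and candidate <= self._last_counter:
                continue  # replay or older step: reject even if the digits match
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"  # RFC 6238 Appendix B test seed (SHA-1)
    print(totp(rfc_seed, 59, digits=8))  # RFC vector: 94287082
    # Whoever holds the seed (user, server, or an attacker who captured it)
    # computes identical codes for the same time step.
    server = TotpVerifier(rfc_seed)
    print(server.verify(totp(rfc_seed, 59), 59))  # True
    print(server.verify(totp(rfc_seed, 59), 59))  # False: the same code replayed
```

The replay check is what distinguishes a verifier from a calculator: without it, a code phished or captured a few seconds ago remains valid for the rest of its time step plus the drift window.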
C. Authorization (access controls)
Restricting access to a system to only authorized users is of primary concern. Sophisticated access controls also
define and limit exactly which applications and processes a user can reach, how they can use them, and during
what hours they can use them. Access controls must also be propagated to mobile devices, specifically smartphones
and tablet computers, which require methods for restricting database and system access via device identification,
encryption, passwords, and auto-logoff, among many other controls.
1. Access control lists assign rights and privileges of users to resources. Controls, or combinations of controls,
can be implemented at the institution level (using LDAP or AD), at the operating system level, or at the
application level. Institutional management of at least broad roles is recommended to centralize control and
monitoring, but some applications, such as the RIS and the PACS, may also store user information with more
granular controls within the application.
2. Auto-logoff is a method of automatically logging off an account after a specified period of inactivity to
deter someone other than the valid user from using the session. As above, this should generally be 30 minutes,
but exceptions can be made depending on the needs and physical security of the space in which the system
is used.
3. Physical access control for critical computers is necessary to prevent console-based attacks, power
interruptions, or other threats. Physical controls may vary depending on use case and sensitivity of data.
4. Access control mechanisms should be reviewed regularly to ensure old or inactive accounts have been
removed.
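As an added example (not part of the practice parameter) that ties together the role-based access controls, the hours-of-use restriction and the stale-account review of section C with the 30-minute idle and 12-hour absolute reauthentication limits of item B.3, the following Python models a small role-to-permission table, a session that expires on either clock, an authorization check that also enforces a role's permitted hours, and a review that lists enabled accounts that have gone unused. The roles, permissions, hours, room names and the 90-day review threshold are constructed for the example; the choice to keep the absolute limit even in rooms exempt from the idle timeout is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Role-to-permission mapping (constructed for the example; in practice broad roles
# are managed centrally in LDAP/AD and refined inside the RIS and PACS).
ROLE_PERMISSIONS = {
    "radiologist": {"pacs:view", "pacs:annotate", "ris:view"},
    "technologist": {"pacs:view", "ris:view", "ris:schedule"},
    "clerk": {"ris:view", "ris:schedule"},
}
# Hours during which a role may use the system, as (start_hour, end_hour);
# roles not listed may work at any hour. Assumed values.
ALLOWED_HOURS = {"clerk": (7, 19)}

IDLE_LIMIT = timedelta(minutes=30)     # auto-logoff (item C.2)
ABSOLUTE_LIMIT = timedelta(hours=12)   # reauthenticate regardless of activity (item B.3)
# Physically secured rooms exempt from the idle timeout (item B.3 exception). The
# absolute limit is still applied there; that is an assumption of this example.
IDLE_EXEMPT_LOCATIONS = {"procedure_room", "operating_room"}


@dataclass
class Account:
    username: str
    roles: Set[str]
    enabled: bool = True
    last_login: Optional[datetime] = None


@dataclass
class Session:
    account: Account
    started: datetime
    last_activity: datetime
    location: str = "office"


def session_valid(session: Session, now: datetime) -> bool:
    """Absolute lifetime applies everywhere; the idle timeout unless the room is exempt."""
    if now - session.started >= ABSOLUTE_LIMIT:
        return False
    if session.location not in IDLE_EXEMPT_LOCATIONS and now - session.last_activity >= IDLE_LIMIT:
        return False
    return True


def authorize(session: Session, permission: str, now: datetime) -> bool:
    """Grant `permission` only to an enabled account, in a live session, through a role
    that holds the permission and is allowed to work at this hour."""
    if not session.account.enabled or not session_valid(session, now):
        return False
    for role in session.account.roles:
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            continue
        hours = ALLOWED_HOURS.get(role)
        if hours is None or hours[0] <= now.hour < hours[1]:
            session.last_activity = now  # use refreshes the idle clock, never the absolute one
            return True
    return False


def stale_accounts(accounts: List[Account], now: datetime, max_idle_days: int = 90) -> List[str]:
    """Periodic review (item C.4): enabled accounts never used, or unused for too long."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))
```

A denied request deliberately does not refresh `last_activity`, so an attacker probing for permissions from an abandoned workstation cannot keep the session alive.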
D. Auditing (HIPAA, Other Requirements)
Secure, computer-generated, time-stamped audit trails that record activity must be maintained in information
systems that contain or use ePHI to remain compliant with HIPAA, HITECH, and other federal regulations [21 C.F.R.
§ 11.10(e); 45 C.F.R. § 164.312(b)]. Additionally, these audit trails and system activity should be reviewed
periodically to assess for any irregular patterns, suspicious activity, or breaches [45 C.F.R. § 164.308(a)(1)(ii)(D)].
This requires fairly detailed logging at a granular level.
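As an added example (not part of the practice parameter) of what a secure, computer-generated, time-stamped audit trail and its periodic review can look like, the following Python chains each entry to the hash of the previous one, so that editing or deleting an earlier entry is detected by `verify()`, and runs two simple review rules over constructed sample entries: a user viewing unusually many patient records in one day, and repeated failed logins from one address. The users, record identifiers, addresses and thresholds are constructed for the example, not drawn from any real system.

```python
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries: List[dict] = []
        self._prev = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when: datetime, user: str, action: str, record_id: str, src: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "ts": when.isoformat(timespec="seconds"),  # system-generated timestamp
            "user": user, "action": action, "record": record_id, "src": src,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def review(entries: List[dict], max_records_per_day: int = 5,
           max_failed_logins: int = 3) -> List[Tuple]:
    """Flag irregular patterns: high per-day record volume and failed-login bursts."""
    per_day = defaultdict(set)
    failed = Counter()
    for e in entries:
        day = e["ts"][:10]
        if e["action"] == "view":
            per_day[(e["user"], day)].add(e["record"])
        elif e["action"] == "login_failed":
            failed[e["src"]] += 1
    findings = [("volume", user, day, len(recs))
                for (user, day), recs in per_day.items() if len(recs) > max_records_per_day]
    findings += [("brute_force", src, n) for src, n in failed.items() if n >= max_failed_logins]
    return findings


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity (not real data): one clerk pulls seven charts in an
    hour, a radiologist reads three, and one address fails to log in four times."""
    t = AuditTrail()
    base = datetime(2024, 3, 4, 9, 0)
    for i in range(7):
        t.record(base + timedelta(minutes=8 * i), "clerk1", "view", f"MRN-{i + 1:04d}", "10.0.5.21")
    for i in range(3):
        t.record(base + timedelta(hours=1, minutes=15 * i), "dr_lee", "view", f"MRN-{i + 100:04d}", "10.0.5.40")
    for i in range(4):
        t.record(base + timedelta(hours=2, seconds=20 * i), "admin", "login_failed", "-", "203.0.113.9")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify() is None)   # True
    print(review(trail.entries))
    trail.entries[3]["record"] = "MRN-9999"    # tamper with an entry after the fact
    print("first bad entry:", trail.verify())  # 3
```

The chain detects modification or removal of earlier entries, but not truncation of the newest ones; for that the latest hash must be recorded somewhere the people being audited cannot write, such as a separate log server or a periodically signed checkpoint.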