Purpose and Components of an Identity Management System
An identity management system (IMS) involves a set of technologies used for the cross-management of the system. The described method includes the automation of the application provisioning, management of user roles, credentials, and privileges, and the delegated responsibility of administrators (Soenens, 2018). The identity management systems play a critical role in an organization since they are concerned with identifying the users, authentication, and authorization, and non-repudiation (Neto et al., 2016). IMS is used in the healthcare facilities such as Kaiser Permanente to identify customers and prevent unauthorized access to the patients’ data.
Various components are attached to the identity management system, including the scalable, secure, and standard-compliant directory service to facilitate the storage and management of the user’s information. Similarly, it involves a run time model used for authentication of the user, a platform for directory integration, and a delegated administration application and model (Soenens, 2018). Health Insurance Portability and Accountability (HIPAA) Core policy prohibits the doctors who use laptop devices as they visit patients at the hospital and want and want to access the Protected Health Information (PHI) data of the hospital (Tellabi et al., 2018). The use of portable devices that are personally owned to do the work is only allowed if approved by the senior management (Neto et al., 2016). Therefore, these are the options available for the doctors who what to use personal computers in the hospitals.
Access Control Management
Access control entails the permissions granted for given resources and involves many types, including access database access controls, control lists in operating systems (OS), files, role-based access controls. Control lists in OS provide rules which allow or deny the accessibility of the OS (Tellabi et al., 2018). Filesystem list filters the file and directories accessibility and informs the OS on the users to access the system and are not allowed. Access database access controls will enable the accessibility of the sensitive data for the company among the people who are only allowed to get to such data while restricting the unauthorized people (Clauß & Köhntopp, 2017). The role-based access control involves the granting of access to the system depending on the roles each individual playthrough user privileges. Finally, the file access control involves setting permissions to allow or deny access to specific files and directories.
Authorization and Authentication and the Use of Passwords, Password Management, and Password Protection
There are various types of authorization which include password-based authentication, where the passwords are commonly used to regulate the system access. Passwords are presented as numbers, letters, and special characters. Password management presents principles and practices considered best for users to follow as they store and manage passwords. Password protection aims to protect the accessibility of information through computers for specific users (Tellabi et al., 2018). Multifactor authentication requires two or more independent ways of identifying the user, including the codes generated from the users’ devices. Certificate-based authentication entails using technologies to identify users, devices, or machines with the help of digital certificates. Biometric authentication is a process that is based on the unique individual biological characteristics involving facial recognition and fingerprint (Soenens, 2018). Finally, token-based authentication technologies allow entering of the credentials once before a unique encrypted string of random is received in exchange for random characters.
Common Factor Authentication Mechanisms
Common factor authentication mechanisms are used in facilitating the entry or denial of access entry into the system. Factor authentication systems involve a security credential with the special category that verifies the authorization and identity of any user who wants to gain access and send the requestor information from the network that is secured (Clauß & Köhntopp, 2017). The multifactor authentication allows the dealing with control to access for computers and servers. Users in this model can only access once they have provided more than three information pieces to prove their identity as the right users. Common factor authentication mechanisms such as multifactor authentication practices require the users of the electronic medical record in Kaiser Permanente to show they know password, possess, or have a key tag before accessing.
Kaiser Permanente, as an organization, restricts access to protect billing and PHI by the use of the security measures such as the use of passwords where the users have to identify themselves before allowed accessibility. The use of passwords is significantly essential in ensuring that the processes and workflows of the organization are aimed at safeguarding the PHI (Neto et al., 2016). Password management is essential in this case to set best practices in place and ensure optimum security.
The access management system is essential to manage and monitor the permissions available to the user for access and the rights one has towards the systems, files, and services. These permissions and access rights are focused on protecting the organization from the loss of data and breaches of security (Hansen et al., 2018). Thus, the whole act is about the control to the access of the user, such as changing and tracking the authorization as needed. There are various types of access control management, including role-based access controls, database access controls, access control lists in operating systems, and files limit access to those with a need to know.
An organization needs to focus on strategic measures in pursuit of its goals. For Kaiser Permanente, the mission statement is based on providing high-quality and healthcare services that are affordable. The primary aim is to improve the members’ health and the communities around. The organization has an excellent structure with the chairman and CEO, who provides the overall leadership of the company, including making decisions at the top. The CEO has the key passwords to all computers in the departments and should limit the access to the relevant people. Senior vice president (SVP) government relations follow, then SVP both who have unlimited passwords to computers in several departmentsd and should secure them from unauthorized users (Hansen et al., 2016).. Others are chief communication officer and chief human resource officer both who hold key accesss passwords to systems in their departments.
The manager needs to consider the risk, and should the Chief information officer (CIO) and the leaders fail to take action against the risk, the organization is likely to face a data breach where unauthorized people may gain access to patients and others’ information (Neto et al., 2016). For instance, the failure to mitigate risks led to unauthorized access/disclosure in the Electronic Medical Record of Kaiser Permanente, affecting 2756 people. Thus, the CIO needs to adopt ways to mitigate the risks. The projected costs to address risks amount to $4,732. The organization needs to adopt three multifactor authentication and strong passwords with unique characters. They can also limit people accessing the departments where computers carry essential information. For Kaiser Permanente, the organization should restrict the accesses to Electronic Medical Record after the system experienced breach that saw 2756 people affected. The company needs to used more advanced tools like Personal Identification Number (PIN) numbers and strong passwards characterixed by numerical numbers and lower and upper case letters. Since the system keeps records, the company should consider encrypting of the stored information. The sharing of the patient’s information by the healthcare provider should only happen after the permission by the patient.
References
Clauß, S., & Köhntopp, M. (2017). Identity management and its support of multilateral security. Computer Networks, 37(2), 205-219.
Hansen, M., Berlich, P., Camenisch, J., Clauß, S., Pfitzmann, A., & Waidner, M. (2016). Privacy-enhancing identity management. Information Security Technical Report, 9(1), 35-44.
Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and identity management. IEEE Security & Privacy, 6(2), 38-45. Web.
Neto, S., Ferraz, F. S., & Ferraz, C. A. G. (2016). Towards Identity Management in Healthcare Systems. In Proceedings on the International Conference on Internet Computing (ICOMP) (p. 157).
Soenens, E. (2018). Identity management systems in healthcare: the issue of patient identifiers. In IFIP Summer School on the Future of Identity in the Information Society (pp. 56-66). Springer, Berlin, Heidelberg.
Tellabi, A., Sassmanhausen, J., Bajramovic, E., & Ruland, K. C. (2018). Overview of Authentication and Access Controls for I&C systems. In 2018 IEEE 16th International Conference on Industrial Informatics (INDIN) (pp. 882-889). IEEE.