Security: ConceptsTopic number: 1425412935969

National regulations require healthcare providers to provide safeguards for administrative, physical, and technical security. You can achieve this through appropriate setup of user authentication and authorization processes.

Security goals

With accurately configured security, you can:

  • Limit the visibility of patient health information in the application (where necessary)
  • Manage access to the application by restricting access to authenticated users
  • Restrict permissions for application users based on their responsibilities and tasks within the hospital

Authentication

Authentication is the process of verifying that the users are who they claim to be. It is required for all users accessing the system.

Authentication verifies who you are—it does not deal with what you are permitted to do. It answers questions such as:

  • Who is the user?
  • Are the users really who they represent themselves to be?
Typical administrative tasks for user authentication
  • Creating user accounts, logins, and passwords
  • Resetting user passwords

Authorization

Authorization is the process of determining whether a user can perform a specific operation in the application.

Authorization is about what you are allowed to do—it is based on the assumption that authentication has already happened. It answers questions such as:

  • Is radiologist Peter authorized to report on studies from the Oncology department?
  • Is transcriptionist Miranda authorized to add and remove study attachments?
  • Is technologist Sam authorized to change the priority of an acquisition task?
Typical administrative tasks for user authorization
  • Set up permissions that grant users access to tasks and actions when using the application, such as granting the permission to perform reading tasks to radiologists
  • Set up security filters limiting the access to Patient Health Information, such as limiting view rights on VIP studies

Security and assigning tasks

If you accidentally assign a task to someone who does not have permission to perform the task, an error message appears and the assignment is canceled. The dialog explains why the task could not be reassigned and you can try again with a different assigned person. This might occur because task assignment groups and security roles do not necessarily coincide. Normally, users who do not have permission to perform the task cannot be selected in the Assign to dialog.