FutureNet System Security

As HIPAA experts have indicated, the security and confidentiality of health care information are cultural issues.  These issues cut across all facets of an organization's business and medical professional operations.  However, technologies that emphasize security enable health care organizations to implement security policies for safeguarding electronic information.

The FutureNet system's security structure was created with both a cultural and technical perspective.  First of all, FutureNet strictly follows the security policies of clients when setting up physical security, network security, and data security.  Organizational security policies provide the translation from legislative and standards-based requirements to operational processes for both external and internal security requirements.  Second, the FutureNet system itself enables implementation of organizational security policies.  The FutureNet system provides multiple layers of security for data, the system, the network, and the physical arena.  The degree to which security enablers are deployed across various layers of the model depends solely on the organizational policy.

Client Organizational Security Policies

Security procedures and requirements are from the client site.

Client Network Security Requirements

Security requirements from the client's IT department for the enterprise-wide communication infrastructure protect against external exposure and entry.  Internal user authentication and access control are enforced.

Physical Security for the FutureNet System

A safe and secure physical environment will protect the data resources and hardware equipment of the FutureNet system.

FutureNet Network Security

FutureNet's network security addresses FutureNet system user authentication for both computer and telephone networks within client network environments.  It also covers access control for a FutureNet sub-network or domain system and allows for data encryption for communication and transmission.

FutureNet System Security

The FutureNet system's security combines the FutureNet server with application-specific security features, which validate and govern user access to the server and host-based resources.  Security features include user authentication for the FutureNet system, access control for application functionality, and audit management for all activities involved in system access and data modification.

FutureNet System Data Security

FutureNet security services provided by our database management system applications facilitate and strengthen data integrity.  Data level security features include data access control, data level validation, data encryption, and audit trails for data modification.

FutureNet System Security Features

Security features of the FutureNet system are based on the security structure and framework described in the previous section.  They meet the current HIPAA requirements.

Administrative Security Procedures

FutureNet will follow our client's organizational security policies for general practices, in terms of security procedures.

Physical Safeguards for the FutureNet System

FutureNet will locate its servers and workstations in the client's safe and secure physical environment to protect them from unauthorized access.

FutureNet System Network Integration and Security

The FutureNet system will integrate into the client's network in one of two ways, based on the preferences of the client:

  • The FutureNet system will join the client's domain as one of the domain members.  The domain system controls network user authentication and access.

  • The FutureNet system will function as an independent domain system.  In this system, FutureNet will set up a full trust relationship with our client's domain system.  Our client's system will not need to set up a trust relationship with the FutureNet system.

Technical Security Services and Mechanisms

The FutureNet system will follow the HIPAA security standards listed in the first section of this document.

Identification and Authentication

The FutureNet system provides for both a user identification code and password to verify authorization to access the system.  All applications require an authorized user ID and password.

  • The FutureNet system prohibits the reuse of user identification codes and the reuse of passwords for different users.
  • The FutureNet system provides messages to the user upon denial of access due to invalid user identification codes or passwords.
  • The FutureNet system supports automatic disabling of a user identification code after a pre-determined, system administrator-defined number (three) of consecutive invalid access attempts.
  • The FutureNet system provides the ability to inform the user of the last time the system was accessed with that user identification code.
  • The FutureNet system supports the encryption of the password files or the password information.

Authorization and Access

FutureNet supports defining groups of users to be granted access to specific data elements, files, functions, menus, and commands, or collections of these.  In the FutureNet system, 6 different security levels can be set up for user groups, and sub-security levels can be set up within some levels of security.  For example, the physician user group has one level of security, and under this level of security there are sub-levels, like "Regular", "Resident", and "Department Leader".

  • The FutureNet system allows defined access to specific data elements, files, functions, menus, commands, and networks based on the user's patient care responsibilities or job functions, including but not limited to:
    • By User - administrators, directors, managers, physician staff, nurses, and clerks
    • By Function - dictating, transcribing, listening, viewing, signing, editing, printing, deleting, and updating
    • By Work Type - specific work type, such as H&P, HIV, and psych. reports
    • By Location - Accounts, Sites, Departments
  • The FutureNet system permits the system administrator to grant specific users (such as directors or managers) the authority to permit other users (such as clerks, nurses or physician staff) to access specific data items, menus, and functions.
  • The FutureNet system allows users to restrict the printing and display of confidential data elements.
  • The system module, workstation location, and user, or a combination thereof, can determine the designated length of the time-out feature.
  • The FutureNet system prevents the end user from seeing menu items, screen formats, and report forms if the user's security profile prevents them from accessing the data elements associated with these system components.

Audit Trails / Accountability

The FutureNet system has an audit trail module to track the accessing and modification of the dictation server, voice files, the transcription document server, and patient reports.

  • FutureNet audit trails can be produced to identify:
    • All users who have used a selected function
    • All activity of a given user
    • All modifications to a database, such as changes to access authorities, including creating, disabling, and deleting user identification codes
    • All changes on patient reports, such as editing and signatures
  • The FutureNet system also provides detailed transaction logs for all phone calls and voice file access, all document printing, faxing, and email activities.  Reports are available that document the user ID, activity performed, workstation, time, and date of the various activities.
  • The FutureNet system prevents deletion, overwriting, or unauthorized modification of audit trails.

Encryption

The FutureNet system supports 128-bit encryption via VeriSign's secure server ID.  Based on the same technology used to protect nuclear missile codes, VeriSign Secure Server IDs provide the strongest security available today.  Best of all, the technology our clients need to establish a secure channel, SSL, is already enabled on the server.  All they need is a Secure Server ID to activate it.

The FutureNet system also supports high data encryption (such as triple DES) via third-party VPN (Virtual Private Network) software and hardware.  The encryption protects all data during the electronic transmission process.

Electronic Signatures

  • FutureNet's system provides an electronic signature module for physicians to sign off on their patient reports.  The signature file is a digital file, which cannot be used for copy and paste.
  • FutureNet's system prohibits any change after physicians sign their patient reports.  Only addendums can be added to signed reports.
  • FutureNet's electronic signature supports additional authentication and authorization, such as a PIN (Personal Identification Number) code, and the attending physician's signature as final approval for resident/attending co-sign reports.

Physical Security

  • FutureNet recommends that the system be hosted in a secure server room provided by the client for physical access control.
  • The FutureNet system provides mirror drives or RAID technology for data back-up and redundancy.
  • The FutureNet system provides different levels of UPS as an emergency power source.
  • The FutureNet system provides emergency shutdown procedures in the server room to prevent emergency situations.
  • The FutureNet system provides screen protection for data security.

Disaster Recovery

  • The FutureNet system provides a back-up process that can be performed in a dynamic mode so that the system can be operational 24 hours per day.
  • The FutureNet system provides a data archiving process based on system administrator criteria.
  • The FutureNet dictation server can bypass the database server in the event of database server failure, and restore all information back to the server after it is recovered.
  • The FutureNet system supports disaster recovery procedures.  Mirror disks or RAID hot-swap disks provide sufficient back-up and recovery features to assure there is no data loss after a system failure.

Protection of Remote Access

  • The FutureNet system requires user identification and password to remotely access any application.
  • The FutureNet system provides detailed access logs in its gateway program, and all remote user access activities will be recorded in the logs.
  • The FutureNet system provides detailed event logs for all importing, exporting, transmitting, printing, faxing, and emailing activities.

Data Integrity

  • The FutureNet system applications share the same database.  The system provides control over stored data to ensure data is complete and internally consistent.
  • The FutureNet system provides an interface to strictly control the importing and exporting of data.
  • The FutureNet system provides internal HL7 interfaces to ensure physician and patient information is updated and consistent with our client's systems.
  • The FutureNet system provides data management features that eliminate the redundant maintenance of duplicate patient data.
  • The FutureNet system provides a mechanism for controlling simultaneous updates to the database.
  • The FutureNet system supports anti-virus software.

Privacy Protection

  • The FutureNet system provides privacy protection for patients by limiting access to medical reports to only those health care staff members who are involved.
  • The FutureNet system flags all confidential reports in distribution.
  • The FutureNet system protects the privacy of employee medical information in the health care organization.