Security Features in Web Plus

What to know

Web Plus is a secure application designed for the safe transmission of confidential patient data between reporting locations and a central registry over the Internet. Its security is ensured through a combination of robust software features, secure network configurations, and adherence to information technology (IT) operational best practices.

Security features of the Web Plus application

Form-based authentication

Web Plus requires users to enter their user ID and password to access the system. The system provides several options to configure password attributes. These options can be set by the central registry administrator (see Role-Based Access below). Configurable attributes include:

  • Enforcing password complexity requirements.
  • Requiring new passwords to be different from the ones used before.
  • Setting password expiration dates.
  • Requiring password changes when an administrator resets a forgotten password.

Multifactor authentication

Web Plus supports multifactor authentication, which enhances security by requiring users to provide additional verification factors beyond their user ID and password. These factors include a personal identification number (PIN), challenge questions, or both. Both features can be customized to enhance authentication security while maintaining user accessibility.

PIN. The PIN feature is an optional security measure designed to meet two-factor authentication requirements. When enabled in the system preferences, the central registry administrator generates a unique, random Web Plus PIN matrix for each user. To log in, users must provide their user ID and password, along with a four-digit PIN that is based on coordinates from their Web Plus PIN matrix.

  • Process: Upon login, users are presented with the PIN matrix coordinates required to generate their PIN.
  • Distribution: The hosting agency must mail the PIN matrices to users securely.

Challenge questions. The challenge question feature provides additional identity verification. When enabled in the system preferences:

  • The central registry administrator configures a set of questions that users must answer during the initial setup.
  • Users must answer these questions again upon login to validate their identity.
  • The number of challenge questions required for setup and login is configurable, allowing flexibility to match security requirements.

Role-based access

Web Plus grants users different levels of access depending on their role. Seven roles are defined in Web Plus:

Facility abstractor

  • Works at a local facility or doctor's office handling patients' medical records.
  • Reports cases to the central cancer registry when a patient is diagnosed with cancer.

Central registry abstractor or reviewer

  • Reviews submitted abstracts for completeness and accuracy.
  • Abstracts additional data from submitted text or generates new case abstracts.

Central registry administrator

  • Manages facility accounts and user access at both the central registry and local facilities.
  • Configures display types, edit sets, and system preferences.
  • Assigns abstracts to registry staff, exports data, and generates reports.

Local administrator

  • Manages user accounts for Web Plus at one facility.

File uploader

  • Uploads abstract files in the North American Association of Central Cancer Registries format.
  • Reviews NPCR-EDITS error reports and resolves errors in rejected files.

Follow-back supervisor

  • Uploads partially filled follow-back abstracts and adds follow-back abstracts manually.
  • Tracks follow-back abstracts by file or facility and generates related reports.

Follow-back monitor

  • Tracks follow-back abstracts by facility.
  • Generates follow-back reports.

Other security features

Web Plus incorporates several robust security measures to enhance system integrity and protect sensitive data:

  • Facility data access: All users within a facility can access abstracts entered for that facility.
  • Activity logging: Extensive logs track user logins, data accesses, and updates for auditing purposes.
  • Account lockout: Users' accounts can be locked after a configurable number of failed login attempts.
  • Account deactivation: Administrators can deactivate user accounts as needed.
  • Page access monitoring: Central administrators can monitor which pages users access.
  • Controlled configurations: Display types and edit set configurations are managed centrally.
  • Password encryption: User passwords are encrypted securely using a one-way hash method.
  • Database connection security: The connection string to the server database can be encrypted.

Security features of the network infrastructure

The network infrastructure supporting Web Plus should incorporate several critical security measures to protect client computers, servers, and communication channels. By combining these infrastructure-level security measures with Web Plus's built-in features, the system ensures a comprehensive defense against potential threats to data integrity and confidentiality.

Security on client computers. Anti-virus and anti-spyware software should be installed on all client computers within the registry network. These security programs must be updated regularly to defend against evolving threats.

Security on servers. The server environment should also use anti-virus and anti-spyware software for continuous monitoring and detection of malicious activities. This software should scan uploaded files for potential risks and block, quarantine, or remove them to mitigate threats.

Secure communication channel. Web Plus depends on a Transport Layer Security (TLS) channel to secure data exchanged between the web server and the client browser. TLS ensures the confidentiality and integrity of the data in transit over the Internet. This secure communication channel is not part of Web Plus, but is required for Web Plus to send data securely.

Print
Content Source: