MUSC Policy: Information Security - Access Control

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.312(a)(1) Standard: Access control

HIPAA Security: 164.312(a)(2)(i) Unique user identification

HIPAA Security: 164.312(a)(2)(ii) Emergency access procedure

HIPAA Security: 164.312(a)(2)(iii) Automatic logoff

HIPAA Security: 164.312(a)(2)(iv) Encryption and decryption

HIPAA Security: 164.308(a)(5)(ii)(C) Log-in monitoring

HIPAA Security: 164.308(a)(5)(ii)(D) Password management

FTC Safeguards Rule: 314.3(b)(3)

2. POLICY

If an MUSC System may be used to house protected information, then the System's access control policies and procedures must enforce the principle that access to protected information must be restricted to authorized users of the information.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Assigned Responsibilities

3.2.1. System Owners

If an MUSC System may be used to house protected information, then the designated Owner of the System is responsible for ensuring that access to the System is controlled, and that access to the System's protected information is restricted to authorized users of the information.

The Owner of the System is responsible for ensuring that the following specific objectives are met:

• Users of the System are assigned unique identifiers to enable tracking of their access to protected information.
• Procedures for the proper management of the passwords, access codes, and/or other tokens that are assigned to users are documented.
• User sessions that may provide access to protected information are automatically terminated after a predetermined period of inactivity.
• Procedures exist to allow authorized users to obtain access to protected information in an emergency.
• Encryption is used whenever reasonable and appropriate to restrict access to protected information.

3.2.2. System Users

Each User of the System is required to:

• Properly manage his password, access codes, and/or other tokens, following the procedures documented for the System
• Report any apparent discrepancies in the use of the account to the System Administrator for the System.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

MUSC Policy: Information Security

MUSC Policy: Information Security - Workforce Security

MUSC Policy: Information Security - Person or Entity Authentication

MUSC Policy: Information Security - Encryption

MUSC Information Security Standards: Identity and Access Management

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.