iSite 3.5: Security Administration I

CONFIDENTIAL TRN-0035-10 Rev 06/23/06

Table of Contents

• Objectives

• Terminology

• Security Overview

• User Account Management

• Define Access Groups

• Assign User Privileges

Learning Objectives

Understand the purpose and configuration of:

• Adding Users

• Adding Access Groups

• Assigning Security Codes to Access Groups

• Resetting User Passwords

Terminology

• PACS (Picture Archive and Communications System)
  – Information Systems designed to manage, store and distribute medical images and related information throughout the healthcare enterprise

• HIS (Hospital Information System)
  – Information Systems designed to manage patient records; including patient registration, billing, order entry

• RIS (Radiology Information System)
  – Information Systems designed to manage exams (orders); including filling orders and scheduling

• MRN (Medical Record Number)
  – A unique patient identifier (also known as Patient ID) used for auditing of billing and scheduling for patients

• Accession Number (ACCession Number)
  – A unique exam identifier (also known as an order number or requisition number) used for auditing of billing and scheduling of scheduled procedures

• SUID (Study Instance Unique IDentifier)
  – A unique study identifier used for auditing of performed imaging service requests

• DICOM (Digital Imaging and COmmunications in Medicine)
  – DICOM is the predominant communication standard between imaging equipment throughout the Healthcare Enterprise

• HL7 (Health Level 7)
  – HL7 is the predominant messaging standard for exchanging key sets of administrative and clinical data in the healthcare enterprise

Security Overview

• Security Administration is the management of Users, Access Groups and Security Codes to ensure that users have the permissions and therefore the functionality necessary to perform their job functions

• User Accounts using iSite User Database
  – Users must belong to at least one Access Group
  – Access Groups are assigned Security Codes
  – Security Codes designate permissions
  – Access Group Security Codes are cumulative

[Diagram: Security Codes, Access Groups and Users]

• User Accounts using iSite User Database

• Background:
  – Users must be members of at least one Access Group
  – An Access Group is made up of Multiple Security Codes
  – Each Security Code designates a function
  – Need to review the Default Access Group Settings and modify any Security Codes to fit your needs
  – User determined passwords - If users forget passwords, the iSite System Administrator can only Reset password
  – First time users login or if password Reset
    • Password = User ID or Username
  – Users cannot re-use their previous 10 passwords

• Password default = “UserID”

• Users are prompted to change password at initial log-in

• iSite Administrator may reset passwords

• Password Enforcement:

  – Users may not re-use previous 10 passwords
  – Minimum password length = 3 characters
  – iSite Enterprise = NO maximum log-in attempts
  – iSuite = 3 maximum log-in attempts

• Session Timeouts are assigned to Access Groups
  – Session Timeout = xx minutes
  – Default Session Timeouts = 20 minutes (max)

• Auto Logouts may be assigned to individual Workstations in the iSite client Machine Preferences
  – Auto Logout overrides Session Timeout
  – Auto Logout = xxxxx seconds
  – Auto Logout may be utilized for workstations requiring lengthy periods of inactivity (O.R.) or to accommodate high traffic zones (E.R.)

User Account Management

• In iSuite, select the ‘Sys Admin’ module

• Click the ‘Security’ tab

• To add a new user, from the pull-down menu select ‘Users’ and click ‘continue’

• Click the ‘add new’ button

• An empty User Information page is displayed

• Fill in the user information as requested

  – Enter the user’s name (Last, First)
  – Give the user a ‘Title’ in accordance with their role; this has no use in iSite other than for organized user management
  – The ‘Employee #’ field also has no specific use in iSite
  – Assign a User ID

  – Select the user’s default organization in the drop-down ‘Primary Org’ box
  – Select the number of days to force the user to change the password in the ‘Chg PW Days’ field; the maximum is 999 days
  – Currently, ‘Discount Approval’ has no functionality in iSite
  – Check the ‘Active’ box for a currently active user account

• Once information is complete, click “add” to create a new user

• To assign the user to an Access Group, select the ‘+ - access groups’ button

• Administrators must be familiar with the definitions of the access groups before assigning users to them

• Assigning users to inappropriate access groups could compromise sensitive data

• Select the Access Group(s) to which the user will belong

• Click the ‘ok’ button

• User Information screen returns and the Access Groups for the user are displayed

• iSite Enterprise cannot be used by the new user until the user has been assigned to at least one access group

• If a user forgets their password, it can be reset in iSuite from the User Information screen

• Select the ‘reset pw’ button

• The password is immediately reset to the default password, which is the same as the ‘User ID’

Define Access Groups

• When creating an access group, a set of security codes is grouped together, thereby enabling access to the modules and options in which users can work

• Changes made to the security codes associated with an access group affect all users assigned to that access group

• If a user is logged into iSite Enterprise when you edit their access group information, changes to user privileges do not take effect until the user logs out of iSite Enterprise and then logs back into the system

Security by Organization

• Users can view patients who belong to the same organization as the Access Group(s) with which the users are associated

• Organizations are designated via Access Group setup

• If a user belongs to multiple Access Groups which have different organizations, the user has the cumulative security rights and access to all patients in all associated organizations

• For example, if a user is given Mark Read security in Access Group A of ORG A and the user also belongs to Access Group B of ORG B which does not grant Mark Read rights, the user has Mark Read rights for both ORG A and ORG B

• With Security by Organization, a user cannot access exams that are not in the user’s organization(s)

• If a Patient’s History Timeline contains exams that were performed at different organizations, the user will only have access to view those exams that were acquired at the organization to which the user belongs

Define Access Groups

• To create a new access group, select Access Groups from the pull-down menu and click continue

• Click the ‘add new’ button in the Access Groups window

• Enter all pertinent information to define and describe the new Access Group

• Enter the title of the role in the Name field

• Enter the description of the role in the Description field

• Check the Active box for a currently active Access Group

• Determine the length of the Session Timeout assigned to this Access Group
  – Session Timeout = xx minutes
  – Default Session Timeouts = 20 minutes (max)

Security by Organization

• The iSite 3.5 Security by Organization feature allows customers to prevent specific users or user groups from accessing exams in organizations (ORGs) in which they do not have clinical privileges

• This gives customers from institutions in competitive situations an additional level of access security

• Security by Organization supports multi-organization customers sharing an iVault who do not want users from one organization to view patients from another organization for patient confidentiality reasons

• Philips recommends that all customers verify their Access Group configurations to ensure that they are associated with the desired organization(s)

• If the iSite System Administrator does not want to restrict user access enforced by Security by Organization, the iSite System Administrator should make sure that all Access Groups are configured to associate with the “Enterprise” umbrella organization immediately after the upgrade

• This gives users with Access Groups configured with the “Enterprise” organization access to patients across all organizations

• Features Not Impacted by Security by Organization

• Security by Organization does not apply to system-wide features such as Public Folders

• For example, if User A in ORG A is given security code access to Public Folders that contain patient exams from ORG A and ORG B, User A will have access to view those exams from ORG B. Likewise, if User A (in ORG A) is given security code access to Merge Patients, User A can merge patients from multiple organizations

• The following features are not affected by Security by Organization:
  – Public Folders
  – Viewing Access: Exceptions
  – Merge Candidates List
  – System Preferences: Window Width/Center
  – System Preferences: Image Processing
  – System Preferences: DICOM Sources
  – System Preferences: Screen Overlays
  – System Preferences: Paper Printing
  – System Preferences: Print to Film
  – System Preferences: System Plug Ins
  – System Preferences: System Filters
  – System Preferences: iExport
  – System Preferences: iQuery

Define Access Groups

• After entering all the pertinent information, click ‘add’

• Information is saved and the access group created appears as an editable entry

• From the window shown here, the entries can be changed and security codes may be added

• Click the ‘+ - security codes’ button to add security codes to this access group

• Select the security codes to grant access to the group just created

• Click the ok button

• Access Group entry window reappears and clicking the update button finalizes the changes

Assign User Privileges

• PACS Admin Team shall have all features and functions available (SYSADMINALL Access Group)

• Caution: To enable Exceptions Handler Tab for iSite Enterprise the ISTSUPPORT Security Code must be active for the related Access Group; however, ISTSUPPORT allows Access Groups with ISTUSRPREF active to access System Preferences and Machine Preferences as well
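
An added example (not part of the Philips training material) that models the cumulative rule described under Security by Organization together with the ISTSUPPORT caution above, so an administrator can list grants that reach further than any single Access Group suggests. The `AccessGroup` class, the function names and the sample memberships are assumptions made for illustration. It also assumes ISTSUPPORT and ISTUSRPREF combine across Access Groups, following the deck's statement that Security Codes are cumulative, and it does not model the system-wide features the deck lists as exempt.

```python
from dataclasses import dataclass

ENTERPRISE = "Enterprise"  # umbrella organization named in the deck


@dataclass(frozen=True)
class AccessGroup:
    """Hypothetical model of one Access Group: one organization, many codes."""
    name: str
    org: str
    codes: frozenset


def effective_access(groups):
    """Cumulative rule: union of all Security Codes and of all organizations."""
    codes = frozenset().union(*(g.codes for g in groups))
    orgs = frozenset(g.org for g in groups)
    return codes, orgs


def can_use(groups, code, exam_org):
    """True if the user holds `code` and the exam's organization is in scope."""
    codes, orgs = effective_access(groups)
    return code in codes and (ENTERPRISE in orgs or exam_org in orgs)


def review_findings(user, groups):
    """List grants an administrator should confirm are intended."""
    codes, orgs = effective_access(groups)
    findings = []
    for code in sorted(codes):
        # Organizations whose own Access Group actually grants this code.
        granting = {g.org for g in groups if code in g.codes}
        # Organizations where the code applies only through accumulation.
        spill = tuple(sorted(orgs - granting))
        if spill and ENTERPRISE not in granting:
            findings.append((user, "cross-org", code, spill))
    # The caution: ISTSUPPORT together with ISTUSRPREF opens System Preferences.
    if {"ISTSUPPORT", "ISTUSRPREF"} <= codes:
        findings.append((user, "system-preferences", "ISTSUPPORT+ISTUSRPREF", ()))
    return findings


# Constructed sample configuration: group names, user IDs and memberships are
# made up; the Security Codes are the ones listed in the deck.
GROUP_A = AccessGroup("Radiologists ORG A", "ORG A",
                      frozenset({"ISTACCESS", "ISTDICTATE", "ISTUSRPREF"}))
GROUP_B = AccessGroup("QA Staff ORG B", "ORG B",
                      frozenset({"ISTACCESS", "ISTSUPPORT"}))
MEMBERSHIPS = {"jdoe": [GROUP_A, GROUP_B], "asmith": [GROUP_A]}

if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        for finding in review_findings(user, groups):
            print(finding)
```
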

• The following list demonstrates all necessary Access Groups that may be created to assign the appropriate permissions to all iSite users based upon previous experiences
  – PACS Administration Team
  – Quality Assurance Clinical Staff
  – Information Technology (Support and Security)
  – Radiologists
  – Radiology Residents
  – Clinical Supervisors, Leads, and 3rd Shift Techs (Radiologic Technologists)
  – Staff Radiologic Technologists
  – Clerical Staff
  – Medical Staff Specialists (Cardiologists, Endoscopy and Surgeons)
  – Medical and Clinical Staff (Physicians, Nurses)
  – EMR Integration Access Group

Access Privileges

• View Images for all exams: IMGVUEIMG
• Log in to iSite PACS: ISTACCESS
• View Images for any patient: ISTANYPAT
• View Images for patient for which the user is not the Ordering Physician: ISTANYPHYS
• View Images searching by MRN: ISTBYMRN
• View Images in Exceptions status: ISTEXCEPT
• View Images that do not have reports: ISTNOREP
• Show Location – Patient Lookup: ISTSHOWLOC
• Unrestricted Patient Lookup – Query Type 3 (must be active): ISTUNRES3

Workflow Related

• User Preferences (General Preferences, Filters, WW/WL, etc.): ISTUSRPREF
• System Preferences (System Level Functionality changes): ISTUSRPREF and ISTSUPPORT
• System Filters (Create): ISTUSRPREF and ISTSUPPORT
• System Filters (Access): ISTSYSFLTR
• User Filters (Create): ISTUSRPREF
• User Filters (Access): ISTUSRFLTR
• Public Folders (Create): ISTPUBFLDR
• Public Folders (Access): ISTPUBFLDO
• Personal Folders (Create and Access): ISTUSRFLDR

• CD Manager (CD Burning): ISTMEDEXP
• iExport (DICOM Image export): ISTIEXP
• IQuery (DICOM Image import): ISTQUERY
• Local Exam Cache: ISTLCACHE
• Paper Print: ISTPRNT
• Film Print: ISTFLMPRNT (must have ISTRAD)
• Saving Presentation States: ISTPSTATE
• Plug-Ins (Recommend link to Intranet without associated Security Code): ISTPLUG”#”

Image Management

• View Exceptions Handler: EXHACCESS
• Access to Clinical Exam Notes: EXHCLNOTE
• Remove Exceptions (permanently delete images): EXHWINACT
• Resolve Exceptions: EXHWRESEX
• Digital Image Management (creating patient exceptions due to misidentification): IMGDIGMGMT, IMGULKSUID
• Delete Images from Exam Rack (not permanent): ISTIMGDEL
• Remove/Resolve Dup UID Warning Message: ISTRDUPID
• Assign new Study Instance Unique Identifier: ISTRGUID

Technologist Worklist

• Technologist Worklist: MWLACCESS, MWLBEGIN, MWLCOMPLET, MWLEDIT, MWLEXHACC, MWLRCLNOTE, MWLWPRFRES, MWLWRESEX
• Study Linking (Matching two Accession Numbers to one Study UID): IMGLINKFUL, IMGLINKLIM, IMGULKSUID, IMGUNLKFUL, IMGUNLKLIM

Patient Management

• Patient/Exam Edit (may be necessary for Exceptions Resolution): SCHCANCEX, SCHEDITEX, SCHEDITEX1, SCHEDITEX2, SCHEDITEX3, SCHEDITEX4, SCHEDITEX5, SCHPTAPPT
• Delete Patient/Exam: SCHCANCEX, SCHDELEX
• Patient Merge: REGFULL, REGLIM, REGMERG, REGMRGLIM, REGMLSTLIM, REGMLSTFUL

System Management

• Exam Audit Trail: ISTSUPPORT, PTRPTAUDIT, VUEEXAUDIT
• Access Groups/Security Codes (Add/Edit Access Groups): SADSEC
• Reset Passwords (Add/Edit Access Groups): SADSECUSER
• System Preferences (System Level Functionality changes): ISTUSRPREF and ISTSUPPORT
• System Filters (Create): ISTUSRPREF and ISTSUPPORT
• Machine Preferences: ISTUSRPREF and ISTMPREF
• System Hanging Protocols: ISTHPSTD, ISTSYSHP, ISTRAD

iSite Radiology Specific Features

• iSite Radiology access: ISTRAD
• Film Print: ISTFLMPRNT
• Mark Read function: ISTDICTATE
• Series Matching Rules (create): ISTHPSTD
• System level Hanging Protocols (create): ISTSYSHP
• User level Hanging Protocols (create): ISTUSRHP
• Machine Preferences: ISTUSRPREF and ISTMPREF

For assistance, please call customer support at 1-877-328-2808 or 1-877-328-2809
