Scott Van Heest IT Specialist, Data Analysis and Support Team, NPCR, CDC Denise Farmer CDC/NPCR Contractor Division of Cancer Prevention and Control National Center for Chronic Disease Prevention and Health Promotion NAACCR 2010 Annual Conference Quebec City, Canada June 24, 2010 ABSTRACT PLUS VERSION 3: Security Standards Upheld

Background  NPCR program standards require registries to have data security procedures in place to ensure cancer registry data are available only to those who need to use it for legitimate purposes  Controlling access to data helps ensure patient privacy and data confidentiality  Abstract Plus version 3, has improved software features to uphold security standards

Abstract Plus Purpose  Summarize the medical record into an electronic report of cancer diagnosis and treatment by abstractors and other individuals or groups who work with cancer data  Conduct casefinding, reabstracting (blind or un- blinded), and recoding audits of reporting facilities and central registry coding staff  CDC provides support and consultation to state central registries for their state-specific customization and distribution of the Registry Plus software

Abstract Plus Functions  Used to abstract, code, and audit cancer cases using standard data items and codes  Supports abstraction and auditing of all data items in national standard data sets, including all text fields and state-specific data items  Entered abstracts are validated by customizable edits, allowing for interactive error correction while abstracting  Customized by central registries for distribution to and use by hospitals and other reporting sources  Also used for special projects and start-up registries

Security Features  Options to configure security policies  Form-based authentication, and Challenge Questions for individual users  User passwords stored and encrypted using a one-way hash method  Microsoft Access encrypted databases  Microsoft SQL Server database option  Role-based access

Results: Application Preferences  Security Policies  Security Challenge Questions  Password Expiration, Re-use, and Password Expression (restrictions) options  Database options

Security Policies Options for challenge question setup and use Options for password expiration, re-use and password restrictions

Security Questions  Security Challenge Questions can be added or removed from current list of questions Add or remove challenge questions to be presented to the user

Password Expression Test custom password restrictions  Customized password restrictions can be set via regular expression, or the default expression can be used Use default Edit

Database Options SQL Server options

MS Access Encrypted Databases  Password protected access outside application  User passwords encrypted in database  Common database access needs met through menu selections  Support available for database customization

MS SQL Server Database Option  Requires SQL Server database management for abstract database  Allows multi-user abstract database access, with record locking  Requires database connection string for setup  SQL Server offers inherent security features  Login same as MS Access option  Database option included in title bar

Role-based Access  Facility Abstractors (login access):  Add, edit, delete, print, and export abstracts  Auditors (additional password required) – perform all Facility Abstractor functions, plus:  Perform casefinding, reabstracting, and recoding audits  Administrators (additional password required) - perform all Facility Abstractor and Auditor functions, plus:  Set application preferences  Manage abstracting and auditing display types, and set up audit databases  Manage user accounts and passwords  Maintain Administrator/Auditor passwords

Form-based Authentication  Login requires valid username and password  First-time access to application requires setup of user account  Initial login requires setup of user’s password with challenge security questions  Forgotten password can be reset by user with valid answers to challenge questions  Password can be managed by user or administrator  User allowed to change password (must know old password)

Creating User Account on Initial Access  Enter User Name, User ID, and Initials  Click Add  Click Close User ID User NameUser ID

Initial Log In  Enter User ID form new user account  Enter default, initial access password (Welcome1)  Update default password to new secure, user-specified password User ID Welcome1 Enter and confirm new password

Define User’s Security Questions  Prompted to select and answer required number of questions  Each selected question must be different  Verification of answers used to reset forgotten password Select questions and answers

Routine Log In  User ID and Password required  Password is case sensitive  Click Forgot Password to reset password using security questions to verify user  Click Change Password to change existing, known password Password User ID

Conclusions Abstract Plus version 3:  Provides user-friendly, flexible options for meeting changing security standards  Preserves the confidentiality, integrity, and availability of cancer registry data

For more information please contact Centers for Disease Control and Prevention 1600 Clifton Road NE, Atlanta, GA Telephone, CDC-INFO ( )/TTY: Web: Thank You! Denise Farmer, Joe Rogers, Sherrie Stein, Kathleen K. Thoburn, National Center for Chronic Disease Prevention and Health Promotion Division of Cancer Prevention and Control The findings and conclusions in this report are those of the authors and do not necessarily represent the official position of the Centers for Disease Control and Prevention.