
9. Information Access Management

9.1 Respect business requirements

9.1.1 Develop a policy to control access to information
Protecting access to the application is critical to maintaining the integrity of the Scandiatransplant IT system and data and to preventing unauthorised access to these resources. The objective is to ensure that adequate controls restricting access to the system and data are implemented.

9.1.2 Control access to networks and network services

Information access control is implemented in the application layer, which runs on the server behind two firewalls: the primary firewall is controlled by RM in cooperation with Scandiatransplant, and a secondary firewall runs on each server (i.e. multiple firewalls), ensuring that the servers are not attacked from within the subnet behind the primary firewall.

The primary firewall, administered by RM, runs CISCO Netscaler and secures Scandiatransplant as defined in the section "Network-layer DoS protection" of https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-a-powerful-defense-against-denial-of-service-attacks.pdf

Two-factor authentication (2FA) adds an extra layer of security, supplementing the username and password with IP address verification. 2FA is invoked when access is attempted from an unknown IP address; the token exchange is done via the e-mail address with which the user is registered in the system.
IP addresses that have been authenticated but not used for 180 days are deleted. Renewal of IP address authentication is automatically requested after 1 year.
2FA with SMS instead of IP address verification is available upon request.
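The IP-address second factor described above, as an added illustration that is not Scandiatransplant's code: an in-memory model (assumption) of each user's verified addresses with the 180-day deletion and 1-year renewal rules, driven by constructed login records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

UNUSED_LIMIT = timedelta(days=180)   # verified address deleted when unused this long (9.1.2)
RENEWAL_AFTER = timedelta(days=365)  # re-verification requested after one year (9.1.2)

@dataclass
class TrustedIp:
    verified_at: datetime  # when the e-mail token exchange completed for this address
    last_used: datetime    # most recent login seen from this address

class IpSecondFactor:
    """Decides whether a login from a given address must complete the e-mail token
    exchange. In-memory model (assumption): userid -> {ip: TrustedIp}."""
    def __init__(self):
        self.trusted = {}

    def _expire(self, userid, now):
        # Addresses not used for 180 days are deleted and become unknown again.
        user_ips = self.trusted.setdefault(userid, {})
        for ip in [ip for ip, t in user_ips.items() if now - t.last_used > UNUSED_LIMIT]:
            del user_ips[ip]
        return user_ips

    def check(self, userid, ip, now):
        """Return 'known' (no token needed), 'renew' (verified over a year ago) or 'unknown'."""
        entry = self._expire(userid, now).get(ip)
        if entry is None:
            return "unknown"
        entry.last_used = now
        return "renew" if now - entry.verified_at > RENEWAL_AFTER else "known"

    def confirm_token(self, userid, ip, now):
        """Record the address as verified once the user has returned the e-mailed token."""
        self.trusted.setdefault(userid, {})[ip] = TrustedIp(verified_at=now, last_used=now)

def simulate(logins):
    """Drive the model with constructed logins ('<iso-time> userid ip'); any login that
    needs the second factor is assumed to complete the token exchange successfully."""
    sf, decisions = IpSecondFactor(), []
    for line in logins:
        ts, userid, ip = line.split()
        now = datetime.fromisoformat(ts)
        decision = sf.check(userid, ip, now)
        if decision != "known":
            sf.confirm_token(userid, ip, now)
        decisions.append(decision)
    return decisions
```

Trust is kept per user, so the same address seen for a second userid is unknown for that user until it is verified again.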

Once two-factor authentication (2FA) has succeeded, authorization is granted and the software filters the data available to the user as detailed in section 9.4.
Access from ad hoc workstations by Scandiatransplant office staff is described here

9.2 Manage all user access rights

9.2.1 Develop a user registration process

Access to the Scandiatransplant database is granted by the system administrators at the Scandiatransplant office in Aarhus, Denmark. Users who are given access are recommended by their Head of Department or by existing Scandiatransplant database users; the name of the person approving the new user is registered in the system administration module. New users must be employed at one of the Scandiatransplant member hospitals. All users have, during their employment, signed a confidentiality agreement according to the secrecy act of their country.
There are no impersonal system users; all user accounts are unique and personal. Multiple users sharing the same account is not allowed.

Impersonal system accounts (e.g. root) used by the programmers to maintain OS software (databases, web services etc.) can only be used by logging in through a personal system user account and then impersonating the impersonal system account. All such actions are logged accordingly.

9.2.2 Set up a user access provisioning process

The account provisioning process is handled through the YASWA application, which ensures that the creation of accounts and the granting of access to data are consistent and simple to administer. In the creation process the following information is mandatory: unique user id, name, tx-center, role(s), date of creation, e-mail, person of approval and password.

The system administrators have the ability to create, amend, delete and suspend user accounts.

9.2.3 Restrict the use of privileged access rights

Privileges granted to each user are restricted to least privilege for the job function.

9.2.4 Control secret authentication information

A password management system (the exchange format is OASIS WS-Security SOAP Message Security) is available to all users, and after creation of a new account the user is forced to change password upon first login. All active users are forced to change password annually. To ensure passwords of good quality, the user is forced to create a password of at least 8 characters containing lowercase letters, uppercase letters and numbers. Passwords are stored as a hash (SHA-256) of the actual password.

The system monitors inactivity after login, and automatic logout is effected after 30 minutes.

9.2.5 Review access rights at regular intervals
At the end of each month a cron job creates a list of users who have not used the system for 180 days. System administrators review the list and contact the relevant departments to confirm whether each account is still required. Once a year, information about active user accounts is extracted by the Scandiatransplant office and the list is verified by each transplant center/department. (documentation list)

9.2.6 Remove or adjust user access rights
Where an individual has left their job or no longer needs access, the account is deactivated. Where a user is absent from work for a period greater than six months (due to maternity leave, long-term sickness absence etc.) the account is deactivated.

9.3 Protect user authentication

9.3.1 Protect secret authentication information
Weekly, a cron job produces a list of all unauthorized/failed logins, which is systematically checked by the Scandiatransplant office. Furthermore, daily random 'eyes on' checks of the access logs are done to reveal unauthorized login attempts. Users are recommended to change their password if they suspect that their account has been compromised.

5 unsuccessful login attempts with the same userid within 20 minutes automatically lead to temporary blacklisting for the next 20 minutes. More than 100 unsuccessful logins within 5 minutes automatically lead to permanent blacklisting.
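The two blacklisting thresholds as executable detection logic, added here as an example and not taken from the Scandiatransplant system; the page does not say which key the 100-in-5-minutes rule is counted on, so this example counts it per source IP address (assumption), and the auth-log line format is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds exactly as stated in 9.3.1 of the page.
TEMP_ATTEMPTS, TEMP_WINDOW, TEMP_BLOCK = 5, timedelta(minutes=20), timedelta(minutes=20)
PERM_ATTEMPTS, PERM_WINDOW = 100, timedelta(minutes=5)

def _prune(times, now, window):
    while times and now - times[0] > window:  # keep only failures inside the window
        times.popleft()

class LoginGuard:
    """Sliding-window blacklisting of failed logins. The 5-in-20-minutes rule is
    keyed on userid as the page says; the page does not say what the 100-in-5-
    minutes rule counts, so this example keys it on source IP (assumption)."""
    def __init__(self):
        self.user_failures = defaultdict(deque)  # userid -> failure times
        self.ip_failures = defaultdict(deque)    # ip -> failure times
        self.temp_blocked = {}                   # userid -> blocked until
        self.perm_blocked = set()                # permanently blacklisted ips
    def is_blocked(self, userid, ip, now):
        """Return 'permanent', 'temporary' or None for this login attempt."""
        if ip in self.perm_blocked:
            return "permanent"
        until = self.temp_blocked.get(userid)
        return "temporary" if until is not None and now < until else None
    def record_failure(self, userid, ip, now):
        """Register one failed login and return the resulting block state."""
        user_q = self.user_failures[userid]
        user_q.append(now)
        _prune(user_q, now, TEMP_WINDOW)
        if len(user_q) >= TEMP_ATTEMPTS:          # 5 failures within 20 minutes
            self.temp_blocked[userid] = now + TEMP_BLOCK
            user_q.clear()
        ip_q = self.ip_failures[ip]
        ip_q.append(now)
        _prune(ip_q, now, PERM_WINDOW)
        if len(ip_q) > PERM_ATTEMPTS:             # more than 100 within 5 minutes
            self.perm_blocked.add(ip)
        return self.is_blocked(userid, ip, now)

def replay(log_lines):
    """Replay constructed lines '<iso-time> FAIL|OK userid=.. ip=..'; return the states."""
    guard, states = LoginGuard(), []
    for line in log_lines:
        ts, result, user, ip = line.split()
        now, user, ip = datetime.fromisoformat(ts), user[7:], ip[3:]
        states.append(guard.record_failure(user, ip, now) if result == "FAIL"
                      else guard.is_blocked(user, ip, now))
    return states
```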

9.4 Control access to systems

9.4.1 Restrict access to information and applications

To support privacy by design and privacy by default, privileges granted to each user are restricted to the least privilege required for the job function. However, in specific, clearly defined situations and clearly defined parts of the system, users need to be able to access relevant information on recipients and donors from other centres. As soon as sharing the information with other centres is no longer needed, the restriction is automatically re-applied.
Accuracy and keeping data up to date is solely the responsibility of the controller to which the recipient/donor 'belongs'. The data processor acts on behalf of the controller and complies with the instructions given by the controller in relation to their data.
During the temporary period of organ matching, users need access to the data necessary for correct organ allocation and traceability according to EU directive 2010/45/EU.

The ability to view and add/change data is linked to the specified transplant center and the user roles granted by the Scandiatransplant office.

Access to each user role can be granted as 'access to look up data (B-user)' or 'access to look up and update data (A-user)'. The following describes the privileges of an A-user in each role:

Recipient

You are able to look up data on all recipients in Scandiatransplant who are active on the waiting list.
You can only alter/update/enter data on patients from your own country.
For patients who are temporarily inactive and not currently on the waiting list, you can only see patients of your user nationality and patients linked to a transplant center in your own country.

Deceased donors

For eligible, actual and deceased donors you can look up all information within 6 months after the date of donation, regardless of country. After that, you only have access to donors from your own country and donors from whom your center has received organs.
Access to view potential donors is limited to potential donors from your own country, unless an organ offer has been sent out, in which case all countries can see the information on that potential donor for 6 months.
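The look-up rule for deceased and potential donors as a data-filtering predicate, added here as an example and not Scandiatransplant's code; "6 months" is taken as 183 days and, for potential donors, counted from the date the offer was sent (assumptions), and the sample donors, center codes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

SIX_MONTHS = timedelta(days=183)  # assumption: the page's "6 months" taken as 183 days

@dataclass(frozen=True)
class User:
    center: str   # transplant center the user is linked to
    country: str

@dataclass(frozen=True)
class Donor:
    donor_id: str
    country: str
    status: str                                  # "potential", "eligible", "actual" or "deceased"
    donation_date: Optional[date] = None         # set for eligible/actual/deceased donors
    offer_sent: Optional[date] = None            # potential donors: date an organ offer went out
    organs_received_by: FrozenSet[str] = frozenset()  # centers that received organs from the donor

def can_view_donor(user: User, donor: Donor, today: date) -> bool:
    """Look-up rule for the 'Deceased donors' role as described in 9.4.1."""
    if donor.status == "potential":
        if donor.country == user.country:
            return True
        # An offer has been sent out: every country may see the donor for 6 months.
        # Assumption: the 6 months are counted from the date the offer was sent.
        return donor.offer_sent is not None and today - donor.offer_sent <= SIX_MONTHS
    # Eligible, actual and deceased donors: open to all countries for 6 months after donation,
    if today - donor.donation_date <= SIX_MONTHS:
        return True
    # thereafter only own-country donors and donors whose organs the user's center received.
    return donor.country == user.country or user.center in donor.organs_received_by

def visible_donors(user: User, donors, today: date):
    """Filter a result set the way the application layer would before returning rows."""
    return [d.donor_id for d in donors if can_view_donor(user, d, today)]

# Constructed sample data; center codes, countries and dates are illustrative only.
SAMPLE_USER = User(center="CEN-A", country="DK")
SAMPLE_DONORS = [
    Donor("D1", "SE", "deceased", donation_date=date(2019, 1, 10)),
    Donor("D2", "SE", "deceased", donation_date=date(2018, 3, 1), organs_received_by=frozenset({"CEN-A"})),
    Donor("D3", "SE", "deceased", donation_date=date(2018, 3, 1)),
    Donor("D4", "NO", "potential"),
    Donor("D5", "NO", "potential", offer_sent=date(2019, 2, 20)),
    Donor("D6", "DK", "potential"),
]
def demo(today_iso: str, user: User = SAMPLE_USER):
    return visible_donors(user, SAMPLE_DONORS, date.fromisoformat(today_iso))
```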

Living donors

You have access to view and update data on all living donors from your own country.

Liver registry

You have access to view and update data on all patients that have been registered on a waiting list at your own transplant centre.

Thorax registry

You have access to view and update data on all patients that have been registered on a waiting list in your own country.

Pancreas registry

You have access to view and update data on all patients that have been kidney transplanted in your own country.

Kidney registry

You have access to view and update data on all patients that have been kidney transplanted in your own country.

Data extractions

You can extract data on all patients that have been registered on a waiting list at your own transplant centre and donor data related to patients transplanted at your centre.

Version history
No   Updated     Update by        Title            Approved    Approved by           Public
1.0  2018-12-11  Ilse Weinreich   Initial version  2018-12-15  Kaj Anker Jørgensen
1.1  2019-01-14  Bo H. Pedersen   Next version     2019-02-06  Ilse Weinreich