Abstract Plus Version 3


ABSTRACT PLUS VERSION 3:
Security Standards Upheld
Scott Van Heest
IT Specialist, Data Analysis and Support Team, NPCR, CDC
Denise Farmer
CDC/NPCR Contractor
NAACCR 2010 Annual Conference
Quebec City, Canada
June 24, 2010
National Center for Chronic Disease Prevention and Health Promotion
Division of Cancer Prevention and Control
Background

NPCR program standards require registries to have
data security procedures in place to ensure cancer
registry data are available only to those who need to
use it for legitimate purposes

Controlling access to data helps ensure patient
privacy and data confidentiality

Abstract Plus version 3 has improved software
features to uphold security standards
Abstract Plus Purpose

Summarize the medical record into an electronic report
of cancer diagnosis and treatment by abstractors and
other individuals or groups who work with cancer data

Conduct casefinding, reabstracting (blind or unblinded), and recoding audits of reporting facilities and
central registry coding staff

CDC provides support and consultation to state central
registries for their state-specific customization and
distribution of the Registry Plus software
Abstract Plus Functions

Used to abstract, code, and audit cancer cases using
standard data items and codes

Supports abstraction and auditing of all data items in
national standard data sets, including all text fields and
state-specific data items

Entered abstracts are validated by customizable edits,
allowing for interactive error correction while
abstracting

Customized by central registries for distribution to and
use by hospitals and other reporting sources

Also used for special projects and start-up registries
Security Features

Options to configure security policies

Form-based authentication, and Challenge Questions
for individual users

User passwords stored and encrypted using a one-way
hash method

Microsoft Access encrypted databases

Microsoft SQL Server database option

Role-based access
Results: Application Preferences

Security Policies

Security Challenge Questions

Password Expiration, Re-use, and Password
Expression (restrictions) options

Database options
Security Policies
Options for challenge question setup and use
Options for password expiration, re-use and password restrictions
Security Questions
Add or remove challenge questions to be presented to the user

Security Challenge Questions can be added or
removed from current list of questions
Password Expression
Use default
Edit
Test custom
password
restrictions

Customized password restrictions can be set via regular
expression, or the default expression can be used
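
How the three password options named in these slides (password expression, re-use, expiration) can be enforced together over one-way hashed passwords, as an added example that is not Abstract Plus code. The regular expression, 90-day lifetime, history depth and PBKDF2 parameters are assumptions, since the slides do not state the product's defaults, and the passwords in `demo()` are constructed.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

# Assumed policy values; the slides do not state Abstract Plus's defaults.
PASSWORD_EXPRESSION = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}")
MAX_AGE = timedelta(days=90)   # password expiration
HISTORY_DEPTH = 5              # how many previous passwords block re-use
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """One-way, salted hash; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def matches_hash(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:
    def __init__(self, initial_password, now):
        self.history = [hash_password(initial_password)]  # newest last
        self.changed_at = now
        self.must_change = True  # initial password is valid for first login only

    def is_expired(self, now):
        return self.must_change or now - self.changed_at > MAX_AGE

    def change_password(self, old, new, now):
        """Return a rejection reason, or None when the change is accepted."""
        if not matches_hash(old, *self.history[-1]):
            return "old password incorrect"
        if not PASSWORD_EXPRESSION.fullmatch(new):
            return "fails password expression"
        if any(matches_hash(new, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            return "password re-use"
        self.history.append(hash_password(new))
        self.changed_at, self.must_change = now, False
        return None

def demo():
    """Constructed walk-through: first login, a re-use attempt, then expiry."""
    t0 = datetime(2010, 6, 24)
    acct = Account("Welcome1", t0)
    return [acct.change_password("Welcome1", "Reg1stry!Data", t0),
            acct.change_password("Reg1stry!Data", "Reg1stry!Data", t0),
            acct.is_expired(t0 + timedelta(days=91))]
```

Because the history holds only salted digests, the re-use check re-hashes the candidate with each stored salt rather than comparing plaintext.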
Database Options
SQL Server options
MS Access Encrypted Databases

Password protected access outside application

User passwords encrypted in database

Common database access needs met through menu
selections

Support available for database customization
MS SQL Server Database Option

Requires SQL Server database management for
abstract database

Allows multi-user abstract database access, with
record locking

Requires database connection string for setup

SQL Server offers inherent security features

Login same as MS Access option

Database option included in title bar
Role-based Access

Facility Abstractors (login access):
• Add, edit, delete, print, and export abstracts

Auditors (additional password required) – perform all
Facility Abstractor functions, plus:
• Perform casefinding, reabstracting, and recoding audits

Administrators (additional password required) – perform all Facility Abstractor and Auditor functions,
plus:
• Set application preferences
• Manage abstracting and auditing display types, and set up audit
databases
• Manage user accounts and passwords
• Maintain Administrator/Auditor passwords
Form-based Authentication

Login requires valid username and password

First-time access to application requires setup of user
account

Initial login requires setup of user’s password with
challenge security questions

Forgotten password can be reset by user with valid
answers to challenge questions

Password can be managed by user or administrator
• User allowed to change password (must know old password)
Creating User Account on Initial Access

Enter User Name, User ID, and Initials

Click Add

Click Close
User Name
User ID
Initial Log In



Enter User ID from new user account
Enter default, initial access password (Welcome1)
Update default password to new secure, user-specified password
User ID
Welcome1
Enter and confirm new password
Define User’s Security Questions



Prompted to select and answer required number of questions
Each selected question must be different
Verification of answers used to reset forgotten password
Select questions and answers
Routine Log In




User ID and Password required
Password is case sensitive
Click Forgot Password to reset password using
security questions to verify user
Click Change Password to change existing, known
password
User ID
Password
Conclusions
Abstract Plus version 3:

Provides user-friendly, flexible options for meeting
changing security standards

Preserves the confidentiality, integrity, and availability
of cancer registry data
Thank You!
Denise Farmer
Joe Rogers
Sherrie Stein
Kathleen K. Thoburn
For more information please contact Centers for Disease Control and
Prevention
1600 Clifton Road NE, Atlanta, GA 30333
Telephone, 1-800-CDC-INFO (232-4636)/TTY: 1-888-232-6348
Web: www.cdc.gov
The findings and conclusions in this report are those of the authors and do not necessarily represent the official
position of the Centers for Disease Control and Prevention.