Welcome to CORC

Module 5: Lesson 1-CORC Security: Topic 2-The CORC System

This Lesson topic outlines a few of the security features that have been designed and built into the CORC System. By CORC System we are referring to the entire CORC system, which is much more than the Web Application the Hospitals use (that we discussed in the previous Lesson Topic).

CORC System

The CORC System as a whole includes a number of components. We will discuss security on most of them, including:
  1. Access to the CORC System
  2. Role-based security
  3. Submission site and Master Control site
  4. Hospitals monitoring user access
  5. HCAI monitoring user access and activities
  6. Limited HCAI access
  7. HCAI security and firewalls
These topics are discussed in the sections below, some with less detail in order to preserve security measures.

Access to the CORC System

As discussed previously, CORC users must have a Username and Password in order to use the CORC System. Without these, the CORC System cannot be accessed legally.

A CORC user may change their own password or it can be reset by a Hospital UAA (or by calling the CORC HOTLINE at (916) 326-3865).

Role-Based Security

Not all HCAI Users can create HCAI or Hospital Users. Not all Hospital Users can perform all functions in the CORC Submission site. This is because the CORC System uses what is called Role-Based Security. This simply means that for each TAB, every function, every screen in the CORC applications, ONLY those types or roles of users allowed to see or perform those functions have the ability to perform them. For a Hospital, there are three types of users. They are:
  1. UAA
  2. Data Submitter
  3. Report Viewer
A UAA is allowed to perform ALL functions in the CORC Submission site. This includes:
  1. Viewing ALL Reports
  2. Submitting and Updating Data
  3. Creating Hospital Users and Resetting Passwords
A Data Submitter is allowed to perform the following functions in the CORC Submission site:
  1. Viewing ALL Reports
  2. Submitting and Updating Data
A Report Viewer is limited to the following function in the CORC Submission site:
  1. Viewing ALL Reports
HCAI Users are also divided into various roles, allowing specific users to perform specific functions in the CORC Master Control site, but for security purposes, those will not be discussed in this CBT.

Submission Site and Master Control Site

As mentioned previously, the CORC System has both a Submission site and a Master Control site. BOTH of these applications are web-based applications. While the Master Control site is ONLY accessible inside the HCAI office, the Submission site is available anywhere there is access to the Internet. In fact, tests by both HCAI and Hospital staff have verified that the CORC Submission site works on iPhones and Android-based smartphones! The mobile application is EXACTLY the same as the PC-based web application. This allows Hospital Users to check on the status of their submissions any time and from anywhere. The CORC Submission site allows the Hospital User (based on defined roles) to perform the functions listed in the table below:

[Table of Submission Site Functions]

While the Master Control site provides vast capabilities in both the set up, operation and monitoring of the CORC System, for security purposes, those features will not be discussed outside of the HCAI office.

Hospitals Monitoring User Access

At the present time, the capability to monitor Hospital User activity by a UAA is not in the CORC System. However, this capability is being designed into the CORC System. Once it has been thoroughly tested and approved, it will be put into production and Hospitals will have the ability to better track WHO accesses their data via the CORC Submission application.

Currently, UAAs can use the CORC Submission site to manage Hospital User access to their Hospital's data in the CORC Submission application. A UAA can set users to Active or Inactive, and can Lock or Unlock user access to the CORC Submission application.

To help monitor Hospital User accounts, the CORC Administrator in HCAI periodically reviews the Hospital User accounts for all hospitals and contacts Hospital UAAs when user accounts are not accessed for extended periods of time. This excludes those accounts that are Inactive.
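
The periodic account review described above, sketched as an added example; it is not part of the CORC System or HCAI's own code. The record fields, the sample accounts and the 90-day threshold are assumptions, since the lesson says only "extended periods of time".

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed threshold: the lesson does not define "extended periods of time".
STALE_AFTER = timedelta(days=90)

# Constructed sample records; field names are hypothetical, not CORC's schema.
ACCOUNTS = [
    {"hospital": "Hospital A", "user": "uaa01", "role": "UAA", "status": "Active", "last_access": date(2024, 5, 20)},
    {"hospital": "Hospital A", "user": "sub01", "role": "Data Submitter", "status": "Active", "last_access": date(2023, 11, 2)},
    {"hospital": "Hospital A", "user": "view01", "role": "Report Viewer", "status": "Inactive", "last_access": date(2022, 1, 15)},
    {"hospital": "Hospital B", "user": "uaa02", "role": "UAA", "status": "Active", "last_access": None},
    {"hospital": "Hospital B", "user": "view02", "role": "Report Viewer", "status": "Active", "last_access": date(2024, 6, 1)},
]


def stale_accounts(accounts, today, stale_after=STALE_AFTER):
    """Group Active accounts with no access inside the window by hospital.

    Inactive accounts are skipped, as in the lesson. An account that was
    never accessed (last_access is None) is reported with idle_days None.
    """
    report = defaultdict(list)
    for acct in accounts:
        if acct["status"] != "Active":
            continue
        last = acct["last_access"]
        idle_days = None if last is None else (today - last).days
        if idle_days is None or idle_days > stale_after.days:
            report[acct["hospital"]].append((acct["user"], acct["role"], idle_days))
    return dict(report)


def hospitals_with_stale_uaa(report):
    """Hospitals where the stale account is the UAA's own, i.e. the usual contact."""
    return sorted(h for h, rows in report.items() if any(r[1] == "UAA" for r in rows))


if __name__ == "__main__":
    findings = stale_accounts(ACCOUNTS, today=date(2024, 6, 15))
    for hospital, rows in sorted(findings.items()):
        for user, role, idle in rows:
            idle_text = "never accessed" if idle is None else f"{idle} days idle"
            print(f"{hospital}: {user} ({role}) {idle_text}")
    print("Stale UAA account at:", hospitals_with_stale_uaa(findings))
```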

HCAI Monitoring User Access and Activities

The CORC Master Control application gives HCAI the capability to monitor both User Access and Activity within the CORC System. The design is intended to provide the CORC Administrator with the capability to monitor use of the CORC System, in terms of both the Submission site and the Master Control site. It is this capability which is intended to be expanded for use by Hospital UAAs.

Limited HCAI Access

Not all HCAI users have access to the CORC System. Only HCAI staff and management that work directly in support of the CCORP program, and more specifically have the need to use the CORC System have access to it. Just as hospital users have various roles within the CORC Submission site, allowing them to perform specific, approved functions within CORC, the CORC Master Control application uses role-based security.

A limited number of HCAI staff and management have access to the CORC System, and as the capabilities within the CORC System increase, the number of HCAI staff with those added capabilities decreases. In terms of checks and balances, no one person has total control of all functions within the CORC System. While the CORC Administrator may have complete use of all features within the CORC System, more than one HCAI staff member has this designation within the CORC System.

In addition to these levels of control of the CORC System, HCAI maintains detailed documentation about the CORC System, both technical documentation for the Information Technology (IT) staff that maintains the CORC System and detailed User Documentation. The user documentation covers all features and functions within the CORC System to ensure continuity of operations unaffected by staff turnover.

HCAI Security and Firewalls

In addition to limiting access to the CORC System, and employing strict role-based security therein, access to CORC databases is limited within the HCAI office. The technical infrastructure of the CORC System is closely guarded information such that not all IT staff are aware of its key components. No HCAI staff have unrestricted access to the CORC databases outside the CORC System.

HCAI also employs various layers of hardware and software to form a protective barrier or firewall around the CORC System and databases. While NO system is impervious to outside attack, HCAI technical staff remain vigilant in protecting, monitoring and changing route access into and out of the CORC System and databases.

In short, HCAI, and more specifically CCORP, staff and management take the task of protecting confidential hospital data that has been entrusted to them via the CORC System VERY seriously. We understand hospital staff take their responsibility to protect patient data very seriously and expect nothing less of HCAI staff and management.


