IA-3 Device Identification and Authentication

Control: Identify and authenticate specific devices before establishing a connection.

Illustrative Controls and TIBCO LogLogic Solution

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development, and maintenance) should be uniquely identifiable. Giving every user a uniquely identifiable ID ensures that accurate and complete audit trails can be maintained. Deficiencies in this area can significantly impact accountability. For example, users logging in with shared IDs can modify healthcare records, which can prevent future audits from identifying who modified the data.

To satisfy this requirement, administrators must ensure all logins are assigned a unique name and number for identifying and tracking user identity. Administrators must review the ID list to identify IDs that might be generic, and question who is using each one and why it exists. Administrators can review the times and sources of the logins to determine whether they overlap. If the times overlap and the sources are different, that should indicate a shared (or generic) ID. Administrators must also validate that attempts to gain unauthorized access to healthcare reporting systems and subsystems are logged and are followed up in a timely manner.
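The overlap review described above can be automated over exported login records. The following is an added example, not part of the LogLogic product or its reports; the record layout (user, source, login time, logout time), the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample session records, one per line.
# Assumed layout: user ID, source address, login time, logout time.
SAMPLE_SESSIONS = """\
nurse01,10.0.4.21,2024-03-01T08:00:00,2024-03-01T12:00:00
nurse01,10.0.4.21,2024-03-01T13:00:00,2024-03-01T17:00:00
frontdesk,10.0.4.30,2024-03-01T08:05:00,2024-03-01T16:00:00
frontdesk,10.0.7.88,2024-03-01T09:30:00,2024-03-01T11:15:00
frontdesk,10.0.9.14,2024-03-01T15:30:00,2024-03-01T18:00:00
drsmith,10.0.5.10,2024-03-01T08:00:00,2024-03-01T10:00:00
drsmith,10.0.6.40,2024-03-01T10:00:00,2024-03-01T12:00:00
"""

def parse_sessions(text):
    """Group (source, login, logout) tuples by user ID."""
    by_user = defaultdict(list)
    for line in text.strip().splitlines():
        user, source, start, end = line.split(",")
        by_user[user].append(
            (source, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return by_user

def find_shared_ids(by_user):
    """Return {user: [(source_a, source_b, overlap_start, overlap_end), ...]}."""
    findings = {}
    for user, sessions in by_user.items():
        ordered = sorted(sessions, key=lambda s: s[1])  # order by login time
        hits = []
        for (src_a, start_a, end_a), (src_b, start_b, end_b) in combinations(ordered, 2):
            if src_a == src_b:
                continue  # same source: not evidence of sharing
            overlap_start, overlap_end = max(start_a, start_b), min(end_a, end_b)
            # Strict comparison: back-to-back sessions (logout == next login) do not overlap.
            if overlap_start < overlap_end:
                hits.append((src_a, src_b, overlap_start, overlap_end))
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in find_shared_ids(parse_sessions(SAMPLE_SESSIONS)).items():
        for a, b, start, end in hits:
            print(f"{user}: {a} and {b} both active {start} to {end}")
```

A flagged ID is a prompt for the follow-up described above (who is using it and why), since one person signed in on two devices produces the same pattern.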

Reports and Alerts

Use the following reference to see the IA-3 reports and alerts: IA-3 Device Identification and Authentication