Security Features in Web Plus

What to know

Web Plus is a secure application that can be used to transmit confidential patient data between reporting locations and a central registry safely over the Internet. Security is achieved by a combination of software features and network infrastructure.

Security features of the Web Plus application

Form-based authentication

Web Plus requires users to enter their user ID and password to access the system. The system provides several options to configure password attributes. These options can be set by the central registry administrator (see Role-Based Access below). Configurable attributes include:

  • Enforcing the complexity of passwords.
  • Requiring new passwords to be different from the ones used before.
  • Setting password expiration dates.
  • Forcing users to change the password when the administrator resets a forgotten password.

Multifactor authentication

Multifactor authentication can be implemented by requiring users to enter a personal identification number or answer challenge questions (or both), in addition to providing their user IDs and passwords.

Personal identification number (PIN). The PIN feature is an optional security feature that satisfies the requirement of two-factor user authentication. When enabled on the systems preference page, the central registry administrator generates a unique, random Web Plus PIN matrix for every user. To log in, users must enter their user ID and password, along with a four-digit PIN that is based on coordinates from their Web Plus PIN matrix. Note: PIN matrix coordinates are provided upon login, and the hosting agency must mail the matrices to users.

Challenge questions. The challenge question feature is also optional. When enabled on the systems preference page, the central registry administrator enters questions each user must answer when the feature is initially enabled and then answer again upon login to validate the user's identity. The number of challenge questions to answer for initial setup and login is configurable.

Role-based access

Web Plus grants users different levels of access depending on their role. Seven roles are defined in Web Plus:

  • Facility abstractor: Works in a local facility or doctor's office and handles patients' medical records. When a patient is diagnosed with cancer, the facility abstractor reports the case to the central cancer registry.
  • Central registry abstractor or reviewer: Reviews abstracts submitted to the central registry for completeness and accuracy and may abstract additional data items from submitted text; also abstracts new cases.
  • Central registry administrator: Sets up local facilities with access to Web Plus to report their data; manages facility accounts and users at the central registry and facilities; configures display types, edit sets, and system preferences; assigns abstracts to registry staff; exports data; and generates reports.
  • Local administrator: Manages the users who are allowed to access Web Plus at one facility.
  • File uploader: Uploads files of abstracts in the appropriate North American Association of Central Cancer Registries format that were not abstracted using Web Plus, views NPCR-EDITS error reports, and cleans errors on rejected files.
  • Follow-back supervisor: Uploads files of partially filled follow-back abstracts, manually adds follow-back abstracts online, tracks follow-back abstracts by uploaded file or by facility, and generates follow-back reports.
  • Follow-back monitor: Tracks follow-back abstracts by assigned facility and generates follow-back reports.

Other security features

Other Web Plus security features include:

  • All users of a facility have access to all abstracts entered for the facility.
  • Web Plus keeps an extensive log of user logins, data accesses, and updates for auditing purposes.
  • Users' accounts can be locked after a set number of failed attempts to log in.
  • Administrators can deactivate users' accounts.
  • The central administrator can see which pages users have accessed.
  • Display types and edit set configurations are centrally controlled.
  • User passwords are encrypted using a one-way hash method.
  • The connection string to the server database can be encrypted.

Security features of the network infrastructure

Security on client computers. Anti-virus and anti-spyware software should be installed on the computers of all clients that are part of a registry network, and these programs should be updated regularly.

Secure communication channel. Web Plus relies on a Transport Layer Security (TLS) channel between the web server and the client browser to protect the data exchanged over the Internet. This secure communication channel is not part of Web Plus, but is required for Web Plus to send data securely.