AMC HIPAA Security Guidelines
Category I and II Guidelines
SEC.01 Certification § .308(a)(1)
Category I Guidelines: actions must be taken to address these.
- Implement a certification process to determine the extent to which systems and networks meet established security criteria.
Category II Guidelines: actions should be taken to address these.
- Document the network configuration.
- Ensure that individuals performing certifications are knowledgeable about security requirements and best practices.
- Ensure that conflicts of interest do not exist in the certification process; specifically, certifiers must not be responsible for the administration or maintenance of the system or network they certify.
- Perform certification at least once every three years, because computer systems change and IT-related security risks change at an accelerating rate.
SEC.02 Chain of Trust Partner Agreement § .308(a)(2)
Category I Guidelines: actions must be taken to address these.
- Develop a Chain of Trust Agreement (COT) with each party with which protected health information is shared, including language that states that:
  - The parties agree to electronically exchange data and protect the transmitted data; and
  - Each party will maintain the integrity and confidentiality of the transmitted information.
- Develop a plan to update all current agreements to ensure that the terms and conditions do not contain any provisions, including data content and format definitions, that conflict with the standards outlined in the security regulations.
- Develop a plan to ensure that all future agreements have appropriate provisions.
Category II Guidelines: actions should be taken to address these.
- Engage legal counsel to develop and review contract language for the COT.
- Establish monitors to ensure compliance by all parties subject to the agreement.
- Train all contracting officials about the nature and intent of the COT.
- Devise and promulgate a COT template for all Contracting Officers to use.
- Establish a process to determine when and how to activate the sanctions for nonperformance with regard to the COT.
- Periodically review all current partnerships for COT need.
- Develop a process to review partners' COTs for adequacy and fairness.
SEC.03 Contingency Planning § .308(a)(3)
Category I Guidelines: actions must be taken to address these.
- Assess all systems with protected health information for reasonably anticipated risks, focusing on the potential impact of the lack of availability of specific applications and data on the secure operation of the covered entity.
- Prepare a data backup plan that details how data will be maintained and duplicated in order to prevent its loss during a natural or man-made disaster.
- Prepare a disaster recovery plan that details how data and operations would be restored in a timely fashion following a catastrophic event or unanticipated interruption of operations.
- Prepare a plan to use for emergency operations following a catastrophic event until normal operations can be restored.
- Test these procedures periodically and revise them accordingly to address any weaknesses discovered during testing.
Category II Guidelines: actions should be considered to address these.
- Develop a data storage plan that ensures that the medium and location of backup storage are secure from physical damage and that backup storage is separated in some way from the main site.
- Dispose of information in a manner that maintains its security. Shred paper and wipe magnetic or optical media.
- Make backups at regular intervals.
- Develop a procedure covering the scope (full, incremental, and differential) of backups.
- Provide adequate facilities to support recovery operations.
- Test contingency and disaster recovery plans regularly, specifically including restoration of data.
- Protect backup information at the same level as the original data.
SEC.04 Formal Mechanism for Processing Records § .308(a)(4)
Category I Guidelines: actions must be taken to address these.
- Develop and document processes to govern the creation of protected health information.
- Establish policies and procedures on storage of data, including administrative policies governing how long various types of data are to be stored and policies for the archiving and destruction of data.
- Establish policies for data dissemination within and external to the covered entity. (See Comments.)
- Develop policies for secure disposal of protected health information, including information contained on media and systems that are replaced.
Category II Guidelines: actions should be taken to address these.
- Protect records to a degree commensurate with the risk associated with them.
- Consider standardizing record management policies across the enterprise.
SEC.05 Information Access and Control § .308(a)(5)
Category I Guidelines: actions must be taken to address these.
- Establish documented policies and procedures to assign, implement, revoke, and modify access to protected health information.
Category II Guidelines: actions should be taken to address these.
- Create a process for determining access needs for individuals and other entities such as law enforcement and public health.
- Grant access on the basis of need-to-know and/or right-to-know.
- Provide a means to review the effectiveness of access management and control.
- Assign responsibility for implementing the policy to specific individuals or organizations within the covered entity.
- Enact a process to modify access, taking into account the types of, and reasons for, previously established access.
- Require implementation of technical means to control information access.
- Require execution of a grantor-grantee agreement to honor information security requirements before access is granted.
- Establish a process to ensure that system access is available at appropriate times for repair and other maintenance purposes.
- Establish a documented plan to ensure that all workforce members can demonstrate knowledge of access control responsibilities and how to obtain access authorization.
- Establish a process whereby termination of a workforce member's or other entity's need for data access will trigger timely revocation of access.
- Require data owners or stewards to list functions that will require access to data for which they are responsible.
SEC.06 Internal Audit § .308(a)(6)
Category I Guidelines: actions must be taken to address these.
- Maintain, and periodically review, audit trails or activity logs for critical application systems, including user-written applications.
Category II Guidelines: actions should be taken to address these.
- Follow up on suspicious entries such as unauthorized accesses and access attempts.
- Identify and resolve inappropriate activity.
- Ensure that audit procedures validate the necessity for data input, processing, and output.
- Ensure that audit requirements and activities do not disrupt important business processes.
- Agree to and control the scope of the checks.
- Explicitly identify resources for performing the checks and ensure that they are available.
- Identify and agree to requirements for special or additional processing, such as prospective audits of user activity.
- Document all procedures, requirements, and responsibilities.
- Consider making logs of access to individuals' health information available to the subjects of the records via a "patient portal."
- Develop an audit process to ensure that users comply with access control procedures.
SEC.07 Personnel Security § .308(a)(7)
Category I Guidelines: actions must be taken to address these.
- Establish written personnel clearance procedures for determining the appropriateness of access to protected health information or systems.
- Maintain documentation regarding the levels of access granted to each individual, program, and procedure.
- Review access levels periodically.
- Review access levels when the status of the workforce member changes.
- Ensure that system users and technical maintenance staff receive security awareness training.
- Ensure that maintenance and vendor personnel are supervised when working on or near protected health information.
Category II Guidelines: actions should be taken to address these.
- Conduct records checks on applicants for employment, including residence, employment, criminal history, and education, when the job requires access to protected health information. (See Comments.)
- Require staff and maintenance/vendor employees to sign non-disclosure statements before being given access to protected health information.
SEC.08 Security Configuration Management § .308(a)(8)
Category I Guidelines: actions must be taken to address these.
- Develop written security plans, procedures, and instructions to cover all areas of the covered entity's information security needs.
- Create and document procedures for installing and maintaining software and hardware and for periodic testing of that software's and/or hardware's security attributes.
- Develop a written inventory of hardware and software assets and keep the inventory current.
- Conduct security testing to ensure that the covered entity's security features are adequate; security testing must include a manual or automated process of identifying vulnerabilities, functional and penetration testing, and verification.
- Ensure that virus scans are run on a regular schedule.
Category II Guidelines: actions should be taken to address these.
- Establish a team representing diverse perspectives to plan security controls.
- Have written procedures to report equipment malfunctions and any remedial actions taken.
- Require departmental systems not managed centrally to comply with the same security configuration requirements as centrally managed systems.
- Employ anti-virus countermeasures at multiple levels, for example on servers, e-mail hosts, and desktops.
- Maintain a separate test environment and test system changes for security integrity there before moving them to the production systems.
SEC.09 Security Incident Procedures § .308(a)(9)
Category I Guidelines: actions must be taken to address these.
- Implement an incident reporting and response procedure and document it.
Category II Guidelines: actions should be taken to address these.
- Tell workforce members when, how, and to whom to report a security incident.
- Require workforce members to acknowledge that they have received security incident training.
- Require workforce members to report the incident if they inadvertently access protected health information they should not have accessed.
- Ensure that workforce members know that they should report security violations to a supervisor, system administrator, security, internal audit, or others as appropriate.
- Require workforce members to report instances of noncompliance.
- Ensure that the teams of people who are typically involved in responding to a security incident have a well-understood working arrangement that ensures that the incident is handled efficiently, expeditiously, and with respect for law and individual rights.
SEC.10 Security Management Process § .308(a)(10)
Category I Guidelines: actions must be taken to address these.
- Establish a management structure that identifies roles and responsibilities for security oversight and operational aspects.
- Establish an overall information security policy that articulates the organization's priorities and expectations with respect to safeguarding protected health information.
- Identify and communicate the security responsibilities of workforce members who access, or manage access to, protected health information.
- Employ risk analysis to identify information assets, threats, and the likelihood and costs of adverse occurrences.
- Manage risk by applying cost-effective security solutions to reduce the likelihood and extent of losses due to adverse occurrences.
- Develop a sanctioning process for violators and communicate it to all workforce members. In addition to institutional corrective action, the policy must include notices of civil or criminal penalties and notices that violations may result in notification of law enforcement and/or regulatory, accreditation, and licensure organizations.
Category II Guidelines: actions should be taken to address these.
- Develop and apply a data criticality/sensitivity classification scheme.
- Make risk analysis and risk management ongoing.
- Consider establishing progressive sanctions, such as verbal warning, written warning, suspension, and employment termination.
- Ensure that the sanction policy provides for swift and strong action when appropriate.
- Establish a process to document and evaluate trends in breaches and sanctions in order to identify potential improvements in security, e.g. changes to policy, procedures, training, or technical measures.
- Require all who have, or may have, access to protected health information to sign security, confidentiality, and computer usage agreements.

SEC.11 Termination Procedures § .308(a)(11)
Category I Guidelines: actions must be taken to address these.
- When workforce members terminate employment or lose clearance, or their authorization or need-to-know no longer exists, take the following actions:
  - Recover keys, identification cards, physical tokens, and any other objects that facilitate physical access to property, buildings, and equipment;
  - Change locks and/or combinations that control physical access to areas and equipment (this must also be done on a recurring basis);
  - Revoke user accounts that provide access to information, services, and resources;
  - Remove them from lists that document authorized access to controlled areas and to information, services, and resources;
  - Document these processes as formal instructions.
Category II Guidelines: actions should be taken to address these.
- Establish a policy and process to promptly report all terminations and ensure that the revocation process works promptly.
- Document explicit maximum time intervals that are permissible for:
  - Reporting terminations;
  - Communicating terminations to security administrators;
  - Disabling access.
- Develop and document a process to ensure that, in instances of involuntary termination, the action is immediately reported to security administrators and that items that enable access are collected or inactivated immediately.
- Consider revoking access prior to employment termination, particularly in instances of involuntary termination.
- Consider conditions in which people put on administrative leave (e.g. pending an investigation of misuse of access) should have their access privileges altered.
- Revise access when roles change.
- Disable access privileges for any user account that shows no activity for a pre-determined period of time (e.g. three months).
- Review all suspended accounts for activity or attempted activity and report any such activity for investigation as a potential breach.
- Periodically audit the effectiveness of the process for disabling access in the event of a termination to ensure that procedures and guidelines are being followed.
- Record the completion of inactivation activities.
- Perform exit interviews for any termination in which a potential security concern has been identified.
- Maintain a record of any changes made to an individual's access privileges, and retain it long enough that it is possible to determine the extent of an individual's historic access in case it is relevant to an investigation.
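The two review steps above (disable accounts idle beyond the pre-determined period, and treat any login attempt against a suspended account as a potential breach) are easy to automate over a directory export. The following is an added example written for this page, not code from the AMC guidelines; the account records, field names and the 90-day limit are constructed assumptions.

```python
# Added example for SEC.11: flag accounts that should be disabled for inactivity
# and suspended accounts that still show login attempts. Illustrative code, not
# part of the AMC guidelines; the account records below are constructed.
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)  # the guideline's "e.g. three months"

# Constructed directory export. last_login / last_attempt are ISO timestamps or
# None; suspended_at is set only for suspended accounts.
ACCOUNTS = [
    {"user": "jdoe",    "status": "active",    "last_login": "2024-05-30T08:12:00",
     "last_attempt": "2024-05-30T08:12:00", "suspended_at": None},
    {"user": "asmith",  "status": "active",    "last_login": "2024-01-15T17:40:00",
     "last_attempt": "2024-01-15T17:40:00", "suspended_at": None},
    {"user": "svc_lab", "status": "active",    "last_login": None,
     "last_attempt": None,                  "suspended_at": None},
    {"user": "bwong",   "status": "suspended", "last_login": "2024-02-01T09:00:00",
     "last_attempt": "2024-05-28T23:51:00", "suspended_at": "2024-03-01T00:00:00"},
    {"user": "cruiz",   "status": "suspended", "last_login": "2024-02-10T11:00:00",
     "last_attempt": "2024-02-10T11:00:00", "suspended_at": "2024-03-15T00:00:00"},
]


def parse_ts(value):
    """ISO timestamp string -> datetime, or None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def stale_accounts(accounts, now, limit=INACTIVITY_LIMIT):
    """Active accounts with no successful login within `limit`.

    An account that has never logged in is reported too: an enabled but
    unused account is exposure with no business benefit.
    """
    stale = []
    for acct in accounts:
        if acct["status"] != "active":
            continue
        last = parse_ts(acct["last_login"])
        if last is None or now - last > limit:
            stale.append(acct["user"])
    return stale


def suspended_with_activity(accounts):
    """Suspended accounts that record a login attempt after suspension.

    Any hit goes to investigation as a potential breach: a disabled credential
    is being tried, so it either leaked or the revocation did not propagate to
    every system.
    """
    hits = []
    for acct in accounts:
        if acct["status"] != "suspended":
            continue
        attempt = parse_ts(acct["last_attempt"])
        since = parse_ts(acct["suspended_at"])
        if attempt is not None and since is not None and attempt > since:
            hits.append((acct["user"], acct["last_attempt"]))
    return hits


def review(accounts, now):
    """One report per review run; in practice this feeds the ticketing system."""
    return {
        "disable_for_inactivity": stale_accounts(accounts, now),
        "investigate_suspended": suspended_with_activity(accounts),
    }


if __name__ == "__main__":
    print(review(ACCOUNTS, datetime(2024, 6, 1)))
```

Run it against a real export and the two lists become the work queue for the access administrators and the security officer respectively; the "never logged in" case matters because provisioned-but-unused accounts are routinely missed by reviews that key only on last-login age.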
SEC.12 Security Training § .308(a)(12)
Category I Guidelines: actions must be taken to address these.
- Establish a formal, documented security awareness training program for all workforce members that addresses, at a minimum, the following topics:
  - Protection against, and reporting of, viruses;
  - Reporting security incidents;
  - Managing individual passwords.
- Establish a formal, documented security awareness program tailored to system users that addresses, at a minimum:
  - Virus protection;
  - Potential harm viruses can cause;
  - How to prevent the introduction of viruses into a computer system;
  - What to do if a virus is detected;
  - The importance of monitoring log-in success or failure;
  - How to report discrepancies in the log-in process;
  - Rules for creating and changing passwords;
  - Safeguarding passwords.
- Provide periodic security awareness reminders to all workforce members.
Category II Guidelines: actions should be taken to address these.
- Make training role- and/or job-specific.
- Assign responsibility for security training.
- Document the training that has been provided to each individual.
- Develop a training program that demonstrates mastery of the material presented.
- Evaluate the effectiveness of training.
SEC.13 Assigned Security Responsibility § .308(b)(1)
Category I Guidelines: actions must be taken to address these.
- Assign overall responsibility for securing protected health information to an individual security officer or a group specifically charged to do so.
- Make this person or group accountable for the information security program, to include:
  - Processes employed to safeguard protected health information;
  - Technologies and architectures employed to safeguard protected health information;
  - Conduct of personnel in relation to the safeguarding of protected health information.
Category II Guidelines: actions should be taken to address these.
- Have the organization's governing body assign this responsibility and confer the authority needed to accomplish the task effectively.
- Ensure that the security officer possesses the necessary body of knowledge, skill set, and experience to effectively oversee the security program.
- Extend the security officer's responsibility to the entire entity.
- If the organization has multiple security officers, coordinate their efforts.
- Avoid combining the responsibilities of the security officer and the privacy official, as the knowledge bases and skill sets required for each differ.
SEC.14 Media Controls § .308(b)(2)
Category I Guidelines: actions must be taken to address these.
- Establish accountability and access controls for media containing protected health information, including equipment with media installed and hardcopies containing protected health information, from creation to disposition.
- Ensure that policies and procedures address access control, accountability, data backup, data storage, and data disposal.
Category II Guidelines: actions should be taken to address these.
- Establish uniform terminology and guidelines for classifying and marking materials as "confidential," "proprietary," "patient-confidential," etc.
- Establish procedures for assigning accountability for newly created media, including hardcopy, when created, and for removing the media from accountability when properly destroyed.
- Establish guidelines to restrict the use of "unofficial" or "shadow" records to ensure the integrity and protection of protected health information.
- Mark temporary working materials, whether on computer media or hard copy, that contain protected health information appropriately when created, and establish a date for either destroying the working materials or bringing them under control as record documents.
- Ensure that appropriate secure storage and destruction facilities, such as shredders, are readily available, clearly marked, and used.
- Ensure that protected health information in hardcopy format is disposed of properly.
- Responsible personnel should authorize the shipping and receiving of protected media and maintain appropriate records. Establish a formal system for shipping and transporting materials containing protected health information, with receipts to ensure that shipped materials have been properly received and accountability has been transferred to the receiving office. Establish standards for wrapping and marking shipped media that both minimize the likelihood of its being identified as containing protected health information and prevent tampering.
- Set a standard for purging protected health information from magnetic media, and adhere to it. Degaussing and overwriting are acceptable methods for magnetic media; neither is reliable for flash-based storage, which requires the device's own secure-erase function or physical destruction. (See Comments.)
- Before releasing any magnetic media that may contain protected health information outside the entity, process it to purge any information residing on it.
- If media is left unattended, secure it and use reasonable care.
- Do not leave printed versions (hardcopy) of protected health information unattended and open to compromise, and do not copy it indiscriminately.
- Establish and maintain accountability for all equipment used to process protected health information, including requirements for regular inventory and for resolving any loss of accountability.
- Ensure that essential patient care information is properly backed up in a secure location. Periodically check to ensure that data can be restored from backup media.
- Consider periodic audits by outside agencies to ensure that appropriate media controls are maintained.
SEC.15 Physical access controls § .308(b)(3)
Category I Guidelines: actions must be taken to address these.
- House critical or sensitive protected health information processing facilities in secure areas, protected by a defined security perimeter with appropriate security barriers and entry controls. Physically protect them from unauthorized access, damage, and interference.
- Establish and maintain a specific disaster recovery plan.
- Supervise or clear contractors and other visitors to secure areas, and record their date and time of entry and departure.
- Control access to protected health information and information processing facilities, and restrict it to authorized persons only.
- Provide security for off-site equipment that is equivalent to that provided for on-site equipment used for the same purpose, taking into account the risks of working outside the covered entity's premises.
- Keep records of maintenance of equipment.
- Restrict testing and revision to authorized personnel.
Category II Guidelines: actions should be considered to address these.
- Provide protection commensurate with the identified risks.
- Regularly review and update access rights to secure areas.
- Grant contractors and visitors access only for specific, authorized purposes, and issue them with instructions on the security requirements of the area and on emergency procedures.
- Require all workforce members to wear some form of visible identification, and encourage them to challenge unescorted strangers and anyone not wearing visible identification.
- Physically protect equipment from security threats and environmental hazards.
- Maintain equipment in accordance with the supplier's recommended service intervals and specifications.
- Use authentication controls, e.g. swipe card plus PIN, to authorize and validate all access. Maintain a secure audit trail of all access.
- Require management authorization for the use of any equipment outside a covered entity's premises for processing of protected health information.
- Ensure that only authorized maintenance personnel carry out repairs and service equipment.
- Maintain records of all suspected or actual faults and all preventive and corrective maintenance.
- Establish appropriate controls when sending equipment off premises for maintenance.
- Comply with all requirements imposed by insurance policies.
- Check all items of equipment containing storage media, e.g. fixed hard disks, to ensure that any protected health information and licensed software has been removed or overwritten prior to disposal.
- Require authorization in order to take any equipment, protected health information, or software off site. Where necessary and appropriate, require equipment to be logged out and logged back in when returned. Perform spot checks to detect unauthorized removal of property, and make individuals aware that spot checks will take place.
- Forbid users to connect unauthorized devices to the enterprise network.
- Escort and supervise maintenance personnel; assign knowledgeable persons to this task.

SEC.16 Policy/guideline on workstation use § .308(b)(4)
Category I Guidelines: actions must be taken to address these.
- Develop a Workstation Use Policy.
- Position workstations to minimize unauthorized viewing of protected health information, either by shoulder surfing or by other direct physical means of obtaining access to data present on the workstation.
- Grant workstation access only to those who need it in order to perform their job function.
Category II Guidelines: actions should be taken to address these.
- Develop a policy/guideline to protect the workstations from exposure to physical threats, including theft.
- Consider establishing automatic logoff to minimize opportunities for unauthorized use of a workstation.
- Educate users about their responsibilities for workstation security.
- Monitor workstation sites for good user practice, including logoff and password usage.
- Consider two-factor login for user authentication.
- Avoid login methods that may require the use of multiple passwords by an individual.
SEC.17 Secure workstation location § .308(b)(5)
Category I Guidelines: actions must be taken to address these.
- Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
- Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to protected health information.
Category II Guidelines: actions should be taken to address these.
- When practical, locate workstations used to access protected health information in areas that are continuously monitored by cleared personnel when open for business and otherwise securely locked and alarmed, with a 24-hour security monitoring service.
- Locate workstations to minimize the possibility of unauthorized personnel viewing screens or data.
- Establish workstation inactivity timeouts and use timed, password-protected screen savers.
- Consider the use of proximity detectors to reduce exposure at unattended workstations.
SEC.18 Security Awareness training § .308(b)(6)
Category I Guidelines: actions must be taken to address these.
- Provide job-specific security awareness training to all workforce members.
- Focus the training on use of protected health information (privacy) and security.
Category II Guidelines: actions should be taken to address these.
- Make this aspect of training a supervisory or departmental responsibility, as appropriate.
- Consider the security guidelines in this document (Category I and Category II Guidelines) and determine which pertain to each job class. Develop a training program to communicate them.
SEC.19 Access Control § .308(c)(1)(i)
Category I Guidelines: actions must be taken to address these.
- Define a context-based, role-based, and/or user-based access policy as appropriate for each of the various situations in the covered entity, and adopt implementation procedures to enforce need-to-know accordingly.
- Enact a clearly stated and widely understood "break the glass" procedure for allowing access via alternate and/or manual methods in the event of an emergency requiring access to protected health information.
Category II Guidelines: actions should be taken to address these.
- Establish a centrally administered service to define access profiles (context-based, role-based, or user-based) and oversee consistent implementation of access control mechanisms.
- Document and test the emergency access procedure.
- Evaluate information technology projects, proposals, contracts, and existing services for access control features and implementation.
- Consider adopting ASTM-defined healthcare roles.
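A role-based policy with a context condition (a treatment relationship) and a break-the-glass path can be expressed compactly, and doing so makes the emergency procedure testable as the second Category II item asks. The following is an added example written for this page, not code from the AMC guidelines; the roles, users, patient identifiers and care-team table are constructed, and the rule that break-glass overrides only the care-team check and never the role check is a design choice of this example.

```python
# Added example for SEC.19: a role-based check with a context (care-team)
# condition and a logged "break the glass" path. Illustrative code, not the
# AMC guidelines' own; roles, users, patient IDs and care teams are constructed.
from datetime import datetime

# Constructed: what each role may do to a clinical record.
ROLE_PERMISSIONS = {
    "attending": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read_demographics"},
    "researcher": set(),
}

# Constructed: which clinicians currently have a treatment relationship.
CARE_TEAM = {
    "patient-1001": {"dr_lee", "nurse_kim"},
    "patient-1002": {"dr_patel"},
}

# Roles permitted to invoke emergency access at all.
BREAK_GLASS_ROLES = {"attending", "nurse"}


def is_authorized(user, role, patient_id, action):
    """Normal path: the role permits the action AND the user is on the care team."""
    return (action in ROLE_PERMISSIONS.get(role, set())
            and user in CARE_TEAM.get(patient_id, set()))


def access(user, role, patient_id, action, log, *, break_glass=False,
           reason=None, when=None):
    """Decide the request and append exactly one audit record to `log`.

    Returns True if the action is permitted. Break-glass overrides the
    care-team check only, never the role check, requires a stated reason,
    and always produces a record flagged for after-the-fact review.
    """
    when = when or datetime.now()
    record = {"ts": when.isoformat(), "user": user, "role": role,
              "patient": patient_id, "action": action}
    if is_authorized(user, role, patient_id, action):
        record.update(outcome="allowed", mode="normal")
        log.append(record)
        return True
    if break_glass:
        if role in BREAK_GLASS_ROLES and reason and action in ROLE_PERMISSIONS[role]:
            record.update(outcome="allowed", mode="break_glass",
                          reason=reason, review_required=True)
            log.append(record)
            return True
        record.update(outcome="denied", mode="break_glass_rejected", reason=reason)
        log.append(record)
        return False
    record.update(outcome="denied", mode="normal")
    log.append(record)
    return False


def pending_reviews(log):
    """Records the security officer must review: every break-glass use."""
    return [r for r in log if r.get("review_required")]


if __name__ == "__main__":
    audit = []
    t = datetime(2024, 6, 1, 3, 10)
    access("dr_lee", "attending", "patient-1001", "read", audit, when=t)
    access("dr_patel", "attending", "patient-1001", "read", audit, when=t)
    access("dr_patel", "attending", "patient-1001", "read", audit,
           break_glass=True, reason="ED: unresponsive, no chart", when=t)
    for r in pending_reviews(audit):
        print(r)
```

Every decision, including denials, is written to the audit log so that the SEC.06 review can reconstruct who asked for what; the break-glass records are the ones that go to the security officer for justification.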
SEC.20 Audit Controls § .308(c)(1)(ii)
Category I Guidelines: actions must be taken to address these.
- Employ event logging on systems that process or store protected health information where warranted by risk analysis.
Category II Guidelines: actions should be taken to address these.
- Log system administration events:
  - Creation and removal of accounts;
  - Assigning and changing of privileges;
  - Installation, maintenance, and changing of software;
  - Changes in hardware configurations.
- Log user activities:
  - Logon and logoff, both successful and unsuccessful;
  - Read, write, create, and delete actions at the file level;
  - Individual user access to individual patient records;
  - Attempts to access unauthorized data and/or services.
- Perform prospective audits of user activity where risk levels warrant.
- Maintain log data for a specified period of time.
- Protect system logs, especially those containing personally identifiable healthcare information, from unauthorized access or alteration.
- Employ audit reduction tools and/or "intelligent" methods of correlating log data to detect unauthorized activity and reduce volumes to a manageable size.
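The last item is where most of the value of logging is realized. The following is an added example written for this page, not a tool from the AMC guidelines: it reads the event types listed above (logon results, patient-record access, privilege changes) from a constructed key=value log format and produces three reduced findings. The log format, sample lines, care-team table and the five-failures-in-ten-minutes threshold are all assumptions of this example.

```python
# Added example for SEC.20: an audit-reduction pass over event logs that
# correlates failed logons, flags patient-record access with no treatment
# relationship, and pulls out privilege changes for review. Illustrative code,
# not the AMC guidelines' own; the log format and sample lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value log lines (timestamp first).
SAMPLE_LOG = """\
2024-06-01T08:00:01 user=jdoe event=logon result=success src=10.1.2.3
2024-06-01T08:00:05 user=mallory event=logon result=fail src=10.1.9.9
2024-06-01T08:00:09 user=mallory event=logon result=fail src=10.1.9.9
2024-06-01T08:00:13 user=mallory event=logon result=fail src=10.1.9.9
2024-06-01T08:00:17 user=mallory event=logon result=fail src=10.1.9.9
2024-06-01T08:00:21 user=mallory event=logon result=fail src=10.1.9.9
2024-06-01T08:00:25 user=mallory event=logon result=success src=10.1.9.9
2024-06-01T08:05:00 user=nurse_kim event=record_access patient=patient-1001 op=read
2024-06-01T08:06:30 user=mallory event=record_access patient=patient-1001 op=read
2024-06-01T09:00:00 user=jdoe event=logon result=fail src=10.1.2.3
2024-06-01T09:30:00 user=admin event=priv_change target=mallory role=attending
"""

# Constructed treatment relationships used as the "authorized" reference.
CARE_TEAM = {"patient-1001": {"dr_lee", "nurse_kim"}}


def parse(text):
    """Turn each line into a dict; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users reaching `threshold` failed logons inside a sliding `window`.

    Fires once when the threshold is first reached, so a long burst does not
    produce one alert per line (the "reduce volume" part of the guideline).
    """
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e.get("event") != "logon" or e.get("result") != "fail":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((e["user"], e["ts"]))
    return alerts


def unauthorized_record_access(events, care_team):
    """Patient-record access by someone with no treatment relationship."""
    return [(e["user"], e["patient"], e["ts"])
            for e in events
            if e.get("event") == "record_access"
            and e["user"] not in care_team.get(e["patient"], set())]


def privilege_changes(events):
    """Every privilege change, for the periodic access review."""
    return [(e["user"], e["target"], e["role"], e["ts"])
            for e in events if e.get("event") == "priv_change"]


def reduce_log(text, care_team=CARE_TEAM):
    """The reduced report: three short lists instead of the raw stream."""
    events = parse(text)
    return {
        "logon_bursts": failed_logon_bursts(events),
        "unauthorized_access": unauthorized_record_access(events, care_team),
        "privilege_changes": privilege_changes(events),
    }


if __name__ == "__main__":
    for kind, findings in reduce_log(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample, the three findings line up into one story (a burst of failures, a success, a record read with no care relationship, then a privilege grant to the same account), which is exactly the correlation a reviewer wants surfaced rather than buried in the raw log.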
SEC.21 Authorization Control § .308(c)(3)
Category I Guidelines: actions must be taken to address these.
- Employ a system- or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle. (See Comments.)
- Implement:
  - A role-based mechanism, where users with common information needs are provided access and privileges through common security authorization classes; or
  - A user-based mechanism, where users' information access and privilege needs are determined and provided on an individual basis.
- Maintain individual accountability for actions taken by forbidding group (shared, generic, trusted, etc.) logons.
Category II Guidelines: actions should be taken to address these.
- None.
SEC.22 Data Authentication § .308(c)(4)
Category I Guidelines: actions must be taken to address these.
- Employ technical controls such as checksums, digital signatures, double keying, and message authentication codes where feasible and appropriate to the level of risk. Note that a plain checksum detects only accidental corruption; an adversary who can alter a message can recompute it, so protection against deliberate alteration requires a keyed message authentication code or a digital signature.
Category II Guidelines: actions should be taken to address these.
- Employ technical integrity controls for critical automated functions such as physicians' orders and prescriptions.
- Procedural aspects closely related to technical authentication and integrity:
  - Maintain separation of duties. Avoid overlapping responsibilities of application and system programmers, data center operators, database administrators, network operations, and user functions.
  - Establish and demonstrate change management discipline.
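The difference between a checksum and a message authentication code is easiest to see on the physician-order case the Category II guideline names. The following is an added example written for this page, not code from the AMC guidelines; the order text and the shared key are constructed, and HMAC-SHA256 is chosen here as the MAC.

```python
# Added example for SEC.22: why a checksum alone does not authenticate a
# physician order, and how a keyed MAC does. Illustrative code, not the AMC
# guidelines' own; the order text and the shared key are constructed.
import hashlib
import hmac
import zlib

# Constructed shared secret between the order-entry system and the pharmacy.
# A real deployment provisions this per peer and rotates it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

ORDER = b"patient=1001;drug=metoprolol;dose=25mg;route=PO;by=dr_lee"


def checksum(msg: bytes) -> int:
    """Integrity only: detects accidental corruption, not deliberate change."""
    return zlib.crc32(msg)


def verify_checksum(msg: bytes, tag: int) -> bool:
    return checksum(msg) == tag


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: integrity plus authenticity for anyone holding `key`."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(mac(key, msg), tag)


def tamper(msg: bytes) -> bytes:
    """A malicious relay turns 25mg into 250mg."""
    return msg.replace(b"dose=25mg", b"dose=250mg")


def demo(order=ORDER, key=SHARED_KEY):
    """Sender protects the order both ways; a relay alters the dose."""
    sent_sum, sent_tag = checksum(order), mac(key, order)
    altered = tamper(order)
    # The relay has no key, so it can recompute the checksum but only
    # replay the original MAC tag alongside the altered message.
    altered_sum = checksum(altered)
    return {
        "checksum_accepts_altered": verify_checksum(altered, altered_sum),
        "checksum_accepts_genuine": verify_checksum(order, sent_sum),
        "mac_accepts_altered": verify_mac(key, altered, sent_tag),
        "mac_accepts_genuine": verify_mac(key, order, sent_tag),
    }


if __name__ == "__main__":
    print(demo())
```

A MAC proves the order came from a holder of the shared key and was not altered in transit; it does not let the pharmacy prove to a third party which prescriber issued it, because the pharmacy holds the same key and could have produced the tag itself. Where that non-repudiation matters, the order is signed with the prescriber's private key (the digital-signature option in the Category I guideline) instead.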
SEC.23 Entity Authentication § .308(c)(5)
Category I Guidelines: actions must be taken to address these.
- Uniquely identify each user and authenticate identity.
- Implement at least one of the following methods to authenticate a user:
  - Password;
  - Biometrics;
  - Personal Identification Number (PIN);
  - Physical token;
  - Call-back or strong authentication for dial-up remote access users.
- Implement automatic log-offs to terminate sessions after set periods of inactivity. Determine appropriate periods based on the levels of risk and exposure.
Category II Guidelines: actions should be taken to address these.
- Include procedures for initiating user access, resetting passwords/tokens, and providing administrative access in the authentication system, and ensure it is fully documented.
- Employ a formal risk management methodology to identify risks and threats to the authentication process.
- Employ secure architectures, where risk appropriate, to authenticate entities. These may include Kerberos, RADIUS, TACACS, PKI, or similar methods.
- Encrypt hard-coded passwords that reside on client machines or in applications.
- Securely authenticate contractors. Device-to-device or firewall-to-firewall authentication is acceptable provided the contractor demonstrates individual accountability for access.
- Change passwords periodically.
- Specify time-out intervals based on business need and levels of risk and exposure.
- Allow users to select and change their own passwords.
SEC.24 Communications/network controls § .308(d)
Category I Guidelines: actions must be taken to address these.
- If the covered entity employs an internal, private, or value-added network, the covered entity must:
  - Employ alarms to sense abnormal conditions;
  - Enact an audit trail to recreate events in the instance of violations or compromises;
  - Identify and authenticate authorized users, programs, and processes;
  - Deny access to unauthorized users, programs, and processes;
  - Employ event reporting to identify operational irregularities and occurrences of significant tasks.
- If the covered entity employs the public switched telephone system, the covered entity must:
  - Enact integrity controls to ensure the validity of protected health information transmitted;
  - Enact message authentication to ensure that content is not altered in transmission;
  - Enact access controls or risk-appropriate encryption to preclude unauthorized access, interception, or interpretation.
- If the covered entity employs the public Internet, the covered entity must enact the controls listed for the public switched telephone system as well as using risk-appropriate encryption. (See Comments.)
Category II Guidelines: actions should be taken to address these.
- Do not store or transmit system passwords in the clear.
- Control network access through individual identification and authentication.
- Employ encryption keys of the length specified by the HCFA Internet Security Policy.
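Two of the requirements above have a standard technical shape: password authentication with automatic log-off on inactivity (SEC.23, Category I) and never storing passwords in the clear (SEC.24, Category II). The following is an added example written for this page, not code from the AMC guidelines, covering both. It assumes salted PBKDF2-HMAC-SHA256 as the password storage scheme, a constructed table of inactivity limits per workstation context, and a constructed user record; the iteration count is this example's choice.

```python
# Added example for SEC.23 (password authentication, automatic log-off) and
# SEC.24 ("do not store system passwords in the clear"). Illustrative code,
# not the AMC guidelines' own; the timeout table and user record are constructed.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 600_000  # CPU cost so that a leaked hash is slow to crack

# Constructed: inactivity limits by workstation context. SEC.23 says to set
# these from risk and exposure; a shared kiosk gets the shortest.
TIMEOUTS = {
    "clinical_workstation": timedelta(minutes=15),
    "admin_console": timedelta(minutes=5),
    "shared_kiosk": timedelta(minutes=2),
}


def at(iso: str) -> datetime:
    """Convenience: ISO timestamp string -> datetime."""
    return datetime.fromisoformat(iso)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string never contains the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


class SessionStore:
    """Server-side sessions with automatic log-off on inactivity."""

    def __init__(self, timeouts=TIMEOUTS):
        self.timeouts = timeouts
        self.sessions = {}

    def login(self, user, password, stored_hash, context, now):
        if not verify_password(password, stored_hash):
            return None
        token = base64.urlsafe_b64encode(os.urandom(24)).decode()
        self.sessions[token] = {"user": user, "context": context,
                                "last_activity": now}
        return token

    def touch(self, token, now):
        """Called on every request. Returns the user, or None if the session
        is unknown or has been idle longer than its context allows."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_activity"] > self.timeouts[s["context"]]:
            del self.sessions[token]  # automatic log-off: token is dead for good
            return None
        s["last_activity"] = now
        return s["user"]

    def logout(self, token):
        self.sessions.pop(token, None)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    store = SessionStore()
    t0 = at("2024-06-01T09:00:00")
    tok = store.login("jdoe", "correct horse battery staple", stored,
                      "shared_kiosk", t0)
    print(store.touch(tok, t0 + timedelta(minutes=1)))  # jdoe
    print(store.touch(tok, t0 + timedelta(minutes=5)))  # None: idle > 2 min
```

The stored string carries the algorithm, iteration count and salt, so the cost can be raised later without invalidating existing records, and the timeout is enforced server-side on every request rather than trusted to the client, which is what makes the automatic log-off meaningful on a shared kiosk.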