438
A Practical Guide to Security Assessments
4. Do sanctions for noncompliance exist and are they based on severity?
Guidance:
Sanctions are a key component of handling noncompliance issues. Without sanctions, no repercussion exists for personnel who do not follow the policy. Ideally, the sanctions should be based on severity and other relevant circumstances.
Client Response:
5. Is an internal audit process in place?
Guidance:
Internal audit will be covered later in this checklist; however, it is an important point when discussing sanctions. Audits provide management with a view of where some of the control weaknesses and noncompliance issues are. The audit process is also an excellent way to enforce HIPAA security requirements. Ideally, the internal audit process should audit for many of the HIPAA security requirements to help ensure compliance with HIPAA security.
Client Response:
iv. Information Systems Activity Review
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”[5]
This specification is a “monitoring” requirement as it pertains to ensuring that
information systems and data remain secure. Below are some questions to help
determine compliance with this requirement.
1. Do documented procedures detail what reports should be reviewed to effectively monitor the systems (e.g., system logs, audit logs)?
Guidance: Activity review should be a planned activity that is documented. The level of review should be based on the criticality of systems, the level of activity on the relevant systems, and any other relevant factors. Depending on the amount of information generated, it might make sense to recommend that the entity use third-party tools to automate the log review process and provide exception reports. There should also be a process that outlines the frequency and nature of review based on the risk.
Client Response:
2. Are specific people responsible for log review?
Guidance: In many organizations, if log review is not assigned to someone, it is not done or, if it is, it is purely reactionary. Although being reactive in some cases may be appropriate, it may not be when it comes to critical systems. Assigning this responsibility to specific individuals and having clear expectations with respect to logging will help ensure that logs are being reviewed appropriately.
Client Response:
3. Who has access to the various logs used to monitor system activity? Can the people who have access to the logs change the information in the logs without being detected?
Guidance: Access to the logs and the ability to change them should be closely monitored. Segregation of duties should be considered so that people cannot perform any malicious activity and hide their tracks. This will especially be a problem in small companies, where the staff is typically very small. In these cases, recommendations for alternative methods providing some mitigating controls should be suggested.
Client Response:
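Questions 1 and 3 above raise two points an assessor will want to see in practice: that log review can be automated into an exception report, and that someone with access to the logs cannot alter them undetected. The following Python is an added example, not code from the book, showing both on constructed sample records: a hash chain whose digests are stored out of reach of the log administrators (so any later edit breaks verification) and a filter that reduces the raw log to the events a reviewer should look at. The record format, field names, business hours and thresholds are assumptions.

```python
import hashlib
import json

# Constructed sample audit records (not taken from the book): one JSON object per line.
SAMPLE_LOG = [
    '{"ts":"2004-08-17T09:12:00","user":"jdoe","action":"read","record":"pt-1001","ok":true}',
    '{"ts":"2004-08-17T23:45:10","user":"jdoe","action":"read","record":"pt-2002","ok":true}',
    '{"ts":"2004-08-17T10:03:00","user":"msmith","action":"login","record":"","ok":false}',
    '{"ts":"2004-08-17T10:03:20","user":"msmith","action":"login","record":"","ok":false}',
    '{"ts":"2004-08-17T10:03:40","user":"msmith","action":"login","record":"","ok":false}',
    '{"ts":"2004-08-17T11:20:00","user":"admin","action":"export","record":"pt-3003","ok":true}',
]

def chain_log(lines, seed="genesis"):
    """Return (line, digest) pairs; each digest covers the previous digest plus the line.
    Keep the digests on a separate write-restricted host so log admins cannot recompute them."""
    chained, prev = [], seed
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, digest))
        prev = digest
    return chained

def verify_chain(chained, seed="genesis"):
    """Return the index of the first entry whose digest no longer matches, or -1 if intact."""
    prev = seed
    for i, (line, digest) in enumerate(chained):
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1

def exception_report(lines, business_hours=(7, 19), max_failed_logins=3):
    """Reduce the full log to reviewable exceptions: successful access outside business
    hours, a run of failed logins reaching the threshold, and any record export."""
    findings, failed = [], {}
    for line in lines:
        ev = json.loads(line)
        hour = int(ev["ts"][11:13])  # "YYYY-MM-DDTHH:MM:SS" -> HH
        if ev["action"] == "login" and not ev["ok"]:
            failed[ev["user"]] = failed.get(ev["user"], 0) + 1
            if failed[ev["user"]] == max_failed_logins:
                findings.append(("repeated_failed_login", ev["user"], ev["ts"]))
        elif ev["ok"] and not business_hours[0] <= hour < business_hours[1]:
            findings.append(("after_hours_access", ev["user"], ev["ts"]))
        if ev["action"] == "export":
            findings.append(("bulk_export", ev["user"], ev["ts"]))
    return findings
```

The exception report is what a reviewer with assigned responsibility (question 2) would work from, while a non-negative result from `verify_chain` is the signal that the log itself was altered after the digests were recorded.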
b. ADDRESSABLE Implementation Specifications
i. None
2. STANDARD — REQUIRED — ASSIGNED SECURITY RESPONSIBILITY
“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”[6]
This standard requires someone to be identified who owns the responsibility for the development and implementation of the policies and procedures required by HIPAA security standards. This person can have different titles including Chief Security Officer, HIPAA Security Officer, Compliance Officer, etc. Note that this standard does not have any specifications — i.e., the standard serves as both the policy and instructions for implementing. Below are some questions to help determine compliance with this requirement. Note — there are no implementation specifications for this standard.
1. Does someone in the organization have the responsibility for development and implementation of policies and procedures relative to the HIPAA security standards?
Guidance: In the final regulations, the intent was that one person have the ultimate responsibility for security. Even in cases where different divisions of a larger company may assign responsibility at the division level, there still must be one person who has overall ownership for security. This person might have the title “Security Officer” or some other managerial security-type title. The “Security Officer” should ensure that the development and implementation of policies and procedures involve both business and technology representatives. If this is not the case, it should be flagged and a recommendation should be provided. Ideally, the “Security Officer” should be able to facilitate a coordinated effort in developing and implementing security policies and procedures.
Client Response:
2. Does a security awareness program exist to help ensure that implementation of security policies and procedures is successful?
Guidance: Awareness is an important part of implementation to help ensure that personnel know and understand security policies and procedures. Once they know about them, they are more likely to follow them, and from management’s perspective, they can be held accountable. When evaluating the awareness program, keep in mind that not all personnel have to attend all of the training — i.e., personnel should attend the training they need.
Client Response:
3. Are security policies and procedures readily accessible so that personnel can refer to them as needed?
Guidance: Personnel will have questions as they apply the policy in their daily jobs. You should ensure that security policies and procedures reside where personnel can easily access them if they need to. If personnel cannot access these documents, it is difficult to enforce them.
Client Response:
4. Does the “Security Officer” (or whatever that person’s title is) ensure that security policies and procedures are updated as the business and IT environment change?
Guidance: Maintenance of security measures is a HIPAA requirement. Also, it is critical to ensure that policies and procedures are updated as needed. In addition, there should be a process to communicate updates to personnel. If needed, additional security awareness training might also be necessary.
Client Response:
5. Does the Security Officer (or the person who owns security) have the ability to escalate issues to upper management?
Guidance: The Security Officer role is relatively new, and often it does not get the visibility that is required for the role to be effective. Security policies and procedures are difficult to implement because people sometimes do not see their value, and they might need to change the way they do things. Aside from the education and awareness that users are provided, the Security Officer needs to have access to upper management to escalate issues and gain resolution.
Client Response:
3. STANDARD — WORKFORCE SECURITY
“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, …and to prevent those workforce members who do not have access, …from obtaining access to electronic protected health information.”[7]
This requirement basically states that only those personnel who require access to electronic protected health information should have it and those who do not require access should be prevented from having access. Access should be given on a “need to have” basis. Note that this standard does not have any required specifications. When conducting the HIPAA security review for this standard, you should review the questions from other questionnaires such as User ID Administration and Terminations.
a. REQUIRED Implementation Specifications
i. None
b. ADDRESSABLE Implementation Specifications
i. Authorization and/or Supervision
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”[8]
This specification pertains to access control for electronic protected health information. Access and authorization exist at multiple levels, including network, application, and database. The process should address each of these aspects of access. Below are some questions to help determine compliance with this requirement.
1. Does a documented process exist for obtaining authorization to access electronic protected health information? If formal authorizations are not granted, does supervision exist for personnel working with electronic protected health information?
Guidance: Ideally, a documented process should exist for obtaining authorization, at a minimum. The extent and granularity of the procedure will vary depending on the size and nature of the organization. The standard has given considerable flexibility in making this decision.
Client Response:
2. Is there a form that is filled out or some type of workflow application to facilitate and document the process for obtaining access?
Guidance: Depending on the organization, this may be done on paper or via some type of workflow application such as Lotus Notes. The form or workflow process should document what information the individual will be able to access and, in the case of a contractor, how long the access is required. Access should be given once the form goes through the proper