Appendix Q 443
approvals. Approvers of the access should understand that the access is to be given on a “least privilege” basis.
Client Response:
3. Can the authorization be controlled so that access is given to only those records that are required for a person to do his or her job?
Guidance: If access to the electronic protected health information can be controlled at a granular level, it should be done. Keep in mind that there are maintenance issues associated with that type of access, so when making any related recommendations, make sure you understand the security and operational needs of the client.
Client Response:
4. Is the data owner involved in the approval process?
Guidance: The data owner is ultimately responsible for his data. As a result, any process for authorization should involve the data owner. The data owner should at least be informed and, ideally, should be one of the individuals who approve access.
Client Response:
5. Is sharing of IDs prohibited?
Guidance: If personnel share IDs, accountability is lacking and enforcement becomes difficult. Also, because different people have different levels of access, each should have his or her own ID. If cases exist where it is operationally not feasible to have separate IDs, some form of supervision or logging and review should occur.
Client Response:
AU1706_book.fm Page 443 Tuesday, August 17, 2004 11:02 AM
444 A Practical Guide to Security Assessments
6. When users require password resets, is this done in a secure manner?
Guidance: In an attack scenario, password resets are one of the social engineering tools often used to gain unauthorized access to critical systems and data. Support desks or people handling the support function should properly authenticate people asking for password resets. In a small environment, most people know each other, and that knowledge of someone is used to authenticate a person. Although this might be a valid method, it can be a problem in environments where there is significant turnover. It is best to have a secure method for doing password resets regardless of the size of the environment.
Client Response:
ii. Workforce Clearance Procedures
“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”9
This specification is relevant once it is determined that someone needs access to electronic protected health information. It requires that access to electronic protected health information be given on a “need to have” basis. Below are some questions to help determine compliance with this requirement.
1. Are roles and responsibilities and job descriptions clearly defined so that access can be provided to personnel on a “need to have” basis?
Guidance: Assigning access is dependent on knowing what a person does in the company and what that person will need to access to do his or her job. Roles and responsibilities are not always clearly defined, and this may cause problems when providing access. When performing a security assessment, lack of clear roles and responsibilities should be flagged as a weakness as this has a ripple effect on many other security processes such as user ID administration, incident management, and terminations.
Client Response:
2. How granular is the access control to electronic protected health information? Is this functionality used in providing personnel access to only what is required?
Guidance: What the system can do in terms of access control is very important because automated system measures are the best way to enforce it. With granular access control, a balance must be maintained between security and the ongoing maintenance of providing very granular access.
Client Response:
3. Does the data owner (the person responsible for the electronic protected health information records) approve access? If not, is that person made aware?
Guidance: The data owner is ultimately responsible for the handling and security of the electronic protected health information, so that individual should approve or at least be aware of who is accessing the data. This helps provide the necessary accountability as it pertains to the safeguarding of the data.
Client Response:
4. If access cannot be controlled by the system, what mitigating controls are in place to ensure that personnel are accessing only what they need?
Guidance: In some cases, there may be systems where there is little or no access control. In these cases, some type of supervision or other mitigating controls should be present. The client may consider log review or reviewing edit reports of key electronic protected health information to help ensure the integrity of the data.
Client Response:
iii. Termination Procedures
“Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in the Workforce Clearance Procedures paragraph.”10
The main point of this specification is to ensure that if an employee is terminated or leaves a company, any access that individual had to electronic protected health information should be disabled or deleted. Like other HIPAA security requirements, strong termination procedures are a generally accepted information security best practice. Below are some questions to help determine compliance with this requirement.
1. Do documented policies and procedures for terminations exist?
Guidance: Termination policies and procedures should be documented so that all personnel know their responsibilities in the termination process.
Client Response:
2. As part of the termination process, are specific termination activities performed — e.g., return of items assigned to the individual (such as security badges and keys), change of locks, change of shared account passwords, changes to any systems where the individual had shared or privileged access, etc.?
Guidance: Ideally, there should be a central repository where information is stored about what items an employee has, to ensure that all are returned upon termination.
Client Response:
3. Is access periodically reviewed to ensure that personnel have access only to what they need (relative to electronic protected health information)?
Guidance: With access to critical systems, periodic review of access, or “purging,” is a key control. It serves as a mitigating control in case access has not been assigned properly or in case terminated employees’ access was not properly removed.
Client Response:
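The periodic access review described above, together with the shared-ID and termination questions earlier in this checklist, can be turned into a repeatable reconciliation. The following is an added illustration, not code from the book; the roster, account list and per-role entitlements are constructed and hypothetical.

```python
"""Periodic ePHI access review (constructed example): reconcile accounts against
the HR roster and each role's approved entitlement, flagging what to examine."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple
@dataclass
class Employee:
    emp_id: str
    role: str
    terminated: Optional[date] = None  # None while still employed

@dataclass
class Account:
    user_id: str
    owners: List[str]  # employee ids; more than one means a shared ID
    ephi_scopes: Set[str] = field(default_factory=set)  # record sets readable

# Hypothetical entitlements: the per-role baseline the data owner approved.
ROLE_ENTITLEMENTS = {
    "billing_clerk": {"claims"},
    "nurse": {"clinical_notes", "medications"},
    "it_admin": set(),  # administers systems; needs no patient record access
}
def review_access(employees, accounts, as_of) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for the reviewer; empty means nothing to flag."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if len(acct.owners) != 1:
            findings.append((acct.user_id, "shared or unowned ID: accountability is lacking"))
        for emp_id in acct.owners:
            emp = roster.get(emp_id)
            if emp is None:
                findings.append((acct.user_id, f"owner {emp_id} is not on the HR roster"))
            elif emp.terminated is not None and emp.terminated <= as_of:
                findings.append((acct.user_id, f"owner {emp_id} terminated {emp.terminated}: disable account"))
            else:
                excess = acct.ephi_scopes - ROLE_ENTITLEMENTS.get(emp.role, set())
                if excess:
                    findings.append((acct.user_id, f"access beyond role {emp.role}: {sorted(excess)}"))
    return findings
# Constructed sample data, dated to the book's own 2004 timeframe.
EMPLOYEES = [Employee("e1", "billing_clerk"),
             Employee("e2", "nurse", terminated=date(2004, 7, 30)), Employee("e3", "it_admin")]
ACCOUNTS = [Account("bclerk", ["e1"], {"claims"}), Account("jnurse", ["e2"], {"clinical_notes"}),
            Account("ward3", ["e3", "e1"], {"medications"}), Account("sysadm", ["e3"], {"claims", "medications"})]
def sample_review() -> List[Tuple[str, str]]:
    return review_access(EMPLOYEES, ACCOUNTS, as_of=date(2004, 8, 17))
```

Each finding maps to a checklist item: a shared login, an account left enabled after termination, or access beyond what the role needs, which is exactly what the reviewer should take back to the data owner.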
4. STANDARD — INFORMATION ACCESS MANAGEMENT
“Implement policies and procedures for authorizing access to electronic protected health information.”11
This standard addresses the process for actually accessing electronic protected health information. This standard is different from the Workforce Security Standard in that this one is more concerned with access to where the electronic protected health information resides, whereas the other is focused on the people who have the access.
a. REQUIRED Implementation Specifications
i. Isolating Health Care Clearinghouse Functions
“If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.”
1. Does the entity qualify as a health care clearinghouse? (See earlier part of checklist.)
Guidance: Before going further with this set of requirements, it should be confirmed whether the entity is a health care clearinghouse based on the criteria from the first section of this questionnaire.
Client Response:
2. If the entity is a health care clearinghouse, are there documented policies and procedures that address access to electronic protected health information?
Guidance: Look for documented policies and procedures that address access to electronic protected health information for the health care clearinghouse. The policies should address how authorized access to electronic protected health information is obtained. In addition, all of the other related policies and procedures such as employee terminations should also be included.
Client Response:
3. Does anyone from the larger organization have access to the electronic protected health information on the health care clearinghouse systems?
Guidance: If someone from the larger organization does have access to the health care clearinghouse systems, is this access authorized and has it gone through the proper approvals? Also, does the covered entity have a way of knowing who uses that access and whether those individuals should