448 A Practical Guide to Security Assessments
have it? This is related to measures such as purging IDs on a regular basis and ensuring that a solid user ID administration policy and procedure are in place.
Client Response:
b. ADDRESSABLE Implementation Specifications
i. Access Authorization
“Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.” [12]
This specification addresses access to electronic protected health information wherever it resides.
1. Do documented policies and procedures for granting access to electronic protected health information exist? Are these policies and procedures readily accessible?
Guidance: For this specification, look for the documented policies and procedures. They might just be a part of the overall user ID administration policies and procedures. Situations where this might not be necessary include very small entities, where a limited number of people have access.
Client Response:
2. Are there specific workstations (or other devices) that are dedicated to certain functions and from which electronic protected health information can be accessed? If so, are there strict access controls to ensure that only those who require access have it?
Guidance: In health care facilities, there are often workstations used for certain medical functions where doctors, nurses, etc. can access electronic protected health information about patients. Access to these workstations should be restricted. Also, users should log out of the application after using it so other, unauthorized individuals cannot view sensitive information.
Client Response:
AU1706_book.fm Page 448 Tuesday, August 17, 2004 11:02 AM
Appendix Q 449
3. Where systems can facilitate access control to electronic protected health information at the transaction level, is this functionality used?
Guidance: If the electronic protected health information is accessed via some application, the access control features might allow access to be controlled at the transaction level. This is important because we sometimes tend to think of access at the network or file level. At the application level, features may exist that allow more granular control. Keep in mind, however, that there is maintenance associated with providing this type of access.
Client Response:
ii. Access Establishment and Modification
“Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.” [13]
This requirement addresses the modification of a user’s access based on that individual’s job requirements.
1. Is there a policy and procedure for the establishment and subsequent adjustment or modification of a user’s access based on change in positions or other changes in status?
Guidance: This is very much related to the earlier specification on Access Authorization. The user ID administration policy and procedure should allow for people’s jobs to be changed and their access to be changed accordingly. Look for human resources (HR), department management, and IT to be involved in this process.
Client Response:
2. Is users’ access reviewed on a regular basis?
Guidance: Although this is not a required item, it is a good idea in most cases. If the termination process is not effective, reviewing user access is a good mechanism for ensuring, on a regular basis, that only authorized users have access and that the level of access is appropriate. In very small entities, this probably will not be as important because “everyone knows everyone.”
Client Response:
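One way to carry out the periodic access review described above, together with the related purge of stale IDs and the adjustment of access after a job change, as an added Python example that is not from the book: it cross-checks an application's account list against the HR roster, so that HR, department management and IT each contribute what they know. The HR_ROSTER, APP_ACCOUNTS and ALLOWED_BY_TITLE records are constructed sample data and review_access is a hypothetical helper, not an artifact of any real system.

```python
"""Periodic user-access review for an ePHI application (added example, not from the book).
Cross-checks the application's accounts against the HR roster, as the Access
Establishment and Modification questions describe. All records are constructed data."""
from datetime import date

# Constructed HR roster: user id -> (job title, employment status).
HR_ROSTER = {
    "jsmith": ("Nurse", "active"),
    "adoe": ("Billing Clerk", "active"),
    "mlee": ("Physician", "terminated"),
    "rkhan": ("Billing Clerk", "active"),  # transferred from Nursing, access never adjusted
}
# Constructed application accounts: user id -> (entitlement, last login, enabled).
APP_ACCOUNTS = {
    "jsmith": ("clinical_read", date(2024, 5, 30), True),
    "adoe": ("billing_write", date(2024, 1, 12), True),
    "mlee": ("clinical_write", date(2024, 5, 28), True),
    "rkhan": ("clinical_read", date(2024, 5, 29), True),
    "contr1": ("billing_write", date(2023, 11, 2), True),  # no HR record at all
}
# Hypothetical job-title-to-entitlement mapping from the entity's access authorization policy.
ALLOWED_BY_TITLE = {
    "Nurse": {"clinical_read"},
    "Physician": {"clinical_read", "clinical_write"},
    "Billing Clerk": {"billing_write"},
}

def review_access(accounts, roster, allowed, today, inactive_days=90):
    """Return sorted (user, finding) pairs that need HR, management and IT action."""
    findings = []
    for user, (entitlement, last_login, enabled) in accounts.items():
        if not enabled:
            continue  # already disabled; nothing to review
        if user not in roster:
            findings.append((user, "orphan: no HR record, disable until an owner is confirmed"))
            continue
        title, status = roster[user]
        if status != "active":
            findings.append((user, "terminated: termination process missed this account, revoke"))
        elif entitlement not in allowed.get(title, set()):
            findings.append((user, f"mismatch: {entitlement} is not authorized for {title}, adjust"))
        if (today - last_login).days > inactive_days:
            findings.append((user, f"stale: unused for over {inactive_days} days, candidate for purge"))
    return sorted(findings)

def run_sample_review():
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(APP_ACCOUNTS, HR_ROSTER, ALLOWED_BY_TITLE, date(2024, 6, 1))
```

The constructed data yields four findings: one stale account, one orphan, one missed termination and one entitlement that no longer matches the person's job, each of which is a separate line item for HR and IT to close out.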
5. STANDARD — SECURITY AWARENESS AND TRAINING
“Implement a security awareness and training program for all members of its workforce (including management).” [14]
As discussed in various parts of this book, awareness is a key component in the success of an information security program. This also holds true for HIPAA security requirements. During the initial comment phase of the HIPAA security regulation, some interesting comments, which are worth noting for clarification purposes, were submitted:
• Covered entities are not required to provide training to business associates or anyone else who is not a member of their workforces. Business associates must, however, be made aware of the entity’s security policies and procedures.
• Covered entities have significant latitude in how much and what type of training they provide. Training should be based on the specific security risks the entity faces.
The intention of this requirement is that awareness training is not a one-time process but an evolving one as changes occur in personnel and in the business.
Some general questions that should be asked to assess the level of security awareness include the following. Although the requirements referenced in the questions below are not specifically stated in the regulations, they help provide a good assessment of the level of awareness:
1. Are any security awareness programs in place?
Guidance: Before going further into the specifications, you should determine whether any security awareness programs are currently in place. Awareness programs do not have to be formal in nature but can include such things as newsletters, security tips sent out over e-mail, etc.
Client Response:
2. Are security policies and procedures readily accessible by employees?
Guidance: Having security policies and procedures easily accessible can help promote awareness. Some companies have a central repository on the company’s intranet site where employees can easily find them. If a question arises about what should be done from a security perspective, the information is readily accessible.
Client Response:
3. Does the entity have an orientation program for new employees and does it incorporate security policies and procedures?
Guidance: Orientation programs for new employees are a very effective way to communicate security policies and procedures. Relative to HIPAA, key provisions affecting employees can be communicated so that new personnel understand their responsibilities relative to security. If there is an orientation that addresses security policies and procedures, employees should formally acknowledge that they were made aware of these policies.
Client Response:
4. If personnel have questions about policies and procedures, are there people identified to whom they can go?
Guidance: Security policies and procedures can sometimes be difficult to understand, and it is helpful if employees have the opportunity to ask someone if they do not know what a policy means or whether their implementation of it is compliant. There is a greater likelihood of noncompliance if personnel do not understand and are unable to interpret security policies. This interaction is a key component of a security program and will help promote compliance.
Client Response:
a. REQUIRED Implementation Specifications
i. None
b. ADDRESSABLE Implementation Specifications
i. Security Reminders
“Implement periodic security updates.” [15]
This requirement calls for periodic security reminders for employees.
1. What type of ongoing security awareness program is in place?
Guidance: With security, the more awareness, the better. Often, it takes more than one education session to raise security awareness to the appropriate level. With HIPAA security, awareness is even more important, considering the potential impacts of noncompliance, including fines and damage to the company’s reputation. Some common ongoing “reminder” programs include newsletters, security tips via e-mail, and focused security education sessions.
Client Response:
2. What is the process for communicating any changes to security policies and procedures?
Guidance: There should be a formal process for communicating changes to security policies and procedures. Depending on the complexity of the policy, varying methods such as e-mail and formal education sessions can be used for communicating changes. Someone should be responsible and accountable for making and communicating changes to security policies and procedures. This function should be centralized to the extent possible to ensure that changes are communicated and that there is a common understanding of what changes were made. This communication should include the change and what the implications are for personnel from both the process and technology perspectives.
Client Response: