468 A Practical Guide to Security Assessments
2. Is physical access adequately addressed in the termination policy and
procedure?
Guidance: Employee termination is a significant risk, and it is critical that
physical access is removed as part of the process. If physical access is not
removed, former personnel (especially disgruntled ones) can cause significant
damage.
Client Response:
3. Is the list of people who have physical access periodically reviewed?
Guidance: As a mitigating control for the termination process, physical
access lists should be periodically reviewed. Any unneeded access should
be removed as part of the process. This will vary with the size of the company.
In smaller companies, guards and other employees probably know
who should or should not be on the premises, so the process is not as critical.
In larger companies, this is absolutely critical.
Client Response:
4. Have facility access requirements been addressed in the disaster recovery
plan and emergency mode operation?
Guidance: Although the facility access requirements are listed separately
from the disaster recovery and emergency mode requirements, they are an
integral part of both. If the facility access requirements are not addressed
in the disaster recovery or emergency mode operations, where are they
addressed? More importantly, are the facility access requirements in sync
with the disaster recovery plan and emergency mode operations?
Client Response:
5. When the disaster recovery plan is tested, are the people in charge of
facility access involved? Are they made aware of updates to the plan?
Guidance: Similar to the previous question, the disaster recovery plan
should involve those individuals in charge of facility access. The plan test and
update process is covered in more detail in the disaster recovery checklist.
AU1706_book.fm Page 468 Tuesday, August 17, 2004 11:02 AM
Appendix Q 469
Client Response:
6. Are there any awareness programs for the people in charge of facility
access?
Guidance: Like all security policies and procedures, awareness programs
should extend to those individuals in charge of facility access. At the
minimum, they should understand and be aware of their roles in the event of a
disaster.
Client Response:
ii. Facility Security Plan
“Implement policies and procedures to safeguard the facility and the equipment therein
from unauthorized physical access, tampering, and theft.”[35]
Essentially, this part of the requirement is having physical security policies and
procedures in place. Refer to the Physical Security checklist for further questions
regarding physical security.
iii. Access Control and Validation Procedures
“Implement procedures to control and validate a person’s access to facilities based on
their role or function, including visitor control, and control of access to software
programs for testing and revision.”[36]
Procedures should be in place to control and validate individuals’ access to facilities,
and their access should be based on their role in the company. This specification
also calls for controlling visitors (e.g., logging when they come and go, ensuring
visitors walk with authorized personnel). Refer to the Physical Security checklist
for questions relevant for this specification.
iv. Maintenance Records
“Implement policies and procedures to document repairs and modifications to the
physical components of a facility, which are related to security (for example, hardware,
walls, doors, and locks).”[37]
This specification is asking for records to be kept when making any repairs or
modifications to security-related components. In addition to the question below, the
Physical Security questionnaire in these appendices should be referenced for other
relevant questions.
1. For any given facility, are the “security-related components” identified
so that changes can be appropriately documented?
Guidance: To ensure that this HIPAA requirement is met, the specific
security components should be identified. Ideally, all significant changes
(regardless of whether related to security components or not) should be
documented, and these records should be securely kept.
Client Response:
WORKSTATION-RELATED REQUIREMENTS
The next two requirements deal with the use and security of workstations. Before
going into the actual requirements, it is worth clarifying the definition of
“workstation” as stated in the Federal Register:
Workstation: An electronic computing device, for example, a laptop or desktop
computer, or any other device that performs similar functions, and electronic media
stored in its immediate environment.
This definition and terminology were a result of comments that the previous
terminology “Secure workstation location” (used in the initial drafts of the HIPAA
Security regulations) was vague. With the current definition of workstation, this
could mean items such as personal digital assistants and other devices.
2. STANDARD — WORKSTATION USE (REQUIRED)
“Implement policies and procedures that specify the proper functions to be performed,
the manner in which those functions are to be performed, and the physical attributes
of the surroundings of a specific workstation or class of workstation that can access
electronic protected health information.”[38]
This specification is meant to ensure that personnel use their workstations in a secure
manner.
1. Identify what workstations as well as other devices can be used to access
electronic protected health information.
Guidance: Because of the definition of workstation, other computing
devices such as personal digital assistants and other wireless devices can be
subject to this requirement. This question will help you in determining the
scope as well as the associated risk.
Client Response:
2. Does a policy exist that addresses secure workstation use? Some of the
things that should be addressed include:
• What functions should be performed by the workstation
• How those functions should be performed
• What the physical attributes are for the workstation environment
Guidance: This requirement also calls for having secure practices at the
workstation to help ensure that electronic protected health information is
protected. For example, the entity might require the use of screen saver
passwords so other people cannot see sensitive information when the
workstation is unattended. The specific function will vary based on the
workstation. As part of this question, you should also ensure that personnel
are aware of this policy.
Client Response:
3. STANDARD — WORKSTATION SECURITY (REQUIRED)
“Implement physical safeguards for all workstations that access electronic protected
health information, to restrict access to authorized users.”[39]
One clarification of this specification is that the physical safeguards used are based
on the entity’s risk analysis process. Consequently, companies have flexibility in
implementing this requirement.
1. Identify what workstations as well as other devices can be used to access
electronic protected health information.
Guidance: Because of the definition of workstation, other computing
devices like personal digital assistants and other wireless devices can be
subject to this requirement. This question will help you in determining the
scope as well as the associated risk.
Client Response:
2. What physical security measures are taken to protect these devices or
machines?
Guidance: Once these machines and devices have been identified, they
should be secured based on risk. Protection will vary based on the device
and can involve such things as locking down laptops with cables or other
measures to protect devices such as PDAs.
Client Response:
3. Who has access to the physical workstations besides the individual user?
Are there facilities people who can potentially access the workstations?
If so, what security measures are taken to ensure that these individuals
do not gain unauthorized access?
Guidance: One of the significant areas of weakness in many companies is
that too many people have physical access to machines that access
electronic protected health information. Some examples include computers in
public areas such as nurses’ stations or in cubicles in a typical office.
Facilities personnel also have master key access to sensitive areas.
Depending on the risk, physical security measures such as locking cables
and other devices should be used.
Client Response:
4. Were there any workstation security–related findings in the initial risk
assessment and if so, were they addressed?
Guidance: Workstation security should have been addressed in the initial
risk assessment at the start of the HIPAA security compliance process. Any
findings should be reviewed to determine whether or not those findings
have been addressed.
Client Response: