Appendix Q 473
4. STANDARD — DEVICE AND MEDIA CONTROLS
“Implement policies and procedures that govern the receipt and removal of hardware
and electronic media that contain electronic protected health information into and out
of a facility, and the movement of these items within the facility.”[40]
This specification calls for policies and procedures to help ensure that any media
containing electronic protected health information is adequately secured when it
leaves or comes back to the facility.
a. REQUIRED Implementation Specifications
i. Disposal
“Implement policies and procedures to address the final disposition of electronic
protected health information, and/or the hardware or electronic media on which it is
stored.”[41]
This can apply to hard drives, backup tapes, etc. where electronic protected health
information is stored. Measures such as overwriting disks must be performed to
ensure that sensitive electronic protected health information cannot be compromised.
The disposal requirement is essentially based on best practices; nothing in it is
particular to HIPAA. Questions related to data disposal are documented in the
Media Handling questionnaire in the appendices and should be used to evaluate this
requirement.
ii. Media Re-Use
“Implement procedures for removal of electronic protected health information from
electronic media before the media are made available for re-use.”[42]
This requirement is similar to the disposal requirement in the sense that electronic
protected health information must be properly destroyed. This will require multiple
overwrites to ensure that information cannot be recovered once the electronic media
is made available for reuse. Like the disposal requirement, there are no aspects that are
particular to just HIPAA. As such, questions from the Media Handling questionnaire
in the appendices should be used to evaluate compliance with this requirement.
b. ADDRESSABLE Implementation Specifications
i. Accountability
“Maintain a record of the movements of hardware and electronic media and any person
responsible therefore.”[43]
AU1706_book.fm Page 473 Tuesday, August 17, 2004 11:02 AM
474 A Practical Guide to Security Assessments
This specification requires that some type of audit trail be kept of any movement of
electronic media and hardware where electronic protected health information resides.
One clarification made in the comments section of the regulation is that this
specification does not address audit trails within systems or software. The idea here is
that because of the sensitive nature of information on the electronic media, it should
be secure, and there should be accountability for it.
1. Are there clear roles and responsibilities for who can handle electronic
media?
Guidance: Because of the sensitivity of the electronic protected health
information and the media where it resides, only certain individuals should
be authorized to take it. A policy should identify what roles in the
organization are authorized. In a security assessment, one of the main aspects
reviewed in virtually any area is roles and responsibilities. Similar to this
HIPAA specification, it helps establish accountability.
Client Response:
2. When there is movement of electronic media, are there logs of who takes
it and when they take and return it?
Guidance: This is a process question that maps back to the requirement.
There should be a log that records the movement of media. This log should
be accessed by a limited number of individuals.
Client Response:
3. Is there proper segregation of duties relative to maintaining the log? (The
people who are taking the electronic media should not be updating the
logs.)
Guidance: With any log, segregation of duties is important because it
speaks to the quality and integrity of the information contained in it. To
achieve accountability, the logs are critical because they establish who had
the electronic media and when they had it. If there is even a perception that
the information in the log can be altered, the log loses value. The ideal
scenario is to ensure that the individuals who take and handle the electronic
media do not have access to the logs.
Client Response:
4. Is the log kept in a secure manner?
Guidance: Related to the question above, the logs should be kept securely.
If electronic, they should have proper access controls (see User ID
Administration checklist) and if paper based, they should be properly locked with
only a limited number of people having access.
Client Response:
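The accountability questions above turn on whether the movement log can be trusted: once an entry can be altered without anyone noticing, the log loses its value. As an added illustration (not from the book or its questionnaires), the following Python code keeps a chain-of-custody log in which each entry's hash covers the previous entry's hash, so a later edit to any earlier entry is detected on review; the media IDs, names and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor hash for the first entry


class MediaLog:
    """Append-only chain-of-custody log: each entry's hash covers the previous
    entry's hash, so editing or deleting an earlier entry breaks what follows."""

    def __init__(self):
        self.entries = []  # each item: {"event": {...}, "hash": "..."}

    @staticmethod
    def _digest(prev_hash, event):
        payload = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, media_id, action, person, when):
        """Append one checkout/return event and return its chain hash."""
        event = {"media_id": media_id, "action": action, "person": person, "when": when}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "hash": self._digest(prev, event)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["hash"] != self._digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return -1

    def holder(self, media_id):
        # Who currently has an item, or None if it is back in the facility.
        current = None
        for entry in self.entries:
            ev = entry["event"]
            if ev["media_id"] == media_id:
                current = ev["person"] if ev["action"] == "checkout" else None
        return current


def demo():
    """Constructed sample: two movements, then a forged edit to the first entry."""
    log = MediaLog()
    log.record("TAPE-0042", "checkout", "j.doe", "2004-08-17T09:00")
    log.record("TAPE-0042", "return", "j.doe", "2004-08-17T17:30")
    log.record("HDD-0007", "checkout", "a.smith", "2004-08-18T08:15")
    intact = (log.verify(), log.holder("TAPE-0042"), log.holder("HDD-0007"))
    log.entries[0]["event"]["person"] = "someone.else"  # the alteration a reviewer fears
    return intact, log.verify()
```

The segregation of duties the questionnaire asks for still applies: the people handling media should not be able to rewrite the whole chain, so the latest hash should be held or published by someone other than the media handlers.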
ii. Data Backup and Storage
“Create a retrievable, exact copy of electronic protected health information, when
needed, before movement of equipment.”[44]
The purpose of this specification is to minimize the risk related to electronic protected
health information when moving systems and equipment. Like many of the other
specifications, entities have considerable latitude in determining what is best for
their environment. The comments received on this specification led to a number of
clarifications:
• What is backed up (a retrievable and exact copy) is largely dependent on
the risk analysis — i.e., where is the risk great enough to require a
retrievable and exact copy?
• A guideline that can be used when determining what to back up is —
what information would be required by the entity to continue “business
as usual”? This information should be available in the analysis done to
determine what is required to run in “emergency mode.”
For other questions related to this specification, refer to the Backup and Recovery
questionnaire in the Appendices.
TECHNICAL SAFEGUARDS
1. STANDARD — ACCESS CONTROL
“Implement technical policies and procedures for electronic information systems that
maintain electronic protected health information to allow access only to those persons
or software programs that have been granted access rights as specified in
§ 164.308(a)(4) [Information Access Management standard].”[45]
These policies and procedures should be designed to allow access only to those
persons or software that have been granted access rights as specified in the
Administrative Safeguards section on Information Access Management. Although the
Administrative Safeguards section required entities to have policies and procedures
to grant access to systems where electronic protected health information is
maintained, this Access Control requirement is essentially requiring that these policies
and procedures be translated into technical controls at the technical level. With this
requirement, entities should take advantage of the technical capabilities relative to
access control to ensure that access is limited to only those who require it. Based
on some of the comments received, access control was further clarified to include:
• Context-based access
• Role-based access
• User-based access
a. REQUIRED Implementation Specifications
i. Unique User Identification
“Assign a unique name and/or number for identifying and tracking user identity.”[46]
Unique user identification is generally accepted as an information security best
practice and is one of the items covered in the user ID administration checklist. The
ideas behind this requirement are making users accountable for what they do and
enforcing the HIPAA security requirements. One item to note here is that there are
several levels of access to be concerned about. Access is at several levels within
organizations including network, application, and remote access. This requirement
is specifically for access related to electronic information systems containing
electronic protected health information.
1. Identify the systems that contain electronic protected health information
and how they can be accessed.
Guidance: This information should already be available from the initial
analysis but it is a good idea to confirm what systems contain electronic
protected health information. In addition, all the different ways the
systems can be accessed should be identified.
Client Response:
2. Do individuals accessing the identified systems have unique IDs for
access?
Guidance: Systems containing electronic protected health information
should be using unique IDs. There may be situations where applications
access electronic protected health information and the applications do not
have unique IDs for users. One potential issue is people who do not access
the systems very often (e.g., a backup person or someone who is
temporarily helping) so when they do, they use someone else’s ID.
Client Response:
3. Do the systems have any default IDs or guest IDs and if so, 1) are they
used? 2) have their default passwords been changed? 3) if not needed,
are they (can they be) disabled?
Guidance: Default and guest IDs are a significant risk when it comes to
unauthorized access to systems. These IDs are usually there out of the box,
so if administrators do not change passwords or disable them, they can be
used by someone with knowledge of the application or the system to gain
unauthorized access. In fact, a malicious user can utilize the Internet to
research what the different default IDs and passwords are and use that
knowledge to gain unauthorized access. The default or guest IDs should be
taken care of during the initial deployment if possible.
Client Response:
4. Do these systems have a way of tracking individuals’ activities? For
example, can specific transactions on these systems such as report
generation be tracked to specific individuals? If specific information is
accessed, can it be tracked to an individual?
Guidance: Tracking someone’s activity relating to accessing electronic
protected health information is necessary according to this requirement.
This tracking can include just accessing specific files or creating and
modifying information via an application. At the application level, specific
transactions should be tracked as that will provide a record of who made
what changes. Besides the built-in mechanisms available in applications
and systems, other mechanisms for fulfilling this requirement include tools
such as integrity checkers.
Client Response: