hipaa checklist - information security

S.no Standard Clause

1 Security Management Process 164.308(a)(1)




5 Assigned Security Responsibility 164.308(a)(2)

6 Workforce security 164.308(a)(3)(i)







13 Information Access management 164.308(a)(4)(i)





18 Security Awareness & Training 164.308(a)(5)(i)











29 Security Incident procedures 164.308(a)(6)(i)




33 Contigency Plan 164.308(a)(7)(i)












45 Evaluations 164.308(a)(8)

46 Evaluations 164.308(a)(8)

47

Business Associates contracts and

other arrangements 164.308(b)(1)

48

Business Associates contracts and

other arrangements 164.308(b)(1)

49 Facility Access control 164.310(a)(1)







56 Workstation Use 164.310(b)



59 Device and Media control 164.310(d)(1)




63 Access control 164.312(a)(1)









72 Audit controls 164.312(b)



75 Integrity 164.312©(1)

76 Person or entity authentication 164.312(d)

77 Transmission Security 164.312€(1)




81

Business Associate contracts and

other arrangements 164.314 (a)(1)

82



83



84

Requirements for Group Health

plans 164.314 (b)(1)

85 Policy & Procedures 164.316 (a)

86 Policy & Procedures 164.316 (a)

87 Documentation 164.316 (b)(1)


Specifications

Risk Analysis

Risk Management

Sanction Policy

Information Systems activity

review

Authorization and/or Supervision

Workforce clerance procedures

Workforce clerance procedures

Termination Procedures




Isolating healthcare clearinghouse

function

Access Authorization

Access establishment and

modification


modification


modification

Security Reminders

Security Reminders

Security Reminders

Protection from malicious software



Log-in monitoring

Log-in monitoring

Password Management

Password Management

Password Management

Response & Reporting




Data Backup plan

Data Backup plan

Data Backup plan

Data Backup plan

Data Backup plan

Data Backup plan

Disaster Recovery plan

Emergency mode operation plan

Emergency mode operation plan

Testing and Revision Procedure

Applications and data criticality

analysis

Applications and data criticality

analysis

Written contract or other

arrangement

Written contract or other

arrangement

Contigency Operations

Facility Security plan

Facility Security plan

Access control and validation

procedures

Maintenance records

Maintenance records

Maintenance records

No Implementation Specification



Disposal

Media Re-use

Accountability

Data backup and storage

Unique User Identification



Emergency access procedures

Automatic logoff

Automatic logoff

Encryption and Decryption






Mechanism to Authenticate EPHI


Integrity Controls

Integrity Controls

Encryption

Encryption

Business associate contracts

Other Arrangement

Other Arrangement

Plan Documents

Plan Documents


Time Limit

Availability

Updates

Questions

Is a risk anlaysis process used to ensure cost-effective

security measures are used to mitigate expected losses ?

If yes, is the Risk Anlaysis process documented ?

Are secuirty measures implemented to reduce risks and vulnerabilities

to an appropriate level to the organization.

Do documented policies and procedures exist regarding disciplinary

actions (stipulations for misuse or misconduct) ? Have they been

communicated to the employees?

Are audit logs reviewed ? If yes, how often ? Is there a responsible entity? If the

effort documented ? Is audit logging for communication enabled.

Has the Security responsibilities for the organization been issued to

an individual or group ? If yes, is it documented ?

Are procedures in place to ensure personnel performing technical

system maintenance activities are supervised by authorized/knowledgeable

individuals, and that operational personnel are appropriately authorized to access

systems ? Are these

procedures documented ?

Are personnel procedures established and maintained ? Are these

procedures documented ?

Does the organization follow personnel clerance procedures to verify

access privileges before admissions? Are these procedures documented ?

Are access lists up-dated in a timely manner when employee accesses

change? If yes, are they documented and updated consistently ?

Does the organization follow termination procedures that include checklist for

collecting access-providing materials? If yes,are these

procedures followed consistently? Are these termination procedures

documented ?

Does the organization follow procedures for changing combination

and locking mechanism ? Are these procedures documented ?

Does the organization have documented termination checklists which

include procedures for removing user accounts in a timely manner.

If the organization includes a healthcare clearinghouse, what policies

and procedures are in place to isolate the clearinghouse electronic

protected healthcare information from the rest of the organization ?

Are the rules established to determine the initial level of access an

individual may have ? Are these rules documented ?

Does the organization follow procedures for governing access to information on a

need to know basis ? If yes, who is responsible for

maintaining documentation of these procedures ?

Does the organization have different level of access to health information/data ?

Are these rules established for granting access and authorization? If yes, are these

rules documented ?

Are these rules established for the modication of individual access? If

yes, are these rules documented ?

Are Periodic security reminders issued to all employees? If yes, are these reminders

documented and do you feel that it is effective?

Is formal information Security awareness training conducted for all

employees, agents and contractors? Yes, how often it is performed and is periodic

re-attendance required ? Is the security awareness training program documented ?

Does the organization conduct customized training conducted to all

employees, agents, and contractors? Yes, how often it is performed and is periodic

attendance required? Is the security awareness training

awareness documented ?

If security awareness training is conducted does it includes (at a minimum): (A) Virus

protection, (B) importance of monitoring login Success/failure, and ©Password

management? Are these minimal requirements for Security Awareness training

documented ?

Are procedures in place to make sure virus checking software is installed

and running on all computer system within the organization ?

Do these procedures include the requirements that virus definitions

be consistently updated ?If yes, what procedures do you use to update

them and how often ?

Are procedures implemented that provide for monitoring of failed log-in

attempts in an organizations server ?

What procedures are in place to ensure failed log-in attemtps are

reported to the proper authority ?

What password guidelines exist and what procedures are followed to ensure the

user makes a good selection ?

Do users sign a security statement when issued a password ?

What password guidelines are in place to protect integrity of

administrator type account ?

Is there a formal process in place to allow the reporting the security breaches? If

yes, to whom are these breaches reported to and are these

process documented ?

Are formal procedures follwoed for responding to incidents? If yes, which

entity is reposible and are handled in a timely manner? Are these procedures

documented ?

Are procedures followed for mitigating incidents that may occur ? Do the

procedures also identify a team assigned to handle these incidents ?

At the conclusion of an incident, are procedures followed to document

the outcome of the incident investigation? Are the results maintained in

an historical file for subsequent review ?

Has a data backup plan been implemented and followed within your

organization? If yes, is the data backup plan documented?

Does the Data backup plan contain procedures for testing and revision? If

so, are these procedures documented ?

Does the organization follow data backup plan procedures that allow for

an exact copy of information to be retrieved? If yes, are data backup plan policies

and procedures formally documented?

What type of backup does the Data backup plan call for? Full or incremental ?

Where is backup media stored ? For how long ?

What phsyical protection mechanism exist for local and remote copies of

backups? What handling instructions are in place ?

Has a disaster recovery plan been developed? If yes, is the disaster recovery plan

documented ?

Has an emergency mode operation plan been tested to determine continual

operations ?If yes, is the emergency mode operations plan and

procedures fully documented?

Does the emergency mode operation plan and disaster recovery plan

address physical access to appropriate personnel ? Is the emergency Mode

operations plan and procedures formally documented ?

Is the disaster recovery plan periodically tested to insure adequacy ? If yes,is the

testing documented ? What types of testing documented ? What types of testing

are accomplished ?

Have critical systems been identified within your organization and documented

within the contigency plan ?

What other types of mechanism are in place to allow for mission for critical hosts or

systems to properly shutdown.

Has internal or external entity performed an assessment on any network

or individual systems within the network to determine if they meet a pre

specified set of security standards ? If yes, has the assessment(s) been documented

?

Does the organization maintain a history of technical evaluations for

computer systems and network(s)

Has an inventory of all electronic data exchanges with third parties, vendors or

business partners taken place ? If yes, has a business associate agreement been

executed ? Is the inventory and agreement documented ?

Are you aware of any trusted internal or external business connections, or

any third party connections or accesses? What are they ?

Have procedures been implemented that provide for facility access and other

business functions during contigency operations ?

Does the organization have a facility security plan ? Is the facility Security plan

formally documented?

Has the organization implemented procedures within the facility to sign in

visitors and provide escorts, if appropriate ? Are these formally documented

procedures for visitor escort and sign in ?

What procedures are in place to ensure that maintenance personnel have proper

access and authorization ? Are these procedures documented ?

Does the organization retain facility maintenance records ? Is there formal

documentation for this procedure ?

Does the organization retain facility maintenance records ? Is there formal

documentation for this procedure ?

Does the organization maintain a access authorization records? If so, how long are

these records retained ? Are these authorization documented ?

Does the organization follow procedures for defined acceptable workstation

use ? Are documented procedures which outline proper fucntions ?

Has the organization implemented physical safeguards to eliminate or

minimize unauthorized access/viewing of health information on

workstations ?

Does the organization implement console locking features ?

Does the organization follow procedures for the final disposition of electronic data

(including PHI) and the hardware that it resides on ? Are these procedures

documented ?

Have procedures been developed for removing electronic protected health

information from media before it is scheduled for re-use?

Does the organization follow procedures for taking hardware and software

into or out of a facility ? Are these procedures documented ? Who is

accountable for the movement of media ?

Does the organization follow data storage procedures for electronic retention of

individual health care information ? Are these formally documented policies and

procedures ?

Are unique user id(s) in place/use (network and application) ? If yes, for

which systems and are they governed by writtent security procedures ?

Are they any shared ID's or non-unique ID's in use ?

Do all end users of network resources have a unique user ID ?

Is an emergency access procedures documented and followed ?

Are controls in place and configured to allow for automatic logoffs (network

and application ) ?

Are controls in place to ensure that data has not been altered or destroyed

during transmission ?

Is encryption currently in use with any access control solutions that are in place? If

yes how ?

Are access control or encryption technologies used to secure transmission

of sensitive information ? If yes, what and for which systems ?

Are encryption technologies used to secure data at rest ? If yes, for which

systems ?

Are networked systems configured to allow event reporting ? If yes, which

types of systems ?

Are auditing capabilities enabled for file/record accesses modifications or

deletions ? If yes, for which systems and what activites are audited ?

Are software or hardware solutions in place that will provide notifications

of abnormal conditions that may occur networked systems ?

What process exist to determine who will have the authority to change or

manipulate health information ? Is this process documented ?

How is the signature on the document/data verified as trust-worthy? IS online or

offline validation as well as entity or non-entity certificate used ?

What policies, procedures, and technical mechanisms are in place to protect

health information as it is transmitted across internal and external networks? Are

these policies, procedures and technical mechanisms documented ?

What technical and administrative processes, and mechanisms are in place to

ensure secure storage of health information ? Are these processes documented ?

Is the message encrypted,or signed ? What practice are in place for the storage

private (secret) keys ?

What crytpographic methods and parameters are used to ensure the integrity of the

message during transmission unaltered?

Are business associate contracts in place between the organization and any

business associate that might common in contact with the organization electronic

protected health information ?

Are both the organization and the business associate a government agency ?

If yes, does a memorandum of understanding exist between the organization and

the business associate that requires the business associate implement reasonable

and appropriate administrative, physical and technical safeguards to protect ephi ?

IS the business associate required by law to perform a function or activity

on behalf of the organization? If yes, describe what steps the organization

completed in order to ensure the business associate complied with the

provisions of the HIPAA security rule

Does the organization have a group health plan ? If yes, do the plan documents

require the plan sponsor reasonably and appropriately safeguard EPHI ?

Does the organization have a group health plan ? If yes, do the plan documents

require the plan sponsor reasonably and appropriately safeguard EPHI?

Does the organization have a process for developing, approving, and publishing

formal security policies ?

Are documented related to EPHI maintained for the time period prescribed

by this rule ?

Is this documentation available to those persons responsible for implementing the

various procedures required by HIPAA rule ?

Are the policies and procedures reviewed on a periodic basis to ensure adequacy

and timeliness ?

Example

For example, does the organization use a process to determine

cost effective security control measures in a relation to the loss

that would occur if these measures were not in place .

Each organization must accept a certain level of risk and must be able to determine and document that

appropriate level.

These would be a displinary actions for misuse or misaapropriation of health

information (e.g verbal warning, notice disciplinary action placed in personnel

files, removal of system privileges, termination of employment, and contract

penalties).

Organizations will be required to provide and maintain ongoing analysis/reviews of the records of system

activity (logins, file access, security incidents) to help identify security violations. This will include

operating systems, applications and networked systems.

Organization will be required to assign security resposibility to a particular or

individual or group. They will be responsible to ensuring security measures to

protect data and ensure individuals act accordingly in the protection of data.

This is important in providing an organizational focus towards security and

ability to pinpoint responsibility.

Example, Maintenance personnel are directly monitored by escorts near health

information. Operational personnel should also have the appropriate access to

data or systems.

Organization will be required to have formal documented policies and procedures for validating the

access privileges of an entity before granting those privileges.

Despite the nature of access lists, employees must be removed upon termination or modified to reflect

when a job function or role changes.

Termination procedures will be required to be documented are implemented.

These are important to prevent the possibility of unauthorized access to secure data by those who are no

longer authorized to access data (e.g voluntary or

inoluntary exit). Organizations will need to collect keys, tokens, and identification cards.

Documented procedures for changing of combinations and locking mechanism,

on a defined time schedule, and when personnel no longer have a need to

know.

Organization will be responsible for removing user accounts from computer

systems (emails), in a timely manner.

Organizations are required to implement policies and procedures to protect

against unauthorized or inadvertent disclosure of electronic protected healthcare information from the

larger organization.

Organization will be required to track the establishment of initial access through documentation efforts.

For example documentation on why individual will require access.

Organization will be required to support a users given access level information.

A user should have access only to the data needed to perform a particular function.

Organization will be required to maintain policies and procedures for identified

access levels of access to a terminal transaction, program, process or X of that user?

Organization will be required to track the modification of an individual access. For

example, procedures for why access for an existing individual may change.

It's purpose is to refresh knowledge of policies and procedures and to keep all

employees alert to the latest types of security threats (occuring incidents or CERT

alerts).

The information Security awareness training should include at a minimum: virus protection, password use

and protection.

Information Security training should address issues that are directly related to the

employee duties (e.g appropriate handling indivdual health information and

unattended workstation procedures)

Employees must understand virus protection efforts, why login are monitored,

and how to effectively manage their passwords.

Virus protection will be required on computer system(s), that can detect virus

programs that attach to other files or program to replicate, a code fragment that

reproduce by attaching itself to another program, or an embedded code that can

copy or insert itself into one or more programs.

Accurate virus protection relies on the update of definition on a timely manner.

Procedures must be implemented to provide methods of monitoring attempts

access to servers containing sensitive informations.

procedures requiring the monitoring of failed lon-in attempts must contain

instructions on reporting discrepancies.

Guidelines would be (minimum length, minimum time, maximum time, prevention of re-use, force of

change for default and initial passwords, maximum number of change times). It is a good pratice to run

password crackers and verification tools to ensure that users have selected solid passwords.

This statement should explain appropriate use and selection along with change

management procedures for the password.

Guidelines and restrictions should be placed on the use of administrator, root &

default accounts. Minimal numbers to employees should be allowed access to

these types of acounts, different levels of access should be used, and tracking

should be enforced for the use of these types of accounts.

These procedures will allow employees to effectively report security incidents or

breaches. The organization's will be required to document these procedures, and

the employees should be aware of the policies and procedures and willing to use them

The organization will be required to document reporting review, and response

policies and procedures in relation to security violations and should handle security violations promplty.

Procedures should be developed and implemented that provide guidance on selected type of incident and

how to mitigate them.

Incident reporting should include documenting the results of the incident investigations. These results

should be reviewed and maintained to assist in future investigations.

For example, a formally documented and routinely updated plan to create and maintain, for a specific

period of time, retrievable exact copies of information for the organization.

For example, formally documented and regularly maintained testing and revision

procedures.

Organization must be able to retrieve an exact copy of data while maintaining

accountability and access control integrity.

Incremental and fullbackup should be specified within the databackup plan, each

serves a different purpose and these time frames should be planned appropriately.

Backup tapes should be stored offsite or in a safe. (e.g Medium types may be tape

, cd, diskettes).

Data backup should not be left in an insecure environment as it contains sensitive

network and system data.

Most specifically, the Disaster recovery plan should address IT and information

security breaches and allow for the restoration of data loss to the entity in the event of fire, vandalism,

natrual disaster or system failure ?

For example, formally documented plans and processes to enable the continuing

operation of the organization in the short term (48 hours or less). This may be result of fire, vandilism,

minor natural disaster or system failure).

For example, formally documented plans and processes to enable the continuing

operation of the organization in the short term (48 hours or less).

Regularly maintained, formally documented plans and processes to enable the

continuing operation of the organization in the short term (48 hours or less)

Crtical systems include those systems that provide services that if lost could result in significant backlog

and monetary loss.

A proper shutdown will allow current sessions, applications and transcations to close before the system

powers off.

Such as a technical member of your internal audit team or IT team responsible for

evaluation, and testing . Technical evaluations include vendor certification or

applications prior to go-live. External entities include any accrediting agency

completing annual external penetrations, and/or infrastrcuture integrity testing

to ensure they meet industry best practices for information security.

The information maintained should support certification of the computer systems

or network designs as having implemented appropriate security.

If the data is processed through a third party, the parties must enter into a Business associate agreement.

This contract states the agreement to exchange data electronically and assurance of data transmission

integrity and storage. Third parties are vendors, business partners, or internal entities that have access to

your computer systems and infrastrucuture. These third parties will require business associate

agreements. For example, a provider may contract with a clearinghouse to transmit claims.

Third parties are vendors, business partners, or internal entities that have access to your computer

systems and infrastrucuture. These third parties types of accesses are considered less-trusted and will

require a business associate agreement.

These procedures would assist the organization in recovering the business functions after a crisis. This is

completely separate from recovering the data and involves planning for office space, communications,

equipment needs etc.

Facility Security is a group of plans that encompass all aspects of the identified

facility (e.g Cameras, perimeter protection)

Organization will be required to have formally documented procedures governing

the reception and hosting of visitors. For example: vendors, maintenance personnel.

The organization will be required to maintain ongoing documentation for granting

access to individuals working on near health information.

Organization will be required to have documentation of repairs and modification to

the physical components of a facility (e.g walls, doors, lights and rocks).

Organization will be required to have documentation of repairs and modification to hardware /software

and computer systems. Note: a helpdesk tracking system

may be used to record maintenance records.

The organization will be required to retain ongoing documentation of levels of access granted to user,

program, procedures, assessing health information.

Each organization will be required to have guidelines delineating the proper function to be performed,

and the manner in which the functions are performed.

Each organization will be required to put in place physical safeguards for workstations that will prevent

public areas from accidentally dispensing patient identifiable health information from workstation. For

example, privacy screens, monitor postions,cubicle walls or locked rooms.

Different systems will allow for the use of different types of mechanism to be used to lock workstations.

(e.g Monitor, NLM,Screen savers with passwords)

Organization will be required to document policies and procedures for the disposition`of electronic data

and the hardware on which it resides. (e.g wiping hard drives, or other method of destruction.

These procedures would inlude some form of sanitization process for the media

and a form of written verification tha the media has been cleansed prior to re-use.

Organization will be required to govern the receipt, movement, and removal of hardware /software and

in and out of the facility. This includes the marking, handling, and disposal of hardware and storage

media. This will impact your offsite backup procedures.

Organizations will be required to document electronic data retention policies and

procedures. This is to include length of time, storage, receipt and format.

Unique user ids are a combination name/number assigned to identify and track

individuals.

High profile shared accounts could be a lan admin ID or business unit that is highly

impacted by login/logout inefficiencies (nurses)

Organization will be required to irrefutably identify authorized users and processes, and to deny access to

those unauthorized. An example best praticse woule be "no group User ID's are permitted. Entity

authentication can be done through name and password through the network or application and by IP

address, service or protocol at the firewall)

Emergency Access can include access to a system or appplication immediately for

a user without current access (normal changes bypassed). Also, short system outages requiring manual

procedures.

Application will be required to provide automatic user logoff

Organization will be required to provide corroboration that data in its possession

has not been altered or destroyed in an unauthorized manner. For example:

Check Sums, double keying, message authentication code, digital signature applied to files or data.

Encryption is optional within the proposed regulations for section 142.308 c in relation to access control

methods. Encryption with access control example are VPNs, SSL

SSh.

For example PKI, IPSEC, VPN, SMARTcard or SSL.

For example, database content, file contents, directory contents containing

sensitive data.

Different types of systems will allow for different types of logging to take place

(e.g syslog server, application event logs (IIS, exchange), specific service use (ftp, http), specific activities,

NT event logging, Firewall events or intrusion detection.

Audit will be required to record and examine system activity such as who has read,accessed, or changed a

file (e.g system actives could be audited for applications,operating systems or network devices.

Any software of hardware device that can sense an abnormal condition within the

system and provide a signal. The signal can be a contact, auto showdown or restart.For example intrusion

detection system, firewalls, NT event logging)

Changes to health information should be audited to ensure proper use and accesses

Online validation of offline validation. Online validation allow the user to ask the CA directly about a

certificates validity everytime is used. Offline validation gives a validity period a pair of dates defining the

valid range of the certificate. Entity certificates are known as identity certificates (charateristics), and non-

entity

certificates are known as credential certificates

Policies and procedures would ensure that security of health information as it is

transmitted from start, middle, to end point.

Storage of health information should be secure, and follow appropriate retention

guidelines.

Encrypted message is encrypted by the symmetric key and the public key encrypts

the symmetric key. Signed message is hashed and encrypted with the senders

private key. Signed and encrypted is signed by the senders private key, and the message is encrypted with

the senders public key.

For example, please describe the parameters used for signing a message (e.g hash algorithm(md5 or SHA1

and encrypting the message (DES, Diffie hellman, RSA, or elliptic curve)

These contracts should stipulate the business associate implement reasonable and

appropriate safeguards to protect this sensitive information.

The memorandum of understanding should detail the measures the business assocaite

has in place to provide reasonable and appropriate security protection for EPHI.

When the business associate is required by law to perform certain activities, the organization needs to

document its attempts to ensure the business associate has reasonable an appropriate security measures

to protect the organizations EPHI.

The plan documents must require the plan to sponsor to implement administrative,

physical and technical safeguards to protect EPHI.

The plan document must require the plan sponsor to implement administrative, physical and technical

safeguards to protect EPHI.

A formal Security policy process ensures the right people in the organization assist in the

development, approval, and dissemination of the organization's Security policies

The final HIPAA Security rule calls for documentation related to EPHI to be maintained to a period of six

years from the date of its creation or last was it used, whichever is later .

Either written and electronic forms of all documentation should be available to those persons

responsible for implementing the procedures described in the HIPAA security rule.

All policies and procedures should undergo a periodic review to ensure the organization remain

in its security posture in order to protect EPHI.

hipaa checklist - information security

Technology