§ 142.308 Security standard.
Each entity designated in § 142.302 must assess potential
risks and vulnerabilities to the individual health data in its possession and
develop, implement, and maintain appropriate security measures. These measures
must be documented and kept current, and must include, at a minimum, the
following requirements and implementation features:
(a) Administrative procedures to guard data integrity,
confidentiality, and availability (documented, formal practices to manage
the selection and execution of security measures to protect data, and to manage
the conduct of personnel in relation to the protection of data). These
procedures include the following requirements:
(1) Certification. (The technical evaluation performed as
part of, and in support of, the accreditation process that establishes the
extent to which a particular computer system or network design and
implementation meet a pre-specified set of security requirements. This
evaluation may be performed internally or by an external accrediting agency.)
(2) A chain of trust partner agreement (a contract entered
into by two business partners in which the partners agree to electronically
exchange data and protect the integrity and confidentiality of the data
exchanged).
(3) A contingency plan, a routinely updated plan for
responding to a system emergency, that includes performing backups, preparing
critical facilities that can be used to facilitate continuity of operations in
the event of an emergency, and recovering from a disaster. The plan must
include all of the following implementation features:
(i) An applications and data criticality analysis (an
entity’s formal assessment of the sensitivity, vulnerabilities, and
security of its programs and information it receives, manipulates, stores,
and/or transmits).
(ii) Data backup plan (a documented and routinely updated
plan to create and maintain, for a specific period of time, retrievable
exact copies of information).
(iii) A disaster recovery plan (the part of an overall
contingency plan that contains a process enabling an enterprise to restore
any loss of data in the event of fire, vandalism, natural disaster, or
system failure).
(iv) Emergency mode operation plan (the part of an overall
contingency plan that contains a process enabling an enterprise to continue
to operate in the event of fire, vandalism, natural disaster, or system
failure).
(v) Testing and revision procedures (the documented
process of periodic testing of written contingency plans to discover
weaknesses and the subsequent process of revising the documentation, if
necessary).
(4) Formal mechanism for processing records (documented
policies and procedures for the routine, and nonroutine, receipt,
manipulation, storage, dissemination, transmission, and/or disposal of health
information).
(5) Information access control (formal, documented policies
and procedures for granting different levels of access to health care
information) that includes all of the following implementation features:
(i) Access authorization (information-use policies and
procedures that establish the rules for granting access (for example, to a
terminal, transaction, program, process, or some other user)).
(ii) Access establishment (security policies and rules
that determine an entity’s initial right of access to a terminal,
transaction, program, process, or some other user).
(iii) Access modification (security policies and rules
that determine the types of, and reasons for, modification to an entity’s
established right of access to a terminal, transaction, program, process,
or some other user).
(6) Internal audit (in-house review of the records of system
activity (such as logins, file accesses, and security incidents) maintained by
an organization).
(7) Personnel security (all personnel who have access to any
sensitive information have the required authorities as well as all appropriate
clearances) that includes all of the following implementation features:
(i) Assuring supervision of maintenance personnel by an
authorized, knowledgeable person. These procedures are documented formal
procedures and instructions for the oversight of maintenance personnel when
the personnel are near health information pertaining to an individual.
(ii) Maintaining a record of access authorizations
(ongoing documentation and review of the levels of access granted to a user,
program, or procedure accessing health information).
(iii) Assuring that operating and maintenance personnel
have proper access authorization (formal documented policies and procedures
for determining the access level to be granted to individuals working on, or
near, health information).
(iv) Establishing personnel clearance procedures (a
protective measure applied to determine that an individual’s access to
sensitive unclassified automated information is admissible).
(v) Establishing and maintaining personnel security
policies and procedures (formal documentation of procedures to ensure that
all personnel who have access to sensitive information have the required
authority as well as appropriate clearances).
(vi) Assuring that system users, including maintenance
personnel, receive security awareness training.
(8) Security configuration management (measures, practices,
and procedures for the security of information systems that must be
coordinated and integrated with each other and other measures, practices, and
procedures of the organization established in order to create a coherent
system of security) that includes all of the following implementation
features:
(i) Documentation (written security plans, rules,
procedures, and instructions concerning all components of an entity’s
security).
(ii) Hardware and software installation and maintenance
review and testing for security features (formal, documented procedures for
connecting and loading new equipment and programs, periodic review of the
maintenance occurring on that equipment and programs, and periodic security
testing of the security attributes of that hardware/software).
(iii) Inventory (the formal, documented identification of
hardware and software assets).
(iv) Security testing (process used to determine that the
security features of a system are implemented as designed and that they are
adequate for a proposed applications environment; this process includes
hands-on functional testing, penetration testing, and verification).
(v) Virus checking. (The act of running a computer program
that identifies and disables:
(A) Another "virus" computer program,
typically hidden, that attaches itself to other programs and has the
ability to replicate.
(B) A code fragment (not an independent program) that
reproduces by attaching to another program.
(C) A code embedded within a program that causes a copy
of itself to be inserted in one or more other programs.)
(9) Security incident procedures (formal documented
instructions for reporting security breaches) that include all of the
following implementation features:
(i) Report procedures (documented formal mechanism
employed to document security incidents).
(ii) Response procedures (documented formal rules or
instructions for actions to be taken as a result of the receipt of a
security incident report).
(10) Security management process (creation, administration,
and oversight of policies to ensure the prevention, detection, containment,
and correction of security breaches involving risk analysis and risk
management). It includes the establishment of accountability, management
controls (policies and education), electronic controls, physical security, and
penalties for the abuse and misuse of its assets (both physical and
electronic) that includes all of the following implementation features:
(i) Risk analysis (a process whereby cost-effective
security/control measures may be selected by balancing the costs of various
security/control measures against the losses that would be expected if these
measures were not in place).
(ii) Risk management (process of assessing risk, taking
steps to reduce risk to an acceptable level, and maintaining that level of
risk).
(iii) Sanction policies and procedures (statements
regarding disciplinary actions that are communicated to all employees,
agents, and contractors; for example, verbal warning, notice of disciplinary
action placed in personnel files, removal of system privileges, termination
of employment, and contract penalties). They must include employee, agent,
and contractor notice of civil or criminal penalties for misuse or
misappropriation of health information and must make employees, agents, and
contractors aware that violations may result in notification to law
enforcement officials and regulatory, accreditation, and licensure
organizations.
(iv) Security policy (statement(s) of information values,
protection responsibilities, and organization commitment for a system). This
is the framework within which an entity establishes needed levels of
information security to achieve the desired confidentiality goals.
(11) Termination procedures (formal documented instructions,
which include appropriate security measures, for the ending of an employee’s
employment or an internal/external user's access) that include procedures for
all of the following implementation features:
(i) Changing locks (a documented procedure for changing
combinations of locking mechanisms, both on a recurring basis and when
personnel knowledgeable of combinations no longer have a need to know or
require access to the protected facility or system).
(ii) Removal from access lists (physical eradication of an
entity's access privileges).
(iii) Removal of user account(s) (termination or deletion
of an individual’s access privileges to the information, services, and
resources for which they currently have clearance, authorization, and
need-to-know when such clearance, authorization and need-to-know no longer
exists).
(iv) Turning in of keys, tokens, or cards that allow
access (formal, documented procedure to ensure all physical items that allow
a terminated employee to access a property, building, or equipment are
retrieved from that employee, preferably before termination).
(12) Training (education concerning the vulnerabilities of
the health information in an entity’s possession and ways to ensure the
protection of that information) that includes all of the following
implementation features:
(i) Awareness training for all personnel, including
management personnel (in security awareness, including, but not limited to,
password maintenance, incident reporting, and viruses and other forms of
malicious software).
(ii) Periodic security reminders (employees, agents, and
contractors are made aware of security concerns on an ongoing basis).
(iii) User education concerning virus protection (training
relative to user awareness of the potential harm that can be caused by a
virus, how to prevent the introduction of a virus to a computer system, and
what to do if a virus is detected).
(iv) User education in importance of monitoring log-in
success or failure and how to report discrepancies (training in the user’s
responsibility to ensure the security of health care information).
(v) User education in password management (type of user
training in the rules to be followed in creating and changing passwords and
the need to keep them confidential).
(b) Physical safeguards to guard data integrity,
confidentiality, and availability. Protection of physical computer systems
and related buildings and equipment from fire and other natural and
environmental hazards, as well as from intrusion. It covers the use of locks,
keys, and administrative measures used to control access to computer systems and
facilities. Physical safeguards must include all of the following requirements
and implementation features:
(1) Assigned security responsibility (practices established
by management to manage and supervise the execution and use of security
measures to protect data and to manage and supervise the conduct of personnel
in relation to the protection of data).
(2) Media controls (formal, documented policies and
procedures that govern the receipt and removal of hardware/software (such as
diskettes and tapes) into and out of a facility) that include all of the
following implementation features:
(i) Access control.
(ii) Accountability (the property that ensures that the
actions of an entity can be traced uniquely to that entity).
(iii) Data backup (a retrievable, exact copy of
information).
(iv) Data storage (the retention of health care
information pertaining to an individual in an electronic format).
(v) Disposal (final disposition of electronic data, and/or
the hardware on which electronic data is stored).
(3) Physical access controls (limited access) (formal,
documented policies and procedures to be followed to limit physical access to
an entity while ensuring that properly authorized access is allowed) that
include all of the following implementation features:
(i) Disaster recovery (the process enabling an entity to
restore any loss of data in the event of fire, vandalism, natural disaster,
or system failure).
(ii) An emergency mode operation (access controls in place
that enable an entity to continue to operate in the event of fire,
vandalism, natural disaster, or system failure).
(iii) Equipment control (into and out of site) (documented
security procedures for bringing hardware and software into and out of a
facility and for maintaining a record of that equipment. This includes, but
is not limited to, the marking, handling, and disposal of hardware and
storage media.)
(iv) A facility security plan (a plan to safeguard the
premises and building (exterior and interior) from unauthorized physical
access and to safeguard the equipment therein from unauthorized physical
access, tampering, and theft).
(v) Procedures for verifying access authorizations before
granting physical access (formal, documented policies and instructions for
validating the access privileges of an entity before granting those
privileges).
(vi) Maintenance records (documentation of repairs and
modifications to the physical components of a facility, such as hardware,
software, walls, doors, and locks).
(vii) Need-to-know procedures for personnel access (a
security principle stating that a user should have access only to the data
he or she needs to perform a particular function).
(viii) Procedures to sign in visitors and provide escorts,
if appropriate (formal documented procedure governing the reception and
hosting of visitors).
(ix) Testing and revision (the restriction of program
testing and revision to formally authorized personnel).
(4) Policy and guidelines on work station use (documented
instructions/procedures delineating the proper functions to be performed, the
manner in which those functions are to be performed, and the physical
attributes of the surroundings of a specific computer terminal site or type of
site, dependent upon the sensitivity of the information accessed from that
site).
(5) A secure work station location (physical safeguards to
eliminate or minimize the possibility of unauthorized access to information;
for example, locating a terminal used to access sensitive information in a
locked room and restricting access to that room to authorized personnel, not
placing a terminal used to access patient information in any area of a
doctor’s office where the screen contents can be viewed from the reception
area).
(6) Security awareness training (information security
awareness training programs in which all employees, agents, and contractors
must participate, including, based on job responsibilities, customized
education programs that focus on issues regarding use of health information
and responsibilities regarding confidentiality and security).
(c) Technical security services to guard data integrity,
confidentiality, and availability (the processes that are put in place to
protect information and to control individual access to information). These
services include the following requirements and implementation features:
(1) The technical security services must include all of the
following requirements and the specified implementation features:
(i) Access control that includes:
(A) A procedure for emergency access (documented
instructions for obtaining necessary information during a crisis), and
(B) At least one of the following implementation
features:
(1) Context-based access (an access control procedure
based on the context of a transaction (as opposed to being based on
attributes of the initiator or target)).
(2) Role-based access.
(3) User-based access.
(C) The optional use of encryption.
(ii) Audit controls (mechanisms employed to record and
examine system activity).
(iii) Authorization control (the mechanism for obtaining
consent for the use and disclosure of health
information) that includes at
least one of the following implementation features:
(A) Role-based access.
(B) User-based access.
(iv) Data authentication. (The corroboration that data has
not been altered or destroyed in an unauthorized manner. Examples of how
data corroboration may be assured include the use of a check sum, double
keying, a message authentication code, or digital signature.)
(v) Entity authentication (the corroboration that an
entity is the one claimed) that includes:
(A) Automatic logoff (a security procedure that causes
an electronic session to terminate after a predetermined time of
inactivity, such as 15 minutes), and
(B) Unique user identifier (a combination name/number
assigned and maintained in security procedures for identifying and
tracking individual user identity).
(C) At least one of the following implementation
features:
(1) Biometric identification (an identification system
that identifies a human from a measurement of a physical feature or
repeatable action of the individual (for example, hand geometry, retinal
scan, iris scan, fingerprint patterns, facial characteristics, DNA
sequence characteristics, voice prints, and hand written signature)).
(2) Password.
(3) Personal identification number (PIN) (a number or
code assigned to an individual and used to provide verification of
identity).
(4) A telephone callback procedure (method of
authenticating the identity of the receiver and sender of information
through a series of "questions" and "answers" sent
back and forth establishing the identity of each). For example, when the
communicating systems exchange a series of identification codes as part
of the initiation of a session to exchange information, or when a host
computer disconnects the initial session before the authentication is
complete, and the host calls the user back to establish a session at a
predetermined telephone number.
(5) Token.
(2) Reserved.
(d) Technical security mechanisms (processes that are
put in place to guard against unauthorized access to data that is transmitted
over a communications network).
(1) If an entity uses communications or network controls,
its security standards for technical security mechanisms must include the
following:
(i) The following implementation features:
(A) Integrity controls (a security mechanism employed to
ensure the validity of the information being electronically transmitted or
stored).
(B) Message authentication (ensuring, typically with a
message authentication code, that a message received (usually via a
network) matches the message sent).
(ii) One of the following implementation features:
(A) Access controls (protection of
sensitive communications transmissions over open or private networks so
that they cannot be easily intercepted and interpreted by parties other
than the intended recipient).
(B) Encryption.
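The data authentication feature in paragraph (c)(1)(iv) and the message authentication feature in paragraph (d)(1)(i)(B) both rely on the receiver recomputing a tag over the received data and comparing it with the tag that was sent. The following is an added example, not part of the regulation, contrasting two of the tag types paragraph (c)(1)(iv) names: a plain check sum, which reveals accidental corruption only, and a keyed message authentication code, which also reveals alteration by anyone who does not hold the shared key. The sample record, the key value, and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record; not data from the regulation.
RECORD = b"patient_id=000123;procedure=labs;result=normal"

# Shared secret assumed to be provisioned out of band between the two
# chain-of-trust partners (placeholder value, not a real key).
SHARED_KEY = b"placeholder-shared-secret-replace-in-deployment"


def checksum_tag(record: bytes) -> int:
    """Plain check sum (CRC-32): needs no secret, so anyone can recompute it."""
    return zlib.crc32(record) & 0xFFFFFFFF


def checksum_ok(record: bytes, tag: int) -> bool:
    return checksum_tag(record) == tag


def mac_tag(key: bytes, record: bytes) -> bytes:
    """HMAC-SHA256 message authentication code keyed with the shared secret."""
    return hmac.new(key, record, hashlib.sha256).digest()


def mac_ok(key: bytes, record: bytes, tag: bytes) -> bool:
    # Constant-time comparison so verification time does not leak tag bytes.
    return hmac.compare_digest(mac_tag(key, record), tag)


def transmission_scenarios(key: bytes = SHARED_KEY) -> dict:
    """For each received variant, report (check sum accepted, MAC accepted)."""
    sent_sum = checksum_tag(RECORD)
    sent_mac = mac_tag(key, RECORD)

    # 1. Received exactly as sent.
    intact = RECORD

    # 2. One bit flipped in transit (accidental corruption); tags unchanged.
    flipped = bytearray(RECORD)
    flipped[-1] ^= 0x01
    corrupted = bytes(flipped)

    # 3. Record changed by a party without the key, who recomputed the
    #    check sum (it needs no secret) but could not produce a new MAC.
    altered = RECORD.replace(b"normal", b"abnorm")
    altered_sum = checksum_tag(altered)

    return {
        "intact": (checksum_ok(intact, sent_sum), mac_ok(key, intact, sent_mac)),
        "corrupted": (checksum_ok(corrupted, sent_sum),
                      mac_ok(key, corrupted, sent_mac)),
        "altered": (checksum_ok(altered, altered_sum),
                    mac_ok(key, altered, sent_mac)),
    }


if __name__ == "__main__":
    for name, (sum_accepted, mac_accepted) in transmission_scenarios().items():
        print(f"{name:9s} check sum accepts: {sum_accepted!s:5s} MAC accepts: {mac_accepted}")
```

The "altered" row is the point of the contrast: the check sum alone satisfies neither feature against a deliberate change, while the keyed code does.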
(2) If an entity uses network controls (to protect sensitive
communication that is transmitted electronically over open networks so that it
cannot be easily intercepted and interpreted by parties other than the
intended recipient), its technical security mechanisms must include all of the
following implementation features:
(i) Alarm. (In communication systems, any device that can
sense an abnormal condition within the system and provide, either locally or
remotely, a signal indicating the presence of the abnormality. The signal
may be in any desired form ranging from a simple contact closure (or
opening) to a time-phased automatic shutdown and restart cycle.)
(ii) Audit trail (the data collected and potentially used
to facilitate a security audit).
(iii) Entity authentication (a communications or network
mechanism to irrefutably identify authorized users, programs, and processes
and to deny access to unauthorized users, programs, and processes).
(iv) Event reporting (a network message indicating
operational irregularities in physical elements of a network or a response
to the occurrence of a significant task, typically the completion of a
request for information).