Académique Documents
Professionnel Documents
Culture Documents
IMPLEMENTATION
HANDBOOK
PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE
March 2008
April 2005
Forward
The Security Implementation Handbook is intended only for Pennsylvania Department of Public
Welfare use.
The Security Implementation Handbook contains references to policies and procedures which
were in effect as of its writing. The Department cannot ensure the accessibility of these policies
and procedures through the hyperlinks provided in the online version of this handbook.
Additional information may be obtained from the Department of Public Welfare Security Office at:
PW, IT-Security@state.pa.us
Version Information
Version #
1.0
Date
04/20/2005
By
F. Morrow
Page
1.1
05/17/2010
April 2005
C. VanScyoc
Page
April 2005
Table of Contents
Forward
................................................................................................................................................2
Version Information.......................................................................................................................................2
Table of Contents............................................................................................................................................3
1.0
1.1
1.2
Introduction......................................................................................................................................5
Overview......................................................................................................................................5
Purpose of the Handbook...........................................................................................................5
2.0
Definitions.........................................................................................................................................6
Administrative Safeguards..........................................................................................................................11
3.0
Security Management Process......................................................................................................11
3.1
Risk Analysis..............................................................................................................................11
3.2
Risk Management......................................................................................................................13
3.3
Sanction Policy...........................................................................................................................13
3.4
Information System Activity Review.......................................................................................14
4.0
Assign Security Responsibility......................................................................................................16
4.1
Department Security Officer....................................................................................................16
4.2
Program Office Security Monitor............................................................................................17
4.3
Program Office Security Administrator..................................................................................17
4.4
Program Office Contact (POC)................................................................................................18
5.0
Workforce Security........................................................................................................................18
5.1
Authorization and/or supervision............................................................................................18
5.2
Workforce Clearance Procedure..............................................................................................19
5.3
Termination Procedures............................................................................................................19
6.0
Information Access Management.................................................................................................20
6.1
Isolating health care clearinghouse functions.........................................................................20
6.2
Access authorization.................................................................................................................20
6.3
Access establishment and modification...................................................................................21
7.0
Security Awareness and Training.................................................................................................21
7.1
Security reminders....................................................................................................................21
7.2
Protection from malicious software.........................................................................................22
7.3
Log-in monitoring.....................................................................................................................22
7.4
Password management.............................................................................................................23
8.0
Security Incidents Procedures.......................................................................................................23
Response and Reporting..........................................................................................................................23
9.0
Contingency Plan...........................................................................................................................24
9.1
Data Backup Plan......................................................................................................................24
9.2
Disaster Recovery Plan.............................................................................................................24
9.3
Emergency Mode Operation Plan...........................................................................................25
9.4
Testing and Revision Procedures.............................................................................................25
9.5
Applications and Data Criticality Analysis.............................................................................26
10.0
Evaluation.......................................................................................................................................26
11.0
Business Associate Agreements and Other Arrangements.........................................................26
Physical Safeguards......................................................................................................................................28
12.0
Facility Access Controls.................................................................................................................28
12.1
Contingency Operations...........................................................................................................28
12.2
Facility Security Plan................................................................................................................28
12.3
Access Control and Validation Procedures.............................................................................29
12.4
Maintenance Records................................................................................................................29
13.0
Workstations...................................................................................................................................30
13.1
Workstation Use........................................................................................................................30
13.2
Workstation Security................................................................................................................30
Page
April 2005
14.0
Device and Media Controls...........................................................................................................31
14.1
Disposal......................................................................................................................................31
14.2
Media re-Use..............................................................................................................................32
14.3
Accountability............................................................................................................................32
14.4
Data backup and storage..........................................................................................................33
Technical Safeguards....................................................................................................................................34
15.0
Access Control................................................................................................................................34
15.1
Unique User Identification.......................................................................................................34
15.2
Emergency Access Procedure...................................................................................................34
15.3
Automatic Logoff.......................................................................................................................35
15.4
Encryption and Decryption......................................................................................................35
16.0
Audit Controls................................................................................................................................35
17.0
Integrity...........................................................................................................................................36
Mechanism to Authenticate EPHI..........................................................................................................36
18.0
Person or entity authentication.....................................................................................................36
19.0
Transmission security....................................................................................................................37
19.1
Integrity controls.......................................................................................................................37
19.2
Encryption..................................................................................................................................37
Policies, Procedures and Documentation Requirements..........................................................................38
20.0
Documentation...............................................................................................................................38
Appendix A. Summary of HIPAA Security Standards............................................................................40
164.308 Administrative Safeguards.....................................................................................................40
164.310 Physical Safeguards................................................................................................................42
164.312 Technical Safeguards..............................................................................................................43
164.316 Policies and procedures and documentation requirements................................................43
Appendix B. HIPAA Security Standards Matrix......................................................................................45
Appendix C. Commonwealth and Department Security Standards and Practices...............................46
Page
1.0
April 2005
Introduction
1.1
Overview
Among other things, the Federal Health Insurance Portability and Accountability
Act (HIPAA) of 1996 required issuance of comprehensive Federal regulations for
protection of certain individually identifiable health information. Final regulations
governing storage, use, and disclosure of electronic protected health information
(EPHI) were published on February 20, 2003. These regulations are commonly
referred to as the as the HIPAA security regulations. Most covered entities,
including the Department, are required to comply with these regulations by April
20, 2005.
The HIPAA security regulations create national standards which require covered
entities to:
ensure the confidentiality, integrity and availability of EPHI
protect against any reasonably anticipated threats or hazards to EPHI
protect against reasonably anticipated inappropriate disclosures
ensure compliance with the rule by the covered entitys workforce.
These regulations require the Department to implement various security-related
safeguards. Some of these are required for compliance; others are considered
addressable and depend on the circumstances of the Departments environment.
Specifically, these safeguards must cover the following areas:
1.2
Page
2.0
April 2005
Definitions
Access. The ability or the means necessary to read, write, modify, or communicate
data/information or otherwise use any system resource.
Administrative safeguards. Administrative actions and policies and procedures, to
manage the selection, development, implementation, and maintenance of security
measures to protect electronic protected health information (EPHI) and to manage the
conduct of the covered entity's workforce in relation to the protection of that information.
Authentication. Corroboration that a person is the one claimed.
Availability. The property that data or information is accessible and useable upon
demand by an authorized person.
BIS. The Bureau of Information Systems under the Pennsylvania Department of Public
Welfares Office of Administration.
Business associate. A person or entity who, on behalf of a covered entity or an
organized health care arrangement, performs or assists in the performance of one of the
following:
1. A function or activity involving the use or disclosure of individually identifiable health
information, including claims processing or administration, data analysis, processing
or administration, utilization review, quality assurance, billing, benefit management,
practice management and repricing.
2. Other than as a member of the covered entitys workforce, provides legal, actuarial,
accounting, consulting, data aggregation, management, administrative, accreditation
or financial services for such covered entity or organized health care arrangement.
Business associate agreement. A contract or other arrangement between a covered
entity and a business associate that does all of the following:
1. Establishes the permitted and required uses and disclosures of protected health
information (PHI), including EPHI, by the business associate.
2. Provides that the business associate will use PHI only as permitted by the agreement
or as required by law, use appropriate safeguards, report any disclosures not
permitted by the agreement, ensure that agents to whom it provides PHI will abide by
the same restrictions and conditions, make PHI available to individuals and make its
record available to U.S. Department of Health and Human Services (DHHS).
3. Authorizes termination of the agreement by the Department if the Department
determines that there has been a violation of the contract.
The business associate agreement is often part of a contract made in the procurement
process, but can be part of a Memorandum of Understanding (MOU), grant agreement or
other document.
CMS. Centers for Medicare & Medicaid Services within the DHHS.
Commonwealth. The Commonwealth of Pennsylvania.
Page
April 2005
Compliance date. The date by which a covered entity must comply with a standard,
implementation specification, requirement or modification specified in this handbook.
Confidential information. Data to be used or disclosed only by those authorized to do
so.
Confidentiality. The property that data or information is not made available or disclosed
to unauthorized persons or processes.
Covered entity. A health care provider who transmits any health information in electronic
form in connection with a transaction covered by the privacy rule, a health care plan or a
health care clearinghouse.
Covered functions. Those functions of a covered entity, the performance of which
makes the entity a health care plan, health care provider or health care clearinghouse.
DHHS. The U.S. Department of Health and Human Services.
Department. The Pennsylvania Department of Public Welfare.
Designated record set. The medical records and billing records, including electronic
records, about individuals maintained by or for a covered health care provider; the
enrollment, payment, claims adjudication and case or medical management record
systems maintained by or for a health care plan; or medical records and billing records
used by or for the covered entity to make decisions about individuals.
For purposes of implementing HIPAA requirements, the Department intends to treat all
client records as if they were part of the designated record set and afford them the
corresponding privacy protection.
Disclosure. The release, transfer, provision of access to or divulging of information
outside the entity holding the information.
DPW. The Pennsylvania Department of Public Welfare.
Electronic media. Electronic storage media including memory devices in computers
(internal memory or hard drives) and any removable/ transportable digital memory
medium, such as magnetic tape or disk, optical disk, or digital memory card; or
transmission media used to exchange information already in electronic storage media.
Transmission media include, for example, the internet (wide-open), extranet (using
internet or other technology to link a business with information accessible only to
collaborating parties), leased lines, dial-up lines, private networks, and the physical
movement of removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not considered to be
transmissions via electronic media, because the information being exchanged did not
exist in electronic form before the transmission.
Electronic protected health information (EPHI). Information in an electronic media that
comes within of the definition of PHI as specified in this section.
Encryption. The use of an algorithmic process to transform data into a form in which
there is a low probability of assigning meaning without use of a confidential process or
key.
Facility. The physical premises and the interior and exterior of one or more buildings.
Page
April 2005
Health care. Care, services or supplies related to the health of an individual. Health
care includes, but is not limited to preventive, diagnostic, therapeutic, rehabilitative,
maintenance, mental health or palliative care and sale or dispensing of a drug, device,
equipment or other item in accordance with a prescription.
Health care clearinghouse. A public or private entity that does either of the following:
1.
2.
2.
3.
4.
Underwriting, premium rating and other activities relating to the creation, renewal
or replacement of a contract of health insurance or health benefits and ceding,
securing or placing a contract for reinsurance of risk relating to claims for health
care.
5.
Conducting or arranging for medical review, legal services and auditing functions
including fraud and abuse detection and compliance programs.
6.
7.
Health care plan. An individual or group plan, including Medical Assistance (MA)
Programs, that provides, or pays the cost of, medical care.
Health care provider. A provider of services and any other person or organization who
furnishes, bills or is paid for health care in the normal course of business .
Health information. Any information, whether oral or recorded in any form or medium,
that does both of the following:
1.
Is created or received by a health care provider, health care plan, public health
authority, employer, life insurer, school or university or health care clearinghouse.
2.
Page
April 2005
For purposes of implementing HIPAA requirements, the Department intends to treat all
client records as if they were health information and afford them the corresponding
privacy protection.
Health maintenance organization (HMO). A federally qualified HMO and an
organization recognized as an HMO under State law.
Health oversight agency. An agency or authority of the United States, Pennsylvania or
a political subdivision of a state, or a person or entity acting under a grant of authority
from or contract with such public agency, authorized by law to oversee the health care
system or government programs in which health information is necessary to determine
eligibility or compliance, or to enforce civil rights laws for which health information is
relevant.
Individual. The person who is the subject of PHI.
Individually identifiable health information. Health information, including demographic
(such as names, addresses, telephone numbers, etc.) information that identifies the
individual or for which there is a reasonable basis to believe the information can be used
to identify an individual.
For purposes of implementing HIPAA requirements, the Department will treat all
individual records (including electronic records) as if they were health information and
afford them the corresponding privacy protection.
Information system. A system, whether automated or manual, comprised of people,
machines, and/or methods organized to collect, process, transmit and disseminate data.
Integrity. The property that data or information have not been altered or destroyed in an
unauthorized manner.
Malicious software. Software, for example, a virus, designed to damage, disrupt, or
otherwise compromise an electronic information system or network.
OA/OIT. The Office of Information Technology under the Commonwealth of
Pennsylvanias Governors Office of Administration.
Organized health care arrangement. A clinically integrated care setting in which
individuals typically receive health care from more than one health care provider or an
organized system of health care in which more than one covered entity participates, and
in which the participating covered entities hold themselves out to the public as
participating in a joint arrangement and participate in joint activities.
Password. Protected/private alphanumeric string used to authenticate an identity or to
authorize access to data.
Physical safeguards. Physical measures, policies, and procedures to protect a covered
entity's electronic information systems and related buildings and equipment, from natural
and environmental hazards, and unauthorized intrusion.
Privacy Rule. The Federal privacy regulations promulgated under the Health Insurance
Portability and Accountability Act (HIPAA) of 1996, which created national standards to
protect PHI.
Protected health information (PHI). Individually identifiable health information that is
maintained or transmitted in any form or medium. Protected health information excludes
Page
April 2005
Page
April 2005
Administrative Safeguards
3.0
Page
April 2005
Software updates and patches are tested and reviewed by appropriate staff
prior to installation.
OA/OIT, through a MOU with agencies under the Governors Office, will
develop an enterprise security initiative including centralized review and
auditing of Department systems and administration.
These various surveys and evaluations cover a range of different aspects of the
Departments IT and data assets, including:
Hardware
Software and applications
Database systems
Network access and related defenses
User background checks
User authorization
Additional sources of information:
ITB I.6.1. Requires agencies to conduct periodic risk assessments.
Page
April 2005
CAPs are filed with the OA/OIT. These are reviewed, implemented, and
updated on a quarterly basis, noting progress made and issues closed.
Application security controls must be reviewed and approved prior to
applications move to production as a part of the applications ECSA.
Anti-virus and anti-spyware files are updated as released by the vendor
through an automated process.
IT staff subscribe to various hardware and software notification lists (CERT,
CISCO, Microsoft, etc.) to keep up-to-date on hardware and software
vulnerabilities and related patches. BIS staff members evaluate the impact
of these vulnerabilities on our systems. Patches are tested and applied as
deemed appropriate.
Department Business and Technical Standards are reviewed on a regular
basis (at least every 6 months) and updated as necessary.
Security information is sent out to Department staff as appropriate in the form
of posters, newsletters, and bulletins.
Systems are continually monitored (24x7) by a combination of onsite
programs (Sightline, SMS, HP OpenView, etc.) as well as offsite services
(e.g., Verizon NOC).
Page
April 2005
All users must sign the Commonwealth Internet and Computer usage
agreement prior to being granted access to the Department and/or
Commonwealth systems.
Users requesting remote dial-in access to Department systems must sign the
Internet/Remote/Dialout Access form and agree to its terms of usage.
Users requiring access to the Mainframe systems must complete the Unisys
2200 Demand Access Request Form.
Users requiring access to the restricted systems area must complete the
Willow Oak Building Badge and Data Center Access Card Request form.
Access to individual applications is granted by the Program Office security
monitor based on the applicants job requirements.
Page
April 2005
Page
4.0
April 2005
Page
April 2005
In addition to appointing a security officer, the Department has appointed program office
security monitors, administrators, and contacts. Each performs security-related duties as
follows:
4.2
Page
April 2005
4.3
4.4
Page
5.0
April 2005
Workforce Security
164.308(a)(3) The Department must implement policies and procedures to ensure that
all members of its workforce have appropriate access to EPHI, as provided under
paragraph (a)(4) of this section, and to prevent those workforce members who do not
have access under paragraph (a)(4) of this section from obtaining access to EPHI.
5.1
5.2
Page
5.3
April 2005
6.0
6.2
Page
April 2005
7.0
Page
April 2005
7.3
Page
April 2005
7.4
Server logins are monitored and recorded through the Windows Security log
files.
Application logins are monitored and recorded by the Unified Security system
and/or application log files.
Database logins are monitored through database tools.
Network access to the Internet is monitored by the CheckPoint firewalls and
webSense.
8.0
Page
April 2005
Contingency Plan
164.308(a)(7) The Department must establish (and implement as needed) policies and
procedures for responding to an emergency or other occurrence (for example, fire,
vandalism, system failure, and natural disaster) that damages systems that contain
EPHI.
9.1
9.2
Page
April 2005
Page
9.4
April 2005
9.5
10.0
Evaluation
164.308(a)(8)
Page
April 2005
evaluation, based initially upon the standards implemented under this rule and
subsequently, in response to environmental or operational changes affecting the security
of EPHI, that establishes the extent to which an entitys security policies and procedures
meet the requirements of this subpart.
The Department complies with this requirement in the following manner:
Members of the Departments Technical Review Team review the DPW Business and
Technical Standards in each area of expertise and update or revise them as necessary
(at least every six months, based on the age of a given standard).
11.0
The Department must document the satisfactory assurances required by paragraph (b)
(1) of this section through a written contract or other arrangement with the business
associate that meets the applicable requirements of 164.314(a).
The Department complies with this requirement in the following manner:
The Department requires written business associate agreements with all business
associates. These agreements are negotiated by the Program Offices and reviewed by
the OGC. Contracts and agreements in existence prior to the compliance date of HIPAA
Privacy Regulations have been amended accordingly.
Additional sources of information:
DPW Business Associate Agreement.
DPW HIPAA Privacy Implementation Handbook, Section 6.0.
Page
April 2005
Physical Safeguards
12.0
12.2
Page
April 2005
not used to exit as well, re-entry is barred. All accesses are logged. Key cards
are issued as required by an individuals job requirements and are approved by
their supervisor and Department security officers. Access can be restricted to
only those areas that are appropriate for a given user. In addition, the WillowOak Building, which houses the Datacenter and Server Rooms, is secured by
security guards who require IDs of all users and visitors before granting them
admission to the facility.
Security at outlying offices (County Assistance Offices, hospital and treatment
facilities, detention facilities, etc.) is managed by the local administrators and/or
facility managers and is customized to the needs of the particular facility.
Additional sources of information:
ITB I.1.5.1. Provides an overview of and a sample policy for overall
accessibility to Commonwealth facilities.
Willow-Oak Building Security. Details security procedures in place at the
Willow-Oak Building (the Department and Commonwealth Datacenter).
12.3
12.4
Page
April 2005
13.0
Workstations
13.1
13.2
Page
April 2005
desktop has also been provided with an icon which the user may click to
immediately lock the desktop without waiting for the inactivity timeout.
In addition to the workstation lockout, the Unified Security system enforces a 20minute inactivity lockout for the applications after which the user must reauthenticate to Unified Security. Unified Security also enforces a 24-hour
session timeout.
Facilities containing workstations are secured after hours (generally between
6:00 pm and 7:00 am on weekdays, all day on weekends). While individual
workstations within a facility may not be secured behind a locked door, the facility
itself is secured and access to it controlled and tracked by the facilitys
management.
Through its training programs, the Department instructs users to secure their
work area when they are away from it. This and other related practices (locking
their desk, putting away papers, CD, diskettes, etc.) are also covered in the
Departments HIPAA security training program.
Additional sources of information:
ITB I.6.2.1. All PCs will automatically lock (that is, will require entry of
username and password to unlock and use) after 15 minutes of non-use. In
addition, users are strongly encouraged to manually lock their PC when the
PC will be left unattended
ITB I.6.1. Transportable computers containing unencrypted "restricted" or
"confidential" Commonwealth information must not be checked in airline
luggage systems, with hotel porters, or other unsupervised handling or
storage processes. These computers must remain in the possession of the
traveler as hand luggage.
14.0
Disposal (Required)
164.310(d)(2)(i) The Department must implement policies and procedures to
address the final disposition of EPHI, and/or the hardware or electronic media on
which it is stored.
The Department complies with this requirement in the following manner:
The Commonwealth requires that storage devices be removed from all systems
prior to their disposal (or return upon the end of their lease) and either sanitized
of data or destroyed. Storage devices are removed from any systems that must
be sent out for repair or replacement and reinstalled when the system is
returned.
The Department maintains drop-off boxes through the building managers office
for the disposal of removable media such as floppy diskettes and CD-ROMs.
Page
April 2005
The Department requires pre-approval by the Department Security Office for the
use of memory sticks and other such electronic media and requires encryption
and/or password protection of data on such devices as deemed appropriate.
Simple deletion of files on these devices is sufficient.
Additional sources of information:
ITB C.11. The hard drive in all equipment owned by agencies under the
Governors jurisdiction must be erased. The hard drive is then removed from
the computer collected by DGS for destruction and recycling.
ITB C.3. Hard drives in state-owned PCs, servers and printer/peripheral
devices must be cleansed prior to transfer to a new user.
Decommissioning of State-Owned PC's. Specifies the process for sanitizing
a hard drive prior to decommissioning a Department computer according to
U.S. Department of Defense guidelines (overwriting the drive with at least (6)
passes of three (3) writing cycles).
Policy Regarding Portable Storage Devices and Removable Media.
Specifies policy on the use of memory sticks.
Data Classification Standards. Establishes the Department policy for the
storage, transmission, and encryption of data.
14.2
14.3
Accountability (Addressable)
164.310(d)(2)(iii) The Department must maintain a record of the movements of
hardware and electronic media and any person responsible therefore.
The Department complies with this requirement in the following manner:
Page
April 2005
14.4
Page
April 2005
Technical Safeguards
15.0
Access Control
164.312(a)(1) The Department must implement technical policies and procedures for
electronic information systems that maintain EPHI to allow access only to those persons
or software programs that have been granted access rights as specified in 164.308(a)
(4).
15.1
15.2
Page
15.3
April 2005
DPW Disaster Recovery Plan (details available through the DPW Security
Office).
M245.4. Overview of computer and network security standards for the
Commonwealth.
15.4
16.0
Page
17.0
April 2005
Integrity
164.312(c)(1) The Department must implement policies and procedures to protect
EPHI from improper alteration or destruction.
Mechanism to Authenticate EPHI (Addressable)
164.312(c)(2)(i) The Department must implement electronic mechanisms to
corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
The Department complies with this requirement in the following manner:
The Department has procedures in place to authenticate, authorize, and validate
changes to the data and to ensure the proper application of those changes to the
data store. The Department implements these procedures through a combination of
application-, data transfer-, and database- level processes to validate that the data
being processed conforms to business/application data requirements and that it is not
accidentally replaced or deleted.
18.0
Page
19.0
April 2005
Transmission security
164.312(e)(1) The Department must implement technical security measures to guard
against unauthorized access to EPHI that is being transmitted over an electronic
communications network.
19.1
19.2
Encryption (Addressable)
164.312(e)(2)(ii) The Department must implement a mechanism to encrypt
EPHI whenever deemed appropriate.
The Department complies with this requirement in the following manner:
The Department uses 128-bit SSL (3DES) to encrypt data as it is served to
outside entities over the Internet. The Department Secure eMail system also
uses this standard.
Additional sources of Information:
Page
April 2005
Documentation
164.316(a he Department must implement reasonable and appropriate policies and
procedures to comply with the standards, implementation specifications, or other
requirements of this subpart, taking into account those factors specified in 164.306(b)(2)
(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action
that violates any other standard, implementation specification, or other requirements of
this subpart. A covered entity may change its policies and procedures at any time,
provided that the changes are documented and are implemented in accordance with this
subpart.
(b)(1)
Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply with this
subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be
documented, maintain a written (which may be electronic) record of the
action, activity, or assessment.
(b)(2) Implementation specifications:
(i) Time limit (Required).
Retain the documentation required by paragraph (b)(1) of this section for
6 years from date of its creation or the date when it last was in effect,
whichever is later.
(ii) Availability (Required).
Make documentation available to those persons responsible for
implementing the procedures to which the documentation pertains.
(iii) Updates (Required).
Review documentation periodically, and update as needed, in response
to environmental or operational changes affecting the security of the
EPHI.
The Department complies with this requirement in the following manner:
The Department stores the Business and Technical Standards referred to in this
Handbook in the Departments FileNet system. Obsolete standards are purged from
time-to-time as space requirements dictate; however, copies of them are recoverable
from appropriate data backups as required. From within the FileNet system, the current
standards are automatically published to both a Department Intranet site as well as to a
restricted-access Internet site. OA/OIT maintains the Commonwealth standards (ITBs
and Management Directives) in a similar fashion.
The Department requires all security-related policies and procedures to be documented
in written form, which may be electronic. All documentation required by HIPAA (including
the Security and Privacy Rules) must be retained for at least 6 years from the date of its
creation or the date when it was last in effect, whichever is later.
In addition, the Commonwealth requires retention of all Commonwealth business-related
records through a variety of procedures as outlined below.
Additional sources of information:
Page
April 2005
Page
April 2005
Page
(5)
(6)
(7)
(8)
April 2005
Page
April 2005
Page
April 2005
information.
(c) Standard: Workstation security. Implement physical safeguards for all
workstations that access electronic protected health information, to restrict
access to authorized users.
(d) (1) Standard: Device and media controls. Implement policies and procedures
that govern the receipt and removal of hardware and electronic media that
contain electronic protected health information into and out of a facility,
and the movement of these items within the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the
final disposition of electronic protected health information, and/or the
hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of
electronic protected health information from electronic media before
the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of
hardware and electronic media and any person responsible therefore.
(iv) Data backup and storage (Addressable). Create a retrievable, exact
copy of electronic protected health information, when needed, before
movement of equipment.
164.312 Technical Safeguards.
A covered entity must, in accordance with 164.306:
(a) (1) Standard: Access control. Implement technical policies and procedures for
electronic information systems that maintain electronic protected health
information to allow access only to those persons or software programs
that have been granted access rights as specified in 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/ or
number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as
needed) procedures for obtaining necessary electronic protected
health information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures that
terminate an electronic session after a predetermined time of
inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to
encrypt and decrypt electronic protected health information.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural
mechanisms that record and examine activity in information systems that
contain or use electronic protected health information.
(c) (1) Standard: Integrity. Implement policies and procedures to protect
electronic protected health information from improper alteration or
destruction.
(2) Implementation specification: Mechanism to authenticate electronic
protected health information (Addressable). Implement electronic
mechanisms to corroborate that electronic protected health information
has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to verify that
a person or entity seeking access to electronic protected health information is
the one claimed.
(e) (1) Standard: Transmission security. Implement technical security measures to
guard against unauthorized access to electronic protected health
information that is being transmitted over an electronic communications
network.
Page
April 2005
Page
April 2005
Sections
Implementation Specifications
Administrative Safeguards
Security Management Process
164.308(a)(1)
164.308(a)(2)
164.308(a)(3)
164.308(a)(4)
164.308(a)(5)
164.308(a)(6)
164.308(a)(7)
Evaluation
Business Associate Contracts and
Other Arrangement
164.308(a)(8)
164.308(b)(1)
Physical Safeguards
Facility Access Controls
164.310(a)(1)
Workstation Use
Workstation Security
Device and Media Controls
164.310(b)
164.310(c)
164.310(d)(1)
Technical Safeguards
Access Control
164.312(a)(1)
Audit Controls
Integrity
164.312(b)
164.312(c)(1)
164.312(d)
164.312(e)(1)
Page
April 2005
Documentation
Documentaton
164.316(b)(2)(i)
164.316(b)(2)(ii)
164.316(b)(2)(iii)
(R) Required
(A) -- Addressable
Page
April 2005
164.308(a)(1)
Req (R) or
Addr (A)
Commonwealth
DPW
164.308(a)(1)(ii)(B)
Risk Management
Page 48
164.308(a)(1)(ii)(D)
Information System Activity Review
164.308(a)(2)
April 2005
Req (R) or
Addr (A)
R
Commonwealth
DPW
Page 49
164.308(a)(3)
April 2005
Req (R) or
Addr (A)
Commonwealth
DPW
Workforce Security
164.308(a)(3)(ii)(A)
Authorization and/or Supervision
164.308(a)(3)(ii)(B)
Workforce Clearance Procedure
Page 50
164.308(a)(4)
April 2005
Req (R) or
Addr (A)
A
Commonwealth
DPW
R
EDS performs this function
A
Page 51
164.308(a)(5)
April 2005
Req (R) or
Addr (A)
A
Commonwealth
DPW
Page 52
April 2005
Req (R) or
Addr (A)
A
164.308(a)(5)(ii)(C)
Log-in Monitoring
164.308(a)(5)(ii)(D)
Password Management
Commonwealth
DPW
Page 53
164.308(a)(6)
Req (R) or
Addr (A)
Commonwealth
DPW
McAfee anti-virus
164.308(a)(7)
April 2005
Contingency Plan
164.308(a)(7)(ii)(A)
Data Backup Plan
Page 54
April 2005
Req (R) or
Addr (A)
R
164.308(a)(7)(ii)(C)
Emergency Mode Operation Plan
164.308(a)(7)(ii)(D)
Testing and Revision Procedure
164.308(a)(7)(ii)(E)
Applications and Data Criticality Analysis
Commonwealth
DPW
Page 55
164.308(a)(8)
Req (R) or
Addr (A)
Commonwealth
DPW
Evaluation
164.308(a)(8)
Evaluation
164.308(b)
April 2005
Page 56
Physical Safeguards
164.310(a)(1)
April 2005
Req (R) or
Addr (A)
Commonwealth
DPW
164.310(a)(2)(ii)
Facility Security Plan
164.310(a)(2)(iii)
Access Control and Validation
164.310(a)(2)(iv)
Maintenance Records
Page 57
164.310(b)
Req (R) or
Addr (A)
Commonwealth
DPW
Workstation Use
164.310(b)
Workstation Use
164.310(c)
April 2005
Workstation Security
164.310(c)
Workstation Security
Page 58
164.310(d)(1)
April 2005
Req (R) or
Addr (A)
Commonwealth
DPW
Decommissioning of State-Owned
PC's - Specifies the process for
sanitizing a hard drive prior to
decommissioning a Department
computer according to US
Department of Defense
guidelines (overwriting the drive
with at least (6) passes of three
(3) writing cycles).
Policy Regarding Portable Storage
Devices and Removable Media
Specifies policy on the use of
memory sticks.
Page 59
April 2005
Req (R) or
Addr (A)
R
Commonwealth
DPW
Decommissioning of State-Owned
PC's - Specifies the process for
sanitizing a hard drive prior to
decommissioning a Department
computer according to US
Department of Defense
guidelines (overwriting the drive
with at least (6) passes of three
(3) writing cycles).
164.310(d)(2)(iii)
Accountability
Page 60
April 2005
Req (R) or
Addr (A)
A
Commonwealth
ITB C.11 - The hard drive in all
equipment owned by agencies under
the Governors jurisdiction must be
erased. The hard drive is then
removed from the computer collected
by DGS for destruction and recycling
ITB C.3 - Prior to replacing any
personal computer or
laptop/notebook computer or
replacing their hard drives, agency IT
personnel must copy all information
that resides locally on these devices
to a durable and secure storage
medium.
ITB I.2.3 Each agency must make
arrangements to store mission-critical
resources at a remote storage site
that provides geographic separation
in the event of a local disaster.
Agencies are encouraged to use the
off-site storage services of the vendor
currently on state contract.
Guidelines for frequency of backups
are provided in ITB I.6.2 under "Data
and Program Back-up".
Page 61
DPW
DPW Server Backup and Restore
Standard establishes the software
and procedures used for DPW data
backups.
DPW Recovery Planning Standard
establishes the process for backup
and contingency planning.
Technical Safeguards
164.312(a)(1)
April 2005
Req (R) or
Addr (A)
Commonwealth
DPW
Access Control
164.312(a)(2)(i)
Unique User Identification
164.312(a)(2)(ii)
Emergency Access Procedure
164.312(a)(2)(iii)
Automatic Logoff
164.312(a)(2)(iv)
Encryption and Decryption
Page 62
164.312(b)
Commonwealth
DPW
Integrity
164.312(c)(2)(i)
Mechanism to Authenticate Electronic
Protected Health Information
164.312(d)
Req (R) or
Addr (A)
Audit Controls
164.312(b)
Audit Controls
164.312(c)(1)
April 2005
Page 63
164.312(e)(1)
April 2005
Req (R) or
Addr (A)
R
Commonwealth
DPW
Unified Security provides for user/entity
authentication.
Application specific security is also in
place where appropriate.
Transmission Security
164.312(e)(2)(i)
Integrity Controls
164.312(e)(2)(ii)
Encryption
Page 64
Documentation
164.316(a)
April 2005
Req (R) or
Addr (A)
Commonwealth
DPW
Documentation
164.316(b)(2)(i)
Time Limit
164.316(b)(2)(ii)
Availability
164.316(b)(2)(iii)
Updates
Page 65