Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
technical_safeguards [2016/06/09 18:43] jillian_nadette_de_leon |
technical_safeguards [2016/06/15 18:11] jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| **A. Access Controls**\\ | **A. Access Controls**\\ | ||
| - | Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights:\\ | + | Technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights:\\ |
| I. Information access management (required)\\ | I. Information access management (required)\\ | ||
| 1. Implementation specifications:\\ | 1. Implementation specifications:\\ | ||
| - | (A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.\\ | + | (A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information from unauthorized access by the larger organization.\\ |
| - | (B) Access authorization (addressable). Implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism.\\ | + | (B) Access authorization (addressable). Policies and procedures for granting access to electronic health information such as access to a workstation, transaction, program, process or other mechanisms shall be implemented by the health facility. Guidelines on the access of health information are provided in Rule III (Access of Health Information) in the SOR.\\ |
| - | (C) Access establishment and modification (addressable). Implement policies and procedures that, based upon the data controller and/or data processor's access authorization policies, establish, document, review, and modify a user's rights of access to a workstation, transaction, program, or process.\\ | + | (C) Access establishment and modification (addressable). Based upon the access authorization policy of the data controller and/or data processor, policies and procedures on the establishment, documentation, review and modification of a user's rights to access a workstation, transaction, program or process shall be implemented.\\ |
| - | II. Unique user identification (required). A process for unique user identification is made within a policy ad procedure of the organization.\\ | + | II. Unique user identification (required). A process for unique user identification shall be made within a policy and procedure of the health facility.\\ |
| 1. Implement specifications: \\ | 1. Implement specifications: \\ | ||
| - | (A) A unique user name and/or number for identifying user identity throughout all levels of the organization.\\ | + | (A) There shall be a unique user name and/or number for identifying user identity throughout all levels of the organization.\\ |
| - | (B) User identity cannot be shared, delegated or assigned to a group or individual.\\ | + | (B) User identity shall not be shared, delegated or assigned to a group or individual.\\ |
| - | (C) Unique user identity that was previously used cannot be reused for new and/or existing users.\\ | + | (C) Unique user identity that was previously used shall not be reused for new and/or existing users.\\ |
| - | III. Emergency Access Procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.\\ | + | III. Emergency Access Procedure (Required). Procedures for obtaining necessary electronic health information during an emergency.\\ |
| - | 1. Identify, define, describe types of situations that may require emergency access.\\ | + | 1. Situations that may require emergency access shall be identified, defined, and described by health facilities.\\ |
| - | 2. Identify authorized personnel who will need to access health information.\\ | + | 2. There shall be identification of authorized personnel who will need to access health information during emergency situations.\\ |
| - | 3. Establish and implement procedures for obtaining necessary health information during emergency situations.\\ | + | 3. Procedures for obtaining necessary health information during emergency situations shall be established and implemented.\\ |
| - | 4. Create policies and procedures for governing access to health information.\\ | + | 4. Policies and procedures for governing access to health information shall be created.\\ |
| - | IV. Automatic log-off (addressable). Implement electronic procedures that terminate and electronic session after a predetermined time of inactivity.\\ | + | IV. Automatic log-off (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.\\ |
| - | 1. Create a policy and procedure that governs how automatic log-off is used.\\ | + | 1. A policy and procedure that governs how automatic log-off is used shall be created.\\ |
| - | 2. A predetermined time should be documented within the policy based on the application.\\ | + | 2. A predetermined time shall be documented within the policy based on the application.\\ |
| - | V. Encryption and decryption (addressable). Method of converting an original message of regular text into encoded text using an algorithm.\\ | + | V. Encryption and decryption (addressable). The method of converting an original message of regular text into encoded text using an algorithm.\\ |
| - | 1. Encryption in transit Secure Socket Layer (SSL) (addressable).\ | + | 1. For encryption in transit, the standard security technology shall be Secure Socket Layer (SSL) (addressable).\ |
| - | 2. Minimum requirement AES 128\\ | + | 2. Minimum requirement AES (Advanced Encryption Standard) 128\\ |
| - | 3. Encryption in storage TKE\\ | + | 3. Encryption in storage TKE (Trusted Key Entry)\\ |
| VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | ||
| Line 37: | Line 37: | ||
| **B. Audit Controls**\\ | **B. Audit Controls**\\ | ||
| A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | ||
| - | I. Recording information (required). Recorded information must include, but not limited to, unique user identified, date and time of use/access, location (if applicable), etc.\\ | + | I. Recording of information (required). Recorded information must include, but is not limited to, unique user identified, date and time of use/access, location (if applicable).\\ |
| - | II. Audit Data Life Span (addressable). A policy must be in place to specify the length of time the data must be stored and how it will be destroyed.\\ | + | II. Audit Data Life Span (addressable). A policy shall be made by health facilities to specify the length of time the data must be stored and how it will be destroyed.\\ |
| - | III. Access to Audit Data (addressable). Implement policies and procedures to ensure only authorized personnel have access to audit data.\\ | + | III. Access to Audit Data (addressable). The Medical Records Officer alongside with the Privacy Officer and/or Health Information Security Committee shall be authorized to audit data. |
| **C. Integrity Controls**\\ | **C. Integrity Controls**\\ | ||
| - | Implement policies and procedures to protect electronic health information from improper alteration or destruction. \\ | + | Protection of electronic health information from improper alteration or destruction. \\ |
| I. Implementation specifications:\\ | I. Implementation specifications:\\ | ||
| - | (A) Mechanism to authenticate electronic protected health information (addressable). Implement electronic mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.\\ | + | (A) Mechanism to authenticate electronic protected health information (addressable). Mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner shall be implemented.\\ |
| - | (B) Digital signatures shall be used to identify authenticity of the entry in an electronic system.\\ | + | (B) Digital signatures (required). Digital signatures shall be used to identify authenticity of the entry in an electronic system.\\ |
| - | (C) Sum Verification shall be used to determine if the input data matches the source data.\\ | + | (C) Sum Verification (required) shall be used to determine if the input data matches the source data.\\ |
| - | (D) Anti-virus software. Computers shall have an Industry Standard Antivirus Software with automatic updates turned on. The software shall be configured regularly and automatically download updates for the latest threats.\\ | + | (D) Anti-virus software (required). Computers shall have an Industry Standard Antivirus Software with automatic updates turned on. The software shall be configured regularly and automatically download updates for the latest threats.\\ |
| - | (E) Data storage and transmission shall be encrypted. For websites, https encryption shall be used. | + | (E) Data storage encryption (required). Data storage and transmission shall be encrypted. For websites, https encryption shall be used. \\ |
| + | (F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted. \\ | ||
| + | (G) Proper Handling of Mechanical Components. Training on the proper use and handling of CPUs, Servers, flash drives, external hard drives shall be given to the user of electronic systems. (addressable)\\ | ||
| + | (H) Back-up components such as servers, flashdrives, external hard drives shall be stored away from possible electromagnetic interference. (addressable)\\ | ||
| + | (I) Offline modes and Caching. Electronic systems shall have online and offline modes. (addressable)\\ | ||
| + | (J) Interface Integration of Information Systems. Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility. (addressable)\\ | ||
| - | ------------------- | + | **D. Transmission Security**\\ |
| - | **ACCESS CONTROLS**\\ | + | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.\\ |
| - | * Standard user IDs shall be given to each staff whose work entails the need to access or process heath information.\\ | + | |
| - | * There shall be a three way process for authentication of users: something they know (password), something they have (secure token), and something they are (biometrics).\\ | + | |
| - | * Multi-factor authentication shall be implemented, especially for admin and supervisory accounts. | + | |
| - | * Passwords shall have the following characteristics: minimum of eight characters in length, have an upper case, lower case and special character in it.\\ | + | |
| - | * The last user ID that logged in must not be displayed on the log-in screen.\\ | + | |
| - | * There shall be an automatic screen or keyboard locking after 5 minutes of inactivity.\\ | + | |
| - | //Leave of Absence// | + | **E. Identity Authentication**\\ |
| - | * User IDs of employees/staff who are on extended leave of absence shall be disabled until they return for work.\\ | + | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. \\ |
| + | **F. Storage Security**\\ | ||
| + | Implementation Specifications:\\ | ||
| + | (A) Data stored in portable data storage devices (e.g. USB drive, portable hard drives, etc.) must be encrypted. | ||
| + | (B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted. | ||
| - | **DATA PROTECTION**\\ | ||
| - | * Data on many computer devices can be damaged by being moved, knocked or even when turned off. If there is a hard disk, the heads on the drive should be "parked" before moving the system to avoid destroying stored information (devices with solid state drives have a different system and are less vulnerable to movement).\\ | ||
| - | * Due to the different variations of computers and types of connections, it is important to seize all the different cables and chargers for the seized equipment.\\ | ||
| - | * Antivirus software must be loaded in every computer possible. The software needs to be configured regularly and automatically download updates for the latest threats. \\ | ||
| - | * Complete back-ups of the system shall be done periodically- once a month or every few months.\\ | ||
| - | * Back-up data tapes shall not be stored near a computer monitor or uninterruptible power supply-the electromagnetic interference coming from these devices can corrupt data on them or completely delete them.\\ | ||
| - | **CONFIGURATION MANAGEMENT** | ||
| - | * It is important to document how the computer system is organized to know when and how to disconnect additional pieces of equipment such as telephone modems, auto-dialers, and printers from the system. Otherwise, important information can be lost.\\ | ||
| - | * There shall be a regular monitoring and maintenance of database and networks of health facilities to be conducted by the Database and Network administrator of the PHIE group.\\ | ||
| - | **POINTS TO CONSIDER**\\ | ||
| - | * The minimum server configuration shall be specified.\\ | ||
| - | * Provide detailed and specific protocols on encryption (e.g. encryption of data at rest).\\ | ||
| - | (//Specific technical requirements should ideally be developed by DOST-ICTO.//)\\ | ||
| - | * Security features shall be incorporated in the system requirements.\\ | ||
| - | * HIS should only be for recording and record keeping, but access to the medical records should be under the MRS.\\ | ||