Differences
technical_safeguards [2016/06/15 17:22] jillian_nadette_de_leon |
technical_safeguards [2016/06/15 17:50] jillian_nadette_de_leon |
Line 24: | Line 24: | ||
4. Policies and procedures for governing access to health information shall be created.\\ | 4. Policies and procedures for governing access to health information shall be created.\\ | ||
- | IV. Automatic log-off (addressable). Implement electronic procedures that terminate and electronic session after a predetermined time of inactivity.\\ | + | IV. Automatic log-off (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.\\ |
- | 1. Create a policy and procedure that governs how automatic log-off is used.\\ | + | 1. A policy and procedure that governs how automatic log-off is used shall be created.\\ |
- | 2. A predetermined time should be documented within the policy based on the application.\\ | + | 2. A predetermined time shall be documented within the policy based on the application.\\ |
- | V. Encryption and decryption (addressable). Method of converting an original message of regular text into encoded text using an algorithm.\\ | + | V. Encryption and decryption (addressable). The method of converting an original message of regular text into encoded text using an algorithm.\\ |
- | 1. Encryption in transit Secure Socket Layer (SSL) (addressable).\ | + | 1. For encryption in transit, the standard security technology shall be Secure Socket Layer (SSL) (addressable).\ |
- | 2. Minimum requirement AES 128\\ | + | 2. Minimum requirement AES (Advanced Encryption Standard) 128\\ |
- | 3. Encryption in storage TKE\\ | + | 3. Encryption in storage TKE (Trusted Key Entry)\\ |
VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | ||
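Review bot: Item V.1 now names Secure Socket Layer (SSL) as the standard for encryption in transit, but SSL is a retired protocol (SSL 2.0 was prohibited by RFC 6176 and SSL 3.0 by RFC 7568); the control should require TLS and state a minimum version, for example "For encryption in transit, the standard security technology shall be Transport Layer Security (TLS), version 1.2 or later (addressable)." In the same hunk, item V.3 expands TKE as "Trusted Key Entry", which is IBM's key-management workstation for hardware cryptographic coprocessors, not a method of encrypting stored data; if a key-management control is intended, say so under a separate item, and state the actual at-rest cipher (AES, consistent with the AES 128 minimum in V.2). Minor: the definition in V covers encryption only and never says what decryption is, and the line break after V.1 is a single "\" where every other line uses "\\".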
Line 37: | Line 37: | ||
**B. Audit Controls**\\ | **B. Audit Controls**\\ | ||
A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | ||
- | I. Recording information (required). Recorded information must include, but not limited to, unique user identified, date and time of use/access, location (if applicable), etc.\\ | + | I. Recording of information (required). Recorded information must include, but is not limited to, unique user identified, date and time of use/access, location (if applicable).\\ |
- | II. Audit Data Life Span (addressable). A policy must be in place to specify the length of time the data must be stored and how it will be destroyed.\\ | + | II. Audit Data Life Span (addressable). A policy shall be made by health facilities to specify the length of time the data must be stored and how it will be destroyed.\\ |
- | III. Access to Audit Data (addressable). Implement policies and procedures to ensure only authorized personnel have access to audit data.\\ | + | III. Access to Audit Data (addressable). The Medical Records Officer alongside with the Privacy Officer and/or Health Information Security Committee shall be authorized to audit data. |
**C. Integrity Controls**\\ | **C. Integrity Controls**\\ |
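Review bot: The rewrite of item III changes the control's meaning. The previous text required policies ensuring only authorized personnel have access to audit data (a read/modify restriction on the audit records); the new text says the named officers "shall be authorized to audit data", which grants the right to perform audits and no longer says anything about who may access or alter the audit trail. Suggest "The Medical Records Officer, together with the Privacy Officer and/or the Health Information Security Committee, shall be the only personnel authorized to access audit data." Item I was edited in this hunk but still reads "unique user identified"; it should be "unique user identifier".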