Your (re)login has failed.
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
technical_safeguards [2016/06/15 16:05] jillian_nadette_de_leon |
technical_safeguards [2016/07/04 16:00] (current) jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ##TECHNICAL SAFEGUARDS | ##TECHNICAL SAFEGUARDS | ||
| - | |||
| - | * Disclaimer: For information purposes only. Standard terms, definition, sentence construction will still be edited. \\ | ||
| **A. Access Controls**\\ | **A. Access Controls**\\ | ||
| Line 8: | Line 6: | ||
| I. Information access management (required)\\ | I. Information access management (required)\\ | ||
| 1. Implementation specifications:\\ | 1. Implementation specifications:\\ | ||
| - | (A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.\\ | + | (A) Isolating health care clearinghouse functions (required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information from unauthorized access by the larger organization.\\ |
| - | (B) Access authorization (addressable). Implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism.\\ | + | (B) Access authorization (addressable). Policies and procedures for granting access to electronic health information such as access to a workstation, transaction, program, process or other mechanisms shall be implemented by the health facility. Guidelines on the access of health information are provided in Rule III (Access of Health Information) in the SOR.\\ |
| - | (C) Access establishment and modification (addressable). Implement policies and procedures that, based upon the data controller and/or data processor's access authorization policies, establish, document, review, and modify a user's rights of access to a workstation, transaction, program, or process.\\ | + | (C) Access establishment and modification (addressable). Based upon the access authorization policy of the data controller and/or data processor, policies and procedures on the establishment, documentation, review and modification of a user's rights to access a workstation, transaction, program or process shall be implemented.\\ |
| - | II. Unique user identification (required). A process for unique user identification is made within a policy ad procedure of the organization.\\ | + | II. User identification (required). A process for unique user identification shall be made within a policy and procedure of the health facility.\\ |
| 1. Implement specifications: \\ | 1. Implement specifications: \\ | ||
| - | (A) A unique user name and/or number for identifying user identity throughout all levels of the organization.\\ | + | (A) There shall be a user name and/or number for identifying user identity throughout all levels of the organization.\\ |
| - | (B) User identity cannot be shared, delegated or assigned to a group or individual.\\ | + | (B) User identity shall not be shared, delegated or assigned to a group or individual.\\ |
| - | (C) Unique user identity that was previously used cannot be reused for new and/or existing users.\\ | + | (C) User identity that was previously used shall not be reused for new and/or existing users.\\ |
| - | III. Emergency Access Procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.\\ | + | III. Emergency Access Procedure (Required). Procedures for obtaining necessary electronic health information during an emergency.\\ |
| - | 1. Identify, define, describe types of situations that may require emergency access.\\ | + | 1. Situations that may require emergency access shall be identified, defined, and described by health facilities.\\ |
| - | 2. Identify authorized personnel who will need to access health information.\\ | + | 2. There shall be identification of authorized personnel who will need to access health information during emergency situations.\\ |
| - | 3. Establish and implement procedures for obtaining necessary health information during emergency situations.\\ | + | 3. Procedures for obtaining necessary health information during emergency situations shall be established and implemented.\\ |
| - | 4. Create policies and procedures for governing access to health information.\\ | + | 4. Policies and procedures for governing access to health information shall be created.\\ |
| - | IV. Automatic log-off (addressable). Implement electronic procedures that terminate and electronic session after a predetermined time of inactivity.\\ | + | IV. Automatic log-off (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.\\ |
| - | 1. Create a policy and procedure that governs how automatic log-off is used.\\ | + | 1. A policy and procedure that governs how automatic log-off is used shall be created.\\ |
| - | 2. A predetermined time should be documented within the policy based on the application.\\ | + | 2. A predetermined time shall be documented within the policy based on the application.\\ |
| - | V. Encryption and decryption (addressable). Method of converting an original message of regular text into encoded text using an algorithm.\\ | + | V. Encryption and decryption (addressable). The method of converting an original message of regular text into encoded text using an algorithm.\\ |
| - | 1. Encryption in transit Secure Socket Layer (SSL) (addressable).\ | + | 1. For encryption in transit, the standard security technology shall be Secure Socket Layer (SSL) (addressable).\ |
| - | 2. Minimum requirement AES 128\\ | + | 2. Minimum requirement AES (Advanced Encryption Standard) 128\\ |
| - | 3. Encryption in storage TKE\\ | + | 3. Encryption in storage TKE (Trusted Key Entry)\\ |
| VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | VI. Multi-factor authentication (addressable). Policy, operational, and technical mechanisms must be in place to use multi-factor authentication for those systems identified to have significant risk (e.g. servers, unified threat management, etc.)\\ | ||
| Line 37: | Line 35: | ||
| **B. Audit Controls**\\ | **B. Audit Controls**\\ | ||
| A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | A record that shows who has accessed a computer system when it was accessed and what operations were performed.\\ | ||
| - | I. Recording information (required). Recorded information must include, but not limited to, unique user identified, date and time of use/access, location (if applicable), etc.\\ | + | I. Recording of information (required). Recorded information must include, but is not limited to, unique user identified, date and time of use/access, location (if applicable).\\ |
| - | II. Audit Data Life Span (addressable). A policy must be in place to specify the length of time the data must be stored and how it will be destroyed.\\ | + | II. Audit Data Life Span (addressable). A policy shall be made by health facilities to specify the length of time the data must be stored and how it will be destroyed.\\ |
| - | III. Access to Audit Data (addressable). Implement policies and procedures to ensure only authorized personnel have access to audit data.\\ | + | III. Access to Audit Data (addressable). The Medical Records Officer alongside with the Privacy Officer shall be authorized to audit the shared health record. |
| **C. Integrity Controls**\\ | **C. Integrity Controls**\\ | ||
| - | Implement policies and procedures to protect electronic health information from improper alteration or destruction. \\ | + | Protection of electronic health information from improper alteration or destruction. \\ |
| I. Implementation specifications:\\ | I. Implementation specifications:\\ | ||
| - | (A) Mechanism to authenticate electronic protected health information (addressable). Implement electronic mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.\\ | + | (A) Mechanism to authenticate electronic protected health information (addressable). Mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner shall be implemented.\\ |
| (B) Digital signatures (required). Digital signatures shall be used to identify authenticity of the entry in an electronic system.\\ | (B) Digital signatures (required). Digital signatures shall be used to identify authenticity of the entry in an electronic system.\\ | ||
| (C) Sum Verification (required) shall be used to determine if the input data matches the source data.\\ | (C) Sum Verification (required) shall be used to determine if the input data matches the source data.\\ | ||
| Line 50: | Line 48: | ||
| (E) Data storage encryption (required). Data storage and transmission shall be encrypted. For websites, https encryption shall be used. \\ | (E) Data storage encryption (required). Data storage and transmission shall be encrypted. For websites, https encryption shall be used. \\ | ||
| (F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted. \\ | (F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted. \\ | ||
| - | (G) Proper Handling of Mechanical Components. Training on the proper use and handling of CPUs, Servers, flash drives, external hard drives shall be given to user of electronic systems. (addressable)\\ | + | (G) Proper Handling of Mechanical Components. Training on the proper use and handling of CPUs, Servers, flash drives, external hard drives shall be given to the user of electronic systems. (addressable)\\ |
| - | (H) Back-up components such as servers, flashdrives, external hard drives shall be stored away from possible electromagnetic interference. (addressable)\\ | + | (H) Back-up components such as servers, flash drives, external hard drives shall be stored away from possible electromagnetic interference. (addressable)\\ |
| - | (I) Offline modes and Caching. Electronic systems shall ave online and offline modes. (addressable)\\ | + | (I) Offline modes and Caching. Electronic systems shall have online and offline modes. (addressable)\\ |
| (J) Interface Integration of Information Systems. Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility. (addressable)\\ | (J) Interface Integration of Information Systems. Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility. (addressable)\\ | ||
| **D. Transmission Security**\\ | **D. Transmission Security**\\ | ||
| - | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.\\ | + | Technical security measures to guard against unauthorized access to electronic health information that is being transmitted over an electronic communications network shall be implemented.\\ |
| **E. Identity Authentication**\\ | **E. Identity Authentication**\\ | ||
| - | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. \\ | + | Procedures to verify that a person or entity seeking access to electronic health information is the one claimed shall be implemented. Rule III (Access of Health Information) provides guidelines on authentication of access. \\ |
| **F. Storage Security**\\ | **F. Storage Security**\\ | ||
| Implementation Specifications:\\ | Implementation Specifications:\\ | ||
| - | (A) Data stored in portable data storage devices (e.g. USB drive, portable hard drives, etc.) must be encrypted. | + | (A) Data stored in portable data storage devices (e.g. Flash drive, portable hard drives, etc.) must be encrypted. |
| (B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted. | (B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted. | ||
| - | |||
| - | |||
| - | |||
| - | |||
| - | |||
| ---- | ---- | ||