HIPAA Security Procedures Resource Manual - NDSU


NDSU HIPAA Security Procedures Resource Manual
September 2010

The following security policies and procedures have been developed by North Dakota State University (NDSU) for its internal use only in its role as a hybrid entity under HIPAA. These policies and procedures were developed to bring NDSU into compliance with the Health Insurance Portability and Accountability Act of 1996 Security Rule.

HIPAA Security Policies and Procedures
Table of Contents

Subject (Page #)

1. Executive Summary
   1.1 Introduction (5)
   1.2 Scope (6)
       1.2.1 HIPAA Security Rule (6)
       1.2.2 HIPAA Goals and Objectives (6)
       1.2.3 Security Rule Organization (6)
       1.2.4 Table 1. HIPAA Security Standards and Implementation Specifications (8)

2. Administrative Safeguards
   2.1 Security Management Process (9)
   2.2 Assigned Security Responsibility (12)
   2.3 Workforce Security (13)
   2.4 Information Access Management (14)
   2.5 Security Awareness and Training (15)
   2.6 Security Incident Procedures (17)
   2.7 Contingency Plan (19)
   2.8 Evaluation (21)
   2.9 Business Associate Contracts and Other Arrangements (23)

3. Physical Safeguards
   3.1 Facility Access Controls (25)
   3.2 Workstation Use (27)
   3.3 Workstation Security (28)
   3.4 Device and Media Controls (29)

4. Technical Safeguards
   4.1 Access Controls (31)
   4.2 Audit Controls (33)
   4.3 Integrity (35)
   4.4 Person or Entity Authentication (37)
   4.5 Transmission Security (39)

APPENDIX A: HIPAA Security Rule
APPENDIX B: NDUS Procedure 1901.2: Computer Network Usage
APPENDIX C: NDSU Policy 710: Computer and Electronic Communications Facilities
APPENDIX D: NDSU Policy 158: Acceptable Use of Electronic Communications Devices
APPENDIX E: NDSU Procedures for Redistribution & Salvage of Elec. Communications Devices
APPENDIX F: NDSU Policy for Surplus Electronic Communications Devices
APPENDIX G: IT Security Standards for Servers and Desktops
APPENDIX H: NDSU Policy & Procedures for Network Access for NDSU Guests, etc.
APPENDIX I: NDSU Procedures for Investigation of Employee Acceptable Use Violations
APPENDIX J:
APPENDIX K:


1. Executive Summary

This document summarizes the HIPAA security standards and explains some of the structure and organization of the Security Rule. The document was created to help educate readers about security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security safeguards set out in the Rule. This document is intended as an aid/resource to understanding security concepts discussed in the HIPAA Security Rule and does not supplement, replace, or supersede the HIPAA Security Rule itself.

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All covered entities under HIPAA must comply with the HIPAA Security Rule, which establishes a set of security standards for protecting certain health care information.

The standards and guidelines listed in this document can be used to support the requirements of HIPAA. These standards are based on the objectives of providing appropriate levels of information security according to a range of risk levels. The guidelines recommend the types of information and information systems to be included in each category. In addition, this document will also recommend minimum information security requirements (i.e., management, operational, and technical controls) for information and information systems in each category.

Emphasis will be placed on:

- Ensuring there is an information security program in place and trained personnel assigned to manage and support the program.
- Integration of security in the business processes.
- Implementation and management of a security plan to manage the security requirements set forth by the HIPAA Security Rule.

1.1 Introduction

Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to simplify and standardize health care administrative processes, thereby reducing costs and other burdens on the health care industry. The HIPAA statute comprises five titles:

- Title I: HIPAA Health Insurance Reform
- Title II: HIPAA Administrative Simplification
- Title III: HIPAA Tax Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets

Title II includes the HIPAA administrative simplification requirements that address how electronic health care transactions are transmitted and stored. Pursuant to these provisions of HIPAA, the Secretary of Health and Human Services (HHS) adopted several sets of rules (in addition to the Security Rule) implementing the HIPAA administrative simplification requirements.

HHS has published proposed or final rules related to the following five components of health care industry practices:

- Code sets used to identify health care services.
- Identifiers used for unique designations for employers and health care providers.
- Electronic data interchange transactions.
- Security.
- Privacy.

This document addresses only the security component of the HIPAA statute.

1.2 Scope

This document is designed to help educate NDSU administrative personnel about IT security concepts included in the HIPAA Security Rule. It is intended as an aid to understanding security concepts discussed in the HIPAA Security Rule, and does not supplement, replace, or supersede the Security Rule itself. Anyone seeking clarifications of the HIPAA Security Rule should send e-mail to askhipaa@cms.hhs.gov, or contact the CMS HIPAA hotline at 1-866-282-0659. This hotline was established for the specific purpose of providing assistance with questions related to HIPAA and its requirements.

1.2.1 HIPAA Security Rule

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All covered entities under HIPAA must comply with the HIPAA Security Rule, which establishes a set of security standards for securing certain health information. In general, the standards of HIPAA apply to covered entities that meet the following descriptions:

- Health Care Providers - Any provider of medical or other health services, or supplies, that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted.
- Health Plans - Any individual or group plan that provides or pays the cost of health care.
- Health Care Clearinghouses - Any public or private entity that processes health care transactions from a standard format to a nonstandard format, or vice-versa.

This section summarizes the HIPAA security standards and explains some of the structure and organization of the Security Rule.

1.2.2 HIPAA Goals and Objectives

The main goal of the HIPAA Security Rule is to protect the confidentiality, integrity and availability of electronic protected health information (EPHI).

- Confidentiality is the “property that data or information is not made available or disclosed to unauthorized persons or processes.”
- Integrity is the “property that data or information has not been altered or destroyed in an unauthorized manner.”
- Availability is “the property that data or information is accessible and usable upon demand by an authorized person.”

1.2.3 Security Rule Organization

To understand the requirements of the HIPAA Security Rule, it is helpful to be familiar with the basic security terminology it uses to describe the security measures. Each security measure of the HIPAA Security Rule can be categorized as being an Administrative, Physical or Technical safeguard.

- Administrative safeguards are defined as the “administrative actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

- Physical safeguards are defined as the “security measures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.”
- Technical safeguards are defined as the “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Each security safeguard can also be categorized as being either a standard or an implementation specification. An “implementation specification” is a more detailed description of the method or approach covered entities can use to meet a particular standard. Each set of safeguards is composed of a number of specific implementation specifications that are either required or addressable. If an implementation specification is described as required, the specification must be implemented. If it is addressable, then the covered entity must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment. If the covered entity chooses not to implement a specification, the entity must either document the reason or implement an alternative measure. Anyone seeking clarification regarding the principles of the HIPAA Security Rule should send inquiries to askhipaa@cms.hhs.gov or call 1-866-282-0659.

These categories of safeguards encompass the continuum of security for electronic health care information for covered entities under HIPAA. The security process begins with the policies and the procedures that establish personnel behavior and provide a framework for acceptable access to and uses of protected health information. These administrative controls are the foundation for the HIPAA Security Rule. The physical safeguards support limitations to restricted spaces and equipment, including materials that contain electronic protected health information. Technical safeguards apply specifically to information systems and are measures of protection associated with the actual hardware, software, and networks for these systems.

1.2.4 HIPAA Security Standards and Implementation Specifications

Table 1. HIPAA Security Standards and Implementation Specifications [1]

Each entry lists the standard, its section of the Security Rule where the transcription preserved it, and the standard's implementation specifications.

Administrative Safeguards
- Security Management Process, 164.308(a)(1): Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review
- Assigned Security Responsibility, 164.308(a)(2): None
- Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function; Access Authorization; Access Establishment and Modification
- Security Awareness Training, 164.308(a)(5): Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management
- Security Incident Procedures, 164.308(a)(6): Response and Reporting
- Contingency Plan, 164.308(a)(7): Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan; Testing and Revision Procedure; Applications and Data Criticality Analysis
- Evaluation, 164.308(b)(1): None
- Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement

Physical Safeguards
- Facility Access Controls, 164.310(a)(1): Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
- Workstation Use: None
- Workstation Security: None
- Device and Media Controls: Disposal; Media Re-use; Accountability; Data Backup and Storage

Technical Safeguards
- Access Control, 164.312(a)(1): Unique User Identification; Automatic Logoff; Emergency Access Procedure; Encryption and Decryption
- Audit Controls: None
- Integrity: Mechanism to Authenticate Electronic Protected Health Information
- Person or Entity Authentication: None
- Transmission Security, 164.312(e)(1): Integrity Controls; Encryption

[1] Adapted from 68 Federal Register 8380, February 20, 2003 (Appendix A to Subpart C of Part 164—Security Standards: Matrix).

This section associates NDUS Policy and Procedure 1901.2 (Computer and Network Usage), NDSU 158 (Acceptable Use of Electronic Communications Devices) and NDSU 710 (Computer and Electronic Communications Facilities) with the respective Security Rule standards to facilitate their use in applying the HIPAA Security Rule. Each HIPAA Security Rule standard is outlined in a tabular module format. The modules are composed of the following components:

The Key Activities column lists for each HIPAA Security Rule standard some suggested key activities that are usually associated with a particular security function. The activities are not all-inclusive, and there may be many additional activities an entity will need to consider, specific to its own operations. Note that the HIPAA Security Rule associates several “implementation specifications” with each standard, as listed in Table 1. Not all modules address all of the standard’s associated implementation specifications, as they are meant to serve as a general introduction to the security topics raised by the standards of the HIPAA Security Rule.

The Description column includes an expanded explanation about the key activities. The descriptions include types of activities an organization may pursue in addressing a specific security function. These abbreviated explanations are designed to help get an entity started in addressing the HIPAA Security Rule.

The Questions will help to determine whether or not the elements described have actually been considered or completed. They serve as a starting point for the entity to examine its security practices as they relate to the HIPAA Security Rule. Affirmative answers to the questions do not imply that the entity is meeting all of the requirements of the HIPAA security requirement. However, if an entity has already incorporated considerations raised by these questions into its information security program, those efforts may signal that the entity is taking appropriate steps. It is expected that many entities with existing information security infrastructures already in place will have considered the HIPAA Security Rule and have taken steps to incorporate policies and procedures tailored to fit the requirements of the HIPAA Security Rule.

2. Administrative Safeguards

2.1 Security Management Process (§ 164.308(a)(1))

HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.

Key Activity 1: Identify Relevant Information Systems
  Description:
  - Identify all information systems that house individually identifiable health information.
  - Include all hardware and software that are used to collect, store, process, or transmit protected health information.
  - Analyze business functions and verify ownership and control of information system elements as necessary.
  Questions:
  - Has all the hardware and software for which the organization is responsible been identified and inventoried?
  - Is the current information system configuration documented, including connections to other systems?
  - Have the types of information and uses of that information been identified and the sensitivity of each type of information been evaluated? (See NDUS 1901.2 - data section - for more on categorization of sensitivity levels.)

Key Activity 2: Conduct Risk Assessment
  Description:
  Risk assessment typically includes the following steps:
  - Determine system characterization: hardware, software, system interfaces, data and information, people, and system mission.
  - Identify any vulnerability or weakness in security procedures or safeguards.
  - Identify events that negatively impact security.
  - Identify the potential impact that a security breach could have on an entity’s operations or assets, including loss of integrity, availability, or confidentiality.
  - Recommend security controls for the information and the system, including all the technical and nontechnical protections in place to address security concerns.
  - Determine residual risk.
  - Document all outputs and outcomes from the risk assessment activities.
  Questions:
  - Are there any prior risk assessments, audit comments, security requirements, and/or security test results?
  - Are there resources available? (i.e., ITS, NDUS, listservs, mass media, virus alerts, vendors, etc.)
  - What are the current and planned controls?
  - Is the facility located in a region prone to any natural disasters such as earthquakes, floods, or fires?
  - Has responsibility been assigned to check all hardware and software to determine whether selected settings are enabled and unnecessary settings disabled?
  - Is there an analysis of current safeguards' effectiveness relative to the identified risks?

Key Activity 3: Acquire IT Systems and Services
  Description:
  Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Consideration for their selection should include the following:
  - Applicability of the IT solution to the intended environment.
  - The sensitivity of the data.
  - The organization’s security policies, procedures and standards.
  - Other requirements such as resources available for operation, maintenance, and training.
  Questions:
  - How will new security controls work with the existing IT structure?
  - Have the security requirements of the organization been compared with the security features of existing or proposed hardware and software?
  - Has a cost-benefit analysis been conducted to determine the reasonableness of the investment given the security risks identified?
  - Has a training strategy been developed?

Key Activity 4: Create and Deploy Policies and Procedures
  Description:
  - Document the decisions concerning the management, operational, and technical controls selected to mitigate identified risks.
  - Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices.
  - Create procedures to be followed to accomplish particular security-related tasks.
  Questions:
  - Are policies and procedures in place for security? (Refer to current NDUS/NDSU security policies and procedures in place.)
  - Are there user manuals available and are they up-to-date? (Refer to current HR manuals and employee/staff manuals available.)
  - Is there a formal documented system/department security plan?
  - Is there a process for communicating policies and procedures, reviewed and updated as needed? (e.g., is this addressed during regularly scheduled staff meetings?)

Key Activity 5: Supplemental References
  - NDUS 1901.2
  - NDSU 710
  - NDSU 158
  - NDSU HIPAA Privacy Policies and Procedures

2.2 Assigned Security Responsibility (§ 164.308(a)(2))

HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required.

Key Activity 1: Select a Security Official to be Assigned Responsibility for HIPAA Security
  Description:
  - Identify the individual who will ultimately be responsible for security.
  - Select an individual who is able to assess the effectiveness of security and to serve as a point of contact for security policy, implementation and monitoring. [2]
  Questions:
  Who in the organization:
  - Oversees the development and communication of security policies and procedures?
  - Is responsible for conducting the risk assessment?
  - Handles the results of periodic security evaluations?
  - Directs IT security purchasing and investment?
  - Ensures that security concerns have been addressed in system implementation?

Key Activity 2: Assign and Document the Individual’s Responsibility
  Description:
  - Document the individual’s responsibilities in a job description.
  - Communicate this assigned role to the entire organization.
  Questions:
  - Is there a complete job description that accurately reflects the assigned security duties and responsibilities?
  - Have the staff members in the organization been notified as to whom to call in the event of a security problem?

Key Activity 3: Supplemental References
  - NDUS 1901.2
  - All policies pertaining to personnel for NDSU Human Resources
  - NDSU HIPAA Privacy Policies and Procedures

[2] Theresa Semmens, NDSU IT Security Officer, has been appointed the NDSU Security Official for the HIPAA Privacy and Security Rules.

2.3 Workforce Security (§ 164.308(a)(3))

HIPAA Standard: Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Key Activity 1: Establish Clear Job Descriptions and Responsibilities
  Description:
  - Define roles and responsibilities for all job functions.
  - Assign appropriate levels of security oversight, training, and access.
  - Identify, in writing, who has the business need - and who has been granted permission - to view, alter, retrieve, and store electronic health information, and at what times, under what circumstances, and for what purposes.
  Questions:
  - Are there written job descriptions that are correlated with appropriate levels of access?
  - Is there an implementation strategy that supports the designated access authorities?

Key Activity 2: Establish Criteria and Procedures for Hiring and Assigning Tasks
  Description:
  - Ensure that staff members have the necessary knowledge, skills, and abilities to fulfill particular roles, e.g., positions involving access and use of sensitive information.
  - Ensure that these requirements are included as part of the personnel hiring process.
  Questions:
  - Are applicants' employment and education references checked?
  - Have appropriate background checks been completed?
  - Have confidentiality agreements stressing privacy and security been signed by the staff member?

Key Activity 3: Establish Termination Procedures
  Description:
  - Develop a standard set of procedures that should be followed to recover access control devices (identification [ID] badges, keys, access cards, etc.) when employment ends.
  - Deactivate computer access accounts (e.g., disable user IDs and passwords). See the Access Controls Standards.
  Questions:
  - Are there separate procedures for voluntary termination (retirements, promotion, change of employment) vs. involuntary terminations (termination for cause, reduction in force, involuntary transfer, and criminal or disciplinary actions)?
  - Is there a standard checklist for all action items that should be completed when an employee leaves (return of all access devices, deactivation of log-on accounts, delivery of any needed data solely under the employee’s control)?

Key Activity 4: Supplemental References
  - NDSU HIPAA Privacy Policies and Procedures

2.4 Information Access Management (§ 164.308(a)(4))

HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Key Activity 1: Determine Criteria for Establishing Access
  Description:
  - Decide how the person with the assigned security responsibility will consistently grant access to others within the organization.
  - Document which process will be used to select the basis for restricting access.
  - Choose between identity-based access (by name) or role-based access (by job or other appropriate means).
  Questions:
  - Does the organization’s IT operating system have the capacity to set access controls?
  - Are there documented job descriptions that accurately reflect assigned duties and responsibilities and enforce segregation of duties?
  - Will access be identity-based on their job requirements?

Key Activity 2: Determine Who Should be Authorized to Access Information Systems
  Description:
  - Establish standards for granting access.
  - Provide formal authorization from the appropriate authority before granting access to sensitive information.
  Questions:
  - Are duties separated such that only the minimum necessary electronic health information is made available to each staff member based on their job requirements?

Key Activity 3: Evaluate Existing Security Measures Related to Access Controls
  Description:
  - Evaluate access controls already in place or implement new access controls as appropriate.
  - Coordinate with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authentication of users, and physical access controls.
  Questions:
  - Are access policies reviewed and updated routinely?
  - Do all employees receive appropriate security training?
  - Are authentication mechanisms used to verify the identity of those accessing systems?
  - Does management regularly review the list of access authorizations and update it as necessary?
  - What policies and procedures are already in place for access control safeguards?

Key Activity 4: Supplemental References
  - NDSU HIPAA Privacy Policies and Procedures
  - NDUS 1901.2
  - NDSU 158
  - NDSU 710

2.5 Security Awareness and Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management).

Key Activity 1: Conduct a Training Needs Assessment
  Description:
  - Determine the training needs of the organization.
  - Interview and involve key personnel in assessing security training needs.
  Questions:
  - What awareness, training, and education programs are needed (e.g., what is required)?
  - What is the current status regarding how these needs are being addressed (e.g., how well are current efforts working)?
  - Where are the gaps between the needs and what is being done (e.g., what more needs to be done)?
  - What are the training priorities?

Key Activity 2: Develop and Approve a Training Strategy and a Plan
  Description:
  - Address the specific HIPAA policies that require awareness and training in the written training strategy.
  - Outline the written training plan: the scope of the awareness and training program; the goals; the target audiences; the learning objectives; the deployment methods, evaluation, and measurement techniques; and the frequency of training.
  Questions:
  - Is there a procedure in place to ensure that everyone in the organization receives security awareness training?
  - What type of security training is needed to address specific technical topics based on job responsibility?
  - When should training be scheduled to ensure that compliance deadlines are met?
  - Is security awareness discussed with all new hires (e.g., employee orientation)?
  - Are security topics reinforced during routine staff meetings?

Key Activity 3: Develop Appropriate Awareness and Training Content; Create Training Materials; and Determine Best Delivery Methods
  Description:
  - Select the topics that may need to be included in the training materials, such as the following:
    - Security reminders.
    - Incident reporting.
    - How to protect and guard the system from malicious software.
    - Procedures for monitoring login attempts and reporting discrepancies.
    - Password management and use.
  - Use new and “hot” information from e-mail advisories, online IT security daily news web sites, and periodicals.
  Questions:
  - Have employees received a copy of, or do they have easy access to, the security procedures and policies?
  - Do employees know whom to contact and how to handle a security incident?
  - Do employees understand the consequences of noncompliance with the stated security policy?
  - Are employees who travel aware of both physical laptop security issues and how to handle them?
  - Do employees know the importance of timely application of system patches?

Key Activity 3: Develop Appropriate Awareness and Training Content; Create Training Materials; and Determine Best Delivery Methods (Cont’d)
  Description:
  - Deliver training information to staff in the easiest and most cost-efficient manner.
  - Consider using a variety of media and avenues according to what is appropriate for the organization based on workforce size, location, level of education, etc.
  Questions:
  - Is there in-house training staff?
  - What is the security training budget?

Key Activity 4: Implementing the Training
  Description:
  - Schedule and conduct the training outlined in the strategy and plan.
  - Implement any reasonable technique to disseminate the security message in an organization, including newsletters, screensavers, videotapes, e-mail messages, teleconferencing sessions, staff meetings, and computer-based training.
  Questions:
  - Have all employees received adequate training to fulfill their security responsibilities?
  - What methods are available or already in use to make employees aware of security (e.g., posters or booklets, Web tutorials, Web sites)?

Key Activity 5: Monitor and Evaluate Training Plan
  Description:
  - Keep the security awareness and training program fresh and current.
  - Conduct training whenever changes occur in the technology and practices, as appropriate.
  - Monitor the training program implementation to be sure all employees participate.
  - Implement corrective actions when problems arise.
  Questions:
  - Are employee training and professional development programs documented and monitored (e.g., responsibility review)?
  - Is there annual security refresher training?
  - How are new employees trained on security?

Key Activity 6: Supplemental References
  - NDSU HIPAA Privacy Policies and Procedures
  - NDUS 1901.2
  - NDSU 158
  - NDSU 710
  - Any other applicable NDSU personnel policies

2.6 Security Incident Procedures (§ 164.308(a)(6))

HIPAA Standard: Implement policies and procedures to address security incidents.

Key Activity 1: Determine Goals of Incident Response
  Description:
  - Gain an understanding as to what constitutes a true security incident - something identified as a security breach or an attempted “hack” - in the organization’s environment.
  - Determine how the organization will respond to a security breach.
  - Establish a reporting mechanism and a process to coordinate responses to the security incident.
  - Provide direct technical assistance, advise vendors to address product-related problems and provide liaisons to legal and criminal investigative groups as needed.
  Questions:
  - Has the HIPA
