Start the Security Walkthrough

This guide will help you complete your HIPAA security risk analysis and can additionally be used for periodic review. It is based on the methodology used in PrivaPlan Stat, which guides users through the assessment and gap analysis tasks in ten steps, with the second step focused on creating an inventory of all protected health information ("PHI"). This particular guide looks at electronic PHI (ePHI).

The inventory is completed by conducting a "walk around" or walkthrough of your organization. During the walk around you should try to "look for trouble"; that is, look for areas where ePHI exists and where it may not be adequately safeguarded. This includes administrative issues, such as employee use of passwords; physical issues, such as adequate protection against theft; and technical issues, such as the use of antivirus software.

This guide is meant to provide a basic foundation for your review and does not cover every area where a safeguard may be needed (such as workforce security like background or clearance procedures and termination procedures, or security incident response and reporting). Please refer back to the PrivaGuides Implementing the Security Rule and Risk Analysis for more information and guidance on HIPAA security compliance. It is also important to remember that not all of these questions may apply to you, depending on your type or size of organization.

Start the walkthrough and take notes pertaining to the following. Remember you can use the ePHI Use and Disclosure Inventory form for documentation.

2007 PrivaPlan Associates, Inc. Patent Pending. All Rights Reserved.

1 Walk in the Front Door

How is the front door locked? Who has keys? Have the lock and keys been the same for some time? When an employee is terminated are the keys returned? Is the lock periodically re-keyed? Apply these questions to other doors with outside access.

In your answer: You must determine what is a reasonable and appropriate security measure for your organization. For example, if your office consists of only three staff members, it is likely that these same people will all have keys to the office. On the other hand, a large organization may only distribute keys to those who absolutely need them. You should also consider annually changing the locks, or at the very least keeping strict control over who has the keys (and make sure employees return them when they are terminated). Some offices use "Do not duplicate" keys that restrict duplication. Locks should be reasonably strong and secure; for example, deadbolts may be better than simple door handle locks.

Is there an alarm?
o If there is an alarm, are the codes changed after employee termination? Or otherwise periodically?
o Does the alarm system protect windows and other doors?
o Have you recently checked these?
o Have there been any changes to the facility since the alarm was put in?
o Was the alarm system configured to alarm new doors or windows if these were added or changed?

In your answer: Again, think about what would be a reasonable way to keep the security of your office intact. This will depend on location, size of your organization, other security measures in the building, etc. If you do have an alarm system, you should routinely change the code to prevent terminated employees from accessing the office.

If there is no alarm system, are door and window locks sufficiently strong to deter unauthorized access? Is the facility in an area of high risk (for example near a pharmacy) for crime or break-in? Has there ever been a break-in?
o If so, was there any remedial action taken afterwards? Please describe.

In your answer: After answering these questions, you may realize that you are not doing enough to secure the office from break-ins. If this is the case, you must come up with a remediation plan that is reasonable for your organization. HIPAA contains the concept of security incident response and reporting. Simply stated, this means you should evaluate security incidents and respond to them accordingly. A break-in certainly can be considered a security incident.

Is the area visitors enter separated from where ePHI is? (For example a waiting room or visitor area.)

In your answer: It is very important to make certain that you minimize the possibility of visitors (or patients) viewing any form of PHI, including electronic, during their visit to your location. This may mean positioning monitors away from sight, physical separations such as a desk or wall, and electronic measures such as screen savers.

Are patients required to sign in? Are visitors required to sign in? Are visitors (non-patients) required to identify themselves? Are badges used for temporary visitor identification?

In your answer: Badges are not a requirement of HIPAA. However, depending on the size of your organization, you may deem this an appropriate way to monitor any and all visitors. In a smaller office, it may be sufficient to have a staff member keep an eye on any visitors, including repair personnel or vendors, while they are in your office.

Do employees wear any kind of identification tags or badges to authenticate them as authorized personnel?

In your answer: Remember, this is not a HIPAA requirement! Again, larger organizations (like hospitals) may already have staff ID badges. A smaller organization may not need this kind of authentication. As your organization grows, however, current employees may not recognize new staff; identification badges or similar can authenticate the new employee and help you differentiate between staff and authorized visitors and persons who should not be present.

2 Continue Walking Through the Office

Identify computer workstations.
o Are they reasonably secure from accidental or deliberate viewing by patients or visitors?
o Are they reasonably secured from theft?

In your answer: You should consider each and every computer workstation. It may not always be practical to position a workstation so it is unable to be viewed by a patient or visitor. However, you can train and remind staff to monitor patients or visitors and request they not linger or deliberately look at workstation display screens.

Do users need to log on with a unique user ID? Do users also need a password to log on?

In your answer: It is very important to ensure that every computer application you use to store ePHI is secured with unique logins and passwords for each employee. It is also important to be able to restrict access to specific areas of ePHI depending on the employee's position. Again, this will be largely determined by the size of your organization.

What is the policy regarding:
a) use of strong passwords (for example, more characters and/or including a number or symbol)
b) changing passwords
c) monitoring log-on attempts, especially those that fail or are during unusual times
d) disabling log-ons after a certain number of failed attempts

In your answer: These are all appropriate and important measures to ensure the security of your ePHI. This often can be accomplished by configuring your system. Windows provides security settings for this (click on the Control Panel from the Start menu, open Administrative Tools, then Local Security Policy and view settings, or open the Event Viewer). Your computer support can help with this. Often vendors of applications (practice management software, electronic medical records, and claims processing software) can advise you on configurations. They generally should also provide access management (passwords) and audit controls from within their software.
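The log-on monitoring asked about in items c) and d) above, as an added example that is not part of the original guide: a Python sketch that reviews exported log-on records for repeated failed attempts and for successful log-ons at unusual times. The record layout, the office hours, the failure threshold and the user and workstation names are all assumptions made for the example.

```python
"""Review exported log-on records for repeated failures and unusual times.

Added example. The CSV layout, office hours and threshold are assumptions;
set them to match your own written policy and your system's audit export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

OFFICE_OPEN = time(7, 0)                 # assumed start of normal hours
OFFICE_CLOSE = time(19, 0)               # assumed end of normal hours
MAX_FAILURES = 5                         # assumed lockout threshold
FAILURE_WINDOW = timedelta(minutes=15)   # failures are counted inside this window

# Constructed sample export: timestamp, user ID, workstation, result.
SAMPLE_LOG = """\
timestamp,user,workstation,result
2007-03-05 08:01:12,frontdesk1,WS-01,success
2007-03-05 08:03:40,billing2,WS-02,failure
2007-03-05 08:03:55,billing2,WS-02,success
2007-03-05 13:10:01,physician1,WS-03,failure
2007-03-05 13:10:09,physician1,WS-03,failure
2007-03-05 13:10:15,physician1,WS-03,failure
2007-03-05 13:10:22,physician1,WS-03,failure
2007-03-05 13:10:30,physician1,WS-03,failure
2007-03-05 13:10:41,physician1,WS-03,failure
2007-03-06 02:47:18,billing2,WS-02,success
2007-03-10 11:15:00,frontdesk1,WS-01,success
"""


def parse_records(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def lockout_candidates(records):
    """Return {user: time of the failure that reached MAX_FAILURES}.

    Failures are counted per user inside a sliding FAILURE_WINDOW, and a
    successful log-on resets that user's count (item d in the checklist).
    """
    recent = defaultdict(list)
    flagged = {}
    for rec in records:
        user, when = rec["user"], rec["timestamp"]
        if rec["result"] == "success":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if t >= when - FAILURE_WINDOW]
        recent[user].append(when)
        if len(recent[user]) >= MAX_FAILURES and user not in flagged:
            flagged[user] = when
    return flagged


def after_hours_logons(records):
    """Return (user, workstation, time) for successful log-ons on a weekend
    or outside office hours (item c in the checklist)."""
    unusual = []
    for rec in records:
        if rec["result"] != "success":
            continue
        when = rec["timestamp"]
        weekend = when.weekday() >= 5          # Saturday = 5, Sunday = 6
        outside = not (OFFICE_OPEN <= when.time() < OFFICE_CLOSE)
        if weekend or outside:
            unusual.append((rec["user"], rec["workstation"], when))
    return unusual


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for user, when in lockout_candidates(records).items():
        print(f"{user}: {MAX_FAILURES} failed log-ons reached at {when}; review or disable")
    for user, workstation, when in after_hours_logons(records):
        print(f"{user} logged on at {workstation} at {when:%a %Y-%m-%d %H:%M}; confirm it was expected")
```

The single mistyped password by billing2 is not flagged because the successful log-on that follows resets the count; the early-morning and Saturday log-ons are listed for follow-up rather than treated as incidents.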
Do you use any other kind of access control such as tokens or fingerprint mouse controls?

In your answer: This is not a HIPAA requirement. However, depending on the size of your organization and the sensitivity level of the ePHI you have access to, this may be an appropriate measure for your organization. Some organizations are moving to use of these technical options to reduce the need for staff to maintain complex passwords or continually change them.

Are users given permission only to the ePHI they need and given the appropriate level of access?
o By operating system (such as Windows access)
o By application software (such as your billing software)

In your answer: Depending on your size it may be reasonable to restrict access. For example, the front desk may not require access to the medical contents of an electronic medical or health record. Good software can restrict access by contents as well as restrict permission to read only, read/write and delete abilities. Workstations and servers can be configured to prevent users from connecting devices without authorization, making backups, and so forth.

Do workstations have time-outs after a period of inactivity?
o Is this simply a screen saver or does it actually log off the user?
o What are the time-outs in place at each workstation?

In your answer: As mentioned above, this is a good way to minimize the risk of accidental (or deliberate) viewing of ePHI. We suggest implementing not just a screensaver, but one that requires the person to log in again or enter a password. These measures are built in to most Windows versions and must simply be activated to use.

Are there any laptop computers or PDAs in use?

In your answer: Don't forget any laptops or personal data assistants that the staff, such as physicians, may use. If they can use these devices to access ePHI, then you must also ensure the security of the device.

Are these laptops also secured by password and other access protection? Are they kept secure while not in the physical presence of the user? (For example, are desktop lock/cables used for laptops?)

What software applications run on the workstations? Do these applications create, maintain, store or transmit ePHI? If so, which are the most critical?

In your answer: This step is called a criticality analysis. You should think about what software you absolutely must have access to. For example, if an earthquake caused the power to go out, you could probably do without having access to your billing software for 24 hours; however, you may need access to the patient scheduling database immediately in order to call patients to tell them not to come in.

Identify if there are any backup tapes, CD-ROMs, Zip disks, memory sticks and so forth either near workstations or in other areas. Are these reasonably secure from theft?
o Determine if they are used for backup and if their data is encrypted or otherwise protected, for example by password.

In your answer: If the data on your backup media is not secure, you are at very high risk of a breach of the security of your ePHI. You may need to ask your software vendor whether or not the data backup media are secure; for example, if it was stolen, would the person have access to your ePHI?

Are workstations configured to store information on a central server that is reliably backed up? If not, are local workstations that contain ePHI backed up?
o How often?
o By whom?

In your answer: This question is part of your criticality analysis. If your computer were to suddenly fail, would you lose all of your data? Regular backups are an important part of maintaining the integrity of your data and also limit the risks of data loss should any emergency or natural disaster occur. Often server data is backed up, while workstation level data is not!

Is there a specific location where backup tapes (or other backup media) are securely stored in the office? Is this location secure from theft as well as environmental hazards such as flooding or fire?

In your answer: You may determine that a simple fix, such as a locked cabinet, is sufficient to ensure the safety of your backup tapes. Or, you may consider something like a fireproof safe that is more likely to withstand natural disasters and theft.

Are backup tapes (or other backup media) ever taken offsite?
o If so, by whom?
o How often?

In your answer: A backup kept in the office is of no use if the office is destroyed! You may deem it necessary to make duplicate backup tapes, and to take one copy off-site should a disaster make the office inaccessible. If you do, you should remember that the security of these tapes should be ensured off-site as well.

Are backup tapes ever discarded or thrown away?
o If so, is the ePHI properly erased prior to discarding? Or are they appropriately shredded or otherwise destroyed?

In your answer: Backup media contains ePHI. Unless it is destroyed or erased, this data can fall into the wrong hands. You may need to use a commercial software product to sanitize the backup media or simply destroy it.

Are backup tapes (or other backup media) ever verified to ensure they contain the data?
o By whom?
o How often?

Are backup tapes (or other backup media) ever restored to ensure that they actually can be accessed by the software?

In your answer: This question leads to your contingency and emergency plan. HIPAA requires that you have a plan of action should an emergency ever take place. As such, it is a good idea to routinely test your emergency mode operations by testing the reliability of your data backup. Backup media, like tapes, have a "life cycle"; that is, they wear out and need to be replaced. Changes in your computer system may accidentally disable your backup or not back up newer critical files. Routine review is one way to safeguard against these and similar problems.

Is there another location that can be used to access ePHI in the event this location is unavailable (a "hot site" that has a similar computer system and the software applications that you currently use)?
o If so, where is it located?
o How can it be accessed during an emergency?

In your answer: As part of your emergency plan, you should determine whether or not you will need access to your ePHI should you be unable to gain access to the office. For example, if the only ePHI you maintain is patient billing information, you may be able to go without access to this information for up to a week. However, if you maintain electronic patient records, you will need to have access to them no matter what. It is a good idea to designate another location, either at home or a neighboring office, where you can recover your data should an emergency make your office inaccessible. As part of your emergency plan, you may need to load your software onto the off-site computer. You may need to ask your software vendor for help with your emergency plan. They may even be able to provide an alternate location.

Does a trusted person maintain a list of all user IDs and passwords, and is this kept in a secure location that can be accessed during an emergency?

In your answer: Keeping a list of user IDs and passwords is important not only in the event of an emergency, but also in the case of a key staff member (like the computer administrator) leaving unexpectedly due to illness or termination.

Is there a computer server or central unit?
o If so, evaluate its location: Is the location secure and separately locked or restricted from the rest of the office?
o Is the location adequately protected from heat and cold?
o Is the location reasonably protected from flooding and environmental hazards?

In your answer: Think about ways to minimize the risk of losing data or access to your ePHI. Computer servers are becoming smaller and smaller, making it easier for a thief to remove one!

Is there surge protection in place for the workstations and the server/central unit? Does the surge protection include uninterruptible power supply or backup in the event of a power loss? Is your facility prone to power losses like brownouts? Is your facility prone to lightning strikes? Is it prone to power surges?

In your answer: Depending on the likelihood of specific natural disasters in your area, you will have to think about ways to deal with these disasters should they occur and how to minimize the risk of these disasters compromising your ePHI.

Are computers ever discarded or given away?
o If so, is the ePHI properly erased prior to this? Or are they appropriately shredded or otherwise destroyed?

In your answer: Workstations, laptops, servers and PDAs all may contain ePHI. Unless it is destroyed or erased, this data can fall into the wrong hands. You may need to use a commercial software product to sanitize or erase the data or ensure that all hard disks have been reformatted (remember, simply recycling a file does not destroy it).

What software applications run on the server/central unit?
o Do these create, maintain, store or transmit ePHI?
o If so, which are the most critical?

In your answer: Again, this is part of your criticality analysis and contingency planning.

Does the software application audit all access and activities?
o Is an easy-to-use log available of access by user ID, time and day?
o Does the log display what part of the application was accessed and what was done?

In your answer: If the software creates, maintains, stores, or transmits ePHI, an audit trail is usually needed. The level of detail of the audit will depend on what is appropriate for your organization. Remember, even billing systems contain enough information for identity theft! Good software applications should allow you to know when a user accessed the system, who it was, and what they did (read, write, delete and even in some cases copy). Your IT professional may be able to help you create a policy about how to use the audit, for example routine review after terminating an employee or after a security incident.

What kind of data communication exists with other entities?

In your answer: Don't forget about electronic communications with other entities! For example, data backups from your software vendor, electronic billing, e-mail, etc.

Do you have a dial-up modem in place?
o Is the dial-in number to your computer known to only authorized persons?

In your answer: Even though hackers are less likely to gain access to your system via a dial-up connection, it is still important to think about ways to ensure the security of your system. Dial-up modems can be turned off (or unplugged) when not in use or needed.

Is a high speed (always on) connection in place?
o Is it used for Internet access as well as point-to-point access to a specific entity (such as a clearinghouse or your software vendor)?
o What kind of protection is in place to ensure only authorized access to your computer?

In your answer: If you have a high speed connection, it is imperative that you have a firewall or some other safeguard in place to ensure the security of your connection. You may need both a hardware firewall (usually built in to your router) and a software firewall.

If you have a high speed connection, do you have a router?
o Does the router have the password enabled to ensure that only authorized users can configure its settings?
o Does the password get verified in the case of power failures?
o Is the router configured to restrict access from the outside by verifying remote user IP addresses, or MAC addresses?
o Does it act in any other way as a hardware firewall?
o Does it monitor and record access?
o Can it provide an audit of these?
o Does your organization use any other restrictions such as a Virtual Private Network for access?

In your answer: You may need to seek the help of your IT professional or internet connection provider to answer these questions. Routers can be configured with a password but often this is overlooked. Even when configured, the password may be reset when there is a power outage or you reset the router. Most commercially available routers have factory-set passwords that are known by hackers. Routers can vary in levels of sophistication. They can authenticate remote users by the actual physical unit the user employs, or by an electronically assigned address. They can be set to dynamically assign an address to your network workstations and server so these cannot be easily seen by a hacker. They can be set up to log all access attempts and even report suspicious use.

Does your organization use wireless access internally for communication between workstations, laptops and so forth with the server or central unit?

In your answer: Keep in mind that although wireless internet access is convenient, it can put your organization at high risk from hackers.

Does the wireless access extend to areas beyond your office where the public could obtain a signal? If so, is the wireless access configured to provide encryption? Is this encryption reasonably strong to protect ePHI? (For example, use of dynamically changing encryption keys?) Is the wireless access configured to restrict remote access such as by IP address or MAC address?

In your answer: You may need to ask your networking professional for help in answering these questions about your wireless internet access. It is possible for a hacker to listen in to wireless communications and with sophisticated software break the encryption of your wireless device! If you use wireless for sensitive ePHI like medical records, you may want to ensure higher level encryption that is harder to break.

Is a software firewall in place?
o Is it configured for automatic updates and does it protect all workstations as well as the server/central unit?

Does the practice maintain up-to-date software to protect against any kind of malware (viruses, Trojans, worms, spyware, phishing)?
o Does this software remain updated automatically?
o Are all workstations as well as the server/central unit protected?
o Are routine scans done of ePHI to ensure it is not infected or corrupted?

In your answer: It is extremely important to ensure that your firewall and virus protection are up-to-date, as new viruses etc. are made each day. Without these updates, you are only protected against old threats! Threats can include viruses which can damage the integrity of your data as well as spyware that can be malicious enough to log all your keystrokes (and figure out likely passwords)! Most antivirus software can be configured to routinely scan your files and even scan outgoing messages. This is a good way to periodically review the integrity of ePHI.

Does your organization restrict spam? Does your organization use encryption to send any e-mail with ePHI?

In your answer: Many viruses are contained in spam (e-mail advertisements). Using a spam filter is a good way to minimize this risk. Many providers automatically provide spam filters. Additionally, if you transmit any ePHI via e-mail, you must ensure the security of this data via some type of encryption. You may need to speak to an IT professional to determine what the best solution is for you.

Is there a back or side door(s) that are used for employee or other access?
o If so, are they kept locked from the outside during business hours? If they are not kept locked from the outside, are they monitored or positioned such that someone is always nearby to determine unauthorized access during business hours?

In your answer: Don't forget to secure all means of access to your office! The back door left open and not monitored can provide easy access for a thief!

Does the staff appear to understand and follow security policies and procedures?
o If you have noted any vulnerabilities, are they because staff has not followed your policies?
o Is the staff adequately trained?
o Are they periodically reminded of security policies?

In your answer: HIPAA requires security training just like the privacy rule. It may also be appropriate to periodically remind staff of security threats (for example in response to a security incident) to help them remain aware and attentive to following your security procedures.


More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

The simplified guide to. HIPAA compliance

The simplified guide to. HIPAA compliance The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

HIPAA Security Manual

HIPAA Security Manual 2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies

More information

NMHC HIPAA Security Training Version

NMHC HIPAA Security Training Version NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and

More information

HIPAA COMPLIANCE FOR VOYANCE

HIPAA COMPLIANCE FOR VOYANCE HIPAA COMPLIANCE FOR VOYANCE How healthcare organizations can deploy Nyansa s Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class

More information

Introduction. Read on and learn some facts about backup and recovery that could protect your small business.

Introduction. Read on and learn some facts about backup and recovery that could protect your small business. Introduction No business can afford to lose vital company information. Small-business owners in particular must take steps to ensure that client and vendor files, company financial data and employee records

More information

Security Audit What Why

Security Audit What Why What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved. Security Bob Shantz Director of Infrastructure & Cloud Services 2016 Computer Guidance Corporation. All Rights Reserved. CPE Credits To receive your CPE Credits:. Complete a survey for each session attended.

More information

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant. HIPAA Checklist There are 3 main parts to the HIPAA Security Rule. They include technical safeguards, physical safeguards, and administrative safeguards. This document strives to summarize the requirements

More information

HIPAA Security. What Every HIPAA Professional Should Know. Presented by: Sharon A. Budman, MS Ed, CIPP Ishwar Ramsingh, MBA, CISSP, CISA, CISM

HIPAA Security. What Every HIPAA Professional Should Know. Presented by: Sharon A. Budman, MS Ed, CIPP Ishwar Ramsingh, MBA, CISSP, CISA, CISM HIPAA Security What Every HIPAA Professional Should Know Presented by: Sharon A. Budman, MS Ed, CIPP Ishwar Ramsingh, MBA, CISSP, CISA, CISM Thursday, March 29, 2007 Purpose Provide guidance to IT administrators

More information

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE 164.502 Develop "minimum necessary" policies for: HIPAA PRIVACY RULE 164.514 - Uses 15 Exempts disclosure for the purpose of treatment from the minimum necessary standard. Page references for - Routine

More information

4 Information Security

4 Information Security 4 Information Security 1. Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one. 2. Compare and contrast human mistakes

More information

7.16 INFORMATION TECHNOLOGY SECURITY

7.16 INFORMATION TECHNOLOGY SECURITY 7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department HIPAA Assessment Prepared For: ABC Medical Center Prepared By: Compliance Department Agenda Environment Assessment Overview Risk and Issue Score Next Steps Environment NETWORK ASSESSMENT (changes) Domain

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Recommendations for Implementing an Information Security Framework for Life Science Organizations Recommendations for Implementing an Information Security Framework for Life Science Organizations Introduction Doug Shaw CISA, CRISC Director of CSV & IT Compliance Azzur Consulting Agenda Why is information

More information

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

Physical Safeguards Policy July 19, 2016

Physical Safeguards Policy July 19, 2016 Physical Safeguards Policy July 19, 2016 SCOPE This policy applies to Florida Atlantic University s Covered Components and those working on behalf of the Covered Components (collectively FAU ) for purposes

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

HIPAA Security Awareness Training

HIPAA Security Awareness Training HIPAA Security Awareness Training Spring 2015 DBHDS Vision: A life of possibilities for all Virginians What is HIPAA? HIPAA means: Health Insurance Portability and Accountability Act It is a set of regulations

More information

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c. Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

HIPAA Compliance Assessment Module

HIPAA Compliance Assessment Module Quick Start Guide HIPAA Compliance Assessment Module Instructions to Perform a HIPAA Compliance Assessment Performing a HIPAA Compliance Assessment 2 HIPAA Compliance Assessment Overview 2 What You Will

More information

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA COMPLIANCE AND DATA PROTECTION Page 1 HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

KSI/KAI Cyber Security Policy / Procedures For Registered Reps

KSI/KAI Cyber Security Policy / Procedures For Registered Reps KSI/KAI Cyber Security Policy / Procedures For Registered Reps Password Protection 1) All electronic devices used in any way for KSI/KAI business must be password protected. 2) Passwords, where applicable,

More information

Disaster Recovery Self-Audit

Disaster Recovery Self-Audit Disaster Recovery Self-Audit Disaster Recovery Audit There are 3 steps to this process: 1. Identify all data and IT-related functions (like credit card processing, documents on your file server, member

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

The ABCs of HIPAA Security

The ABCs of HIPAA Security The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield

More information

HELPFUL TIPS: MOBILE DEVICE SECURITY

HELPFUL TIPS: MOBILE DEVICE SECURITY HELPFUL TIPS: MOBILE DEVICE SECURITY Privacy tips for Public Bodies/Trustees using mobile devices This document is intended to provide general advice to organizations on how to protect personal information

More information

Lesson 10 Data and Hardware Protection

Lesson 10 Data and Hardware Protection Data and Hardware Protection Computer Literacy BASICS: A Comprehensive Guide to IC 3, 5 th Edition 1 Objectives Understand types of backups. Select a backup method. Determine a schedule for backing up

More information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities

More information

Vendor Security Questionnaire

Vendor Security Questionnaire Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information

More information

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security HISPOL 003.0 The United States House of Representatives Internet/ Intranet Security Policy CATEGORY: Telecommunications Security ISSUE DATE: February 4, 1998 REVISION DATE: August 23, 2000 The United States

More information

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network? Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person) Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

Train employees to avoid inadvertent cyber security breaches

Train employees to avoid inadvertent cyber security breaches Train employees to avoid inadvertent cyber security breaches TRAIN EMPLOYEES TO AVOID INADVERTENT CYBER SECURITY BREACHES PAGE 2 How much do you know about cyber security? Small business owners often lack

More information

Summary Analysis: The Final HIPAA Security Rule

Summary Analysis: The Final HIPAA Security Rule 1 of 6 5/20/2005 5:00 PM HIPAAdvisory > HIPAAregs > Final Security Rule Summary Analysis: The Final HIPAA Security Rule By Tom Grove, Vice President, Phoenix Health Systems February 2003 On February 13,

More information

SHS Annual Information Privacy and Security Training

SHS Annual Information Privacy and Security Training SHS Annual Information Privacy and Security Training Purpose for Training Samaritan Health Services has created the following training to meet the annual regulatory requirements for education related to

More information

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Welcome! Thank you for joining us today. In today s call we ll cover the Security Assessment and next steps. If you want

More information

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule Legal Disclaimer: This overview is not intended as legal advice and should not be taken as such. We recommend that you consult legal

More information

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation A Security Model for Space Based Communication Thom Stone Computer Sciences Corporation Prolog Everything that is not forbidden is compulsory -T.H. White They are after you Monsters in the Closet Virus

More information

HIPAA Compliance and OBS Online Backup

HIPAA Compliance and OBS Online Backup WHITE PAPER HIPAA Compliance and OBS Online Backup Table of Contents Table of Contents 2 HIPAA Compliance and the Office Backup Solutions 3 Introduction 3 More about the HIPAA Security Rule 3 HIPAA Security

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

INFORMATION SECURITY AND RISK POLICY

INFORMATION SECURITY AND RISK POLICY INFORMATION SECURITY AND RISK POLICY 1 of 12 POLICY REFERENCE INFORMATION SHEET Document Title Document Reference Number Information Security and Risk Policy P/096/CO/03/11 Version Number V02.00 Status:

More information

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com : HIPPA Compliance GoToMyPC Corporate HIPAA Compliance Privacy, productivity and remote access 2 The healthcare industry has benefited greatly from the ability to use remote access to view patient data

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

HIPAA Security Rule Policy Map

HIPAA Security Rule Policy Map Rule Policy Map Document Information Identifier Status Published Published 02/15/2008 Last Reviewed 02/15/1008 Last Updated 02/15/2008 Version 1.0 Revision History Version Published Author Description

More information

HIPAA & Privacy Compliance Update

HIPAA & Privacy Compliance Update HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com

More information

Chapter 12. Information Security Management

Chapter 12. Information Security Management Chapter 12 Information Security Management We Have to Design It for Privacy... and Security. Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication

More information

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017 COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE Presented by Paul R. Hales, J.D. May 8, 2017 1 HIPAA Rules Combat Cyber Crime HIPAA Rules A Blueprint to Combat Cyber Crime 2 HIPAA Rules Combat Cyber Crime

More information

Physician Office Name Ambulatory EHR Security Risk Analysis

Physician Office Name Ambulatory EHR Security Risk Analysis Process is in place to verify access granted is appropriate (ie: Role Based access indicates that the biller has access to billing screens and the nurse has access to the patient medical information).

More information

The 10 Disaster Planning Essentials For Any Small Business Network

The 10 Disaster Planning Essentials For Any Small Business Network The 10 Disaster Planning Essentials For Any Small Business Network Little-Known Facts, Mistakes And Blunders About Data Backup, IT Disaster Recovery and Business Continuity Every Small Business Owner Must

More information

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on

More information

Company Policy Documents. Information Security Incident Management Policy

Company Policy Documents. Information Security Incident Management Policy Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios

More information

PATRICK ROUGEAU MARC HASKELSON

PATRICK ROUGEAU MARC HASKELSON PATRICK ROUGEAU Compliance Officer MARC HASKELSON President & CEO Horror Story The $750,000 HIPAA Mistake Recent HIPAA Trends and What They Mean for Your Business What Does HIPAA Require? How Does My Current

More information