Matching BlackBerry Features to HIPAA Security Requirements


Author: Michael A. Eck, The Segal Company
Sponsored by: Research In Motion

Foreword

About this Guide

This guide is sponsored by Research In Motion (RIM) and was developed by The Segal Company with editorial input and technical review from RIM.

About the Author

The Segal Company is an independent, privately held, employee-owned consulting firm that provides a variety of consulting services to public, private and non-profit organizations throughout the United States and Canada. Founded over 70 years ago, The Segal Company's consulting philosophy and overall approach are defined by our commitment to our clients. We operate within specialized practice areas, two of which were called upon for the development of this white paper: our Compliance practice and our Automation & Technology practice.

Michael A. Eck is a Vice President in Segal's New York office and is responsible for the firm's Automation and Technology practice. He regularly assesses and advises clients on information security and privacy concerns relating to HIPAA and on other best practices for the management and security of information assets.

BlackBerry and HIPAA 2

Table of Contents

Foreword
  About this Guide
  About the Author
Introduction
Section 1: BlackBerry in a HIPAA Security Environment
  The HIPAA Security Rule
  BlackBerry IT Policies
  HIPAA Security Standards
  Deploying BlackBerry in a HIPAA Security Environment
  Technical Safeguards
  Administrative Safeguards
  Physical Safeguards
  Additional Valuable Security Management Features
Section 2: Background on HIPAA Administrative Simplification Provisions
  What is HIPAA?
  Who Must Comply?
  HIPAA Compliance Deadlines
  What are the Penalties for Non-compliance?
Appendix I: Password Management Close-up
Appendix II: Communication Types
Resources
End Notes

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 led to the promulgation of a broad and comprehensive set of regulations requiring healthcare organizations to address privacy and security concerns related to healthcare data. These rules and their updates extend beyond traditional paper-based information to include data stored and transmitted electronically. The HIPAA Security Rule focuses exclusively on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule mandates technical, administrative, and physical safeguards and details the security measures organizations must implement to protect electronic data.

Although the Security Rule provides covered entities with implementation specifications describing how its standards are to be met, HIPAA is designed to be technology-neutral. Each organization must determine which technology solutions are consistent with, and facilitate, its obligation to comply with all of the HIPAA requirements.

Information security management is a constant and ongoing process, and the tools and techniques used to manage security and threats will continue to evolve. HIPAA compliance is likewise an ongoing and all-inclusive program that requires a complete complement of technical, administrative and physical safeguards, all of which must be tailored to the organization's environment. This document focuses on how to apply the tools, functionality and resources available through the BlackBerry Enterprise Solution to help support the HIPAA security requirements and to combat the ever-growing number of security challenges in healthcare information technology.

This guide is designed to identify and illustrate the HIPAA security requirements, provide alternatives for meeting them, and supply the education and supporting information an IT professional needs to design and implement a HIPAA-supportive security architecture.

Section 1: BlackBerry in a HIPAA Security Environment

The HIPAA Security Rule

Section 164.306(a), the statement of the general Security Rule requirements, requires covered entities to:

- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
- Ensure compliance by its workforce.

The Security Rule focuses on safeguarding the confidentiality, integrity, and availability of all ePHI that a covered entity (or its business associates) creates, receives, maintains, or transmits. It sets out standards and describes both required and addressable implementation specifications. Entities must protect ePHI against reasonably anticipated threats, hazards, and impermissible uses or disclosures, and must ensure compliance by their workforce. Required safeguards include implementing appropriate policies and procedures, controlling physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and electronic devices.

The Security Rule is scalable and technology-neutral: it describes a set of standards and specifications for protecting ePHI but does not specify product solutions. Covered entities and their business associates may implement the technological solutions appropriate to their operations and environment.

CMS Guidance on Remote Access & Portable Devices

The U.S. Department of Health and Human Services (HHS) has not amended the Security Rule to address the growing use of wireless devices, but the Centers for Medicare and Medicaid Services (CMS) has released guidance for covered entities that permit the use of portable electronic devices that store ePHI, or that allow remote access to ePHI from devices such as laptop computers, PDAs and smartphones. In this guidance, CMS cautions covered entities to permit the use of these devices only where there is a clear business need, and only after the entity has taken great care to ensure that appropriate policies and procedures are in place and that staff are adequately trained. CMS also discusses risk management strategies that covered entities should consider adopting when these devices are used, including requiring encryption for stored ePHI and for ePHI transmitted over the Internet, and enforcing session termination.

Communication Types & Messaging

Mobility has emerged as a key requirement for healthcare practitioners. Consider a doctor who uses a smartphone to receive a message about a patient with medical records attached, or a clinician who uses a smartphone application for remote access to a practice management system. ePHI can exist in several forms, media and transports, and smartphones very frequently sit at the intersection of ePHI and mobility. In particular, ePHI in a mobile environment is often rendered as messages or as application data. There are several messaging types, including email, SMS, MMS, BlackBerry PIN messaging and BlackBerry Messenger. ePHI can also be accessed and viewed through applications developed for smartphone use. The tools used to manage and control both messaging and data must be robust enough to manage the security of ePHI effectively. For further information on these messaging types and applications, see Appendix II: Communication Types.

BlackBerry IT Policies

BlackBerry IT policies are the mechanism administrators use to set the rules for how the BlackBerry Enterprise Server and smartphones operate. IT policies can be applied to an individual user or to a group of similar users, and they override the security settings that users define on their own smartphones. For example, an administrator can configure whether a password is required for a BlackBerry smartphone, how long a password remains valid before it expires, and the required length and composition of the password, among many other options. An administrator can also use IT policies to specify encryption key details.

The BlackBerry Enterprise Solution gives administrators tight control over many aspects of the solution. With over 400 published IT policies, administrators can enforce specific capabilities and restrictions.

With the BlackBerry Enterprise Solution, IT policies are one-way, server-initiated, outbound communications. This lets administrators control each BlackBerry smartphone reliably, with confidence that the device is configured as intended: users cannot intervene or prevent a policy from being applied once the administrator has initiated it. IT policies also carry digital signatures, so that only the designated BlackBerry Enterprise Server can send policy updates to a given BlackBerry smartphone. Through the use of specific IT policies, the BlackBerry Enterprise Server and its associated smartphones can be configured to meet many best-practice security requirements and HIPAA requirements.

HIPAA IT Policy Group

One size does not always fit all, nor should it need to. In healthcare organizations, not all members of the workforce need access to ePHI. For example, employees in the finance or purchasing departments, some IT functions and many members of the senior management team do not need access to ePHI to fulfill their job functions. Based on a formalized and documented risk assessment, the level of security and protection applied to devices will likely differ depending on whether the user is allowed to view, use or manage ePHI. Organizations should therefore consider using different IT policy groups for different segments of their workforce. This allows administrators to tailor security settings to each employee's or group's role within the organization.

HIPAA Security Standards

Security standards are divided into the categories of administrative, physical and technical safeguards.

Administrative safeguards: Documented, formal practices to manage the selection and implementation of security measures that protect information, and to guide the conduct of personnel in relation to the protection of information.

Physical safeguards: Practices to manage the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.

Technical safeguards: Processes put in place to protect information and to control access to data that is stored and transmitted over a communications network.

BlackBerry smartphones and the BlackBerry Enterprise Server can assist organizations not only with the technical safeguards, but also with their administrative and physical safeguard responsibilities under the HIPAA regulations. The following chart summarizes the HIPAA specifications that the BlackBerry Enterprise Solution can support as part of a complete security environment.

Each set of safeguards comprises a number of standards, and each standard generally consists of several implementation specifications that are either required (R) or addressable (A). An implementation specification is a detailed instruction for implementing a particular HIPAA Security Rule standard. Required specifications are mandatory, as the name suggests; addressable specifications must also be implemented if doing so is reasonable and appropriate under the circumstances. Addressable specifications are not optional. If an entity chooses not to implement an addressable specification based on its risk assessment, it must document the rationale supporting that determination and, if reasonable and appropriate, implement an equivalent alternative measure.

HIPAA SECURITY STANDARDS & IMPLEMENTATION SPECIFICATIONS (Abbreviated)

Technical Safeguards
  Access Controls (R)
    - Unique User Identification (R)
    - Emergency Access Procedure (R)
    - Automatic Logoff (A)
    - Encryption & Decryption (A)
  Audit Controls (R)
  Integrity (R)
    - Mechanism to Authenticate ePHI (A)
  Person or Entity Authentication (R)
  Transmission Security (R)
    - Integrity Controls (A)
    - Encryption (A)

Physical Safeguards
  Workstation Use (R)
  Device and Media Controls (R)
    - Disposal (R)
    - Media Re-Use (R)
    - Accountability (A)

Administrative Safeguards
  Security Management Process (R)
    - Risk Management (R)
    - Information System Activity Review (R)
  Workforce Security (R)
    - Workforce Clearance Procedure (A)
    - Termination Procedures (A)
  Information Access Management (R)
    - Access Authorization (A)
    - Access Establishment & Modification (A)
  Security Awareness & Training (R)
    - Protection from Malicious Code (A)
    - Log-in Monitoring (A)
    - Password Management (A)
  Contingency Plan (R)
    - Emergency Mode Operation Plan (R)

(R) Required   (A) Addressable
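The HIPAA IT Policy Group discussion above recommends separate policy groups for workforce members who handle ePHI and those who do not, and the IT Policies section notes that a policy fixes the password requirement, its length and composition, and related settings. The following is an added example, not code from this guide or from RIM: it models two such groups, maps roles to them, checks that the ePHI group meets the floor this guide describes (password enforced, device locks within 15 to 30 minutes, stored data encrypted), and validates a proposed device password against the group's composition rules. The setting names, group names, role list and pattern-run rule are assumptions made for the example and are not the names of real BlackBerry Enterprise Server IT policy items.

```python
"""Role-based IT policy groups with a configuration and password check.

Added illustration for this guide, not RIM's software: the setting names
below are a hypothetical model of the controls the guide describes, not the
names of real BlackBerry Enterprise Server IT policy items.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyGroup:
    name: str
    password_required: bool
    min_password_length: int
    require_letters_and_digits: bool
    max_pattern_run: int          # longest allowed run of repeated/sequential chars, 0 = unchecked
    password_max_age_days: int
    inactivity_timeout_min: int   # minutes of inactivity before the device locks
    content_protection: bool      # encrypt data stored on the device
    external_connections: bool    # may the device reach WAP/SMS/MMS gateways


# Two hypothetical groups: one for workforce members who handle ePHI, one for
# staff (finance, purchasing, some IT roles) who never need ePHI on a device.
HIPAA_GROUP = PolicyGroup("HIPAA-ePHI", True, 8, True, 3, 90, 15, True, False)
STANDARD_GROUP = PolicyGroup("Standard", True, 4, False, 0, 180, 30, False, True)

# Roles cleared for ePHI by the organization's documented risk assessment (assumed).
EPHI_ROLES = {"physician", "nurse", "clinician", "medical_records"}

# Floor for any group whose members may hold ePHI, taken from this guide:
# password enforced, device locks within 30 minutes, stored data encrypted.
EPHI_MIN_PASSWORD_LENGTH = 8
EPHI_MAX_TIMEOUT_MIN = 30


def assign_group(role: str) -> PolicyGroup:
    """Map a workforce role to its IT policy group."""
    return HIPAA_GROUP if role in EPHI_ROLES else STANDARD_GROUP


def baseline_violations(group: PolicyGroup) -> list[str]:
    """Ways an ePHI-handling group falls short of the floor (empty list = OK)."""
    problems = []
    if not group.password_required:
        problems.append("password not required")
    if group.min_password_length < EPHI_MIN_PASSWORD_LENGTH:
        problems.append("minimum password length below %d" % EPHI_MIN_PASSWORD_LENGTH)
    if group.inactivity_timeout_min > EPHI_MAX_TIMEOUT_MIN:
        problems.append("inactivity timeout above %d minutes" % EPHI_MAX_TIMEOUT_MIN)
    if not group.content_protection:
        problems.append("content protection disabled")
    return problems


def has_run(text: str, limit: int) -> bool:
    """True if text contains more than `limit` consecutive characters that are
    identical, ascending or descending (for example 'aaaa', '1234', 'dcba')."""
    n = limit + 1
    if limit <= 0 or len(text) < n:
        return False
    codes = [ord(c) for c in text]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def password_problems(password: str, group: PolicyGroup) -> list[str]:
    """Check a proposed device password against the group's composition rules."""
    problems = []
    if not group.password_required:
        return problems
    if len(password) < group.min_password_length:
        problems.append("too short")
    if group.require_letters_and_digits and not (
        any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    ):
        problems.append("needs both letters and digits")
    if has_run(password, group.max_pattern_run):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for role in ("nurse", "purchasing"):
        group = assign_group(role)
        print(role, "->", group.name, baseline_violations(group))
    for candidate in ("secret42", "aaaa1111", "12345678", "pass1"):
        print(candidate, password_problems(candidate, HIPAA_GROUP))
```

Running the block shows the Standard group failing the ePHI floor on password length and content protection, which is acceptable only because no member of that group is cleared for ePHI; if a role is later cleared, `assign_group` must change and the device must be moved to the HIPAA group rather than the Standard group being loosened. Keeping the floor as code makes that check repeatable each time the policy groups are edited.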

Deploying BlackBerry in a HIPAA Security Environment

The following pages in this section present the standards and implementation specifications of the HIPAA Security Rule where the BlackBerry Enterprise Solution can help an organization meet its HIPAA security requirements. For each, we identify the standard and its related implementation specifications, quote the HIPAA Security Rule language, state whether the implementation specification is required (as written) or addressable by the organization, and give a brief, practical discussion of the requirement. With each specification we suggest BlackBerry IT policies or tools that can help an organization achieve an enhanced security position. These guidelines are drawn from our experience with established industry standards, from real-life application and from regulatory guidance.

While many view the BlackBerry Enterprise Solution as capable of assisting only with the technical safeguards established by the HIPAA Security Rule, the technology and tools can also assist with the administrative and physical safeguards, as outlined in the following pages. HIPAA security compliance is not achieved with a single piece of hardware, software or process: all IT technologies and processes must work in unison to create a secure environment. Each security practice must be considered within an entity's own technology environment, and only after a full risk assessment has been completed.

The following is not a complete list of the HIPAA Security Rule standards and implementation specifications. For a complete list, see the white paper BlackBerry and The Health Insurance Portability and Accountability Act.

Technical Safeguards

In general, these are the processes used to protect data and to control access to ePHI. They include authentication controls to verify sign-ons and transmission security (such as data encryption) to protect the integrity and confidentiality of data.

Standard: Access Control (R), 45 CFR 164.312(a)(1)
Implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.

Implementation Specification: Unique User Identification (R)
Assign a unique name and/or number for identifying and tracking user identity.

BlackBerry Tools and Functionality
Each BlackBerry smartphone is identified by an 8-character hexadecimal PIN that uniquely identifies the smartphone to the BlackBerry Enterprise Server. During the activation process, the user is associated with their unique email address and the administrator establishes a temporary activation password that is given to the user. Once the administrative setup is complete, the user activates the smartphone by entering their email address and the temporary activation password on the device. This process ensures the unique identification of the end user. Users cannot change the PIN of their smartphone. Organizational policies and procedures should also require written authorization and approval before a user's smartphone is activated.

In environments that use a Lightweight Directory Access Protocol (LDAP) directory, LDAP is integrated with the user administration and messaging platform, so the selection of the user's email address is further automated.

The BlackBerry Enterprise Service Policy can define allowed lists that control which BlackBerry smartphones can connect to the BlackBerry Enterprise Server, down to the individual device by PIN. Ranges of PINs can also be used to avoid listing every PIN individually. To keep centralized IT policies from being overridden, users should not be authorized or enabled to override the Enterprise Service Policy.

Implementation Specification: Emergency Access Procedure (R)
Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

Emergency access procedures are necessary when the normal means of system access, particularly a desktop or laptop computer inside an office or healthcare facility, may not be available (for example, during floods, power failures or earthquakes). The BlackBerry Enterprise Solution, combined with mobile computing, enables users to maintain a connection to the applications and messaging infrastructure that provide the information they need to perform their jobs. The BlackBerry Enterprise Server integrates with enterprise messaging and collaboration systems to provide mobile users with highly secure access to email, calendar, voice, instant messaging, browser, enterprise applications, and personal information management tools. In addition, the BlackBerry Enterprise Solution architecture provides for a high availability infrastructure. The BlackBerry Enterprise Server high availability solution is based on a component-level architecture with a primary server and a standby server, either of which is capable of running the mobile solution on its own.

Implementation Specification: Automatic Logoff (A)
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

BlackBerry Tools and Functionality
Automatic logoff protects assets that contain ePHI from unauthorized access, and ensures that an unattended smartphone cannot be used by unauthorized personnel who gain physical access to it. Administrators can set a security timeout interval (in minutes) after which a BlackBerry smartphone locks and prompts for the password regardless of whether the smartphone was in use during that interval. Administrators can also specify the number of minutes of inactivity after which the smartphone locks and the user must type the password to unlock it. This guide suggests setting the inactivity threshold between 15 and 30 minutes; organizations whose risk assessment places more weight on device loss or theft may reasonably choose a shorter interval, since a smartphone left unlocked is exposed for the whole of that period. Reference: see Password Management Close-up in the Appendix of this document.

Implementation Specification: Encryption and Decryption (A)
Implement a mechanism to encrypt and decrypt ePHI.

ePHI stored on information systems is at risk of theft or breach through unauthorized channels or server misconfiguration. Encrypting ePHI at rest greatly lowers the risk that a security incident becomes a breach of confidentiality. The BlackBerry Enterprise Server is designed to encrypt the data stored on the BlackBerry smartphone and on the BlackBerry Enterprise Server with symmetric key cryptography using the AES algorithm with 256-bit keys. The BlackBerry Enterprise Server administrator enables protected storage of data on the smartphone (content protection). The administrator can also set the cryptographic strength the smartphone uses to encrypt content it receives while the device is locked: Strong (160-bit ECC), Stronger (283-bit ECC) or Strongest (571-bit ECC).

Standard: Audit Controls (R), 45 CFR 164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

BlackBerry Tools and Functionality
Audit measures are crucial for verifying that security controls are functioning properly. Through the BlackBerry Monitoring Service, the BlackBerry Enterprise Server and smartphones can be monitored through a variety of reports. Thresholds provide an effective and efficient way to monitor these devices and the infrastructure, and the Threshold Analysis Tool can analyze existing usage data to establish appropriate thresholds from past activity. On the BlackBerry Enterprise Server, for example, CPU usage, memory usage and high availability information can be monitored; on the smartphone, messaging statistics, smartphone diagnostics, battery level and network coverage can be monitored. These capabilities alert administrators when activity approaches an unusual threshold. Note that these are operational measures of the infrastructure; the record of user and message activity that the Audit Controls standard is concerned with comes from the BlackBerry Enterprise Server logs and from the auditing of PIN, SMS and BlackBerry Messenger traffic discussed under Information System Activity Review below.

Standard: Integrity (R), 45 CFR 164.312(c)(1)
Implement policies and procedures to protect ePHI from improper alteration or destruction.

Implementation Specification: Mechanism to Authenticate ePHI (A)
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

BlackBerry Tools and Functionality
A mobile solution should authenticate traffic between devices and the server so that only authenticated data is accepted. With the BlackBerry Enterprise Server, all connections are authenticated and the data exchanged between the BlackBerry Enterprise Server and the BlackBerry smartphone is encrypted so that unauthorized third parties cannot compromise it. The BlackBerry Enterprise Solution uses symmetric key cryptography to protect every message the BlackBerry smartphone sends and to prevent third parties from decrypting or altering the message data. The BlackBerry Enterprise Server and the BlackBerry smartphone automatically reject a message that is not encrypted with keys they recognize as valid.

Standard: Person or Entity Authentication (R), 45 CFR 164.312(d)
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

BlackBerry Tools and Functionality
Access to critical information assets containing ePHI without unique user authentication can result in unauthorized, unaccountable and unattributable access, and in the loss, damage or disclosure of protected health information. The BlackBerry Enterprise Solution can support up to three authentication factors. Activation ties the smartphone to the user's account, and the device password provides a single factor (something the user knows). Using a smart card with a BlackBerry smartphone requires users to prove their identity to the smartphone with two factors: something they have (the smart card) and something they know (the smart card password). A third factor, biometrics, is also available. Once authenticated, the user can be placed in the IT policy group for individuals who have access to ePHI, and reports can then be run to show that user's activity.

Standard: Transmission Security (R), 45 CFR 164.312(e)(1)
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.

Implementation Specification: Integrity Controls (A)
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

BlackBerry Tools and Functionality
Integrity of ePHI in transit requires controls that protect the data from unauthorized access or modification while it is being transmitted. Integrity lets a recipient or system detect whether a message has been tampered with in transit, while authenticity lets the recipient identify the sender and trust that the sender actually sent the message. The BlackBerry Enterprise Solution's encryption mechanism provides integrity and authenticity because a decrypted and decompressed message must conform to a known message format before the BlackBerry smartphone accepts it. Because the encryption key is known only to the BlackBerry Enterprise Server and the BlackBerry smartphone, a message that does not conform after decryption is taken to have been altered in transit, and the smartphone automatically rejects it. Note that this is a format-conformance check rather than a dedicated message authentication code; organizations that require end-to-end, sender-attributable integrity for ePHI (for example, for messages that leave the BlackBerry Enterprise Server environment) should layer S/MIME or PGP signing on top, as described under Encryption below.

Implementation Specification: Encryption (A)
Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Encryption is crucial to creating confidential messages. Encryption scrambles data under a secret key so that only parties who know the key can recover it. The BlackBerry Enterprise Server is designed to encrypt data in transit at all points between the BlackBerry smartphone and the BlackBerry Enterprise Server with symmetric key cryptography using AES with 256-bit keys.

By default, the BlackBerry Enterprise Server does not encrypt a message when it forwards it to a recipient outside the sender's BlackBerry Enterprise Server environment, so an email containing ePHI that is sent to an outside recipient is protected only by whatever the intervening mail systems provide. Organizations can extend messaging security end to end by installing additional secure messaging technology (S/MIME or PGP) on the BlackBerry smartphone.

The Mobile Data Service (MDS) feature of the BlackBerry Enterprise Server acts as a secure gateway between the wireless network and the corporate intranet and the Internet. In addition to the AES (or, optionally, Triple DES) encrypted transport, MDS supports HTTPS connections to application servers.

Administrative Safeguards

In general, this section of the HIPAA Security Rule describes administrative procedures, including formal practices governing the selection and implementation of security measures and the conduct of personnel.

Standard: Security Management Process (R), 45 CFR 164.308(a)(1)(i)
Implement policies and procedures to prevent, detect, contain, and correct security violations.

Implementation Specification: Risk Management (R)
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

BlackBerry Tools and Functionality
All relevant information technology and computing resources should be identified and diagrammed; complete and current documentation of all critical asset systems and their associated infrastructure is essential to protecting those assets. The BlackBerry Administration Service (BAS) can provide a detailed hierarchy of all installed BlackBerry Enterprise Server components. Using the BlackBerry Enterprise Server Resource Kit, administrators can build reports to monitor and manage system-wide as well as individual performance and usage.

Implementation Specification: Information System Activity Review (R)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The value of audit logs is realized only if they are analyzed and reported on regularly. Without routine analysis and reporting, unauthorized access may go undetected until it is too late to take appropriate incident response action. All system logs should be reviewed on a regular schedule (for example, weekly, or at least monthly). Auditing can be enabled on the BlackBerry Enterprise Server for PIN and SMS messages, BlackBerry Messenger conversations, and applications. Using the BlackBerry Enterprise Server Resource Kit, administrators can report on user activity, check patterns of usage and produce statistics.

Standard: Workforce Security (R), 45 CFR 164.308(a)(3)(i)
Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, and to prevent those workforce members who do not have access from obtaining access to ePHI.

Implementation Specification: Workforce Clearance Procedure (A)
Implement procedures to determine that the access of a workforce member to ePHI is appropriate.

BlackBerry Tools and Functionality
All aspects of security depend in some measure on the trustworthiness of the personnel involved. Those with direct access to critical assets should be carefully screened to reduce the threat of malicious behavior. The BlackBerry Enterprise Server allows administrator accounts to authenticate with an organization's Active Directory credentials, eliminating the need for generic administrator accounts. Coupled with role-based administration, this lets an organization specify exactly which actions each administrator can perform. Active Directory integration, combined with an automated and robust process for adding, removing and identifying the employees who should have access to ePHI, extends the overall security framework and removes manual account administration.

Implementation Specification: Termination Procedures (A)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations that access to ePHI is no longer appropriate.

BlackBerry Tools and Functionality
Prompt removal of access or clearance helps safeguard the integrity and proper use of ePHI, even when the termination is voluntary. Immediate removal is critical when the termination is involuntary or required for emergency reasons: a terminated workforce member may be disgruntled and may attempt to damage the organization's systems. BlackBerry provides two sets of tools to help automate user management. The User Administration Tool (part of the BlackBerry Enterprise Server Resource Kit) can be called from a scripting language such as PHP or Perl to automate tasks such as disabling redirection or deleting an account. The Administration API provides an interface for .NET or Java programmers to write custom code that automates many tasks within the BlackBerry Administration Service, including user management; this can include an automatic remote wipe when circumstances require immediate removal of data from the device. A remote wipe can only take effect once the smartphone receives the command, so it should be issued before the account is removed and its completion confirmed; content protection on the device (see Encryption and Decryption above) is the safeguard for data on a device that never reconnects.

Standard: Information Access Management (R), 45 CFR 164.308(a)(4)(i)
Implement policies and procedures for authorizing access to ePHI that are consistent with the entity's determinations under the HIPAA Privacy Rule (that is, who may access which types of ePHI, and for what purposes).

Implementation Specification: Access Authorization (A)
Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism.

BlackBerry Tools and Functionality
Restricted access helps safeguard the integrity and proper use of ePHI. Authorization procedures validate the minimum necessary information that staff members require to perform their job functions, and so support the HIPAA minimum necessary requirement. The BlackBerry Enterprise Server can control whether users or applications may initiate external connections (for example, to WAP, SMS, MMS or other public gateways) from the BlackBerry smartphone.

Implementation Specification: Access Establishment and Modification (A)
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Restricted access helps safeguard the integrity and proper use of ePHI. Access procedures put the authorization decisions into effect and ensure that all system users access only the minimum necessary ePHI on a need-to-know basis. The same two sets of automation tools described under Termination Procedures above, the User Administration Tool and the Administration API, can be used to script the establishment and modification of user access in the BlackBerry Administration Service.
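The Termination Procedures and Access Establishment and Modification specifications above both point to scripting the User Administration Tool or the Administration API. What the scripting has to get right is the ordering and the decision logic, so the following added example (not code from this guide or from RIM) reconciles a constructed HR roster against a constructed list of BlackBerry Enterprise Server accounts and produces, for each account, the ordered actions an organization would then map onto its own tool calls. The roster, the accounts, the policy group names and the action vocabulary (disable-redirection, remote-wipe, delete-account, review) are assumptions for the example; no real command names of either tool are assumed.

```python
"""Plan BlackBerry deprovisioning actions for workforce changes by reconciling
an HR roster against the accounts on a BlackBerry Enterprise Server.

Added example for this guide, not RIM's code. All records are constructed
inline and the action names are a hypothetical vocabulary, to be mapped onto
the User Administration Tool or Administration API operations in use.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str              # "active", "leave" or "terminated"
    involuntary: bool = False


@dataclass(frozen=True)
class BesAccount:
    email: str
    pin: str                 # 8-character hexadecimal device PIN
    policy_group: str        # IT policy group, e.g. "HIPAA-ePHI" (assumed name)
    redirection: bool        # is mail still being pushed to the device?


EPHI_GROUPS = {"HIPAA-ePHI"}   # groups whose devices may hold ePHI (assumed)


def plan_for(account: BesAccount, hr: Optional[HrRecord]) -> list[str]:
    """Ordered actions for one account.

    Redirection is disabled first so no further ePHI reaches the device. The
    wipe is issued before the account is deleted, because the wipe command is
    delivered to the device through the account's server association. A wipe
    takes effect only when the device receives it, so content protection on
    the device remains the safeguard for a device that never reconnects.
    """
    if hr is None:
        return ["review:no-hr-record"]              # orphan account, needs a human decision
    if hr.status == "active":
        return []
    if hr.status not in ("leave", "terminated"):
        return ["review:unknown-status:" + hr.status]
    actions = []
    if account.redirection:
        actions.append("disable-redirection")
    if hr.status == "leave":
        return actions                              # access suspended, device data kept
    # Terminated: wipe whenever the exit was involuntary or the device could
    # hold ePHI, then remove the account.
    if hr.involuntary or account.policy_group in EPHI_GROUPS:
        actions.append("remote-wipe:" + account.pin)
    actions.append("delete-account")
    return actions


def plan_deprovisioning(roster: list[HrRecord], accounts: list[BesAccount]) -> dict[str, list[str]]:
    """Map every BES account to its action list; accounts with nothing to do get []."""
    by_email = {r.email.lower(): r for r in roster}
    return {a.email: plan_for(a, by_email.get(a.email.lower())) for a in accounts}


# Constructed sample data.
ROSTER = [
    HrRecord("alice@example.org", "active"),
    HrRecord("bob@example.org", "terminated", involuntary=True),
    HrRecord("carol@example.org", "terminated"),
    HrRecord("dave@example.org", "terminated"),
    HrRecord("erin@example.org", "leave"),
]
ACCOUNTS = [
    BesAccount("alice@example.org", "2100001A", "HIPAA-ePHI", True),
    BesAccount("bob@example.org", "2100002B", "Standard", True),
    BesAccount("carol@example.org", "2100003C", "HIPAA-ePHI", True),
    BesAccount("dave@example.org", "2100004D", "Standard", False),
    BesAccount("erin@example.org", "2100005E", "HIPAA-ePHI", True),
    BesAccount("frank@example.org", "2100006F", "Standard", True),   # no HR record
]

if __name__ == "__main__":
    for email, actions in plan_deprovisioning(ROSTER, ACCOUNTS).items():
        print(email, actions)
```

The plan is a list rather than a series of immediate calls so it can be logged and approved before execution, which is itself part of the documentation the Security Rule expects. Accounts with no HR record are deliberately routed to a human rather than deleted: an orphan may be a contractor or a shared device, and automatically wiping it is a different kind of incident.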

Standard: Security Awareness and Training (R) (a)(5)(i)

Implement a security awareness and training program for all members of the workforce highlighting protection from malicious software, log-in monitoring and password management.

Implementation Specification: Protection from Malicious Code (A)

Implement procedures for guarding against, detecting, and reporting malicious software.

BlackBerry Tools and Functionality

Virus control measures are critical for detecting viruses, worms, and malicious unauthorized software that may be introduced to critical servers through legitimate communications channels. The BlackBerry Enterprise Solution focuses on containing malicious programs. The BlackBerry Enterprise Server comes with over 25 Application Control IT policies that allow the administrator to limit the resources and user data available to a given application. For example, restrictions can be imposed on internal or external domains, the smartphone, Bluetooth, USB, and user data such as e-mail and personal information management (PIM) data. Sensitive areas of the BlackBerry smartphone, such as the cryptographic, phone and PIM (personal information management) functions, are protected by RIM code signing and can only be accessed by code that has been signed through the RIM code signing process. Additionally, lists can be maintained on the BlackBerry Enterprise Server to control which applications are or are not allowed to be installed on the BlackBerry smartphone.

Implementation Specification: Log-in Monitoring (A)

Implement procedures for monitoring log-in attempts and reporting discrepancies.

BlackBerry Tools and Functionality

Awareness of system misuse is important to ensuring the confidentiality, integrity, and availability of an organization's information and systems. In addition to the ability to monitor log-in activities, an administrator (if requested) can review reports that show what the user has been doing on their smartphone. Administrators can review this information through the BlackBerry Enterprise Server logs. BlackBerry Enterprise Server logs should be secured and made available only to individuals who have been properly trained and educated on the use of ePHI.

Implementation Specification: Password Management (A)

Implement procedures for creating, changing, and safeguarding passwords.

BlackBerry Tools and Functionality

Passwords remain the most convenient and cost-effective method of controlling access and maintaining accountability for information systems. Awareness of good password practices is important to ensuring the confidentiality, integrity and availability of information. The lack of a documented and widely disseminated policy for strong passwords can lead to potential exposure of critical assets. A password policy is the first step toward a sound password program. A password's strength is directly related to its construction. Adequate guidelines for password construction ensure that each workforce member can create sufficiently strong passwords. Passwords should be changed regularly to mitigate the potential losses that may result from stolen or broken passwords.

Reference: See Password Management Close-up in the Appendix of this document.
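The Log-in Monitoring passage above calls for monitoring log-in attempts, reporting discrepancies, and restricting who may read the server logs themselves. The Python below is an added example, not code from this white paper or from Research In Motion, and it does not use the real BlackBerry Enterprise Server log format: it runs three detection rules over a constructed sample of authentication events (a burst of failed log-ins for one account, a success immediately following such a burst, and a log-read by an account that is not on the administrator allow-list). The line format, field names, thresholds and the LOG_ADMINS allow-list are assumptions.

```python
"""Log-in monitoring: detection rules over authentication events.

Added example; not code or a log format from the white paper or from RIM.
The line format, field names, thresholds and LOG_ADMINS are assumptions,
and LOG_LINES is a constructed sample.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                  # failures within the window that trigger an alert (assumed)
FAILURE_WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)
LOG_ADMINS = {"secadmin"}               # accounts permitted to read server logs (assumed)

# Constructed sample events, one per line, oldest first.
LOG_LINES = """\
2024-05-03T08:01:12Z user=jdoe device=DEVICE-0001 event=auth result=success
2024-05-03T08:05:40Z user=asmith device=DEVICE-0002 event=auth result=failure reason=bad_password
2024-05-03T08:05:55Z user=asmith device=DEVICE-0002 event=auth result=failure reason=bad_password
2024-05-03T08:06:10Z user=asmith device=DEVICE-0002 event=auth result=failure reason=bad_password
2024-05-03T08:06:30Z user=asmith device=DEVICE-0002 event=auth result=failure reason=bad_password
2024-05-03T08:06:51Z user=asmith device=DEVICE-0002 event=auth result=failure reason=bad_password
2024-05-03T08:07:05Z user=asmith device=DEVICE-0002 event=auth result=success
2024-05-03T09:15:00Z user=clee device=DEVICE-0004 event=auth result=failure reason=bad_password
2024-05-03T14:20:00Z user=clee device=DEVICE-0004 event=auth result=success
2024-05-03T22:45:09Z user=bwong device=DEVICE-0003 event=auth result=success
2024-05-03T22:46:00Z user=bwong device=DEVICE-0003 event=admin_access target=server_logs result=success
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict, or None if malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fields = [kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv]
    event = dict(fields)
    try:
        event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return event


def analyze(log_text, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW, log_admins=LOG_ADMINS):
    """Return a chronological list of alert dicts produced by the three rules."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    burst_open = set()                    # users currently in an alerted failure burst

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        user, ts = ev.get("user", "?"), ev["ts"]

        if ev.get("event") == "auth":
            if ev.get("result") == "failure":
                q = recent_failures[user]
                q.append(ts)
                while q and ts - q[0] > window:   # drop failures that fell out of the window
                    q.popleft()
                if len(q) >= threshold and user not in burst_open:
                    burst_open.add(user)
                    alerts.append({"rule": "failure_burst", "user": user, "time": ts,
                                   "detail": f"{len(q)} failed log-ins within {window}"})
            elif ev.get("result") == "success":
                if user in burst_open:
                    # A success right after a burst is the case worth a human look:
                    # either a user who finally remembered, or a guessed password.
                    alerts.append({"rule": "success_after_burst", "user": user, "time": ts,
                                   "detail": "successful log-in following a failure burst; verify with user"})
                burst_open.discard(user)
                recent_failures[user].clear()

        elif ev.get("event") == "admin_access" and ev.get("target") == "server_logs":
            if user not in log_admins:
                alerts.append({"rule": "unauthorized_log_access", "user": user, "time": ts,
                               "detail": "server log read by an account outside the log-admin allow-list"})

    return alerts


if __name__ == "__main__":
    for a in analyze(LOG_LINES):
        print(f"{a['time'].isoformat()}  {a['rule']:<24} {a['user']:<10} {a['detail']}")
```

The single failure for clee followed hours later by a success produces no alert, which is the intended behaviour: the rules are meant to surface discrepancies worth reporting, not every mistyped password.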

Standard: Contingency Plan (R) (a)(7)(i)

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.

Implementation Specification: Emergency Mode Operation Plan (R)

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.

BlackBerry Tools and Functionality

Procedures need to describe which operations are basic and critical to ensure the security of ePHI. For example, the only type of operations necessary in emergency mode for one organization might be to keep the networks running or to make sure that encryption does not fail. For another organization, the only basic operation might be to collect all backup tapes and abandon the premises. BlackBerry high availability supports database mirroring, which provides fault tolerance. In addition, high availability is configurable in a distributed environment. Automated methods are available to calculate health scores for the BlackBerry Enterprise Server and automatically fail over to standby instances.

Physical Safeguards

This category focuses on the mechanisms required for the protection of physical computer systems, equipment and the buildings in which ePHI is stored from threats such as fires, natural disasters, environmental hazards, and unauthorized intrusion. Also covered are physical access controls such as locks and sign-in procedures.

Standard: Device and Media Controls (R) (d)(1)

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.

Implementation Specification: Disposal (R)

Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

BlackBerry Tools and Functionality

It is important to establish and follow proper sanitization procedures to avoid unauthorized disclosure of ePHI. Organizations can erase and disable the smartphone, making the smartphone unavailable for use. By default, the BlackBerry smartphone continually runs a standard Java garbage collection process to reclaim BlackBerry smartphone memory that is no longer referenced. Secure garbage collection is another means to permanently remove any data that is no longer referenced. Secure garbage collection is automatically turned on when content protection is enabled or the S/MIME or PGP Support Packages are installed.

Implementation Specification: Media Re-Use (R)

Implement procedures for removal of ePHI from electronic media before the media are made available for reuse.

BlackBerry Tools and Functionality

It is important to develop procedures for how the organization will re-use smartphones and any type of media containing ePHI so that PHI is not accessed improperly. Organizations can erase and disable the smartphone, preparing it for the next user. Additionally, an administrator can remotely erase and disable the smartphone, making the smartphone unavailable for use.

Implementation Specification: Accountability (A)

Maintain a record of the movement of hardware and electronic media and any person responsible therefore.

BlackBerry Tools and Functionality

It is important to maintain a record of the actions of a person relative to the receipt and removal of hardware and/or software into and out of a facility that are traceable to that person. An inventory of all smartphones and their users is available through reporting tools.

Standard: Workstation Use (R) (b)

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI.

BlackBerry Tools and Functionality

All workstations/devices storing or transmitting ePHI should be inventoried as to what type of ePHI they can process and in which manner. An inventory of all smartphones and their users is available through reporting tools.


Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information