Procedure Title: TennDent HIPAA Security Awareness and Training

Transcription

1 Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary Department: HIPAA Security Prior Procedure or Cross Reference(s): 10/1/2010 Date Procedure Last Reviewed: 9/23/2011 Date Procedure Last Revised: 9/23/2011 Review Frequency: Annually Next Scheduled Review: 7/1/2012 Approvals: TennDent Quality Monitoring Improvement Committee Approval: On File Date: 9/23/2011 Scope: The procedures outlined in this document are designed to educate all TennDent staff on the internal policies and legislation relating to the HIPAA security rule. Purpose: The procedures listed in this document will educate TennDent staff on the various components of the HIPAA Security rule. Procedure: Responsible Party Action Periodic Security Updates All TennDent staff (internal and external) shall receive periodic security updates as changes in internal policies or as legislation requires. All staff shall receive initial training on the HIPAA Security Rule. All new employees shall receive initial HIPAA training as well as Security Awareness training. All policies and procedures established to comply with the HIPAA Security Rule will be posted on TennDent of Tennessee s intranet and shall be Procedure: HIPAA Security Awareness and Training 1

2 TennDent Staff viewable by all internal and external staff. Warnings of Threats or Security Incidents All TennDent staff (internal and external) shall be notified by the IS Department of any potential threats (worms, viruses, etc.). The IS Department shall also alert all staff of any current internet schemes as they are identified such as social engineering, fishing or any means of obtaining unauthorized access to systems or data. General alerts shall be dispatched via , while subscriber or group specific alerts will be dispersed through the Customer Service Toolkit. Any staff member that observes any unauthorized attempts to access systems or data is to notify the Security Officer immediately. Virus Detection Software When a new system is introduced to the network, McAfee Anti-Virus is installed as a "default" application. The client is configured to update every day. Monthly system checks ensure that each client has the most current virus detection software. The mail server currently scans all incoming s utilizing Groupshield which is also reviewed periodically for any updates. Log In Monitoring and Review The IS Department will periodically conduct random system audits. The system audit shall log any suspicious activity such as invalid login attempts, logins at odd hours, and access to system objects. Detailed procedures for this process are documented in the Audit Control and Review Plan. Creating, Changing, and Safeguarding Passwords Requirements for ALL Users: Passwords should never be words found in a dictionary. Passwords should never be derivatives of User ID s or full name. Passwords should never be spouse, children or pet s name or date of birth. Passwords should never be car tag, phone number or social security number. Passwords should never be common character sequences like abc123. Passwords should never be written down, never taped to the monitor or saved in a location that is not secure. Passwords should never be company, organization, department or profession names or abbreviations. You are strictly prohibited from giving your password to anyone unless requested to do so directly by an Officer, manager or DDPT s Network Administrator. Users shall not attempt to learn another person s password/pass phrase and/or access another person s account using their password/pass phrase. Procedure: HIPAA Security Awareness and Training 2

3 Requirements for Network Administrators: Each Network User will have their own User ID and Password. Network User Passwords shall expire in 90 days and the user will be required to create a new password. An exception to this rule requires Form Request Special Security signed by a Senior VP of DDPT. Network User Passwords will be required to be 8 characters long. Network User Accounts will be locked out after 5 invalid logon attempts. Network User Accounts will remain locked out until an administrator resets them. Network User Passwords will be required to be unique from the last 10 passwords. Network User Passwords will have a minimum age of one (1) day. Administrator will daily check event logs for invalid logon attempts. Administrator will daily check event logs for successful logins during unscheduled working hours. All workstations will be secured with a password/pass phrase-protected screen saver, with the automatic activation feature set to 10 minutes or less, or by manually locking the workstation when the workstation will be unattended. Human Resources TennDent Management Staff Requirements for Support Systems (Website, Electronic Billing, etc.): Each Group accessing PHI will have their own User ID and Password. Group Passwords will be required to be 8 characters long. Support Systems personnel will daily check event logs for invalid logon attempts. Support Systems personnel will daily check event logs for successful logins during unscheduled working hours. Requirements for Files that contain PHI: Each File containing PHI that will be transferred, transmitted or mailed to anyone outside of the building should be password protected or encrypted. The only exception to this rule will be transfers made through secure point to point connections via VPN, HTTPS, SFTP and SHTML. Passwords for these files must pass the Requirements for ALL Users section contained in this document. Passwords for these files must not be transferred, transmitted or mailed with the same files that they are used to protect. HIPAA Training Documentation All HIPAA Training shall be documented in a log which will specify the type of training, the date, and the names of all participants. Upon completion of training all participants shall sign an Acknowledgement of HIPAA Security Training. Training Issues for HIPAA Security Rule Security Management Policy Procedure: HIPAA Security Awareness and Training 3

4 HAG (HIPAA Assessment Group) Risk Analysis Identification and inventory of EPHI repositories Periodic review and assignment of risk level Information Access Management o Each supervisor or manager is responsible for authorizing access to systems and networks containing EPHI for his or her subordinates. Workforce members are not permitted to authorize their own access to EPHI or be granted authorization from another supervisor. o Each supervisor or manager is responsible for ensuring that the access to EPHI granted to each of his or her subordinates is the minimum necessary access required for each such subordinate's job role and responsibilities. Each supervisor or manager is responsible for periodically reviewing the access to EPHI granted to each of his or her subordinates and for modifying such access if appropriate /Human Resources Security Awareness and Training Identification and protection against malicious code or software Notification of new and potential threats (worms, viruses, denial of service attacks) HIPAA Security Officer HAG Committee Password Management Acknowledgement of HIPAA Security Training Incident Response and Reporting Security Incident and Reporting Form Data Backup and Contingency Plan Disaster Recovery Plan Awareness Emergency Mode of Operation Awareness Periodic Evaluation of Security Policies and Procedures Periodic Evaluation by the Security Officer Annual Evaluation by the HAG Committee Immediate Evaluations Based on Occurrence Changes in regulations affecting the security or privacy of PHI Changes in technology, environmental or business processes that may affect the security or privacy of PHI A serious breech or violation occurs Procedure: HIPAA Security Awareness and Training 4

5 Annual Evaluation of TENNDENT Procedures Internal Audit of Security Policies and Procedures /HIPAA Security Officer Security Verification and Validation Physical Walk Through Employee Interviews Facility Access Controls Facility Security Plan Workforce Access Controls Visitor Access Controls Workstation Acceptable Use Monitoring of Workstation Use Removal of Workforce Member Privileges System Security Workstation Security Portable Device Security Devise and Media Control Devise Control Storage Media Control and Destruction Data Backup How to store data to ensure proper backup Requesting a file restore EPHI Integrity Transmission Integrity and Authentication System Integrity Data at Rest Integrity EPHI Transmission Security EPHI Transmissions to Non-TENNDENT Entities EPHI Transmissions using Electronic Removable Media EPHI Transmissions using or Messaging Systems EPHI Transmissions using Wireless LANs and Devices Computer Use Policy Rights and Sensibilities of Others Legal Implications of Computer Use Respect of TENNDENT s Mission in the Community Harm of the Integrity of TENNDENT s Computer Systems and Networks Procedure: HIPAA Security Awareness and Training 5

6 Electronic Information Accessibility and Usage TENNDENT s Policy Uses of Internet and using TENNDENT s equipment or facilities that are not allowed User s Responsibilities Related Policies and Procedures: Procedure: HIPAA Security Awareness and Training 6