1 IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines
2 U.S. Department of Health and Human Services Administration for Children and Families Washington, D.C Information Memorandum #: OISM-IM-93-1 Date: October 1, 1992 TO: Subject: State Public Assistance, Child Support Enforcement and Medicaid Agencies and other interested parties. ADP System Security Requirements and Review Process - Federal Guidelines Related References: Purpose: In order to assist States in meeting the security requirements of 45 CFR Part 95, DHHS is attaching a guidance document which provides a description of what we consider appropriate for a State to address in its written security summary of findings and determination of compliance with Part 95 requirements. This information is intended as guidance and is not to be used as an outline or checklist. Each State's security program is unique, possessing features necessitated by singular data processing environments. Background: State public assistance agencies are responsible for the security of all developmental or operational Federally funded automatic data processing (ADP) systems. These systems are subject to the provisions of 45 CFR Part 95, Subpart F. On February 7, 1990, the Department of Health and Human Services (DHHS) published final rules at 45 CFR Part 95, Subpart F and the Department of Agriculture, Food and Nutrition Service (FNS), published final rules at 7 CFR Part 277 in the Federal Register. See 55 FR These regulations became effective on May 8, 1990, and included new provisions for establishing minimum standard requirements for the security of systems used to administer programs covered under these rules. State Responsibility to Establish ADP Security Program Under 45 CFR each State is responsible for the security of all ADP projects under development and all operational systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F. This regulation requires that State agencies shall (1) determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information
3 processing; (2) implement appropriate security requirements; (3) establish asecurity plan and, as appropriate, policies and procedures to address the areas of ADP security at (f)(2)(ii); (4) establish and maintain a program for conducting periodic risk analyses; and (5) conduct a biennial ADP system security review of installations involved in the administration of DHHS programs which, at a minimum, includes an evaluation of physical and data security operating procedures, and personnel practices. This requirement applies to all ADP systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F. On January 10, 1991, the former Family Support Administration (FSA) and the Food and Nutrition Service (FNS) jointly issued Action Transmittal FSA-AT That Action Transmittal established that biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter. State Responsibility to Conduct Biennial ADP System Security Review The biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter. For new ADP applications, reviews must be conducted upon implementation and every two years thereafter. After completing the required biennial ADP system security review, Heads of State agencies must provide a written summary of findings and a determination of compliance with the Part 95 ADP security requirements. In their reports to DHHS and FNS, States must include written summaries of their ADP security programs and action plans with the scheduled dates of milestones which, when the appropriate safeguards are properly implemented, will protect against identified threats. States also must certify compliance of their ADP Security Program in the following areas: A. Physical security of ADP resources; B. Equipment security to protect equipment from theft and unauthorized use; C. Software and data security; D. Telecommunications security; E. Personnel security; F. Contingency plans to meet critical processing needs in the event of short or long-term interruption of service; G. Emergency preparedness; and H. Designation of an Agency ADP Security Manager. Funding for ADP security will generally be available at the regular administrative cost for operating State and local systems to administer programs covered under 45 CFR Part 95, Subpart F. As an exception,
4 however, the statutes authorizing enhanced funding, sections 454(16)(c) and 402(a)(30) of the Social Security Act, specifically reference security as a requirement of the State. For example, these requirements are addressed within the review and approval of a FAMIS APD and enhanced funding will be provided for those automated procedures related to the security of this system. Information Sources Additional information on computer systems security can be obtained from sources such as the Computer Security Institute, Datapro Research Corporation, and the Information Systems Officers Association. Additionally, the National Institute of Standards and Technology (NIST) "Publications List 91" list may prove helpful. A copy of this list is attached to FSA-AT-91-2 dated January 10, It provides instructions for ordering specific publications from the U.S. Government Printing Office and the National Technical Information Service. Instructions: DHHS has already received some submissions and requests for clarification from States. It is the intent of this Information Memorandum to respond to requests from States for technical assistance in order to meet ADP systems security requirements. We have attached a guidance document that you may find useful when conducting reviews and preparing written summaries. As this is the first time that State and local government entities have reported biennial reviews in accordance with this new regulation, we anticipate that the reports to HHS will be varied and informative. HHS welcomes any and all comments from State and local governments concerning this Information Memorandum and its attachment. Mail Plans To: Mr. Mark E. Ragan, Director Office of State Systems Administration for Children and Families, DHHS Washington, D.C Telephone Inquiries To: Administration for Children and Families (202) Assistant Secretary for Children and Families Attachment
5 I. Objective of ADP Biennial Security Requirements Under 45 CFR each State is responsible for the security of all ADP projects under development and all operational systems involved in the administration of DHHS programs. This regulation requires that State agencies shall (1) determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing; (2) implement appropriate security requirements; (3) establish a security plan and, as appropriate, policies and procedures to address the areas of ADP security specified at (f)(2)(ii); (4) establish and maintain a program for conducting periodic risk analyses; and (5) conduct a biennial ADP system security review of installations involved in the administration of DHHS programs which, at a minimum, includes an evaluation of physical and data security operating procedures, and personnel practices. These requirements apply to all ADP systems used by State and local governments to administer programs covered under 45 CFR part 95, subpart F. State agencies are to complete the required biennial ADP System Security Review before October 1, 1992 for existing systems. Heads of State agencies are required to provide DHHS the following information no later than October 1, 1992: (1) a summary of the State's findings during the biennial review; (2) a determination of compliance with the State's ADP security requirements; (3) a description of the State's ADP security program; (4) an action plan with scheduled due dates of milestones which when completed will correct any security weaknesses; and (5) certification of State compliance with those areas cited in (f)(2)(ii). Certification of compliance must be made by the head of the State agency. II. Summary of State's findings during the biennial review A Summary of Findings during the biennial review gives the types and levels of protection necessary for equipment, data, information, applications, and facilities to meet the requirements of the State's ADP systems security policy. These are the minimum requirements necessary for the State to maintain an acceptable level of security. States usually include a summary list of vulnerabilities. The following areas of vulnerability may be addressed: -- Opportunity for entering erroneous or falsified input data -- Opportunity for unauthorized access -- Ineffective administrative controls -- Ineffective application program controls and back-up capability Such summaries usually discuss all instances where a biennial review shows noncompliance with security requirements. These State findings are used to determine compliance with the State's ADP systems security requirements.
6 III. Determination of Compliance with the State's ADP security requirements A Determination of Compliance with the State's ADP security requirements uses the Summary of Findings to develop the protective measures and controls that are needed to meet the security requirements for the State. These are usually called security safeguards and may include but are not necessarily limited to: hardware and software security features, operating procedures, accountability procedures, access and distribution controls, management constraints, personnel security, and physical structures, areas, and devices. A Determination of Compliance usually addresses all areas where a Summary review shows non-compliance with security requirements. IV. Description of State's ADP security program This provides an overview of the security of all ADP projects under development and operational systems involved in the administration of DHHS programs. It usually identifies the process used to determine the appropriate ADP security requirements, citing recognized industry standards or standards governing security of Federal ADP systems and information processing, used as a basis for this determination. It describes an overall security program which assures a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained in the system(s). Accordingly: (1) each operational system involved in the administration of DHHS programs must have the appropriate technical, personnel, administrative, environmental, and telecommunications safeguards; (2) each system's security should be cost-effective; and (3) each system, which supports critical functions, would have to have a contingency or disaster recovery plan to provide continuity of operations. The State's description summarizes ADP security requirements and how they are met. Some typical areas may be: A. Physical security of ADP resources Physical security safeguards apply in administrative, physical, and technical areas which involve the administration of DHHS programs. They can be achieved through the use of locks, guards, administrative controls, and measures to protect against damage from intentional acts, accidents, fires, and environmental hazards such as floods, hurricanes, and earthquakes. Minimum security safeguards reflecting minimum security requirements are usually planned and/or implemented based on the results of a risk analysis. There are various components of State facilities which may require protection. For example: -- Computer room
7 -- Data control and conversation area -- Programmer's area -- Terminal/remote job entry (RJE) room -- Communications equipment area -- Data file storage area -- Forms storage area -- Supplies storage area -- Maintenance/workshop area -- Support equipment area (including cooling towers and water supply) -- Telephone closet -- Power supply area (including transformer vaults and power panels) -- General office area (where sensitive data is handled) 1. Access Control Physical and administrative controls to prevent unauthorized entry into operations, data storage, library, and other support areas are access controls. The following areas are examples of access control: -- Physical controls -- Administrative controls -- Protection of sensitive materials -- Fire safety 2. Operating Systems Control These are the operating system features that guarantee systems integrity and prevent unauthorized use of sensitive system interfaces. They may include operating system control of access to data files and software programs stored in the facility, recording and displaying non-routine activity that may indicate a security violation, safeguards to protect operational status and subsequent re-start integrity during and after shutdown. B. Equipment security to protect equipment from theft and unauthorized use These are the physical protection concerns the State addresses in order to prevent or minimize equipment loss or damage due to theft, sabotage, civil disturbance, natural disaster or other threats. Critical areas, such as cost of replacement, security precautions in place (e.g., locked area, patrolled by guard), fire protection, theft, vandalism, and other types of potential damage or loss are usually discussed here.
8 C. Software and data security These types of control processes ensure that appropriate administrative, physical, and technical safeguards are incorporated into all applications and significant modifications. D. Telecommunications security This is how the State provides effective and appropriate protection for the DHHS program data when they are transmitted by data communications equipment. Typical areas of telecommunications security are: 1. The State's process for establishing and implementing required and appropriate procedures, controls, and security safeguards for the data communications network. 2. An overview of its contingency plan for use in the event of major disruptions to the communication of highly sensitive data or highly critical data communications capabilities is helpful. E. Personnel security Personnel security policies are usually in place which cover all individuals participating in system design, operation, and maintenance, or having access to data from systems involved in the administration of DHHS programs. One important aspect of personnel security is the State's security awareness and training activity. F. Contingency plan to meet critical processing needs in the event of short or longterm interruption of service. Every facility and outlying office/remote site (including Wide Area Networks and Local Area Networks) which process applications that are critical to the performance of the State's mission in support of DHHS programs should have a contingency plan. Contingency planning usually includes: -- Identification of critical applications -- Maximum permissible outage (i.e., disruption of service, use, or access) for each application -- Regular backup of critical applications, data, operating software, and databases -- Alternate operating procedures, as appropriate -- Regular contingency plan testing -- Update of the contingency plan based on test results
9 G. Emergency preparedness. This is advance planning which clearly identifies circumstances that require an emergency response, who to contact, where to contact them, and when they should be contacted. The goal of emergency preparedness is to minimize or prevent interference with systems involved in the administration of DHHS programs. Requirements for different facilities will vary, and may be addressed by identifying, in general terms, what is being protected and what emergency situation it is being protected from. H. Designation of an Agency ADP Security Manager. This identifies the State ADP Security Manager and usually includes major duties/responsibilities. I. Periodic Risk Analyses Each State is required to develop a comprehensive risk management program. The State risk management program may be summarized as it pertains to the administration of DHHS programs. Risk management programs usually entail many risk analyses and may provide for additional reviews which are required whenever a system, facility, or network undergoes a significant modification. V. Action plan with scheduled dates of milestones which when completed will correct any security weaknesses This is a schedule for implementing selected safeguards, giving key milestone dates, when available. Such schedules usually describe the State's plan for monitoring the scheduled implementation of safeguards, and the process used to review and approve all implementation plans for accuracy and adequacy. VI. Certify State compliance with (f)(2) Heads of State agencies must determine that the security program is in compliance with the security requirements identified as a result of implementing this regulation. Such determination must include written certification of compliance with those areas cited in (f)(2).
10 Definition of DHHS Security Terms access control The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. (See page 7.) action plan A written plan of activities which a State will initiate to correct security weaknesses identified during its biennial review. (See pages 2, 5 and 10.) ADP security ADP or computer security refers to the combination of physical, administrative, and technical measures applied to protect automated information system assets from loss, destruction, misuse, alteration, or unauthorized disclosure or access. (See pages 1, 2 and 5.) ADP security manager The person responsible to the State agency head for ensuring that security is provided for and implemented throughout the life cycle of an automated information system from the beginning of the concept development plan through its design, development, operation, maintenance, and secure disposal. (See pages 3 and 10.) ADP security program The laws, rules, procedures and practices that regulate how ADP systems are managed and protected in order to meet a State's security requirements. (See pages 1, 2, 5 and 6.) These definitions are drawn from official documents of the United States Government departments and agencies. The intent of these definitions is to clarify ADP security terms which arise during a State's biennial security review.
11 Definition of DHHS Security Terms biennial ADP system security review A thorough examination of a State's ADP systems conducted every 2-years for the purpose of determining a State's compliance with ADP security requirements. (See pages 2 and 5.) certification of compliance The comprehensive evaluation of the technical and nontechnical security features of an automated information system and other safeguards, made in support of the biennial review process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements. (See pages 5 and 10.) computer system Any equipment or interconnected system or subsystems of equipment used in automatic acquisition, storage manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; and includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. (See page 3.) contingency plan A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation, after a reasonable period of time. (See pages 3 and 9.) contingency planning Contingency planning refers to the development, testing, and maintenance of plans for emergency response, backup operations, and disaster recovery at an automated information system facility where data and information are processed. The purpose of contingency planning is to maximize data availability. (See page 9.) data availability The state when data are in the place needed by the user, at the time the user needs them, and in the form needed by the user. (See page 13.)
12 Definition of DHHS Security Terms data file A data file is a compilation of DHHS program related information which shares specified descriptive characteristics. A data file is created, collected, processed, transmitted, disseminated, used, stored, and disposed of by application systems. The protection of DHHS program data files is the cornerstone of the DHHS ADP security requirements. (See pages 7 and 8.) data security The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. Also known as data integrity. (See pages 2, 3, 5 and 8.) determination of compliance milestone The result of evaluating a State's findings to determine that its security standards governing DHHS information systems are adequate and whether the security program meets minimal security requirements. (See pages 2, 3, 5 and 6.) A planned event at a point in time. (See pages 2, 5 and 10.) personnel security Personnel security refers to a program that determines the sensitivity of positions and screens individuals who participate in the design, operation, or maintenance of automated information systems or who have access to such systems. (See pages 3, 6 and 9.) physical security Physical security refers to the combination of devices that bar, detect, monitor, restrict, or otherwise control access to sensitive areas. Physical security also refers to the measures to protect a facility that houses automated information system assets and its contents from damage by accident, malicious intent, fire, loss of utilities, environmental hazards, and unauthorized access. (See pages 2 and 7.)
13 Definition of DHHS Security Terms requirement risk A prerequisite needed to achieve an objective or goal. (See pages 1, 2, 3, 5, 6, 7, 9 and 10.) The probability that a particular threat will exploit a particular vulnerability of the system. (See pages 6 and 10.) risk analysis The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards based on State security objectives. Risk analysis is a part of risk management. Synonymous with risk assessment. (See page 7.) risk management safeguard Risk management is a process for minimizing losses through the periodic assessment of potential hazards and the systematic application of corrective measures. (See page 10.) A protection which is proportional to the amount of loss and probability of loss. Safeguards should not be used if no threat exists. (See pages 2, 6, 7, 8 and 10.) security requirement The types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy. (See pages 1, 2, 5, 6, 7 and 10.) software security standard General purpose (executive, utility or software development tools) and applications programs or routines that protect data handled by a system. (See page 6.) A recognized level of security based on similar applications applied to systems used in industry or the Federal Government. (See page 1, 5, 6, and 13.)
14 Definition of DHHS Security Terms telecommunications security threat Measures taken to deny unauthorized persons information from telecommunications programs, and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of communications security material and information. (See pages 3 and 8.) Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. (See pages 2, 8 and 14.) vulnerability A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security policy. (See pages 5 and 14.)
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
Department of Commerce $ National Oceanic & Atmospheric Administration $ National Weather Service NATIONAL WEATHER SERVICE POLICY DIRECTIVE 80-3 October 28, 2009 Science and Technology SYSTEMS ENGINEERING
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology firstname.lastname@example.org Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.
Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health
Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information
Nicole R. Galloway, CPA Missouri State Auditor ELEMENTARY AND SECONDARY EDUCATION Missouri Student Information System Data Governance October 2015 http://auditor.mo.gov Report No. 2015-093 Nicole R. Galloway,
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 33-204 21 September 2001 Communications and Information INFORMATION ASSURANCE (IA) AWARENESS PROGRAM COMPLIANCE WITH THIS PUBLICATION IS
HEALTH CARE ADVISORY March 2003 FINAL HIPAA SECURITY REGULATIONS RELEASED AT LAST On February 20, 2003, the Department of Health and Human Services (HHS) published the Final Security Rule under the Health
GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States
Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS 1. Purpose This directive establishes the Department of Homeland
OFHEO Director's Advisory Policy Guidance Issuance Date: December 19, 2001 Doc. #: PG-01-002 Subject: Safety and Soundness Standards for Information To: Chief Executive Officers of Fannie Mae and Freddie
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
Legislative Audit Division State of Montana November 2004 Report to the Legislature Information System Audit Criminal Justice Information Network (CJIN) Department of Justice This report contains the results
Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed
Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
Department of the Interior Security Control Standard Physical and Environmental Protection April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
Electronic Medical Records: Legal and Ethical Implications for Patients Linda A. Simunek, RN, PhD, JD Executive Director, Doctoral Success Grant and Adjunct Professor in Law in Healthcare Education, Fischler
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
INSPECTOR GENERAL STATEMENT ON THE FEDERAL COMMUNICATIONS COMMISSION S MAJOR MANAGEMENT CHALLENGES FISCAL YEAR 2005 05-AUD-04-08 November 15, 2005 Office of Inspector General ******* Federal Communications
HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original