HIPAA Privacy and Security Risk Assessment and Action Planning

Transcription

1 HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account Lockout Password History Password Change Password Length and Complexity Emergency Access (TVS015, TVS026) Audit Logs (TVS014, TVS017, TVS019) Each user is assigned a unique name and/or number and password in order to access the EHR? Access to the EHR is configured based on the user s role within the Practice and privileges restricted to those roles? Applications accessing PHI are set to lock out user after multiple failed login attempts? EHR restricts use of previously used passwords,how often can a PW be reused? The EHR password is set to expire on a regular basis, i.e. after 90 days? Do applications accessing e-phi require a long, complex password eg >8 characters and containing >3 occurences of: Upper Case, Lower Case, Numbers, Special Characters -? Are procedures in place for obtaining e-phi remotely or in an emergency through a secure link? Audit logs are maintained for e-phi programs and they are reviewed regularly. w set to times, N/ A w set to times, N/ A w set to months, N/ A Should be months N/ A w set to Sys/Net Logs Audit: Should be set to times Should be set to times Should be set to months Should be set to Aplctn Logs Audit: HIPAA Privacy and Security Assessment v.pp.jun Page 1

2 e-phi Hosting Infrastructure Cloud, Hosted Server, or Locally Hosted Responsibility for techinical aspects of practice operations are outsoursed to vendors deemed knowledgeable and reliable in providing technology services. ephi is hosted by Cloud / ISP ISP/ Cloud Name: ephi is hosted Locally Firewall Review (TVS0019) Wireless Security Antivirus Protections (TVS018) OS Updates Servers and Clients (TVS024) The firewall has appropriate configuration and security - Access Cntl Lists, VPN s, Certs, updated maint, encrypted admin access, etc Wireless has been configured and tested for appropriate security using WEP / WPA encryption and other protections. Systems containing e-phi have antivirus software that is updated daily? All workstations and servers are regularly updated with the latest security patches, hotfixes, and service packs, i.e. Updated every 30 days or when updates are released? Tech Support Provided By: Maintained by Professional ISP / HOST Vendor Maintained by Local Professional : Server Anti-Virus: Client Anti-Virus: Yes, Hosting Protection Supplied by ISP/ASP ISP/ASP/ Name: ephi is hosted Locally Tech Support Provided By: HIPAA Privacy and Security Assessment v.pp.jun Page 2

3 e-phi Hosting Infrastructure Encryption of Host Systems - Server e-phi is fully encrypted? Y N - Practice relies on hosting vendor to fully protect e-phi according to FedRegs. Y N Encryption of Client Computers Encryption of Data Transmission Backups (TVS026) - Is there PHI on portable computers? Y N - Are host credentials save on them? Y N - Is there full-disk encryption in place? Y N - Is Encryption used with all permitted portable data storage? Y N e-phi transmits encrypted? Y N w e-phi is encrypted? Y N e-phi Data transfers? Y N other way that e-phi is communicated over non-secure transmission paths. Backups of e-phi data files are performed nightly and taken offsite each week? - e-phi backups are fully encrypted? Y N - Practice relies on hosting vendor to fully protect e-phi according to FedRegs. Y N Local Backup Freq: Offsite Freq: Offsite Storage Location: HIPAA Privacy and Security Assessment v.pp.jun Page 3

4 Environmental/ & Disaster Plan Emergency power EHR technology is secured by anti-theft mechanisms EHR host is in environmentally secure location Offices have access to short-term emergency power to facilitate an orderly shutdown of systems and operations. Computers with access to EHR are protected from access or theft by physical location or anti-theft controls such as locked doors, cable locks, or other devices. The EHR system is positioned to minimize potential damage from environmental hazards such as flooding, fire, tornadoes, earthquake,... Practice Relies on Professional Hosting Vendor Local office power backup in place. Mins See Facility Walkthru Summary EHR protected by Fire detection and suppression The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. Disaster Recovery - Plan (TVS026) Disaster Recovery Testing (TVS026) A Disaster Recovery Plan to rapidly restore normal operations in the event of a catestrophic interuption has been devised and documented and personnel are trained to carry out the plan. Practice s Disaster Recovery plan has been tested to assure successful restoration and integrity of data and proper practice ops and tested on a quarterly basis? HIPAA Privacy and Security Assessment v.pp.jun Page 4

5 Administrative Security Officer Privacy and Security The key role of Security Officer is assigned, properly prepared, and their role is clearly communicated to the rest of the Practice.. Practice has documented its Privacy and Security policies and procedures including the items addressed in this checklist. Privacy and Security Policy in place: Y N Data Breach User Training on Delivery and Removal of PHI Records Practice executes BAAs Public and Patient Areas Protected Appropriately Visitors are authorized, recorded and escorted. Documention of policies and procedures to report and follow up on any suspected or confirmed data security breach. Practice requires employees learn the practice s Privacy and Security policies and procedures to follow in the event of a suspected Data Breach. Practice authorizes, monitors, and logs requests for and delivery of PHI entering and exiting the practice. Practice executes an appropriate Business Associate Agreements with each party that has access to its e-phi. Access to public and patient areas of the office are controlled in accordance with identified risk. (receptionist monitors waiting room, patients are escorted to exam rooms, use of after-hours locks or alarms, etc ) Physical access to non-patient areas is limited to authorized visitors who are verified with respect to identity and authorization. Y N Visitors are recorded (Including name, company, signature, times of entry & departure, and purpose of visit. Y N HIPAA Privacy and Security Assessment v.pp.jun Page 5

6 Administrative Access Security - Keys etc Inventory of Assets Access to systems with e-phi is restricted and monitored Communication Infrastructure is protected Monitors and Printer outputs are not visible Digital Output devices are protected Keys, access fobs, entry combinations, and all other passwords are assigned and/or physically secured and changes logged. Password/Key/Fob asgnmts tracked: Y N Key change on EE Termination Y As Needed N Practice maintains an inventory of physical and license assets and their disposition is tracked in case of emergency. Physical access to systems (e.g. servers) containing PHI is restricted and monitored. Physical access to critical infrastructure is restricted and monitored. (e.g. wiring cabinet is locked, cables are protected by conduit, no access to cables, routers, or switches in publicly accessible areas) Computer monitors and printerrs are protected from visibility by unauthorized individuals (e.g. by situating in such a way that they are not visible or security filters on screens) Access to devices such as digital printers and fax machines is restricted and monitored. Devices are powered off (or memory is cleared by some other means) when not in use. HIPAA Privacy and Security Assessment v.pp.jun Page 6