Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines
Attachment B: Additional Security and Policy Considerations

Access and Storage Devices

Establish and implement policies and procedures for using and transporting secure access devices (smart card, key FOB, etc.) and external storage devices (diskettes, USB flash drives, CD-ROM, etc.).

Accountability

Maintain a record of the movements of hardware and electronic media and any persons responsible for transporting these devices.

Application and Data Criticality Analysis

Assess the relative criticality of specific applications and data in support of other contingency plan components.

Audit Controls and Logs

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use protected electronic health information. Establish and implement policies and procedures that regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Establish and implement policies and procedures for the backup, archiving, retention, and destruction of audit logs.

Automatic Logoff

Establish and implement policies and procedures that terminate any electronic session after a predetermined period of inactivity.

Browsers

Establish and implement policies and procedures regarding browser configuration for browser-based applications and Internet usage.

Certificates

Establish server and client digital certificate transportation, generation, and use policies.

Communications

Letterhead stationery, business cards, or dedicated phone lines are used among colleagues for professional purposes, and, in these cases, references to HIV/AIDS would not jeopardize the confidentiality of any case patient. In fact, such identification may be an important part of establishing credibility with providers who report cases. Addressing both purposes (protecting confidentiality and establishing credibility) will require careful organization and perhaps some duplication of communication mechanisms by surveillance units (e.g., one card and phone line for investigation activities and another set for providers) or the use of more generic terminology (e.g., 'Epidemiology Unit' instead of 'HIV/AIDS Surveillance Unit').

Contingency of Operations and Disaster Recovery

Establish and implement policies and procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

A contingency planning policy and operations policy should address all critical aspects of contingency planning. Storage of data for backup and disaster recovery purposes should have the same if not more stringent accessibility, accountability, and encryption security requirements as a production system.

Along with the above, the following rules should be followed. They may be included in the policy or listed separately:

  • Maintain a list of all users and applications with access to the data. The list should include (per user or application) the day of week and the hours of the day that access will be needed. Access should be limited to these days and hours. The list should also identify those with access to identifiers.
  • Conduct a monthly audit reflecting all successful/unsuccessful access. The report should include day, time of day, and length of access. It should be verified against authorized users and access requirements.
  • Define administrative privileges for IT personnel (should be very limited). IT personnel need to have program approval before accessing the data.
  • Identify some form of double authentication process for accessing the data.
  • Keep systems containing the data in a secured area that is clearly labeled for authorized personnel only.
  • Implement column and/or row level encryption of data.
  • Create a data backup plan that includes procedures to create and maintain exact copies of protected electronic health information.
  • Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity (time-outs).
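The first two rules above (an authorized-access list with permitted days and hours, and a monthly review of successful and unsuccessful access against that list) can be checked mechanically. The following is an added example, not code from the CDC guidance: it reviews a small constructed access log against a constructed schedule of hypothetical users and reports out-of-window logins, failed attempts, unknown accounts, session lengths, and sessions that never logged out. The log line format (`<ISO timestamp> <user> <LOGIN|LOGOUT|FAIL> [session=<id>]`) and the user names are assumptions for the example.

```python
"""Monthly access-log review against an authorized-access schedule.

Added example (not part of the CDC guidance). Assumes a log format of
"<ISO timestamp> <user> <LOGIN|LOGOUT|FAIL> [session=<id>]" and a
schedule keyed by user; all users and log lines below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample schedule (hypothetical users). weekday 0 = Monday;
# "hours" is a half-open [start, end) range in 24-hour local time.
AUTHORIZED = {
    "asmith": {"days": {0, 1, 2, 3, 4}, "hours": (8, 18), "identifiers": True},
    "bjones": {"days": {0, 1, 2, 3, 4}, "hours": (9, 17), "identifiers": False},
    "backup-svc": {"days": {5}, "hours": (1, 4), "identifiers": True},
}

# Constructed sample log lines (2006-02-13 is a Monday, 2006-02-18 a Saturday).
SAMPLE_LOG = """\
2006-02-13T08:15:02 asmith LOGIN session=101
2006-02-13T12:40:11 asmith LOGOUT session=101
2006-02-13T22:05:45 bjones LOGIN session=102
2006-02-13T22:35:00 bjones LOGOUT session=102
2006-02-14T09:02:13 cdoe FAIL
2006-02-14T09:02:40 cdoe FAIL
2006-02-15T10:00:00 asmith LOGIN session=104
2006-02-18T02:00:00 backup-svc LOGIN session=103
2006-02-18T02:45:00 backup-svc LOGOUT session=103
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN|LOGOUT|FAIL)(?:\s+session=(\S+))?\s*$")


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    session: str | None


@dataclass
class Finding:
    kind: str          # OUT_OF_WINDOW, FAILED_LOGIN, UNKNOWN_USER, NO_LOGOUT, ...
    user: str
    ts: datetime
    detail: str = ""


@dataclass
class Report:
    successful: int = 0
    failed: int = 0
    sessions: list = field(default_factory=list)          # (session, user, minutes)
    findings: list = field(default_factory=list)
    identifier_users: set = field(default_factory=set)    # logged in with identifier access


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; reject lines that do not match (never skip silently)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user, action, session = m.groups()
        events.append(Event(datetime.fromisoformat(ts), user, action, session))
    return events


def in_window(entry: dict, ts: datetime) -> bool:
    """True if ts falls on an authorized weekday and within the authorized hours."""
    start, end = entry["hours"]
    return ts.weekday() in entry["days"] and start <= ts.hour < end


def review_access_log(text: str, schedule: dict, year: int | None = None,
                      month: int | None = None) -> Report:
    """Build the audit report; pass year and month together to restrict to one month."""
    report = Report()
    open_sessions: dict = {}
    for ev in sorted(parse_log(text), key=lambda e: e.ts):
        if year is not None and (ev.ts.year, ev.ts.month) != (year, month):
            continue
        entry = schedule.get(ev.user)
        if ev.action == "FAIL":
            report.failed += 1
            report.findings.append(Finding("FAILED_LOGIN", ev.user, ev.ts))
            if entry is None:
                report.findings.append(Finding("UNKNOWN_USER", ev.user, ev.ts))
        elif ev.action == "LOGIN":
            report.successful += 1
            if entry is None:
                report.findings.append(Finding("UNKNOWN_USER", ev.user, ev.ts))
            else:
                if not in_window(entry, ev.ts):
                    report.findings.append(Finding("OUT_OF_WINDOW", ev.user, ev.ts,
                                                   f"weekday={ev.ts.weekday()} hour={ev.ts.hour}"))
                if entry["identifiers"]:
                    report.identifier_users.add(ev.user)
            open_sessions[ev.session] = ev
        elif ev.action == "LOGOUT":
            start = open_sessions.pop(ev.session, None)
            if start is None:
                report.findings.append(Finding("LOGOUT_WITHOUT_LOGIN", ev.user, ev.ts))
            else:
                minutes = int((ev.ts - start.ts).total_seconds() // 60)
                report.sessions.append((ev.session, ev.user, minutes))
    # A login with no matching logout is worth a second look (time-out not applied?).
    for ev in open_sessions.values():
        report.findings.append(Finding("NO_LOGOUT", ev.user, ev.ts, f"session={ev.session}"))
    return report


if __name__ == "__main__":
    r = review_access_log(SAMPLE_LOG, AUTHORIZED, 2006, 2)
    print(f"successful={r.successful} failed={r.failed} sessions={r.sessions}")
    for f in r.findings:
        print(f"{f.kind:22} {f.user:12} {f.ts.isoformat()} {f.detail}")
```

The report is returned as data rather than only printed so it can be compared against the authorized list each month and the findings (here: one after-hours login, two failures from an account not on the list, and one session that never logged out) can be signed off by whoever verifies the audit.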

Emergency Access Procedures

Establish and implement policies and procedures for obtaining necessary protected electronic health information during an emergency.

Emergency Mode Operation

Establish and implement policies and procedures to enable continuation of critical business processes for protecting the security of protected electronic health information while operating in emergency mode.

Encryption and Decryption

Implement a mechanism to encrypt and decrypt protected electronic health information.

Integrity Controls

Implement security measures to ensure that electronically transmitted protected electronic health information is not improperly modified without detection until disposed of. Ensure that any agent, including a contractor or subcontractor to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect the information.

Internet Connectivity

If a modem (internal or external), DSL, or cable is used on a workstation to provide access to the Internet, ensure that passwords and logon data used to access the Internet are not stored on the workstation. Most communications software has the capacity to dial a service and connect a user and even to send a password down the line. To prevent this from happening, never program a password into the workstation.

Some modems have the capability to answer the telephone as well as to make calls. Make sure users know how to tell if their modem has been placed in answering mode and how to turn off that mode. External modems normally have an indicator light labeled AA that glows if Auto Answer mode is selected. Internal modems are harder to monitor, but small utility programs are available that can help. Callback modems actually call the user back at a prearranged number. External modems are recommended because the ease of turning them off offers programs the greatest degree of control.

CDC strongly recommends that workstations holding confidential and sensitive data be disconnected from the Internet except when the Internet is being used for authorized activities.

If the line is for data only, make sure that the telephone number of the line does not appear in the telephone directory and is not displayed on the telephone itself or on the wall socket.

Intrusion Detection

Establish and implement policies and procedures regarding intrusion detection and penetration vulnerabilities.

Keyboard and Screen Locking

Establish and implement policies and procedures for screen saving and keyboard locking.

Logins and Monitoring

Establish and implement policies and procedures for workstation logins, and designate who can request and authorize changes to a login. Establish and implement policies and procedures for monitoring login attempts and reporting discrepancies.

Maintenance Records

Establish and implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).

Media Disposal and Re-use

Establish and implement policies and procedures to address the final disposition of protected electronic health information, and/or the hardware or electronic media on which it is stored. Establish and implement policies and procedures for removal of protected electronic health information from electronic media before the media are made available for re-use.

Networks, LANs, and WANs

Establish and implement policies and procedures governing all servers on the network. Establish and implement policies and procedures for the documentation of network configurations and architectures. Topics to include are:

  • Name and location of servers
  • Netware protocols
  • Users, groups, and roles that access data and physical server
  • Authentication protocols
  • E-mail hosting
  • Remote access
  • Web hosting
  • Data located on each server
  • Administrative safeguards

Computers used to maintain HIV/AIDS surveillance information with personal identifiers should not be connected to other computers or computer systems that are located outside of the secure area until and unless the connection is deemed secure by adding multiple layers of protective measures (including encryption software, restricted access rights, and physical protections for the LAN equipment and wiring) and justifying a public health need to maintain highly sensitive data on a system that has multiple users and multiple locations. This system should operate under a certified LAN administrator, who will attest to the system's effectiveness and assume responsibility for any breach of security directly resulting from the system's failure to protect sensitive data.

Internet access devices (e.g., modems and network interface cards) or cables should not be connected to any computer or computer system containing surveillance information and data unless authorized staff need Internet access as a means to enhance surveillance activities. If Internet connectivity is used for surveillance activities, specific rules of use should be provided in writing to authorized users, and they should sign a statement that they understand those rules.

Password Management

Establish and implement policies and procedures for creating, changing, and safeguarding passwords.

Patching and Service Packs

Establish and implement policies and procedures for security patching and service pack control.

Protection from Malicious Software

Establish and implement policies and procedures for guarding against, detecting, and reporting malicious software.

Risk Analysis

Establish and implement policies and procedures that require conducting a regular, accurate, and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected electronic health information held by the covered entity.

Routers and Firewalls

Establish and implement policies and procedures regarding router and firewall logs to capture packets that violate filter criteria. Establish and implement policies and procedures for firewall and router configuration.

Software Inventory, Releases, Licensing, and Upgrades

Establish and implement policies and procedures for the inventory of authorized software (including versions) that can be installed on development, training, testing, staging, and production servers and workstations.

Establish and implement policies and procedures for tracking and verifying software licenses.

Establish and implement policies and procedures for prerelease and testing of software. Establish a methodology to deploy new or upgraded software to all appropriate workstations and servers (configuration management). Establish a method for tracking the software loaded on every workstation and server.

Testing and Revision of Plans

Establish and implement policies and procedures for periodic testing and revision of contingency plans.

Transmission Security

Implement technical security measures to guard against unauthorized access to protected electronic health information that is being transmitted over an electronic communications network.

Workstation Use

Establish and implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access protected electronic health information. 

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention