3. Technical Security Services to Guard Data Integrity, Confidentiality, and Availability

[Please label written comments or e-mailed comments about this section with the subject: TECHNICAL SECURITY SERVICES]

The proposed requirements and implementation features for technical security services are presented at § 142.308(c). We would require each of these services to be implemented and documented. The documentation would be made available to those individuals responsible for implementing the services and would be reviewed and updated periodically. The following matrix depicts the requirements and implementation features for the Technical Security Services category. Following the matrix is a discussion of each of the requirements under that category.

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT: Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional).
IMPLEMENTATION:
    Context-based access.
    Encryption.
    Procedure for emergency access.
    Role-based access.
    User-based access.

REQUIREMENT: Audit controls

REQUIREMENT: Authorization control (At least one of the listed implementation features must be implemented).
IMPLEMENTATION:
    Role-based access.
    User-based access.

REQUIREMENT: Data Authentication

REQUIREMENT: Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented).
IMPLEMENTATION:
    Automatic logoff.
    Biometric.
    Password.
    PIN.
    Telephone callback.
    Token.
    Unique user identification.



a. Access Control

There would be a requirement for access control which would restrict access to resources and allow access only by privileged entities. It would be important to limit access to health information to those employees who have a business need to access it. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation. The following implementation feature would be used:

Procedure for emergency access.

In addition, at least one of the following three implementation features would be used:

Context-based access.
Role-based access.
User-based access.

The use of the encryption implementation feature would be optional.

b. Audit Controls

Each organization would be required to put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.

c. Authorization Control

There would be a requirement to put in place a mechanism for obtaining consent for the use and disclosure of health information. These controls would be necessary to ensure that health information is used only by properly authorized individuals. Either of the following implementation features may be used:

Role-based access.
User-based access.

d. Data Authentication

Each organization would be required to be able to provide corroboration that data in its possession has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature.

e. Entity Authentication

Each organization would be required to implement entity authentication, which is the corroboration that an entity is who it claims to be. Authentication would be important to prevent the improper identification of an entity who is accessing secure data. The following implementation features would be used:

Automatic logoff.
Unique user identification.

In addition, at least one of the following implementation features would be used:

Biometric.
Password.
PIN.
Telephone callback.
Token.