Security Strategy White Paper
This white paper references Health Insurance Portability and Accountability Act (HIPAA) Security strategies that QSI clients may pursue to help bring their use of the system into conformance with the Security Provisions of the legislation[1]. Covered entities under HIPAA must comply with the requirements by April 20, 2005[2]. Software and hardware alone cannot make you compliant, but QSI’s products can be used to facilitate your compliance efforts.
The layout of this document is to first state the requirements, and then, for those aspects of the Security requirements that specifically apply to the QSI Practice Management system, to offer the QSI techniques or methodologies that apply. If you’re already familiar with the requirements and want to proceed directly to the QSI recommendations, skip ahead to the section “Breakdown of Requirements with QSI’s Recommendations”.
The key will be in policy development, procedural checklists, and documentation, Documentation, DOCUMENTATION.
The requirements are:
Health Care organizations must protect the integrity, confidentiality, and availability of electronic protected health information (ePHI).
The Security Rule allows organizations to determine their own specific implementations of security controls, based upon a risk assessment, and considering such factors as cost, size, complexity, technical infrastructure, etc.
1) Start with a full risk assessment of an organization's security (Risk Analysis).
2) Countermeasures to identified risks must be implemented proportional to the risks.
3) Risk Management must be continually maintained to ensure that those countermeasures meet the new or increased risks that arise as time goes by.
4) Documentation must be present and kept current for the risk analysis, reasoning for countermeasure selection, and risk management.
Administrative Safeguards
Security Management Process: 164.308(a)(1): risk analysis (Required), risk management (R), sanction policy (R), and information system activity review (R)
Assigned Security Responsibility: 164.308(a)(2): (R) Security Officer or Official
Workforce Security: 164.308(a)(3): authorization and/or supervision (Addressable), workforce clearance procedure (A), and termination procedures (A)
Information Access Management: 164.308(a)(4): isolating health care clearinghouse functions (R), access authorization (A), and access establishment and modification (A)
Security Awareness and Training: 164.308(a)(5): security reminders (A), protection from malicious software (A), log-in monitoring (A), and password management (A)
Security Incident Procedures: 164.308(a)(6): response and reporting (R)
Contingency Plan: 164.308(a)(7): data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis
Evaluation: 164.308(a)(8): periodic technical and non-technical evaluations of the security environment and processes to ensure that security compliance is met regardless of operational or environmental variations
Business Associate Contract and Other Arrangement: 164.308(b)(1): written contract or other arrangement
Physical Safeguards
Facility Access Controls: 164.310(a)(1): contingency operations, facility security plan, access control and validation procedures, and maintenance records
Workstation Use and Workstation Security: 164.310(b): implement policies and procedures that specify the proper functions to be performed on the workstation and the manner in which they are performed, as well as the physical attributes of the surroundings of the workstation or class of workstations, according to their access to ePHI
Device and Media Controls: 164.310(d)(1): disposal, media re-use, accountability, and data backup and storage
Technical Safeguards
Access Control: 164.312(a)(1): unique user identification, emergency access procedure, automatic log-off, and encryption and decryption
Audit Controls: 164.312(b): establish audits that record and examine accesses of ePHI and the systems that store ePHI
Integrity: 164.312(c)(1): mechanism to authenticate electronic protected health information
Person or Entity Authentication: 164.312(d) Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
Transmission Security: 164.312(e)(1): integrity controls and encryption
Breakdown of Requirements with QSI’s Recommendations as Appropriate with the Practice Management System
Assigned Security Responsibility
One and only one official must be “designated as having the overall final responsibility for the security of the entity’s electronic protected health information”.[3]
QSI recommends that the security officer be trained in the security aspects of the QSI system. QSI offers various training alternatives, including on-site and remote classes. Please contact QSI via ,HELP for more information.
Business Associate Contract and Other Arrangement 164.308(b)(1)
QSI believes that our existing agreements and contracts with our clients and vendors meet the criteria required of the security legislation.
Workforce Security: authorization and/or supervision, workforce clearance procedure, and termination procedures
System access is controlled by the program, “U.UU”. Only one client account ID is allowed access to this program. Program access is controlled by “,Q.SIGN”.
QSI recommends that, in addition to whatever workstation-specific or network-specific security our clients implement, they also take the following steps specific to QSI.
· Clients set up all users with user and, if desired, role access to the system in U.UU.
· All accounts become inactive every sixty (60) days, with a warning to the users to change their passwords five (5) days prior to account inactivation.
· Passwords should be required to be six (6) characters long or longer[4].
· There is also Employee Numbers/Password logic that can be implemented in addition to Account ID/Passwords. This provides another layer of security and reporting for certain QSI programs.
· A member of the Security IT department, the Security Officer, or the QSI system Manager should maintain the system access files, spot-check or analyze system access audits (U.ACCT and Q.AUDIT), and maintain required records or documents.
Information Access Management: isolating health care clearinghouse functions, access authorization, and access establishment and modification
QSI recommends
· Q.SIGN be set globally to limit access to the programs on the system to No Access. Then, the client should grant access by role and by user as appropriate to the user’s function(s) on the system.
· Access to Q.SIGN should be kept strictly limited.
Security Awareness and Training: security reminders, protection from malicious software, log-in monitoring, and password management
QSI recommends, as mentioned in Workforce Security, passwords should be set to a minimum of six characters (set by QSI). QSI also recommends that passwords are stored encrypted (enter a ,HELP), and that the client creates a strong password policy such that passwords have the following characteristics:
· Contain both upper and lower case characters (e.g., a-z, A-Z)
· Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./)
· Are at least six alphanumeric characters long.
· Are not a word in any language, slang, dialect, jargon, etc.
· Are not based on personal information, names of family, etc.
· Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use either of these examples as passwords!
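As an added illustration (not code from QSI or from this white paper), the following Python function turns the password characteristics listed above into a check a client could run when writing its own password policy tooling. The minimum length, the word list and the personal-information tokens are constructed stand-ins for this example; a real deployment would use the client's full dictionary and HR data, and QSI's own minimum length setting.

```python
"""Check a candidate password against the policy characteristics listed
in the white paper.  Added example, not QSI code; the word list and
personal-information tokens below are constructed stand-ins."""
import string

MIN_LENGTH = 6  # the page's stated minimum; QSI sets this for the client

# Constructed sample word list standing in for a real multi-language dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "qwerty", "letmein"}


def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the password violates (empty means acceptable).

    personal_info: tokens such as family names or a birth year that the
    password must not be based on; checked as case-insensitive substrings.
    """
    failures = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("must contain both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        failures.append("must contain a digit")
    if not any(c in string.punctuation for c in password):
        failures.append("must contain a punctuation character")
    # "Not a word in any language": exact, case-insensitive match against the list.
    if lowered in dictionary:
        failures.append("is a dictionary word")
    # "Not based on personal information": names, years etc. must not appear at all.
    for token in personal_info:
        t = token.lower()
        if len(t) >= 3 and t in lowered:
            failures.append(f"is based on personal information ({token})")
            break
    return failures


def is_acceptable(password, personal_info=()):
    """True when the password meets every listed characteristic."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # The page's own phrase-derived examples pass; a plain word and a short string do not.
    for candidate in ("TmB1w2R!", "Tmb1W>r~", "password", "Ab1!"):
        print(candidate, "->", check_password(candidate) or "acceptable")
```

The dictionary check is an exact match on purpose: the page's rule is that the password is not itself a word, while the personal-information rule says "based on", so that check looks for the token anywhere in the password.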
Security Incident Procedures: response and reporting
QSI recommends
· A patient form be set up that pertains to security breaches or incidents. Program RPG1 can be used for reporting.
· A QSI Editor book can also be used for general security incident reporting. The program Q.SIGN should be used to limit access to the book.
Contingency Plan: data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis
QSI recommends
· Its clients have a minimum of one monthly backup tape, and a backup tape for each day of the week that it operates. Clients working six-day work weeks would have a minimum of seven tapes.
· The System Manager or the operator with the delegated duty should check the main system printer’s backup printout daily, OR run the BX.CK program daily, to ensure the viability of the backup.
· Off-site storage should be used for backup media. The only backup media that is on-site should be that required for near-term operations (that night’s backup requirements and a blank spare).
Evaluation: Periodic technical and non-technical evaluations of the security environment and processes to ensure that security compliance is met regardless of operational or environmental variations
QSI recommends
· The System Manager or personnel delegated the task periodically review system audits. Programs that should be reviewed daily include ,47, U.ACCT, and Q.AUDIT.
· There should be a month’s worth of U.ACCT files (contact QSI by ,HELP).
· Security processes be standardized and then entered in the F1-Office Notes as appropriate to the topic. For example, an F1-Office Note could be set up explaining how you’ve set up and categorized your users and roles in the system. This prevents loss of knowledge due to staff turnover, in addition to standardizing your processes.
Physical Safeguards
Facility Access Controls: contingency operations, facility security plan, access control and validation procedures, and maintenance records
QSI recommends
· An optional Additional Password should be set for selected ports, such as the QSI Support port or ports provided to employees accessing the system by modem.
Device and Media Controls: disposal, media re-use, accountability, and data backup and storage
QSI recommends
· Backup media should be stored off-site, and all on-site tape storage should be in an appropriately protected and secured area.
Technical Safeguards
Access Control: unique user identification, emergency access procedure, automatic log-off, and encryption and decryption
QSI recommends
· Account IDs that are system utility IDs, such as those for the overnight processor, be set to Non-User status in U.UU, so that personnel are prevented from using them.
· System access passwords are stored encrypted (enter ,HELP)
· Keyboard inactivity timeouts are set to no more than fifteen minutes (enter ,HELP)
· For user-shared ports, especially those in areas visible to non-practice management personnel, the inactivity timeout should bye off (log off) the port (set in X.PORT).
Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
QSI recommends
· Any audits stored on QSI, such as editor books containing the accounting for disclosures per the Privacy legislation, should be protected with Q.SIGN security.
Integrity: mechanism to authenticate electronic protected health information
QSI recommends
· Employee Numbers and corresponding passwords be set up and maintained by our clients.
· Many reports and audits can be used to track employee activity. Those appropriate to your operations should be identified, and policies regarding running those reports and reviewing them should be detailed.
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
QSI recommends
· Clients make it policy that no users share passwords with other users.
[1] Although there are many resources available, QSI has used for this document the “Risk Analysis White Paper,” Working Draft Version 1.0 – July 2004, prepared by the SNIP Security and Privacy Workgroup, ©2004 Workgroup for Electronic Data Interchange.
[2] There is some confusion regarding the compliance date for the Security regulations. It is either 4/20/05 or 4/21/05. QSI will use the 4/20/05 deadline, as published on the website: http://www.cms.hhs.gov//2/general/deadlines.asp
[3] New York State Security Matrix, NYS Office for Technology, ©2003
[4] Clients can set inactivation in U.UU. QSI can set the minimum password length for the client, as well as the number of days warning for account inactivation