Workstation Security

                                           University of Colorado Denver
                                  Facility for Advanced Spatial Technology




Subject: HIPAA Security Policies & Procedures                                                    Policy # PS-1.1
Title: Workstation Security                                                                      Page 1 of 7


Effective Date of This Revision: June 3, 2010

HIPAA Security Officer:  Sue Hawkins
Responsible Department:  Facility for Advanced Spatial Technology
Contact:                 1200 Larimer Street NC 5032, 303-556-4172

HIPAA REGULATORY INFORMATION: Workstation Security Standard

Category:    Administrative Safeguard / Physical Safeguard / Technical Safeguard
Type:        Standard / Implementation Specification (Required / Addressable)
Applies to:  Officers, Staff/Faculty, Student clinicians, Volunteers, Other agents, Visitors, Contractors




BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that access to
Protected Health Information (PHI) shall be managed to guard the integrity, confidentiality, and availability
of electronic PHI (ePHI) data. According to the law, all FAST officers, employees and agents of units
within a FAST Entity must preserve the integrity and the confidentiality of individually identifiable health
information (IIHI) pertaining to each patient or client.


The Workstation Security Standard of the Security Rule requires formal, documented policies and
procedures that describe how a covered entity safeguards ePHI in workstation use, security, and
environment [45 C.F.R. 164.310].


SECURITY REGULATION STANDARD LANGUAGE:
“Implement physical safeguards for all workstations that access electronic protected health
information, to restrict access to authorized users.”




 HIPAA Requirement     Workstation Security Standard
 HIPAA Reference:      45 C.F.R. 164.310 (c)
 Reviewed by:          Sue Hawkins
 Approved by:          Sue Hawkins
 Effective Date        6/3/2010
 Supersedes Policy:    N/A
PURPOSE:

The Workstation Security standard requires FAST to implement physical safeguards for all workstations
whose users access ePHI and to restrict workstation access to authorized users, as defined in Access
Authorization (AS-1.1).

Each Unit of the FAST health care component (HCC) that handles ePHI shall have facility security policies
and procedures in place to ensure the availability, confidentiality, and integrity of ePHI, while granting a
person or software application only the minimum privileges necessary to perform their duties.

Each Unit of the FAST HCC that handles ePHI will need to decide what constitutes an appropriate
workstation security solution based on the results of its Risk Analysis (AS-6.1) and Risk Management
(AS-7.1) policies.


ACTION:
The physical and logical attributes of a workstation may give an intruder the opportunity to gain access
both to media, such as disks or printouts, and to information displayed on screens, in violation of FAST's
Confidentiality Agreement.

Once an intruder gains access to a workstation with ePHI, there is a risk that the ePHI may be modified,
deleted, or stolen, or that a virus or other malicious code could be introduced into the system. These are
infractions of the FAST policies for integrity (TS-7.1), protection from malicious software (AS-24.1), and
facility access control (PS-3.1).

Further, if workstations are left unsecured, there is a risk of physical theft of system hardware, software,
or ePHI stored on other media.

To prevent such violations, the following steps will be implemented:

• Identify all methods of physical and remote access to workstations: document the different ways
  workstations are accessed by workforce and non-workforce members.

• Analyze the risk associated with each type of access: determine which type of access poses the
  greatest threat to security.

• Identify and employ physical, technical and administrative safeguards: document the options for
  deploying physical safeguards that will minimize the risk to the security of electronic health
  information.



Each Unit of the FAST health care component (HCC) will strive to place workstations accessing ePHI in
physically secure locations that minimize the risk of physical access by unauthorized persons.

Each Unit of the FAST HCC will take reasonable and appropriate steps to prevent unauthorized persons
from viewing ePHI on workstations.

Each Unit of the FAST HCC will take reasonable and appropriate steps to require workforce members to
protect the physical security of portable workstations that store ePHI.

Each Unit of the FAST HCC will require workforce members to attend training covering how to protect
and implement the physical security of portable and fixed workstations that store ePHI, in accordance
with FAST's Security Awareness & Training policy (AS-16.1).

Each Unit of the FAST HCC will require workstations to be configured with password-protected screen
savers that cannot be bypassed (the screen saver bypass in Microsoft Windows 9x is the known weakness
to avoid).

Each Unit of the FAST HCC will require two-part unique authentication to log on to workstations, as
defined in FAST's Unique User Identification policy (TS-2.1) and Person or Entity Authentication policy
(TS-6.1).

Each Unit of the FAST HCC will require a timed automatic logoff function on its workstations, as outlined
in FAST's Automatic Logoff policy (TS-4.1).
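An added example, not part of the FAST policy text: a PowerShell audit a Unit can run on a Windows workstation to confirm that the screen saver lock required above is enabled, password-protected, pinned by Group Policy so the user cannot switch it off, and set to an idle timeout within the Unit's limit. The function names and the 900-second ceiling are assumptions; the registry values read are the standard Windows screen saver settings. It checks the screen lock only, not the separate automatic logoff control (TS-4.1).

```powershell
# Added audit helper; not part of the FAST policy. Assumed names:
# Get-EffectiveDesktopValue, Test-WorkstationLockPolicy, and the 900-second ceiling.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPath   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveDesktopValue {
    param([string]$Name)
    # A value set by Group Policy overrides the user's own setting, so the
    # policy hive is consulted first; a missing value yields $null.
    foreach ($path in @($PolicyPath, $UserPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

function Test-WorkstationLockPolicy {
    param([int]$MaxIdleSeconds = 900)  # assumed ceiling; set it from the AS-6.1 risk analysis
    $active  = Get-EffectiveDesktopValue 'ScreenSaveActive'     # '1' = screen saver on
    $secure  = Get-EffectiveDesktopValue 'ScreenSaverIsSecure'  # '1' = password on resume
    $timeout = Get-EffectiveDesktopValue 'ScreenSaveTimeOut'    # idle seconds before it starts
    $idle = $null
    if ($timeout -match '^\d+$') { $idle = [int]$timeout }

    # The lock only counts if the user cannot simply turn it off: the password
    # requirement must be pinned by Group Policy rather than left to the user.
    $pinned = $null -ne (Get-ItemProperty -Path $PolicyPath -Name 'ScreenSaverIsSecure' -ErrorAction SilentlyContinue)

    $findings = @()
    if ($active -ne '1')  { $findings += 'screen saver disabled' }
    if ($secure -ne '1')  { $findings += 'no password required on resume' }
    if (-not $pinned)     { $findings += 'lock not enforced by policy (user can switch it off)' }
    if ($null -eq $idle)  { $findings += 'no idle timeout set' }
    elseif ($idle -gt $MaxIdleSeconds) { $findings += "idle timeout $idle s exceeds $MaxIdleSeconds s" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = $env:USERNAME
        IdleSeconds  = $idle
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

Test-WorkstationLockPolicy | Format-List
```

Run it in the context of the user whose session is being audited, since the settings live under HKCU; a non-empty Findings field is the item to remediate through Group Policy rather than by hand.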

Portable and mobile systems carry an increased risk of unauthorized access through theft or loss by the
user. Remote access to IIHI will be via a remote terminal connection over a VPN tunnel with an
IPsec-encrypted link to the FAST local network.

If a workforce member requires offline access to ePHI, the IIHI data will be encrypted and stored on a
medium that can be removed from the system when not in use.




DEFINITIONS:
HIPAA: Health Insurance Portability and Accountability Act of 1996
Electronic Protected Health Information (ePHI): Electronic health information or health care payment
information, including demographic information collected from an individual, which identifies the individual
or can be used to identify the individual. ePHI does not include student records held by educational
institutions or employment records held by employers.

Individually Identifiable Health Information (IIHI): Information that is a subset of health information,
including demographic information collected from an individual, and:

• Is created or received by a health care provider, health plan, employer, or health care
  clearinghouse; and
• Relates to the past, present, or future physical or mental health or condition of an individual; the
  provision of health care to an individual; or the past, present, or future payment for the provision
  of health care to an individual; and
• That identifies the individual; or
• With respect to which there is a reasonable basis to believe the information can be used to
  identify the individual.

FAST Health Care Component (HCC): Those units of the "Cover Entity's Name" that have been
designated by the "Cover Entity's Name" as part of its health care component under HIPAA.

FAST Security Compliance Officer: the individual appointed by FAST to be the HIPAA Security Officer
under s. 164.306(2) of the HIPAA Security Rule.

Addressable: When a standard adopted under 45 CFR Part 164.312 includes addressable
implementation specifications, a unit within the FAST HCC must (i) assess whether each implementation
specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference
to its likely contribution to protecting the unit's ePHI, and (ii) as applicable to the unit: (A)
implement the implementation specification if reasonable and appropriate; or (B) if implementing the
implementation specification is not reasonable and appropriate: (1) document why it would not be
reasonable and appropriate to implement the implementation specification; and (2) implement an
equivalent alternative measure if reasonable and appropriate.

Access means the ability or the means necessary to read, write, modify, or communicate data/information
or otherwise use any system resource.

Physical safeguards are physical measures, policies, and procedures to protect a covered entity's
electronic information systems and related buildings and equipment, from natural and environmental
hazards, and unauthorized intrusion.

Security or Security measures encompass all of the administrative, physical, and technical safeguards in
an information system.

Workstation means an electronic computing device, for example, a laptop or desktop computer, or any
other device that performs similar functions, and electronic media stored in its immediate environment.
This latter statement extends the definition of workstation to a wider range of computer input and output
devices—unintelligent and intelligent computer terminals, personal digital assistants, other wireless
devices, diagnostic equipment, etc.




Related Policies:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Overview: Policies, Procedures, and Documentation (OR-1.1)
Risk Analysis (AS-6.1)
Access Establishment and Modification (AS-2.1)
Contingency Plan (AS-10.1)
Disaster Recovery Plan (AS-11.1)
Emergency Mode Operation Plan (AS-12.1)
Workstation Use (PS-2.1)
HIPAA Privacy Regulations covered component's Minimum Necessary Policy (PP-1.1)
Workforce Security (AS-15.1)
Facility Access Controls (PS-3.1)
Device and Media Controls (PS-4.1)
Access Controls (TS-5.1)
Person or Entity Authentication (TS-6.1)
Security Awareness Training (AS-16.1)


Reference:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Overview: Policies, Procedures, and Documentation (OR-1.1)
Workstation Use (PS-2.1)
HIPAA Privacy Regulations covered component's Minimum Necessary Policy (PP-1.1)


Workforce Security (AS-15.1)
Facility Access Controls (PS-3.1)
Risk Analysis (AS-6.1)
Information Access Management (AS-3.1)
Access Establishment and Modification (AS-2.1)
Contingency Plan (AS-10.1)
Policies, Procedures, and Documentation (OR-1.1)
Security Management Process (AS-14.1)
Disaster Recovery Plan (AS-11.1)
Emergency Mode Operation Plan (AS-12.1)
Evaluation (AS-13.1)
Workstation Security (PS-1.1)
HIPAA Privacy Regulations covered component's Minimum Necessary Policy (PP-1.1)
Access to Electronic Health Information Flow Sheet
HIPAA Final Security Rule, 45 CFR Parts 160, 162, and 164, Department of Health and Human Services,
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp, February 20, 2003.

CMS, “CMS Information Systems Security Policy, Standards and Guidelines Handbook”, CMS, February
2002.

NIST SP 800-12, An Introduction to Computer Security, Chapters 10 and 14, October 1995.

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology
Systems, September 1996.

NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Rule, DRAFT, May 2004.

International Standards Organization (ISO/IEC 17799:2000(E))



