S.no Standard Clause
1 Security Management Process 164.308(a)(1)
2 Security Management Process 164.308(a)(1)
3 Security Management Process 164.308(a)(1)
4 Security Management Process 164.308(a)(1)
5 Assigned Security Responsibility 164.308(a)(2)
6 Workforce security 164.308(a)(3)(i)
7 Workforce security 164.308(a)(3)(i)
8 Workforce security 164.308(a)(3)(i)
9 Workforce security 164.308(a)(3)(i)
10 Workforce security 164.308(a)(3)(i)
11 Workforce security 164.308(a)(3)(i)
12 Workforce security 164.308(a)(3)(i)
13 Information Access management 164.308(a)(4)(i)
14 Information Access management 164.308(a)(4)(i)
15 Information Access management 164.308(a)(4)(i)
16 Information Access management 164.308(a)(4)(i)
17 Information Access management 164.308(a)(4)(i)
18 Security Awareness & Training 164.308(a)(5)(i)
19 Security Awareness & Training 164.308(a)(5)(i)
20 Security Awareness & Training 164.308(a)(5)(i)
21 Security Awareness & Training 164.308(a)(5)(i)
22 Security Awareness & Training 164.308(a)(5)(i)
23 Security Awareness & Training 164.308(a)(5)(i)
24 Security Awareness & Training 164.308(a)(5)(i)
25 Security Awareness & Training 164.308(a)(5)(i)
26 Security Awareness & Training 164.308(a)(5)(i)
27 Security Awareness & Training 164.308(a)(5)(i)
28 Security Awareness & Training 164.308(a)(5)(i)
29 Security Incident procedures 164.308(a)(6)(i)
30 Security Incident procedures 164.308(a)(6)(i)
31 Security Incident procedures 164.308(a)(6)(i)
32 Security Incident procedures 164.308(a)(6)(i)
33 Contigency Plan 164.308(a)(7)(i)
34 Contigency Plan 164.308(a)(7)(i)
35 Contigency Plan 164.308(a)(7)(i)
36 Contigency Plan 164.308(a)(7)(i)
37 Contigency Plan 164.308(a)(7)(i)
38 Contigency Plan 164.308(a)(7)(i)
39 Contigency Plan 164.308(a)(7)(i)
40 Contigency Plan 164.308(a)(7)(i)
41 Contigency Plan 164.308(a)(7)(i)
42 Contigency Plan 164.308(a)(7)(i)
43 Contigency Plan 164.308(a)(7)(i)
44 Contigency Plan 164.308(a)(7)(i)
45 Evaluations 164.308(a)(8)
46 Evaluations 164.308(a)(8)
47
Business Associates contracts and
other arrangements 164.308(b)(1)
48
Business Associates contracts and
other arrangements 164.308(b)(1)
49 Facility Access control 164.310(a)(1)
50 Facility Access control 164.310(a)(1)
51 Facility Access control 164.310(a)(1)
52 Facility Access control 164.310(a)(1)
53 Facility Access control 164.310(a)(1)
54 Facility Access control 164.310(a)(1)
55 Facility Access control 164.310(a)(1)
56 Workstation Use 164.310(b)
57 Workstation Use 164.310(b)
58 Workstation Use 164.310(b)
59 Device and Media control 164.310(d)(1)
60 Device and Media control 164.310(d)(1)
61 Device and Media control 164.310(d)(1)
62 Device and Media control 164.310(d)(1)
63 Access control 164.312(a)(1)
64 Access control 164.312(a)(1)
65 Access control 164.312(a)(1)
66 Access control 164.312(a)(1)
67 Access control 164.312(a)(1)
68 Access control 164.312(a)(1)
69 Access control 164.312(a)(1)
70 Access control 164.312(a)(1)
71 Access control 164.312(a)(1)
72 Audit controls 164.312(b)
73 Audit controls 164.312(b)
74 Audit controls 164.312(b)
75 Integrity 164.312©(1)
76 Person or entity authentication 164.312(d)
77 Transmission Security 164.312€(1)
78 Transmission Security 164.312€(1)
79 Transmission Security 164.312€(1)
80 Transmission Security 164.312€(1)
81
Business Associate contracts and
other arrangements 164.314 (a)(1)
82
Business Associate contracts and
other arrangements 164.314 (a)(1)
83
Business Associate contracts and
other arrangements 164.314 (a)(1)
84
Requirements for Group Health
plans 164.314 (b)(1)
85 Policy & Procedures 164.316 (a)
86 Policy & Procedures 164.316 (a)
87 Documentation 164.316 (b)(1)
88 Documentation 164.316 (b)(1)
89 Documentation 164.316 (b)(1)
Specifications
Risk Analysis
Risk Management
Sanction Policy
Information Systems activity
review
Authorization and/or Supervision
Workforce clerance procedures
Workforce clerance procedures
Termination Procedures
Termination Procedures
Termination Procedures
Termination Procedures
Isolating healthcare clearinghouse
function
Access Authorization
Access establishment and
modification
Access establishment and
modification
Access establishment and
modification
Security Reminders
Security Reminders
Security Reminders
Protection from malicious software
Protection from malicious software
Protection from malicious software
Log-in monitoring
Log-in monitoring
Password Management
Password Management
Password Management
Response & Reporting
Response & Reporting
Response & Reporting
Response & Reporting
Data Backup plan
Data Backup plan
Data Backup plan
Data Backup plan
Data Backup plan
Data Backup plan
Disaster Recovery plan
Emergency mode operation plan
Emergency mode operation plan
Testing and Revision Procedure
Applications and data criticality
analysis
Applications and data criticality
analysis
Written contract or other
arrangement
Written contract or other
arrangement
Contigency Operations
Facility Security plan
Facility Security plan
Access control and validation
procedures
Maintenance records
Maintenance records
Maintenance records
No Implementation Specification
No Implementation Specification
No Implementation Specification
Disposal
Media Re-use
Accountability
Data backup and storage
Unique User Identification
Unique User Identification
Unique User Identification
Emergency access procedures
Automatic logoff
Automatic logoff
Encryption and Decryption
Encryption and Decryption
Encryption and Decryption
No Implementation Specification
No Implementation Specification
No Implementation Specification
Mechanism to Authenticate EPHI
No Implementation Specification
Integrity Controls
Integrity Controls
Encryption
Encryption
Business associate contracts
Other Arrangement
Other Arrangement
Plan Documents
Plan Documents
No Implementation Specification
Time Limit
Availability
Updates
Questions
Is a risk anlaysis process used to ensure cost-effective
security measures are used to mitigate expected losses ?
If yes, is the Risk Anlaysis process documented ?
Are secuirty measures implemented to reduce risks and vulnerabilities
to an appropriate level to the organization.
Do documented policies and procedures exist regarding disciplinary
actions (stipulations for misuse or misconduct) ? Have they been
communicated to the employees?
Are audit logs reviewed ? If yes, how often ? Is there a responsible entity? If the
effort documented ? Is audit logging for communication enabled.
Has the Security responsibilities for the organization been issued to
an individual or group ? If yes, is it documented ?
Are procedures in place to ensure personnel performing technical
system maintenance activities are supervised by authorized/knowledgeable
individuals, and that operational personnel are appropriately authorized to access
systems ? Are these
procedures documented ?
Are personnel procedures established and maintained ? Are these
procedures documented ?
Does the organization follow personnel clerance procedures to verify
access privileges before admissions? Are these procedures documented ?
Are access lists up-dated in a timely manner when employee accesses
change? If yes, are they documented and updated consistently ?
Does the organization follow termination procedures that include checklist for
collecting access-providing materials? If yes,are these
procedures followed consistently? Are these termination procedures
documented ?
Does the organization follow procedures for changing combination
and locking mechanism ? Are these procedures documented ?
Does the organization have documented termination checklists which
include procedures for removing user accounts in a timely manner.
If the organization includes a healthcare clearinghouse, what policies
and procedures are in place to isolate the clearinghouse electronic
protected healthcare information from the rest of the organization ?
Are the rules established to determine the initial level of access an
individual may have ? Are these rules documented ?
Does the organization follow procedures for governing access to information on a
need to know basis ? If yes, who is responsible for
maintaining documentation of these procedures ?
Does the organization have different level of access to health information/data ?
Are these rules established for granting access and authorization? If yes, are these
rules documented ?
Are these rules established for the modication of individual access? If
yes, are these rules documented ?
Are Periodic security reminders issued to all employees? If yes, are these reminders
documented and do you feel that it is effective?
Is formal information Security awareness training conducted for all
employees, agents and contractors? Yes, how often it is performed and is periodic
re-attendance required ? Is the security awareness training program documented ?
Does the organization conduct customized training conducted to all
employees, agents, and contractors? Yes, how often it is performed and is periodic
attendance required? Is the security awareness training
awareness documented ?
If security awareness training is conducted does it includes (at a minimum): (A) Virus
protection, (B) importance of monitoring login Success/failure, and ©Password
management? Are these minimal requirements for Security Awareness training
documented ?
Are procedures in place to make sure virus checking software is installed
and running on all computer system within the organization ?
Do these procedures include the requirements that virus definitions
be consistently updated ?If yes, what procedures do you use to update
them and how often ?
Are procedures implemented that provide for monitoring of failed log-in
attempts in an organizations server ?
What procedures are in place to ensure failed log-in attemtps are
reported to the proper authority ?
What password guidelines exist and what procedures are followed to ensure the
user makes a good selection ?
Do users sign a security statement when issued a password ?
What password guidelines are in place to protect integrity of
administrator type account ?
Is there a formal process in place to allow the reporting the security breaches? If
yes, to whom are these breaches reported to and are these
process documented ?
Are formal procedures follwoed for responding to incidents? If yes, which
entity is reposible and are handled in a timely manner? Are these procedures
documented ?
Are procedures followed for mitigating incidents that may occur ? Do the
procedures also identify a team assigned to handle these incidents ?
At the conclusion of an incident, are procedures followed to document
the outcome of the incident investigation? Are the results maintained in
an historical file for subsequent review ?
Has a data backup plan been implemented and followed within your
organization? If yes, is the data backup plan documented?
Does the Data backup plan contain procedures for testing and revision? If
so, are these procedures documented ?
Does the organization follow data backup plan procedures that allow for
an exact copy of information to be retrieved? If yes, are data backup plan policies
and procedures formally documented?
What type of backup does the Data backup plan call for? Full or incremental ?
Where is backup media stored ? For how long ?
What phsyical protection mechanism exist for local and remote copies of
backups? What handling instructions are in place ?
Has a disaster recovery plan been developed? If yes, is the disaster recovery plan
documented ?
Has an emergency mode operation plan been tested to determine continual
operations ?If yes, is the emergency mode operations plan and
procedures fully documented?
Does the emergency mode operation plan and disaster recovery plan
address physical access to appropriate personnel ? Is the emergency Mode
operations plan and procedures formally documented ?
Is the disaster recovery plan periodically tested to insure adequacy ? If yes,is the
testing documented ? What types of testing documented ? What types of testing
are accomplished ?
Have critical systems been identified within your organization and documented
within the contigency plan ?
What other types of mechanism are in place to allow for mission for critical hosts or
systems to properly shutdown.
Has internal or external entity performed an assessment on any network
or individual systems within the network to determine if they meet a pre
specified set of security standards ? If yes, has the assessment(s) been documented
?
Does the organization maintain a history of technical evaluations for
computer systems and network(s)
Has an inventory of all electronic data exchanges with third parties, vendors or
business partners taken place ? If yes, has a business associate agreement been
executed ? Is the inventory and agreement documented ?
Are you aware of any trusted internal or external business connections, or
any third party connections or accesses? What are they ?
Have procedures been implemented that provide for facility access and other
business functions during contigency operations ?
Does the organization have a facility security plan ? Is the facility Security plan
formally documented?
Has the organization implemented procedures within the facility to sign in
visitors and provide escorts, if appropriate ? Are these formally documented
procedures for visitor escort and sign in ?
What procedures are in place to ensure that maintenance personnel have proper
access and authorization ? Are these procedures documented ?
Does the organization retain facility maintenance records ? Is there formal
documentation for this procedure ?
Does the organization retain facility maintenance records ? Is there formal
documentation for this procedure ?
Does the organization maintain a access authorization records? If so, how long are
these records retained ? Are these authorization documented ?
Does the organization follow procedures for defined acceptable workstation
use ? Are documented procedures which outline proper fucntions ?
Has the organization implemented physical safeguards to eliminate or
minimize unauthorized access/viewing of health information on
workstations ?
Does the organization implement console locking features ?
Does the organization follow procedures for the final disposition of electronic data
(including PHI) and the hardware that it resides on ? Are these procedures
documented ?
Have procedures been developed for removing electronic protected health
information from media before it is scheduled for re-use?
Does the organization follow procedures for taking hardware and software
into or out of a facility ? Are these procedures documented ? Who is
accountable for the movement of media ?
Does the organization follow data storage procedures for electronic retention of
individual health care information ? Are these formally documented policies and
procedures ?
Are unique user id(s) in place/use (network and application) ? If yes, for
which systems and are they governed by writtent security procedures ?
Are they any shared ID's or non-unique ID's in use ?
Do all end users of network resources have a unique user ID ?
Is an emergency access procedures documented and followed ?
Are controls in place and configured to allow for automatic logoffs (network
and application ) ?
Are controls in place to ensure that data has not been altered or destroyed
during transmission ?
Is encryption currently in use with any access control solutions that are in place? If
yes how ?
Are access control or encryption technologies used to secure transmission
of sensitive information ? If yes, what and for which systems ?
Are encryption technologies used to secure data at rest ? If yes, for which
systems ?
Are networked systems configured to allow event reporting ? If yes, which
types of systems ?
Are auditing capabilities enabled for file/record accesses modifications or
deletions ? If yes, for which systems and what activites are audited ?
Are software or hardware solutions in place that will provide notifications
of abnormal conditions that may occur networked systems ?
What process exist to determine who will have the authority to change or
manipulate health information ? Is this process documented ?
How is the signature on the document/data verified as trust-worthy? IS online or
offline validation as well as entity or non-entity certificate used ?
What policies, procedures, and technical mechanisms are in place to protect
health information as it is transmitted across internal and external networks? Are
these policies, procedures and technical mechanisms documented ?
What technical and administrative processes, and mechanisms are in place to
ensure secure storage of health information ? Are these processes documented ?
Is the message encrypted,or signed ? What practice are in place for the storage
private (secret) keys ?
What crytpographic methods and parameters are used to ensure the integrity of the
message during transmission unaltered?
Are business associate contracts in place between the organization and any
business associate that might common in contact with the organization electronic
protected health information ?
Are both the organization and the business associate a government agency ?
If yes, does a memorandum of understanding exist between the organization and
the business associate that requires the business associate implement reasonable
and appropriate administrative, physical and technical safeguards to protect ephi ?
IS the business associate required by law to perform a function or activity
on behalf of the organization? If yes, describe what steps the organization
completed in order to ensure the business associate complied with the
provisions of the HIPAA security rule
Does the organization have a group health plan ? If yes, do the plan documents
require the plan sponsor reasonably and appropriately safeguard EPHI ?
Does the organization have a group health plan ? If yes, do the plan documents
require the plan sponsor reasonably and appropriately safeguard EPHI?
Does the organization have a process for developing, approving, and publishing
formal security policies ?
Are documented related to EPHI maintained for the time period prescribed
by this rule ?
Is this documentation available to those persons responsible for implementing the
various procedures required by HIPAA rule ?
Are the policies and procedures reviewed on a periodic basis to ensure adequacy
and timeliness ?
Example
For example, does the organization use a process to determine
cost effective security control measures in a relation to the loss
that would occur if these measures were not in place .
Each organization must accept a certain level of risk and must be able to determine and document that
appropriate level.
These would be a displinary actions for misuse or misaapropriation of health
information (e.g verbal warning, notice disciplinary action placed in personnel
files, removal of system privileges, termination of employment, and contract
penalties).
Organizations will be required to provide and maintain ongoing analysis/reviews of the records of system
activity (logins, file access, security incidents) to help identify security violations. This will include
operating systems, applications and networked systems.
Organization will be required to assign security resposibility to a particular or
individual or group. They will be responsible to ensuring security measures to
protect data and ensure individuals act accordingly in the protection of data.
This is important in providing an organizational focus towards security and
ability to pinpoint responsibility.
Example, Maintenance personnel are directly monitored by escorts near health
information. Operational personnel should also have the appropriate access to
data or systems.
Organization will be required to have formal documented policies and procedures for validating the
access privileges of an entity before granting those privileges.
Despite the nature of access lists, employees must be removed upon termination or modified to reflect
when a job function or role changes.
Termination procedures will be required to be documented are implemented.
These are important to prevent the possibility of unauthorized access to secure data by those who are no
longer authorized to access data (e.g voluntary or
inoluntary exit). Organizations will need to collect keys, tokens, and identification cards.
Documented procedures for changing of combinations and locking mechanism,
on a defined time schedule, and when personnel no longer have a need to
know.
Organization will be responsible for removing user accounts from computer
systems (emails), in a timely manner.
Organizations are required to implement policies and procedures to protect
against unauthorized or inadvertent disclosure of electronic protected healthcare information from the
larger organization.
Organization will be required to track the establishment of initial access through documentation efforts.
For example documentation on why individual will require access.
Organization will be required to support a users given access level information.
A user should have access only to the data needed to perform a particular function.
Organization will be required to maintain policies and procedures for identified
access levels of access to a terminal transaction, program, process or X of that user?
Organization will be required to track the modification of an individual access. For
example, procedures for why access for an existing individual may change.
It's purpose is to refresh knowledge of policies and procedures and to keep all
employees alert to the latest types of security threats (occuring incidents or CERT
alerts).
The information Security awareness training should include at a minimum: virus protection, password use
and protection.
Information Security training should address issues that are directly related to the
employee duties (e.g appropriate handling indivdual health information and
unattended workstation procedures)
Employees must understand virus protection efforts, why login are monitored,
and how to effectively manage their passwords.
Virus protection will be required on computer system(s), that can detect virus
programs that attach to other files or program to replicate, a code fragment that
reproduce by attaching itself to another program, or an embedded code that can
copy or insert itself into one or more programs.
Accurate virus protection relies on the update of definition on a timely manner.
Procedures must be implemented to provide methods of monitoring attempts
access to servers containing sensitive informations.
procedures requiring the monitoring of failed lon-in attempts must contain
instructions on reporting discrepancies.
Guidelines would be (minimum length, minimum time, maximum time, prevention of re-use, force of
change for default and initial passwords, maximum number of change times). It is a good pratice to run
password crackers and verification tools to ensure that users have selected solid passwords.
This statement should explain appropriate use and selection along with change
management procedures for the password.
Guidelines and restrictions should be placed on the use of administrator, root &
default accounts. Minimal numbers to employees should be allowed access to
these types of acounts, different levels of access should be used, and tracking
should be enforced for the use of these types of accounts.
These procedures will allow employees to effectively report security incidents or
breaches. The organization's will be required to document these procedures, and
the employees should be aware of the policies and procedures and willing to use them
The organization will be required to document reporting review, and response
policies and procedures in relation to security violations and should handle security violations promplty.
Procedures should be developed and implemented that provide guidance on selected type of incident and
how to mitigate them.
Incident reporting should include documenting the results of the incident investigations. These results
should be reviewed and maintained to assist in future investigations.
For example, a formally documented and routinely updated plan to create and maintain, for a specific
period of time, retrievable exact copies of information for the organization.
For example, formally documented and regularly maintained testing and revision
procedures.
Organization must be able to retrieve an exact copy of data while maintaining
accountability and access control integrity.
Incremental and fullbackup should be specified within the databackup plan, each
serves a different purpose and these time frames should be planned appropriately.
Backup tapes should be stored offsite or in a safe. (e.g Medium types may be tape
, cd, diskettes).
Data backup should not be left in an insecure environment as it contains sensitive
network and system data.
Most specifically, the Disaster recovery plan should address IT and information
security breaches and allow for the restoration of data loss to the entity in the event of fire, vandalism,
natrual disaster or system failure ?
For example, formally documented plans and processes to enable the continuing
operation of the organization in the short term (48 hours or less). This may be result of fire, vandilism,
minor natural disaster or system failure).
For example, formally documented plans and processes to enable the continuing
operation of the organization in the short term (48 hours or less).
Regularly maintained, formally documented plans and processes to enable the
continuing operation of the organization in the short term (48 hours or less)
Crtical systems include those systems that provide services that if lost could result in significant backlog
and monetary loss.
A proper shutdown will allow current sessions, applications and transcations to close before the system
powers off.
Such as a technical member of your internal audit team or IT team responsible for
evaluation, and testing . Technical evaluations include vendor certification or
applications prior to go-live. External entities include any accrediting agency
completing annual external penetrations, and/or infrastrcuture integrity testing
to ensure they meet industry best practices for information security.
The information maintained should support certification of the computer systems
or network designs as having implemented appropriate security.
If the data is processed through a third party, the parties must enter into a Business associate agreement.
This contract states the agreement to exchange data electronically and assurance of data transmission
integrity and storage. Third parties are vendors, business partners, or internal entities that have access to
your computer systems and infrastrucuture. These third parties will require business associate
agreements. For example, a provider may contract with a clearinghouse to transmit claims.
Third parties are vendors, business partners, or internal entities that have access to your computer
systems and infrastrucuture. These third parties types of accesses are considered less-trusted and will
require a business associate agreement.
These procedures would assist the organization in recovering the business functions after a crisis. This is
completely separate from recovering the data and involves planning for office space, communications,
equipment needs etc.
Facility Security is a group of plans that encompass all aspects of the identified
facility (e.g Cameras, perimeter protection)
Organization will be required to have formally documented procedures governing
the reception and hosting of visitors. For example: vendors, maintenance personnel.
The organization will be required to maintain ongoing documentation for granting
access to individuals working on near health information.
Organization will be required to have documentation of repairs and modification to
the physical components of a facility (e.g walls, doors, lights and rocks).
Organization will be required to have documentation of repairs and modification to hardware /software
and computer systems. Note: a helpdesk tracking system
may be used to record maintenance records.
The organization will be required to retain ongoing documentation of levels of access granted to user,
program, procedures, assessing health information.
Each organization will be required to have guidelines delineating the proper function to be performed,
and the manner in which the functions are performed.
Each organization will be required to put in place physical safeguards for workstations that will prevent
public areas from accidentally dispensing patient identifiable health information from workstation. For
example, privacy screens, monitor postions,cubicle walls or locked rooms.
Different systems will allow for the use of different types of mechanism to be used to lock workstations.
(e.g Monitor, NLM,Screen savers with passwords)
Organization will be required to document policies and procedures for the disposition`of electronic data
and the hardware on which it resides. (e.g wiping hard drives, or other method of destruction.
These procedures would inlude some form of sanitization process for the media
and a form of written verification tha the media has been cleansed prior to re-use.
Organization will be required to govern the receipt, movement, and removal of hardware /software and
in and out of the facility. This includes the marking, handling, and disposal of hardware and storage
media. This will impact your offsite backup procedures.
Organizations will be required to document electronic data retention policies and
procedures. This is to include length of time, storage, receipt and format.
Unique user ids are a combination name/number assigned to identify and track
individuals.
High profile shared accounts could be a lan admin ID or business unit that is highly
impacted by login/logout inefficiencies (nurses)
Organization will be required to irrefutably identify authorized users and processes, and to deny access to
those unauthorized. An example best praticse woule be "no group User ID's are permitted. Entity
authentication can be done through name and password through the network or application and by IP
address, service or protocol at the firewall)
Emergency Access can include access to a system or appplication immediately for
a user without current access (normal changes bypassed). Also, short system outages requiring manual
procedures.
Application will be required to provide automatic user logoff
Organization will be required to provide corroboration that data in its possession
has not been altered or destroyed in an unauthorized manner. For example:
Check Sums, double keying, message authentication code, digital signature applied to files or data.
Encryption is optional within the proposed regulations for section 142.308 c in relation to access control
methods. Encryption with access control example are VPNs, SSL
SSh.
For example PKI, IPSEC, VPN, SMARTcard or SSL.
For example, database content, file contents, directory contents containing
sensitive data.
Different types of systems will allow for different types of logging to take place
(e.g syslog server, application event logs (IIS, exchange), specific service use (ftp, http), specific activities,
NT event logging, Firewall events or intrusion detection.
Audit will be required to record and examine system activity such as who has read,accessed, or changed a
file (e.g system actives could be audited for applications,operating systems or network devices.
Any software of hardware device that can sense an abnormal condition within the
system and provide a signal. The signal can be a contact, auto showdown or restart.For example intrusion
detection system, firewalls, NT event logging)
Changes to health information should be audited to ensure proper use and accesses
Online validation or offline validation. Online validation lets the user ask the CA directly about a certificate's validity every time it is used. Offline validation relies on the validity period, a pair of dates defining the valid range of the certificate; on its own this cannot tell whether the certificate has been revoked, so a revocation list must also be consulted. Entity certificates are known as identity certificates (they bind characteristics of a person or system), and non-entity certificates are known as credential certificates.
Policies and procedures should ensure the security of health information at every point of its transmission, from origin through any intermediate hop to its destination.
Storage of health information should be secure and should follow appropriate retention guidelines.
An encrypted message is encrypted with a symmetric key, and the recipient's public key encrypts that symmetric key. A signed message is hashed and the hash is encrypted (signed) with the sender's private key. A signed and encrypted message is signed with the sender's private key, and the message is encrypted for the recipient's public key (not the sender's, which would leave the sender as the only party able to read it).
For example, describe the parameters used for signing a message (e.g. the hash algorithm: MD5 or SHA-1) and for encrypting it and exchanging the key (DES, Diffie-Hellman, RSA or elliptic curve). Note that MD5, SHA-1 and DES are no longer considered secure and appear here only because this checklist predates their deprecation; current deployments should use SHA-256 or stronger and AES.
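The sign-and-encrypt flow described above, as an added example that is not part of the original checklist: the Go program below hashes the message with SHA-256 and signs the digest with the sender's private key, encrypts the message under a fresh symmetric key, and wraps that symmetric key with the recipient's public key so that only the recipient can unwrap it. The party names (alice, bob), the sample record and the specific algorithm choices (AES-256-GCM, RSA-OAEP, RSA-PSS) are assumptions for this example and are modern replacements for the DES, MD5 and SHA-1 the checklist names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the signature made with the sender's
// private key, the AES key wrapped for the recipient, the GCM nonce and the ciphertext.
type Envelope struct {
	Signature  []byte
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newKeyPair generates a 2048-bit RSA key pair, one per party in the demo.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signThenEncrypt hashes the plaintext with SHA-256 and signs the digest with the
// sender's private key (RSA-PSS), encrypts the plaintext under a fresh AES-256-GCM
// key, and wraps that key for the recipient's public key (RSA-OAEP). The signature
// is bound to the ciphertext as GCM additional data.
func signThenEncrypt(sender *rsa.PrivateKey, recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, symKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Signature: sig, WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, sig)}, nil
}

// decryptThenVerify unwraps the AES key with the recipient's private key,
// decrypts, then checks the signature against the sender's public key.
func decryptThenVerify(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not addressed to this recipient")
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Signature)
	if err != nil {
		return nil, errors.New("ciphertext or signature altered in transit")
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return plaintext, nil
}

func main() {
	alice, _ := newKeyPair() // sender
	bob, _ := newKeyPair()   // recipient
	msg := []byte("patient=1042;result=HbA1c 6.1%") // constructed sample EPHI
	env, err := signThenEncrypt(alice, &bob.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := decryptThenVerify(bob, &alice.PublicKey, env)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // a one-bit change in transit
	_, err = decryptThenVerify(bob, &alice.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Three failure modes are distinguishable on the receiving side: a wrong recipient cannot unwrap the symmetric key, a modified ciphertext fails GCM authentication before any plaintext is released, and a message signed by an impostor decrypts but fails signature verification against the claimed sender's public key.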
These contracts should stipulate that the business associate implement reasonable and appropriate safeguards to protect this sensitive information.
The memorandum of understanding should detail the measures the business associate has in place to provide reasonable and appropriate security protection for EPHI.
When the business associate is required by law to perform certain activities, the organization needs to document its attempts to ensure the business associate has reasonable and appropriate security measures in place to protect the organization's EPHI.
The plan documents must require the plan sponsor to implement administrative, physical and technical safeguards to protect EPHI.
A formal security policy process ensures that the right people in the organization assist in the development, approval, and dissemination of the organization's security policies.
The final HIPAA Security Rule calls for documentation related to EPHI to be retained for six years from the date of its creation or the date when it was last in effect, whichever is later.
Written or electronic forms of all documentation should be available to those persons responsible for implementing the procedures described in the HIPAA Security Rule.
All policies and procedures should undergo periodic review to ensure the organization maintains a security posture adequate to protect EPHI.

Hipaa checklist - information security

  • 1. S.no Standard Clause 1 Security Management Process 164.308(a)(1) 2 Security Management Process 164.308(a)(1) 3 Security Management Process 164.308(a)(1) 4 Security Management Process 164.308(a)(1) 5 Assigned Security Responsibility 164.308(a)(2) 6 Workforce security 164.308(a)(3)(i) 7 Workforce security 164.308(a)(3)(i) 8 Workforce security 164.308(a)(3)(i) 9 Workforce security 164.308(a)(3)(i) 10 Workforce security 164.308(a)(3)(i) 11 Workforce security 164.308(a)(3)(i) 12 Workforce security 164.308(a)(3)(i)
  • 2. 13 Information Access management 164.308(a)(4)(i) 14 Information Access management 164.308(a)(4)(i) 15 Information Access management 164.308(a)(4)(i) 16 Information Access management 164.308(a)(4)(i) 17 Information Access management 164.308(a)(4)(i) 18 Security Awareness & Training 164.308(a)(5)(i) 19 Security Awareness & Training 164.308(a)(5)(i) 20 Security Awareness & Training 164.308(a)(5)(i) 21 Security Awareness & Training 164.308(a)(5)(i) 22 Security Awareness & Training 164.308(a)(5)(i) 23 Security Awareness & Training 164.308(a)(5)(i) 24 Security Awareness & Training 164.308(a)(5)(i) 25 Security Awareness & Training 164.308(a)(5)(i)
  • 3. 26 Security Awareness & Training 164.308(a)(5)(i) 27 Security Awareness & Training 164.308(a)(5)(i) 28 Security Awareness & Training 164.308(a)(5)(i) 29 Security Incident procedures 164.308(a)(6)(i) 30 Security Incident procedures 164.308(a)(6)(i) 31 Security Incident procedures 164.308(a)(6)(i) 32 Security Incident procedures 164.308(a)(6)(i) 33 Contigency Plan 164.308(a)(7)(i) 34 Contigency Plan 164.308(a)(7)(i) 35 Contigency Plan 164.308(a)(7)(i) 36 Contigency Plan 164.308(a)(7)(i) 37 Contigency Plan 164.308(a)(7)(i)
  • 4. 38 Contigency Plan 164.308(a)(7)(i) 39 Contigency Plan 164.308(a)(7)(i) 40 Contigency Plan 164.308(a)(7)(i) 41 Contigency Plan 164.308(a)(7)(i) 42 Contigency Plan 164.308(a)(7)(i) 43 Contigency Plan 164.308(a)(7)(i) 44 Contigency Plan 164.308(a)(7)(i) 45 Evaluations 164.308(a)(8) 46 Evaluations 164.308(a)(8) 47 Business Associates contracts and other arrangements 164.308(b)(1) 48 Business Associates contracts and other arrangements 164.308(b)(1) 49 Facility Access control 164.310(a)(1) 50 Facility Access control 164.310(a)(1)
  • 5. 51 Facility Access control 164.310(a)(1) 52 Facility Access control 164.310(a)(1) 53 Facility Access control 164.310(a)(1) 54 Facility Access control 164.310(a)(1) 55 Facility Access control 164.310(a)(1) 56 Workstation Use 164.310(b) 57 Workstation Use 164.310(b) 58 Workstation Use 164.310(b) 59 Device and Media control 164.310(d)(1) 60 Device and Media control 164.310(d)(1) 61 Device and Media control 164.310(d)(1) 62 Device and Media control 164.310(d)(1) 63 Access control 164.312(a)(1) 64 Access control 164.312(a)(1)
  • 6. 65 Access control 164.312(a)(1) 66 Access control 164.312(a)(1) 67 Access control 164.312(a)(1) 68 Access control 164.312(a)(1) 69 Access control 164.312(a)(1) 70 Access control 164.312(a)(1) 71 Access control 164.312(a)(1) 72 Audit controls 164.312(b) 73 Audit controls 164.312(b) 74 Audit controls 164.312(b) 75 Integrity 164.312©(1) 76 Person or entity authentication 164.312(d)
  • 7. 77 Transmission Security 164.312€(1) 78 Transmission Security 164.312€(1) 79 Transmission Security 164.312€(1) 80 Transmission Security 164.312€(1) 81 Business Associate contracts and other arrangements 164.314 (a)(1) 82 Business Associate contracts and other arrangements 164.314 (a)(1) 83 Business Associate contracts and other arrangements 164.314 (a)(1) 84 Requirements for Group Health plans 164.314 (b)(1) 85 Policy & Procedures 164.316 (a) 86 Policy & Procedures 164.316 (a) 87 Documentation 164.316 (b)(1) 88 Documentation 164.316 (b)(1)
  • 9. Specifications Risk Analysis Risk Management Sanction Policy Information Systems activity review Authorization and/or Supervision Workforce clerance procedures Workforce clerance procedures Termination Procedures Termination Procedures Termination Procedures Termination Procedures
  • 10. Isolating healthcare clearinghouse function Access Authorization Access establishment and modification Access establishment and modification Access establishment and modification Security Reminders Security Reminders Security Reminders Protection from malicious software Protection from malicious software Protection from malicious software Log-in monitoring Log-in monitoring
  • 11. Password Management Password Management Password Management Response & Reporting Response & Reporting Response & Reporting Response & Reporting Data Backup plan Data Backup plan Data Backup plan Data Backup plan Data Backup plan
  • 12. Data Backup plan Disaster Recovery plan Emergency mode operation plan Emergency mode operation plan Testing and Revision Procedure Applications and data criticality analysis Applications and data criticality analysis Written contract or other arrangement Written contract or other arrangement Contigency Operations Facility Security plan
  • 13. Facility Security plan Access control and validation procedures Maintenance records Maintenance records Maintenance records No Implementation Specification No Implementation Specification No Implementation Specification Disposal Media Re-use Accountability Data backup and storage Unique User Identification Unique User Identification
  • 14. Unique User Identification Emergency access procedures Automatic logoff Automatic logoff Encryption and Decryption Encryption and Decryption Encryption and Decryption No Implementation Specification No Implementation Specification No Implementation Specification Mechanism to Authenticate EPHI No Implementation Specification
  • 15. Integrity Controls Integrity Controls Encryption Encryption Business associate contracts Other Arrangement Other Arrangement Plan Documents Plan Documents No Implementation Specification Time Limit Availability
  • 17. Questions Is a risk anlaysis process used to ensure cost-effective security measures are used to mitigate expected losses ? If yes, is the Risk Anlaysis process documented ? Are secuirty measures implemented to reduce risks and vulnerabilities to an appropriate level to the organization. Do documented policies and procedures exist regarding disciplinary actions (stipulations for misuse or misconduct) ? Have they been communicated to the employees? Are audit logs reviewed ? If yes, how often ? Is there a responsible entity? If the effort documented ? Is audit logging for communication enabled. Has the Security responsibilities for the organization been issued to an individual or group ? If yes, is it documented ? Are procedures in place to ensure personnel performing technical system maintenance activities are supervised by authorized/knowledgeable individuals, and that operational personnel are appropriately authorized to access systems ? Are these procedures documented ? Are personnel procedures established and maintained ? Are these procedures documented ? Does the organization follow personnel clerance procedures to verify access privileges before admissions? Are these procedures documented ? Are access lists up-dated in a timely manner when employee accesses change? If yes, are they documented and updated consistently ? Does the organization follow termination procedures that include checklist for collecting access-providing materials? If yes,are these procedures followed consistently? Are these termination procedures documented ? Does the organization follow procedures for changing combination and locking mechanism ? Are these procedures documented ? Does the organization have documented termination checklists which include procedures for removing user accounts in a timely manner.
  • 18. If the organization includes a healthcare clearinghouse, what policies and procedures are in place to isolate the clearinghouse electronic protected healthcare information from the rest of the organization ? Are the rules established to determine the initial level of access an individual may have ? Are these rules documented ? Does the organization follow procedures for governing access to information on a need to know basis ? If yes, who is responsible for maintaining documentation of these procedures ? Does the organization have different level of access to health information/data ? Are these rules established for granting access and authorization? If yes, are these rules documented ? Are these rules established for the modication of individual access? If yes, are these rules documented ? Are Periodic security reminders issued to all employees? If yes, are these reminders documented and do you feel that it is effective? Is formal information Security awareness training conducted for all employees, agents and contractors? Yes, how often it is performed and is periodic re-attendance required ? Is the security awareness training program documented ? Does the organization conduct customized training conducted to all employees, agents, and contractors? Yes, how often it is performed and is periodic attendance required? Is the security awareness training awareness documented ? If security awareness training is conducted does it includes (at a minimum): (A) Virus protection, (B) importance of monitoring login Success/failure, and ©Password management? Are these minimal requirements for Security Awareness training documented ? Are procedures in place to make sure virus checking software is installed and running on all computer system within the organization ? Do these procedures include the requirements that virus definitions be consistently updated ?If yes, what procedures do you use to update them and how often ? 
Are procedures implemented that provide for monitoring of failed log-in attempts in an organizations server ? What procedures are in place to ensure failed log-in attemtps are reported to the proper authority ?
  • 19. What password guidelines exist and what procedures are followed to ensure the user makes a good selection ? Do users sign a security statement when issued a password ? What password guidelines are in place to protect integrity of administrator type account ? Is there a formal process in place to allow the reporting the security breaches? If yes, to whom are these breaches reported to and are these process documented ? Are formal procedures follwoed for responding to incidents? If yes, which entity is reposible and are handled in a timely manner? Are these procedures documented ? Are procedures followed for mitigating incidents that may occur ? Do the procedures also identify a team assigned to handle these incidents ? At the conclusion of an incident, are procedures followed to document the outcome of the incident investigation? Are the results maintained in an historical file for subsequent review ? Has a data backup plan been implemented and followed within your organization? If yes, is the data backup plan documented? Does the Data backup plan contain procedures for testing and revision? If so, are these procedures documented ? Does the organization follow data backup plan procedures that allow for an exact copy of information to be retrieved? If yes, are data backup plan policies and procedures formally documented? What type of backup does the Data backup plan call for? Full or incremental ? Where is backup media stored ? For how long ?
  • 20. What phsyical protection mechanism exist for local and remote copies of backups? What handling instructions are in place ? Has a disaster recovery plan been developed? If yes, is the disaster recovery plan documented ? Has an emergency mode operation plan been tested to determine continual operations ?If yes, is the emergency mode operations plan and procedures fully documented? Does the emergency mode operation plan and disaster recovery plan address physical access to appropriate personnel ? Is the emergency Mode operations plan and procedures formally documented ? Is the disaster recovery plan periodically tested to insure adequacy ? If yes,is the testing documented ? What types of testing documented ? What types of testing are accomplished ? Have critical systems been identified within your organization and documented within the contigency plan ? What other types of mechanism are in place to allow for mission for critical hosts or systems to properly shutdown. Has internal or external entity performed an assessment on any network or individual systems within the network to determine if they meet a pre specified set of security standards ? If yes, has the assessment(s) been documented ? Does the organization maintain a history of technical evaluations for computer systems and network(s) Has an inventory of all electronic data exchanges with third parties, vendors or business partners taken place ? If yes, has a business associate agreement been executed ? Is the inventory and agreement documented ? Are you aware of any trusted internal or external business connections, or any third party connections or accesses? What are they ? Have procedures been implemented that provide for facility access and other business functions during contigency operations ? Does the organization have a facility security plan ? Is the facility Security plan formally documented?
  • 21. Has the organization implemented procedures within the facility to sign in visitors and provide escorts, if appropriate ? Are these formally documented procedures for visitor escort and sign in ? What procedures are in place to ensure that maintenance personnel have proper access and authorization ? Are these procedures documented ? Does the organization retain facility maintenance records ? Is there formal documentation for this procedure ? Does the organization retain facility maintenance records ? Is there formal documentation for this procedure ? Does the organization maintain a access authorization records? If so, how long are these records retained ? Are these authorization documented ? Does the organization follow procedures for defined acceptable workstation use ? Are documented procedures which outline proper fucntions ? Has the organization implemented physical safeguards to eliminate or minimize unauthorized access/viewing of health information on workstations ? Does the organization implement console locking features ? Does the organization follow procedures for the final disposition of electronic data (including PHI) and the hardware that it resides on ? Are these procedures documented ? Have procedures been developed for removing electronic protected health information from media before it is scheduled for re-use? Does the organization follow procedures for taking hardware and software into or out of a facility ? Are these procedures documented ? Who is accountable for the movement of media ? Does the organization follow data storage procedures for electronic retention of individual health care information ? Are these formally documented policies and procedures ? Are unique user id(s) in place/use (network and application) ? If yes, for which systems and are they governed by writtent security procedures ? Are they any shared ID's or non-unique ID's in use ?
  • 22. Do all end users of network resources have a unique user ID ? Is an emergency access procedures documented and followed ? Are controls in place and configured to allow for automatic logoffs (network and application ) ? Are controls in place to ensure that data has not been altered or destroyed during transmission ? Is encryption currently in use with any access control solutions that are in place? If yes how ? Are access control or encryption technologies used to secure transmission of sensitive information ? If yes, what and for which systems ? Are encryption technologies used to secure data at rest ? If yes, for which systems ? Are networked systems configured to allow event reporting ? If yes, which types of systems ? Are auditing capabilities enabled for file/record accesses modifications or deletions ? If yes, for which systems and what activites are audited ? Are software or hardware solutions in place that will provide notifications of abnormal conditions that may occur networked systems ? What process exist to determine who will have the authority to change or manipulate health information ? Is this process documented ? How is the signature on the document/data verified as trust-worthy? IS online or offline validation as well as entity or non-entity certificate used ?
  • 23. What policies, procedures, and technical mechanisms are in place to protect health information as it is transmitted across internal and external networks? Are these policies, procedures and technical mechanisms documented ? What technical and administrative processes, and mechanisms are in place to ensure secure storage of health information ? Are these processes documented ? Is the message encrypted,or signed ? What practice are in place for the storage private (secret) keys ? What crytpographic methods and parameters are used to ensure the integrity of the message during transmission unaltered? Are business associate contracts in place between the organization and any business associate that might common in contact with the organization electronic protected health information ? Are both the organization and the business associate a government agency ? If yes, does a memorandum of understanding exist between the organization and the business associate that requires the business associate implement reasonable and appropriate administrative, physical and technical safeguards to protect ephi ? IS the business associate required by law to perform a function or activity on behalf of the organization? If yes, describe what steps the organization completed in order to ensure the business associate complied with the provisions of the HIPAA security rule Does the organization have a group health plan ? If yes, do the plan documents require the plan sponsor reasonably and appropriately safeguard EPHI ? Does the organization have a group health plan ? If yes, do the plan documents require the plan sponsor reasonably and appropriately safeguard EPHI? Does the organization have a process for developing, approving, and publishing formal security policies ? Are documented related to EPHI maintained for the time period prescribed by this rule ? Is this documentation available to those persons responsible for implementing the various procedures required by HIPAA rule ?
  • 24. Are the policies and procedures reviewed on a periodic basis to ensure adequacy and timeliness ?
  • 25. Example For example, does the organization use a process to determine cost effective security control measures in a relation to the loss that would occur if these measures were not in place . Each organization must accept a certain level of risk and must be able to determine and document that appropriate level. These would be a displinary actions for misuse or misaapropriation of health information (e.g verbal warning, notice disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties). Organizations will be required to provide and maintain ongoing analysis/reviews of the records of system activity (logins, file access, security incidents) to help identify security violations. This will include operating systems, applications and networked systems. Organization will be required to assign security resposibility to a particular or individual or group. They will be responsible to ensuring security measures to protect data and ensure individuals act accordingly in the protection of data. This is important in providing an organizational focus towards security and ability to pinpoint responsibility. Example, Maintenance personnel are directly monitored by escorts near health information. Operational personnel should also have the appropriate access to data or systems. Organization will be required to have formal documented policies and procedures for validating the access privileges of an entity before granting those privileges. Despite the nature of access lists, employees must be removed upon termination or modified to reflect when a job function or role changes. Termination procedures will be required to be documented are implemented. These are important to prevent the possibility of unauthorized access to secure data by those who are no longer authorized to access data (e.g voluntary or inoluntary exit). Organizations will need to collect keys, tokens, and identification cards. 
Documented procedures for changing of combinations and locking mechanism, on a defined time schedule, and when personnel no longer have a need to know. Organization will be responsible for removing user accounts from computer systems (emails), in a timely manner.
  • 26. Organizations are required to implement policies and procedures to protect against unauthorized or inadvertent disclosure of electronic protected health information from the larger organization. The organization will be required to track the establishment of initial access through documentation efforts, for example documentation of why an individual will require access. The organization will be required to support a user's given access level with information. A user should have access only to the data needed to perform a particular function. The organization will be required to maintain policies and procedures for identified levels of access to a terminal, transaction, program, process or X of that user? The organization will be required to track the modification of an individual's access, for example procedures for why access for an existing individual may change. Its purpose is to refresh knowledge of policies and procedures and to keep all employees alert to the latest types of security threats (occurring incidents or CERT alerts). Information security awareness training should include at a minimum: virus protection, password use and protection. Information security training should address issues that are directly related to the employee's duties (e.g. appropriate handling of individual health information and unattended workstation procedures). Employees must understand virus protection efforts, why logins are monitored, and how to effectively manage their passwords. Virus protection will be required on computer system(s) that can detect virus programs that attach to other files or programs to replicate, a code fragment that reproduces by attaching itself to another program, or embedded code that can copy or insert itself into one or more programs. Accurate virus protection relies on definitions being updated in a timely manner. Procedures must be implemented to provide methods of monitoring attempted access to servers containing sensitive information.
Procedures requiring the monitoring of failed log-in attempts must contain instructions on reporting discrepancies.
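The monitoring of failed log-in attempts described above can be put into practice with a small detector. The following is an added example, not code from the checklist: it parses a constructed authentication log (the `timestamp host user result` line format, the host name `srv-ehr01` and the user names are all assumptions) and applies two complementary checks, a sliding-window burst check for rapid guessing and a per-day total that catches attempts spread out slowly enough to never trip the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page): "timestamp host user result".
# jdoe: six failures in 25 seconds; bwong: six failures spread across a day;
# asmith: one failure between two successful logins (ordinary user behaviour).
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv-ehr01 jdoe FAIL
2024-03-01T08:00:05 srv-ehr01 jdoe FAIL
2024-03-01T08:00:09 srv-ehr01 jdoe FAIL
2024-03-01T08:00:14 srv-ehr01 jdoe FAIL
2024-03-01T08:00:20 srv-ehr01 jdoe FAIL
2024-03-01T08:00:25 srv-ehr01 jdoe FAIL
2024-03-01T08:01:00 srv-ehr01 asmith OK
2024-03-01T08:02:00 srv-ehr01 asmith FAIL
2024-03-01T09:30:00 srv-ehr01 asmith OK
2024-03-01T10:00:00 srv-ehr01 bwong FAIL
2024-03-01T10:45:00 srv-ehr01 bwong FAIL
2024-03-01T11:30:00 srv-ehr01 bwong FAIL
2024-03-01T12:15:00 srv-ehr01 bwong FAIL
2024-03-01T13:00:00 srv-ehr01 bwong FAIL
2024-03-01T13:45:00 srv-ehr01 bwong FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, host, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not stop the monitor
        ts, host, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), host, user, result))
    return events


def burst_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any sliding window of length `window`.
    Returns {user: highest failure count observed in one window}."""
    failures = defaultdict(list)
    for ts, _host, user, result in events:
        if result == "FAIL":
            failures[user].append(ts)
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def daily_failure_report(events, threshold=5):
    """Per-day failure totals per user that reach `threshold`; this catches slow, spread-out
    attempts that never trip the sliding-window check. Returns {(YYYY-MM-DD, user): count}."""
    counts = defaultdict(int)
    for ts, _host, user, result in events:
        if result == "FAIL":
            counts[(ts.date().isoformat(), user)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("burst alerts:", burst_alerts(evs))
    print("daily report:", daily_failure_report(evs))
```

Run against the sample, the burst check flags only `jdoe`, while the daily total also surfaces `bwong`; the discrepancy reports the procedure calls for would be generated from both result sets.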
  • 27. Guidelines would cover minimum length, minimum and maximum password age, prevention of re-use, forced change of default and initial passwords, and the maximum number of changes. It is good practice to run password crackers and verification tools to ensure that users have selected solid passwords. This statement should explain appropriate use and selection along with change management procedures for the password. Guidelines and restrictions should be placed on the use of administrator, root and default accounts. A minimal number of employees should be allowed access to these types of accounts, different levels of access should be used, and tracking should be enforced for the use of these types of accounts. These procedures will allow employees to effectively report security incidents or breaches. The organization will be required to document these procedures, and the employees should be aware of the policies and procedures and willing to use them. The organization will be required to document reporting, review, and response policies and procedures in relation to security violations and should handle security violations promptly. Procedures should be developed and implemented that provide guidance on selected types of incident and how to mitigate them. Incident reporting should include documenting the results of the incident investigations. These results should be reviewed and maintained to assist in future investigations. For example, a formally documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information for the organization. For example, formally documented and regularly maintained testing and revision procedures. The organization must be able to retrieve an exact copy of data while maintaining accountability and access control integrity. Incremental and full backups should be specified within the data backup plan; each serves a different purpose and these time frames should be planned appropriately.
Backup tapes should be stored offsite or in a safe (e.g. medium types may be tape, CD, diskettes).
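The password guidelines listed in item 27 (minimum length, minimum and maximum age, no re-use, forced change of an initial password) are simple to enforce in code. The block below is an added example and not part of the checklist; the numeric limits in `POLICY`, the `Account` class and the user name `jdoe` are assumptions chosen for illustration. Re-use is detected by keeping a short history of salted PBKDF2 hashes rather than the passwords themselves.

```python
import hashlib
import os
from datetime import date

# Assumed policy values (not from the page); adjust to the organization's standard.
POLICY = {"min_length": 12, "max_age_days": 90, "min_age_days": 1, "history": 5}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so the stored history is not a list of reversible values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, initial_password, created, policy=POLICY):
        self.username = username
        self.salt = os.urandom(16)  # one salt per account keeps history comparisons deterministic
        self.history = [hash_password(initial_password, self.salt)]  # most recent last
        self.last_changed = created
        self.must_change = True  # default/initial password: force a change at first login


def password_expired(account, today, policy=POLICY):
    """Maximum age check: True when the password is older than the policy allows."""
    return (today - account.last_changed).days > policy["max_age_days"]


def check_new_password(account, new_password, today, policy=POLICY):
    """Return a list of policy violations; an empty list means the change is allowed."""
    problems = []
    if len(new_password) < policy["min_length"]:
        problems.append("too short")
    if account.username.lower() in new_password.lower():
        problems.append("contains username")
    # Minimum age stops users cycling through the history to get back to an old password,
    # but must not block the forced change of an initial/default password.
    if (today - account.last_changed).days < policy["min_age_days"] and not account.must_change:
        problems.append("changed too recently")
    if hash_password(new_password, account.salt) in account.history[-policy["history"]:]:
        problems.append("reuse of a recent password")
    return problems


def change_password(account, new_password, today, policy=POLICY):
    """Apply the change if it passes policy; returns the (possibly empty) problem list."""
    problems = check_new_password(account, new_password, today, policy)
    if problems:
        return problems
    account.history.append(hash_password(new_password, account.salt))
    account.history = account.history[-policy["history"]:]
    account.last_changed = today
    account.must_change = False
    return []


if __name__ == "__main__":
    acct = Account("jdoe", "Welcome2024!!", date(2024, 1, 1))
    print(check_new_password(acct, "Welcome2024!!", date(2024, 1, 2)))  # reuse of the initial password
    print(change_password(acct, "correct-horse-battery", date(2024, 1, 2)))
    print(password_expired(acct, date(2024, 4, 15)))
```

The history keeps hashes only, so a compromised account store does not hand over old passwords, and `must_change` is cleared only after the first successful change, which is how the "force change of default and initial passwords" guideline is met.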
  • 28. Data backups should not be left in an insecure environment as they contain sensitive network and system data. Most specifically, the disaster recovery plan should address IT and information security breaches and allow for the restoration of lost data to the entity in the event of fire, vandalism, natural disaster or system failure. For example, formally documented plans and processes to enable the continuing operation of the organization in the short term (48 hours or less); this may be the result of fire, vandalism, minor natural disaster or system failure. For example, formally documented plans and processes to enable the continuing operation of the organization in the short term (48 hours or less). Regularly maintained, formally documented plans and processes to enable the continuing operation of the organization in the short term (48 hours or less). Critical systems include those systems that provide services that, if lost, could result in significant backlog and monetary loss. A proper shutdown will allow current sessions, applications and transactions to close before the system powers off. Such as a technical member of your internal audit team or IT team responsible for evaluation and testing. Technical evaluations include vendor certification of applications prior to go-live. External entities include any accrediting agency completing annual external penetration and/or infrastructure integrity testing to ensure they meet industry best practices for information security. The information maintained should support certification of the computer systems or network designs as having implemented appropriate security. If the data is processed through a third party, the parties must enter into a business associate agreement. This contract states the agreement to exchange data electronically and the assurance of data transmission integrity and storage.
Third parties are vendors, business partners, or internal entities that have access to your computer systems and infrastructure. These third parties will require business associate agreements. For example, a provider may contract with a clearinghouse to transmit claims. Third parties are vendors, business partners, or internal entities that have access to your computer systems and infrastructure. These third-party types of access are considered less trusted and will require a business associate agreement. These procedures would assist the organization in recovering the business functions after a crisis. This is completely separate from recovering the data and involves planning for office space, communications, equipment needs etc. Facility security is a group of plans that encompass all aspects of the identified facility (e.g. cameras, perimeter protection).
  • 29. The organization will be required to have formally documented procedures governing the reception and hosting of visitors, for example vendors and maintenance personnel. The organization will be required to maintain ongoing documentation for granting access to individuals working on or near health information. The organization will be required to have documentation of repairs and modifications to the physical components of a facility (e.g. walls, doors, lights and locks). The organization will be required to have documentation of repairs and modifications to hardware/software and computer systems. Note: a helpdesk tracking system may be used to record maintenance records. The organization will be required to retain ongoing documentation of levels of access granted to users, programs and procedures accessing health information. Each organization will be required to have guidelines delineating the proper functions to be performed, and the manner in which the functions are performed. Each organization will be required to put in place physical safeguards for workstations that will prevent workstations in public areas from accidentally dispensing patient-identifiable health information. For example, privacy screens, monitor positions, cubicle walls or locked rooms. Different systems will allow for different types of mechanism to be used to lock workstations (e.g. monitor, NLM, screen savers with passwords). The organization will be required to document policies and procedures for the disposition of electronic data and the hardware on which it resides (e.g. wiping hard drives, or other methods of destruction). These procedures would include some form of sanitization process for the media and a form of written verification that the media has been cleansed prior to re-use. The organization will be required to govern the receipt, movement, and removal of hardware/software into and out of the facility. This includes the marking, handling, and disposal of hardware and storage media.
This will impact your offsite backup procedures. Organizations will be required to document electronic data retention policies and procedures. This is to include length of time, storage, receipt and format. Unique user IDs are a combination name/number assigned to identify and track individuals. High-profile shared accounts could be a LAN admin ID or a business unit that is highly impacted by login/logout inefficiencies (e.g. nurses).
  • 30. The organization will be required to irrefutably identify authorized users and processes, and to deny access to those unauthorized. An example best practice would be "no group user IDs are permitted". Entity authentication can be done through name and password at the network or application, and by IP address, service or protocol at the firewall. Emergency access can include access to a system or application immediately for a user without current access (normal change controls bypassed), and also short system outages requiring manual procedures. Applications will be required to provide automatic user logoff. The organization will be required to provide corroboration that data in its possession has not been altered or destroyed in an unauthorized manner, for example checksums, double keying, message authentication codes, or digital signatures applied to files or data. Encryption is optional within the proposed regulations for section 142.308 c in relation to access control methods. Examples of encryption with access control are VPNs, SSL and SSH; for example PKI, IPSEC, VPN, smart cards or SSL. For example, database content, file contents, or directory contents containing sensitive data. Different types of systems will allow for different types of logging to take place (e.g. syslog server, application event logs (IIS, Exchange), specific service use (FTP, HTTP), specific activities, NT event logging, firewall events or intrusion detection). Audit will be required to record and examine system activity such as who has read, accessed, or changed a file (e.g. system activities could be audited for applications, operating systems or network devices). Any software or hardware device that can sense an abnormal condition within the system and provide a signal; the signal can be a contact, automatic shutdown or restart (for example intrusion detection systems, firewalls, NT event logging). Changes to health information should be audited to ensure proper use and access. Online validation or offline validation.
Online validation allows the user to ask the CA directly about a certificate's validity every time it is used. Offline validation gives a validity period, a pair of dates defining the valid range of the certificate. Entity certificates are known as identity certificates (characteristics), and non-entity certificates are known as credential certificates.
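Item 30 lists checksums and message authentication codes side by side as ways to corroborate that stored data has not been altered. They are not equivalent, and the added example below (not code from the checklist; the record fields and the key value are constructed for illustration) shows the difference: a keyless SHA-256 checksum catches accidental corruption, but anyone who can write to the store can recompute it after an edit, whereas an HMAC computed with a key the storage layer does not hold still exposes the change.

```python
import hashlib
import hmac
import json


def canonical_bytes(record):
    """Serialize a record deterministically so identical content always yields identical digests."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(data):
    """Keyless integrity value: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def mac(data, key):
    """Keyed integrity value: cannot be recomputed without the key."""
    return hmac.new(key, data, "sha256").hexdigest()


def store_record(record, key):
    """What the application writes: the data plus both integrity values."""
    data = canonical_bytes(record)
    return {"data": data, "checksum": checksum(data), "mac": mac(data, key)}


def verify_record(stored, key):
    """Recompute both values; compare_digest avoids timing leaks on the comparison."""
    return {
        "checksum_ok": hmac.compare_digest(checksum(stored["data"]), stored["checksum"]),
        "mac_ok": hmac.compare_digest(mac(stored["data"], key), stored["mac"]),
    }


def corrupt_one_byte(stored):
    """Simulate accidental corruption (bit rot, truncated write): one byte flips, nothing else changes."""
    data = bytearray(stored["data"])
    data[0] ^= 0x01
    return {**stored, "data": bytes(data)}


def edit_without_key(stored, new_record):
    """Simulate an unauthorized edit by a party with write access to the store who can
    recompute the keyless checksum but does not hold the MAC key."""
    data = canonical_bytes(new_record)
    return {**stored, "data": data, "checksum": checksum(data)}


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # assumption: held outside the data store
    original = store_record({"patient_id": "P-001", "allergy": "penicillin"}, key)
    print("intact     :", verify_record(original, key))
    print("bit rot    :", verify_record(corrupt_one_byte(original), key))
    print("keyless edit:", verify_record(edit_without_key(original, {"patient_id": "P-001", "allergy": "none"}), key))
```

The third case is the one a compliance reviewer should look for: a record whose checksum verifies but whose MAC does not is evidence of modification by someone without the key, which is exactly the corroboration the control asks for. Digital signatures extend the same idea to a key the verifier does not need to share.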
  • 31. Policies and procedures would ensure the security of health information as it is transmitted from start point, through the middle, to end point. Storage of health information should be secure and follow appropriate retention guidelines. An encrypted message is encrypted with the symmetric key, and the public key encrypts the symmetric key. A signed message is hashed and the hash is encrypted with the sender's private key. A signed and encrypted message is signed with the sender's private key, and the message is encrypted with the sender's public key. For example, please describe the parameters used for signing a message (e.g. the hash algorithm (MD5 or SHA1)) and for encrypting the message (DES, Diffie-Hellman, RSA, or elliptic curve). These contracts should stipulate that the business associate implement reasonable and appropriate safeguards to protect this sensitive information. The memorandum of understanding should detail the measures the business associate has in place to provide reasonable and appropriate security protection for EPHI. When the business associate is required by law to perform certain activities, the organization needs to document its attempts to ensure the business associate has reasonable and appropriate security measures to protect the organization's EPHI. The plan documents must require the plan sponsor to implement administrative, physical and technical safeguards to protect EPHI. The plan document must require the plan sponsor to implement administrative, physical and technical safeguards to protect EPHI. A formal security policy process ensures the right people in the organization assist in the development, approval, and dissemination of the organization's security policies. The final HIPAA Security Rule calls for documentation related to EPHI to be maintained for a period of six years from the date of its creation or the date when it was last in effect, whichever is later.
Both written and electronic forms of all documentation should be available to those persons responsible for implementing the procedures described in the HIPAA Security Rule.
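Item 31 describes three constructions in one breath: encrypt (symmetric key for the message, public key for the symmetric key), sign (hash, then encrypt the hash with the sender's private key), and sign-and-encrypt. The block below is an added worked example of those three operations and is not part of the checklist. It assumes the recipient's public key wraps the symmetric key (the usual hybrid-encryption arrangement, so that only the recipient can unwrap it), SHA-256 as the hash in place of MD5/SHA1, a textbook RSA without padding generated in a few lines purely for teaching, and a SHA-256 counter-mode keystream standing in for DES; none of these toy primitives is meant for production use, where a vetted library with padded RSA and an authenticated cipher belongs.

```python
import hashlib
import secrets


# ---- Toy textbook RSA (teaching only: no padding, no side-channel hardening) ----
def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if is_probable_prime(candidate):
            return candidate


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm (a and m coprime)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


def generate_keypair(bits=512):
    """Returns ((e, n), (d, n)). 512 bits keeps the demo fast; real keys are far larger."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (e, n), (modinv(e, phi), n)


# ---- Toy symmetric cipher: SHA-256 counter-mode keystream XORed with the data ----
def _keystream(key, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


symmetric_decrypt = symmetric_encrypt  # XOR with the same keystream inverts itself


# ---- The three constructions from the checklist ----
def sign(message, sender_priv):
    """Signed message: hash the message, then 'encrypt' the hash with the sender's private key."""
    d, n = sender_priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message, signature, sender_pub):
    e, n = sender_pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def encrypt(message, recipient_pub):
    """Encrypted message: symmetric key for the data, recipient's public key wraps the symmetric key."""
    e, n = recipient_pub
    sym_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(sym_key, "big"), e, n)
    return {"ciphertext": symmetric_encrypt(sym_key, message), "wrapped_key": wrapped}


def decrypt(envelope, recipient_priv):
    d, n = recipient_priv
    sym_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    return symmetric_decrypt(sym_key, envelope["ciphertext"])


def sign_and_encrypt(message, sender_priv, recipient_pub):
    """Signed and encrypted: signature from the sender's private key, then the hybrid envelope."""
    envelope = encrypt(message, recipient_pub)
    envelope["signature"] = sign(message, sender_priv)
    return envelope


def decrypt_and_verify(envelope, recipient_priv, sender_pub):
    message = decrypt(envelope, recipient_priv)
    return message, verify(message, envelope["signature"], sender_pub)
```

Two keypairs are involved: the sender's, whose private half produces the signature, and the recipient's, whose private half unwraps the symmetric key. Keeping those roles straight is the whole point of the "signed and encrypted" row, and a tampered ciphertext decrypts to bytes whose hash no longer matches the signature, which is how the integrity corroboration asked for elsewhere in the checklist falls out of the signature check.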
  • 32. All policies and procedures should undergo periodic review to ensure the organization maintains its security posture in order to protect EPHI.