Internal Medicine Associates: Security Awareness Training. Presented by Chris Lundy, Information Systems Manager, Internal Medicine Associates, HIPAA Security Officer. Health Insurance Portability & Accountability Act of 1996.

Security Awareness Training
• Presented by Chris Lundy
• Information Systems Manager, Internal Medicine Associates
• HIPAA Security Officer
HIPAA (Health Insurance Portability & Accountability Act of 1996)
• HIPAA helps you understand your security responsibilities based on your job
• Procedures to guard data integrity, confidentiality, and availability, such as:
• Administrative Procedures
• Physical Safeguards
• Technical Security Services
• Technical Security Mechanisms
• Electronic Signature
Personnel Security (Administrative Procedures)
• Assure supervision of maintenance personnel as set forth by security protocol
• Maintain a record of all access authorizations
• Personnel security policy/procedure reviewed at corporate compliance meeting
• System users trained in security and ways to identify breaches
Security Configuration Management (Administrative Procedures, cont.)
• Documentation
• Hardware/software installation
• Maintenance review
• Testing for security
• Inventory of all hardware/software
• Virus checking
• Procedures outlined
• Policies enforced
Security Incident Management/Reporting (Administrative Procedures, cont.)
• Report procedures: incident reported to management; report written with witnesses involved and then forwarded to security personnel
• Response procedures: response will be documented and accurate the first time
• Risk analysis: a periodic assessment will be taken after an initial analysis
• Risk management: all identifiable risks will be documented and due diligence planning will be instituted
Termination Procedures (Administrative Procedures)
In the event of termination:
• Combination locks changed
• Removal from access lists
• Removal of user account(s)
• Turn in keys, tokens or cards that allow access
Training (Administrative Procedures, cont.)
• Training is provided for all personnel (including management)
• Periodic security reminders will be issued in our newsletter
• Users will receive training concerning virus protection
• Users will receive training concerning monitoring success/failure and how to report discrepancies
• User education in password management
Assigned Security Responsibility (Physical Safeguards)
Responsibility will be assigned as follows:
• Federal regulations
• Security Officer (HIPAA)
• Management
• Supervisors
• Users
• Patients: patients will be trained by correspondence, leaflets, etc.
Media Controls (Physical Safeguards)
• Assigned access to media
• Accountability: tracking is done on media
• Data backup is done by Information Systems and is not to be backed up on floppy, CD or any other type of media
• Data storage is done offsite at the data center
• Information Systems is responsible for disposal of media, and no user will destroy media
Physical Access Controls (Physical Safeguards)
• Disaster Recovery: in the event of a disaster all access will be secured if possible; all liabilities are documented
• Emergency Mode Operation: drills are performed on a random basis to test the physical controls in the event of an emergency
Physical Access Controls (Physical Safeguards)
• Equipment Control: all equipment is asset tagged, documented and tested to meet security requirements; check-in/out procedures are in place, and no protected health information (PHI) is allowed to leave the premises without written authorization
• Facility Security Plan: all physical security is documented and floor plans are mapped out
Physical Access Controls (Physical Safeguards)
• Pre-registered Access Authorizations: all authorizations will be pre-registered, and access cards, identifiers, and escort will be arranged
• All maintenance on the facility should be reported and documented
• All access is on a need-to-know basis. Example: the Director of the Business Office doesn't need to know the security access of the nursing staff
• Information Systems will not volunteer access specifications
• Any changes will be sent via appropriate documentation
Physical Access Controls (Physical Safeguards)
• Testing and Revision: all procedures and policies will be tested periodically
• Upon completion, the needed changes will be documented and due diligence will be initiated to correct any breaches or gaps in security
• It is everyone's responsibility to protect the facility and work with their management team to assess and correct any lapses
Policies & Procedures (Physical Safeguards)
• Policies & procedures are written for: Workstation Use; Secure Workstation Location
• These are discussed in corporate compliance training
• Training sessions on Physical Safeguards will be conducted one (1) time per year or as needed
Access Control (Technical Security Services)
• Context-based access: based on a transaction, date, time, etc.
• Role-based access: RBAC is used for mapping specific functions in an organization
• User-based access: based on the identity of the person involved (not used at IMA)
• Encryption: transforming confidential plaintext into ciphertext to protect it; this feature is automatic on most systems
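The slide names the two access-control models IMA relies on, role-based and context-based, without showing how they combine in a decision. The following is an added example, not code from the slides or from IMA's systems: a small deny-by-default policy engine in which a request must pass both a role check (which functions a role may call) and a context check (here a constructed rule that billing functions are only available on weekdays during business hours). The role names, function names, hours and the clinic-style request fields are all assumptions made for illustration; user-based access is left out because the slide says it is not used at IMA.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical role-to-function mapping (RBAC): each role lists the
# functions it may call. Constructed for this example, not IMA's real roles.
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "update_vitals"},
    "physician": {"read_chart", "update_vitals", "write_order"},
    "billing": {"read_billing"},
}

# Constructed context rule: billing data is only reachable on weekdays
# between these hours. Real hours would come from the organization's policy.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
CONTEXT_RESTRICTED = {"read_billing"}


@dataclass(frozen=True)
class Request:
    user: str          # unique user id (from authentication, not trusted input)
    role: str          # role assigned to the user by administration
    function: str      # the application function being invoked
    at: datetime       # time of the transaction (the "context")


def role_allows(role: str, function: str) -> bool:
    """RBAC check: unknown roles get an empty permission set, so deny."""
    return function in ROLE_PERMISSIONS.get(role, set())


def context_allows(req: Request) -> bool:
    """Context-based check: time-of-day and weekday rule for restricted functions."""
    if req.function not in CONTEXT_RESTRICTED:
        return True
    is_weekday = req.at.weekday() < 5
    in_hours = BUSINESS_START <= req.at.time() < BUSINESS_END
    return is_weekday and in_hours


def decide(req: Request) -> tuple[bool, str]:
    """Deny by default; both the role and the context check must pass.

    Returns (allowed, reason) so the reason can go into the audit trail.
    """
    if not role_allows(req.role, req.function):
        return False, "denied: role not permitted for function"
    if not context_allows(req):
        return False, "denied: outside permitted context"
    return True, "allowed"


if __name__ == "__main__":
    weekday_morning = datetime(2024, 6, 11, 10, 0)   # a Tuesday
    saturday = datetime(2024, 6, 15, 10, 0)
    for r in (
        Request("jdoe", "nurse", "read_chart", weekday_morning),
        Request("jdoe", "nurse", "write_order", weekday_morning),
        Request("bsmith", "billing", "read_billing", weekday_morning),
        Request("bsmith", "billing", "read_billing", saturday),
    ):
        print(r.user, r.function, decide(r))
```

Ordering the checks so the cheap role check runs first and logging the reason on every decision lets the audit controls described later on the deck distinguish a role misconfiguration from an after-hours attempt.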
Audit Controls, Authorization Control, Data Authentication (Technical Security Services)
• Audits are done by Information Systems and outside services
• These are closely protected audits and safeguarded by contracts
• In the event of an audit, your department will be notified and you will comply with said audit
• Role-based authorization: based on specific software, hardware and procedures, but regulated by Information Systems
Entity Authentication (Technical Security Services)
• Automatic logoff is in place on all systems
• Passwords are required on all operating systems and systems accessed via the network
• Unique user identification is used to protect you and your workmates
Communications/Network Control (Technical Security Mechanisms)
• All communications have access controls
• All network devices have access controls, anti-hack devices and alarms
• Audit trails are generated on virtually every device on the network or communicating with the network
• Certain data sets are encrypted, and this is documented
• Tokens are passed between systems to assure genuine identity
• Event alarms report problems or hacks
• Integrity devices alert us to hardware or software problems, and IDS reports continually on unauthorized access
• Transaction logs are generated to assure message authentication and accurate access control verification
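The slide says audit trails and transaction logs are generated and that unauthorized access is reported, but not what a review of those records looks for. The following is an added example, not IMA's tooling or log format: a parser for a constructed key=value audit-trail format and a review pass that flags repeated login failures, a successful login immediately following such a run, and any action the access controls denied. The sample lines, host and user names, and the failure threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit trail (not real IMA logs); one event per line.
SAMPLE_AUDIT_TRAIL = """\
2024-06-11T08:02:10 host=ehr01 user=jdoe action=login result=ok
2024-06-11T08:02:15 host=ehr01 user=jdoe action=read_chart result=ok
2024-06-11T22:14:01 host=ehr01 user=tmp99 action=login result=fail
2024-06-11T22:14:05 host=ehr01 user=tmp99 action=login result=fail
2024-06-11T22:14:09 host=ehr01 user=tmp99 action=login result=fail
2024-06-11T22:14:20 host=ehr01 user=tmp99 action=login result=ok
2024-06-11T22:15:00 host=ehr01 user=tmp99 action=read_chart result=denied
this line is malformed and must be skipped, not crash the review
"""

# Assumed line layout: timestamp, then fixed key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_audit_trail(text: str) -> list[dict]:
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_audit_trail(events: list[dict], fail_threshold: int = 3) -> list[tuple[str, str]]:
    """Return (user, finding) tuples in the order each finding is first detected.

    Findings:
      repeated_login_failures  - fail_threshold consecutive failed logins
      login_after_failures     - a successful login right after such a run
      denied:<action>          - an action the access controls refused
    """
    findings = []
    fail_streak: dict[str, int] = defaultdict(int)
    for ev in events:
        user, action, result = ev["user"], ev["action"], ev["result"]
        if action == "login" and result == "fail":
            fail_streak[user] += 1
            if fail_streak[user] == fail_threshold:
                findings.append((user, "repeated_login_failures"))
        elif action == "login" and result == "ok":
            if fail_streak[user] >= fail_threshold:
                findings.append((user, "login_after_failures"))
            fail_streak[user] = 0
        elif result == "denied":
            findings.append((user, f"denied:{action}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_audit_trail(parse_audit_trail(SAMPLE_AUDIT_TRAIL)):
        print(f"{user}: {finding}")
```

A success that follows a run of failures is reported separately from the failures themselves because it is the case that needs a person to look, whereas a run of failures with no success is usually just a locked-out user.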