Minimum Security Standards for Systems with HIPAA Data

MINIMUM STANDARDS

Note that the implementation specifications provided in the Security and Privacy Rules may be addressable or required; some standards do not have any implementation specifications. These standards are just the minimum for HIPAA compliance. In some cases, additional controls may be necessary to comply with university policy. All devices must also meet the Minimum Security Standards for Systems.

ADMINISTRATIVE SAFEGUARDS

Security Management
Standard: Security Management (§164.308 (a)(1))
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation Specification | Type | Reference
Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held. [UNTHSC note: This assessment is required annually.] | Required | §164.308 (a)(1)(ii)(A)
Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. These measures must, at a minimum: (a) protect against any reasonably anticipated threat or hazard to the security or integrity of such information; (b) ensure compliance by employees; and (c) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of the HIPAA Privacy Rule. | Required | §164.308 (a)(1)(ii)(B)
Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. | Required | §164.308 (a)(1)(ii)(C)
Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Required | §164.308 (a)(1)(ii)(D)
Assign Security Responsibility
Standard: Assign Security Responsibility (§164.308 (a)(2))
Identify the security official who is responsible for the development and implementation of required policies and procedures.
Implementation specifications: N/A
Workforce Security
Standard: Workforce Security (§164.308 (a)(3))
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under §164.308 (a)(4), and to prevent those workforce members who do not have access under §164.308 (a)(4) of the HIPAA Security Rule from obtaining access to electronic protected health information.
Implementation Specification | Type | Reference
Authorization and/or supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | Addressable | §164.308 (a)(3)(ii)(A)
Workforce clearance procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | Addressable | §164.308 (a)(3)(ii)(B)
Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in §164.308 (a)(3)(ii)(B). | Addressable | §164.308 (a)(3)(ii)(C)
Information Access Management
Standard: Information Access Management (§164.308 (a)(4))
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of Subpart E of the HIPAA Privacy Rule.
Implementation Specification | Type | Reference
Access authorization: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | Addressable | §164.308 (a)(4)(ii)(B)
Access establishment and modification: Implement policies and procedures that, based upon access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Addressable | §164.308 (a)(4)(ii)(C)
Security Awareness and Training
Standard: Security Awareness and Training (§164.308 (a)(5))
Implement a security awareness and training program for all members of its workforce (including management).
Implementation Specification | Type | Reference
Implement a security awareness and training program that, at a minimum, covers: (a) procedures for creating, changing and safeguarding passwords; (b) periodic security updates; (c) procedures for protecting against, detecting, and reporting malicious software; and (d) procedures for monitoring login attempts and reporting discrepancies. | Addressable | §164.308 (a)(5)(ii)(A-D)
Security Incident Procedures
Standard: Security Incident Procedures (§164.308 (a)(6))
Implement policies and procedures to address security incidents.
Implementation Specification | Type | Reference
Response and reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. [UNTHSC note: All incidents must be reported immediately to the Information Security Office (informationsecurity@unthsc.edu).] | Required | §164.308 (a)(6)(ii)(A)
Contingency Plan
Standard: Contingency Plan (§164.308 (a)(7))
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Implementation Specification | Type | Reference
Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | Required | §164.308 (a)(7)(ii)(A)
Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data. | Required | §164.308 (a)(7)(ii)(B)
Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | Required | §164.308 (a)(7)(ii)(C)
Testing and revision procedures: Implement procedures for periodic testing and revision of contingency plans. | Addressable | §164.308 (a)(7)(ii)(D)
Applications and data criticality analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. | Addressable | §164.308 (a)(7)(ii)(E)
Evaluation
Standard: Evaluation (§164.308 (a)(8))
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the security policies and procedures meet the requirements of §164.308 (a).
Implementation specifications: N/A
Business Associate Contracts and Other Arrangements
Standard: Business Associate Contracts and Other Arrangements (§164.308 (b)(1))
A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314 (a), that the business associate will appropriately safeguard the information.
Implementation Specification | Type | Reference
Written contract or other arrangement: Document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314 (a). | Required | §164.308 (b)(4)

PHYSICAL SAFEGUARDS

Facility Access Controls
Standard: Facility Access Controls (§164.310 (a))
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation Specification | Type | Reference
Contingency operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | Addressable | §164.310 (a)(2)(i)
Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Addressable | §164.310 (a)(2)(ii)
Access control and validation procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Addressable | §164.310 (a)(2)(iii)
Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Addressable | §164.310 (a)(2)(iv)
Workstation Use
Standard: Workstation Use (§164.310 (b))
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Implementation specifications: N/A
Workstation Security
Standard: Workstation Security (§164.310 (c))
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Implementation specifications: N/A
Device and Media Controls
Standard: Device and Media Controls (§164.310 (d))
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Implementation Specification | Type | Reference
Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | Required | §164.310 (d)(2)(i)
Media re-use: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. | Required | §164.310 (d)(2)(ii)
Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible therefor. | Addressable | §164.310 (d)(2)(iii)
Data backup and storage: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Addressable | §164.310 (d)(2)(iv)

TECHNICAL SAFEGUARDS

Access Control
Standard: Access Control (§164.312 (a))
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308 (a)(4).
Implementation Specification | Type | Reference
Unique user identification: Assign a unique name and/or number for identifying and tracking user identity. | Required | §164.312 (a)(2)(i)
Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Required | §164.312 (a)(2)(ii)
Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Addressable | §164.312 (a)(2)(iii)
Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. [UNTHSC note: Only encryption methods/products listed at Approved Encryption Methods are compliant with policy. The use of any other encryption methods/products not listed is only permissible with an approved Security Exception Request. All devices used to store confidential (Category I) university data must be encrypted using an approved method.] | Addressable | §164.312 (a)(2)(iv)
Audit Controls
Standard: Audit Controls (§164.312 (b))
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Implementation specifications: N/A
Integrity
Standard: Integrity (§164.312 (c))
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implementation Specification | Type | Reference
Mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Addressable | §164.312 (c)(2)
Person or Entity Authentication
Standard: Person or Entity Authentication (§164.312 (d))
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Implementation specifications: N/A
Transmission Security
Standard: Transmission Security (§164.312 (e))
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Implementation Specification | Type | Reference
Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Addressable | 
Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. [UNTHSC note: Section 10.2.2.1 of the UNT System Information Security Handbook mandates that all confidential (Category I) institutional data be encrypted in transmission over a network. Exceptions are only permissible with an approved Security Exception Request.] | Required by institutional policy | UNT System Information Security Handbook, Section 10.2.2.1

POLICIES AND PROCEDURES; DOCUMENTATION REQUIREMENTS

Policies and Procedures
Standard: Policies and Procedures (§164.316 (a))
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306 (b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Implementation specifications: N/A
Documentation
Standard: Documentation (§164.316 (b)(1))
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Implementation Specification | Type | Reference
Time limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. [UNTHSC note: Records should not be kept longer than is required. When no longer required, records must be destroyed or erased in a secure manner.] | Required | §164.316 (b)(2)(i)
Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. | Required | §164.316 (b)(2)(ii)
Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. | Required | §164.316 (b)(2)(iii)

UNTHSC SPECIFIC POLICY REQUIREMENTS FOR CATEGORY I SYSTEMS

Backups
Standard: Backups
Implementation Specification | Type | Reference
Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. | Required | MSS 4.1.2
Change Management
Standard: Change Management
Implementation Specification | Type | Reference
There must be a change control process for systems configuration. This process must be documented. | Required | MSS 4.2.1
System changes should be evaluated prior to being applied in a production environment. | Required | MSS 4.2.2
Patches must be tested prior to installation in the production environment if a test environment is available. | Addressable | MSS 4.2.3
Computer Virus Prevention
Standard: Computer Virus Prevention
Implementation Specification | Type | Reference
Anti-virus software must be installed and enabled. | Required | MSS 4.3.1
Install and enable anti-spyware software. This is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. | Addressable | MSS 4.3.2
Anti-virus and, if applicable, anti-spyware software should be configured to update signatures at least daily. | Required | MSS 4.3.3
Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. | Required | MSS 4.3.4
System Hardening
Standard: System Hardening
Implementation Specification | Type | Reference
Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | MSS 4.5.1
Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. | Required | MSS 4.5.2
If automatic notification of new patches is available, that option should be enabled. | Required | MSS 4.5.3
Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | MSS 4.5.4
Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. | Required | MSS 4.5.5
If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | Required | MSS 4.5.8
Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | Required | MSS 4.5.9
The required system warning banner complying with Section 12.2.7 of the UNT System Information Security Handbook should be installed. | Required | MSS 4.5.10
Whenever possible, all non-removable or (re)writable media must be configured with file systems that support access control. | Required | MSS 4.5.11
Strong password requirements will be enabled. Passwords must comply with the UNTHSC Information Security Policy. | Required | MSS 4.5.13
Apply the principle of least privilege to user, administrator, and system accounts. | Required | MSS 4.5.14
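One way to operationalize MSS 4.5.8 and MSS 4.5.9 together, as an added example that is not UNTHSC tooling or part of the standard: a baseline-and-compare script that hashes a list of critical files and snapshots accounts, group memberships and UID-0 privileges, then reports any drift between two snapshots. The critical-file list, the baseline layout and the sample passwd/group data are assumptions constructed for the demo.

```python
"""Added example (not UNTHSC tooling): baseline-and-compare checks for MSS 4.5.8 (critical
file integrity) and MSS 4.5.9 (accounts, group memberships, privileges). Data is constructed."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file; None if it is missing, so a removed critical file is reported."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def account_baseline(passwd_text, group_text):
    """Users (name -> uid), group members and every UID-0 account from passwd/group text."""
    users, groups = {}, {}
    for line in passwd_text.splitlines():
        name, _, uid = line.split(":")[:3]
        users[name] = int(uid)
    for line in group_text.splitlines():
        name, _, _, members = line.split(":")[:4]
        groups[name] = sorted(m for m in members.split(",") if m)
    return {"users": users, "groups": groups,
            "uid0": sorted(n for n, u in users.items() if u == 0)}


def snapshot(critical_files, passwd_text, group_text):
    return {"files": {p: hash_file(p) for p in critical_files},
            "accounts": account_baseline(passwd_text, group_text)}


def compare(baseline, current, prefix=""):
    """Deviations between two snapshots as 'added/removed/changed: path'; [] means no drift."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name = prefix + str(key)
        if key not in baseline:
            findings.append("added: " + name)
        elif key not in current:
            findings.append("removed: " + name)
        elif isinstance(baseline[key], dict) and isinstance(current[key], dict):
            findings.extend(compare(baseline[key], current[key], name + "."))
        elif baseline[key] != current[key]:
            findings.append("changed: " + name)
    return findings


def demo():
    """Constructed drift: a critical file edited, a second UID-0 account, wheel group widened."""
    passwd = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
    group = "wheel:x:10:alice\nusers:x:100:\n"
    with tempfile.TemporaryDirectory() as d:
        files = [os.path.join(d, "sshd_config"), os.path.join(d, "sudoers")]
        for p in files:
            with open(p, "w") as f:
                f.write("# baseline content\n")
        before = snapshot(files, passwd, group)
        with open(files[1], "a") as f:  # edit applied outside change control
            f.write("# edited\n")
        passwd += "tempadmin:x:0:0::/:/bin/sh\n"
        group = "wheel:x:10:alice,bob\nusers:x:100:\n"
        after = snapshot(files, passwd, group)
    return [x.replace(d + os.sep, "") for x in compare(before, after)]
```

In a real deployment the baseline would be stored under change control and the comparison run on a schedule, with any non-empty result feeding the routine log review and analysis called for under MSS 4.6.2.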
Security Monitoring
Standard: Security Monitoring
Implementation Specification | Type | Reference
If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | MSS 4.6.1
Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | MSS 4.6.2
The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered). | Required | MSS 4.6.3
All administrator or root access must be logged. | Required | MSS 4.6.4

SECURITY REVIEW FOR NEW SOFTWARE AND APPLIANCES

Departments evaluating the implementation of new software or appliances involving HIPAA protected data should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products.

This page was last modified on October 21, 2019