
Multiple factors led to the breach of information and security at EHR.

In order to prevent these kinds of challenges faced by EHR, very strict organizational policies and procedures need to be put in place, not only to comply with regulations and industry standards but also to follow ethical rules. Given my past experience in implementing various health care systems, I will be using a simple three-section template (objective, coverage, and policy details) to define each policy.
A) Policy Statements
1. User Account Management & System Access Policy
i. Objective - This policy addresses the standards for granting access to any EHR system user. It also defines the policy for accessing EHR data and critical information remotely. All of these rules are built to comply with regulations and industry standards and to prevent critical individual privacy data from being stolen by falling into the wrong hands.
ii. Coverage - This policy covers all direct employees, subcontractors and vendors of EHR who access the system to execute their daily work, and every device used to connect to the healthcare network. It also covers remote access to the EHR system for any purpose, and includes all third parties assisting EHR, such as software vendors, temporary employees, and regulatory organizations.
iii. Details - Each and every user account access will be requested through a centralized application access request system. Minimum access will be granted to perform the required job for the user in context, following the role-based access system. The application request must be submitted by the user's immediate manager, with details mapping the application roles to the duties of the user. Any admin access rights or admin accounts must be approved by the application configuration management board. Each user account must have one or more application requests, to ensure that account activation follows the defined process. Every new user must go through an onboarding process to be trained on the required systems for their role. Remote access to the EHR system will be granted to certain critical roles, such as emergency doctors, nurses and physicians, with additional hardware/software tokens to connect. Remote access must be approved by the application configuration management board. Remote access users must ensure that they only use approved devices to connect to the healthcare network remotely. Remote users must follow the intellectual property compliance procedures which apply on premises at the healthcare center. Remote users will be penalized if they share any data directly or indirectly while operating remotely, as per the confidentiality policies of the healthcare provider. In order to avoid cyber-attacks, remote connections are only allowed through a secure virtual private network. Each and every system transaction will be logged in the system, identified by the unique user id assigned to every user. Healthcare provider approved devices must be used to access EHR remotely. These devices must be used strictly to execute work-related activities; they must not be used for personal work. Any such violation will lead to termination of remote access and decommissioning of the devices in use. Any remote access for admin accounts will be controlled very tightly, and any such access will be given on an as-needed basis for a temporary duration of maximum 4 weeks. Any access changes, such as escalation from standard user to admin user, will be done via the centralized application access request process. In order to avoid security threats, user authentication must be executed using enterprise directory services, where all user information is stored enterprise-wide. One of the common services used nowadays is LDAP (Lightweight Directory Access Protocol).
2. System Deployment Policy
i. Objective - This policy defines the standard operating procedure for EHR system testing, deployment and production support. These procedures are defined to make sure that any new application modules and services are hardened as required, and that all test data and fake accounts are removed before releasing to production. It also defines the process for copying production data into production support for test and debug purposes, making sure all user passwords are changed to a common password.
ii. Coverage - This policy covers all web-top or win-top applications deployed at the health-care provider. It includes all web applications, database connectors, desktop software, and server application services.
iii. Details - Any default/fake user accounts, such as "creator" and "Test Everything", will be removed or deactivated before releasing the application into production. All default passwords will be changed to comply with the password rules defined by the health-care provider. All applications related to EHR must implement web-based single sign-on that connects to the existing enterprise identification and authentication services. All file data stores must be implemented using secure encryption. Only role-based users will have access to retrieve such documents from the file store, using a secure HTTP connection. Any automatic fix pack or service pack utilities will be disabled; any such changes will be approved through the application change management board and must be deployed during regular maintenance hours. Only required server ports will be opened, and the rest will be disabled. All sorts of debugging and logging information will be stored on a centralized server. Any new enhancement or fix will follow the process of mitigating security threats through requirements approval, technical design, development, testing (Functional Test, Regression Test, Load Test, Performance Test, Sanity Test, Security Test, System Integration Test, and User Acceptance Test) and roll out to production. All environments, such as Sandbox, Testing, Development, Proof-of-Concept, Production Support, or Production, must follow the above defined rules. Each and every environment from Sandbox to Production must have a defined access matrix. The access matrix will define who has access to each server in the above listed environments, and its approval will be managed by the IT change management board. All exchange of data inside and outside the local area network must be encrypted. Any EHR system data that is downloaded to a user desktop or to an internal/external device must be encrypted; it must not be stored in clear text format.
3. System Auditing Policy
i. Objective - The objective of this policy is to define regular automated and manual EHR system audits. These standards are developed to enforce pro-active measures to detect and prevent any sort of unauthorized access to information and resources of the EHR system. These pro-active measures will help to mitigate security threats and minimize critical data exposure.
ii. Coverage - This policy covers all logical and physical tiers of the EHR system, including but not limited to system, hardware, software, server(s), file storage, database, search engine, and client apps. It also covers all devices which access EHR data remotely.
iii. Details - Define periodic system audits ranging from quarterly to monthly and weekly.
User Level Audit must include: an automatic audit report verifying that password management parameters such as age and pattern are followed (i.e. password changed every 90 days, password length is verified, and so on); and an automatic system audit report verifying that all user accounts in the EHR system have one or more application access requests. All of these audit reports must be available on demand as well as periodically. Any violation found by the user level audit must generate an automatic notification to the IT security team for immediate action to minimize the damage. The terminated employee list must be reviewed daily, and accounts deactivated within 24 hours of termination.
Operating System Level Audit must include: access control verification by periodic penetration testing and port scanning; periodic runs of intrusion prevention/detection tools and anti-virus detection tools, with continuous patch management; and verification of all firewall access lists against the current baseline approved by the configuration control team.
Server Level Audit must include: verifying that all servers (database, app server, web server, file server, proxy server) comply with hardening as per the approved configuration baseline; making sure all required sensitive data encryption for file storage is implemented; verifying that all virtual machine access in the data center, and virtual machine access from the Internet, is managed only through approved open ports and defined protocols; and verifying that access control to servers is implemented using firewalls with access controls and limited hardware access points.
Audit Logs: all system generated audit logs must be stored in a centralized repository. No logs should be deleted or overwritten unless they are older than 5 years. No one except the chief information architect will have access to the super user in the system which generates all logging information. No modification access will be granted to modify logging data/tables in the database. An automatic notification will be sent to the IT security team if any user accesses records beyond their daily limit. When a user has failed to log in after the defined number of attempts, an automatic notification must be sent to the IT security team along with the entry in the audit log. All of the logs must be reviewed periodically, ranging from daily to quarterly, to mitigate information security breaches and exposure of sensitive data.
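The user-level audit checks above (password age and pattern, one or more access requests per account, 24-hour deactivation after termination, failed-login and daily record-access notifications) can be run as one automated report. The following is an added example, not part of the policy document: account, access-request, termination and audit-log data are constructed sample data, and the field names and the failed-login and daily-record limits are assumptions.

```python
# Added example, not part of the original policy document: the automated
# user-level audit checks defined above, run over constructed sample data.
# Field names and the limits marked "assumed" are assumptions.
from datetime import datetime, timedelta

NOW = datetime(2015, 6, 1)               # constructed time of the audit run
MAX_PWD_AGE = timedelta(days=90)         # policy: password changed every 90 days
TERMINATION_GRACE = timedelta(hours=24)  # policy: deactivate within 24 hours
FAILED_LOGIN_LIMIT = 5                   # assumed value of "defined attempts"
DAILY_RECORD_LIMIT = 50                  # assumed daily record-access limit

# Constructed export of active accounts: user_id -> last password change and
# whether the password met the length/pattern rules when it was set.
ACCOUNTS = {
    "u100": {"pwd_changed": NOW - timedelta(days=30), "pwd_pattern_ok": True},
    "u101": {"pwd_changed": NOW - timedelta(days=120), "pwd_pattern_ok": True},
    "u102": {"pwd_changed": NOW - timedelta(days=10), "pwd_pattern_ok": False},
    "u103": {"pwd_changed": NOW - timedelta(days=5), "pwd_pattern_ok": True},
}
ACCESS_REQUESTS = {"u100", "u101", "u102"}       # constructed: approved requests on file
TERMINATED = {"u103": NOW - timedelta(hours=30)}  # constructed: user_id -> termination time
AUDIT_LOG = [                                     # constructed: (user_id, event, count today)
    ("u100", "login_failed", 6),
    ("u101", "record_access", 75),
    ("u102", "login_failed", 2),
]


def user_level_audit(accounts=ACCOUNTS, requests=ACCESS_REQUESTS,
                     terminated=TERMINATED, log=AUDIT_LOG, now=NOW):
    """Return (user_id, rule) violations that trigger an IT security notification."""
    findings = []
    for uid, acct in accounts.items():
        if now - acct["pwd_changed"] > MAX_PWD_AGE:
            findings.append((uid, "password older than 90 days"))
        if not acct["pwd_pattern_ok"]:
            findings.append((uid, "password length/pattern rule not met"))
        if uid not in requests:  # every account needs one or more approved requests
            findings.append((uid, "active account without access request"))
        if uid in terminated and now - terminated[uid] > TERMINATION_GRACE:
            findings.append((uid, "not deactivated within 24h of termination"))
    for uid, event, count in log:
        if event == "login_failed" and count >= FAILED_LOGIN_LIMIT:
            findings.append((uid, "failed logins reached defined limit"))
        elif event == "record_access" and count > DAILY_RECORD_LIMIT:
            findings.append((uid, "record access beyond daily limit"))
    return sorted(findings)
```

Each returned tuple is one item the policy says must be sent to the IT security team; running the function against a real directory export and daily log summary in place of the constructed data gives the on-demand report the policy calls for.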

B) Justification
1. User Account Management & System Access Policy
As per the standards of NIST (National Institute of Standards and Technology), MARS (Minimum Acceptable Risk Standards for Exchanges), CMSRs (CMS Minimum Security Requirements), IRS (Internal Revenue Department), ISO (International Organization for Standardization), and PCI DSS (Payment Card Industry Data Security Standard), information sharing must be enabled by a role-based system with a default deny-all setting. Role-based access (CMSRs 2013v2 AC-2, IRS Pub 1075 v2014 9.3.1.2, ISO 27799-2008 7.8.2.2, MARS-E v1 AC-2, NIST SP 800-53 R4 AC-2, PCI DSS v3 7.1.2; HITRUST Common Security Framework V7, 2015, page 41) must be implemented and capable of mapping a user to one or more roles. The above standards also mandate onboarding training to make sure the user is aware of how to use the system and complies with the confidentiality policies of the health-care provider. The above mentioned standards will help to mitigate the risk of an information breach by unauthorized users. As per the standards COBIT 4.1 DS5.3, CMSRs 2013v2 AC-2, HIPAA 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.312(d), IRS Pub 1075 v2014 9.3.7.4, MARS-E v1 IA-4 (HITRUST Common Security Framework V7, 2015, page 36), user registration and deregistration must be formally implemented to activate, modify, disable and terminate user accounts, eliminating any avenue for unauthorized data leaks. One of the key regulatory requirements is to control user authentication for external connections, i.e. remote access. Standards 16 CFR Part 681 Appendix A III(b), CMSRs 2013v2 AC-18, HIPAA 164.310(b), MARS-E v1 AC-18, PCI DSS v3 12.3.9 (HITRUST Common Security Framework V7, 2015, page 61) suggest appropriate technology to ensure successful identification and authentication of remote users, to avoid unauthorized data exposure. These regulations are mandatory requirements for getting certified by the various regulatory agencies that approve remote access usage. All mentioned standards will prevent any undocumented accounts from being active with full access to the entire EHR system. They will also make sure that any access changes to a current user account go through a formal process, avoiding any promotion of user access without approval. The remote access policy standards will not only ensure as-needed approvals for remote access but also eliminate the current issue of a user with escalated access retrieving data remotely.

2. System Deployment Policy
Standards COBIT 4.1 DS5.3, CMSRs 2013v2 IA-5(HIGH), CSA IS-08, HIPAA 164.312(a)(2)(i), HIPAA 164.312(a)(2)(ii), HIPAA 164.308(a)(4)(i), IRS Pub 1075 v2014 9.3.7.6, NIST Cybersecurity Framework PR.AC-4 (HITRUST Common Security Framework V7, 2015, page 36) enforce the importance of removing or deactivating default user accounts. This will mitigate the risk of user accounts created during the development stage of EHR being released into production, which caused unauthorized access to EHR data. User authentication management standards like 21 CFR Part 11.30, ISO/IEC 27002-2013 A.9.2.4, NIST SP 800-53 R4 IA-5, and PCI DSS v3 8.2.1 (HITRUST Common Security Framework V7, 2015, page 47) enforce rules to make sure all user identification and authentication is executed in a unique way, so that only authorized users are able to access the system. These standards ensure that passwords are not easy to break, that only valid users are allowed to access the system, and that no password information is stored in clear text format. All of these rules will ensure that no password information is leaked when production data is copied over to other server environments. Information access restriction standards 164.312(a)(2)(iv), CMSRs 2013v2 AC-3, IRS Pub 1075 v2014 9.3.16.10, and NIST SP 800-53 R4 SC-15 (HITRUST Common Security Framework V7, 2015, page 99) enforce encryption of stored data on servers as well as on clients, if it is downloaded to client machines. This will close the gap of data leak/loss when a remote access user directly or indirectly downloads data to a local device. Sensitive system isolation and physical entry control standards CMSRs 2013v2 PE-2&8, CSA FS-04, HIPAA 164.310(a)(1), NIST SP 800-53 R4 PE-8, PCI DSS v3 9.4.1 (HITRUST Common Security Framework V7, 2015, page 258 & ) will make sure that only controlled and restricted access is given to the various physical server environments, so that no third party contractors are able to breach any information from the EHR system.
3. System Auditing Policy
Information system audit control standards CMSRs 2013v2 AU-1, CMSRs 2013v2 PL-2, CSA-01, ISO 27799-2008 7.12.4, Cybersecurity Framework PR.PT-1, and NIST SP 800-53 R4 PL-2 (HITRUST Common Security Framework V7, 2015, page 233) enable a pro-active framework to identify early attempts at security threats or cyber-attacks, by monitoring audit logs periodically for login failure attempts and by making sure there is a one-to-one or one-to-many relationship between user accounts and their approved requests. Monitoring standards like CMSRs 2013v2 AU-8, CSA SA-14, HIPAA 164.308(a)(5)(ii)(C), NIST Cybersecurity Framework DE.CM-3, NIST SP 800-53 R4 AR-4, MARS-E v1 AU-8, and PCI DSS v3 10.3.3 (HITRUST Common Security Framework V7, 2015, page 378) define guidelines to create a secure audit record each time any type of user performs an operation within the system. These logs are crucial for auditing and tracking any non-compliant activities. These standards enforce a framework to not only audit and monitor the user logs but also monitor logs at the operating system level as well as the server level, to make sure no security threats are happening or about to start. This level of pro-active framework will enable 24x7 live systems for EHR. The framework provides evidence of misuse when requested by authorities, and will also help to support after-the-fact investigations of security incidents at all levels.

References
HITRUST CSF Version 7 (2015). https://hitrustalliance.net/hitrust-csf/
HIPAA Security Checklist (n.d.). http://www.ihs.gov/hipaa/documents/IHS_HIPAA_Security_Checklist.pdf
HIPAA Security Guidance (12/28/2006). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Framework for Improving Critical Infrastructure Cybersecurity (02/12/2014). http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214.pdf
