In order to prevent the challenges faced by EHR systems described above, strict organizational policies and procedures need to be put in place, not only to comply with regulations and industry standards but also to follow ethical rules. Given my past experience implementing various health care systems, I will use a simple three-section template (objective, coverage, and policy details) to define each policy.
A) Policy Statements
1. User Account Management & System Access Policy
i. Objective - This policy defines the standards for granting access to any user of the EHR system, and the rules for accessing EHR data and other critical information remotely. These rules are built to comply with regulations and industry standards and to prevent the theft of individuals' private data by keeping it out of the wrong hands.
ii. Coverage - This policy covers all direct employees, subcontractors and vendors who access the EHR system to perform their daily work, and every device used to connect to the healthcare network. It also covers remote access to the EHR system for any purpose, and includes all third parties supporting the EHR system, such as software vendors, temporary employees, and regulatory organizations.
iii. Details - Every user account is requested through a centralized application access request system. Access is granted at the minimum level needed to perform the user's job, following the role-based access model. The request must be submitted by the user's immediate manager and must map the application roles to the duties of the user. Any admin access rights or admin accounts must be approved by the application configuration management board. Each user account must have one or more application requests on record, so that account activation can be shown to follow the defined process. Every new user must complete the onboarding process and be trained on the systems required for their role.
Remote access to the EHR system is granted only to certain critical roles, such as emergency doctors, nurses and physicians, and requires an additional hardware or software token to connect. Remote access must be approved by the application configuration management board. Remote users must connect only from devices approved by the healthcare provider, and those devices must be used strictly for work-related activities, never for personal use; any such violation leads to termination of remote access and decommissioning of the devices in use. Remote users must follow the same intellectual property compliance procedures that apply on premises at the healthcare center, and will be penalized, as per the healthcare provider's confidentiality policies, if they share any data directly or indirectly while operating remotely. To reduce exposure to cyber-attacks, remote connections are allowed only through a secure virtual private network. Every system transaction is logged against the unique user id assigned to each user. Remote access for admin accounts is controlled very tightly: it is granted only on an as-needed basis, for a temporary duration of at most 4 weeks. Any access change, such as escalation from standard user to admin user, goes through the centralized application access request process.
To avoid the security threats that come with separate, per-application credential stores, user authentication must be performed against the enterprise directory service in which all user information is stored enterprise-wide. A common way to integrate with such a directory today is LDAP (Lightweight Directory Access Protocol); directory connections must use TLS (LDAPS or StartTLS) so that credentials are never sent in clear text.
2. System Deployment Policy
i. Objective - This policy defines the standard operating procedure for EHR system testing, deployment and production support. The procedure ensures that any new application modules and services are hardened as required, and that all test data and fake accounts are removed before release to production. It also defines the process for copying production data into the production-support environment for testing and debugging, which requires that all user passwords in the copy be reset to a common support-environment password so that no production credentials are carried over.
ii. Coverage - This policy covers all web-based and desktop (Windows) applications deployed at the healthcare provider, including all web applications, database connectors, desktop software, and server application services.
iii. Details - Any default or fake user accounts, such as "creator" and "Test Everything", are removed or deactivated before the application is released into production. All default passwords are changed to comply with the password rules defined by the healthcare provider. All applications related to the EHR system must implement web-based single sign-on that connects to the existing enterprise identification and authentication services. All file data stores must be encrypted, and only users holding the appropriate role may retrieve documents from the file store, over a secure HTTPS connection. Any automatic fix-pack or service-pack update utilities are disabled; such changes are approved through the application change management board and deployed during the regular maintenance window. Only the server ports that are required are opened; all others are closed.
rest will be disabled. All sorts of debugging and logging information
1. Justification
User Account Management & System Access Policy
As per the standards of NIST (National Institute of Standards and Technology), MARS-E (Minimum Acceptable Risk Standards for Exchanges), CMSRs (CMS Minimum Security Requirements), IRS (Internal Revenue Service) Publication 1075, ISO (International Organization for Standardization), and PCI DSS (Payment Card Industry Data Security Standard), information sharing must be controlled by a role-based system with a default deny-all setting. Role-based access (CMSRs 2013v2 AC-2, IRS Pub 1075 v2014 9.3.1.2, ISO 27799-2008 7.8.2.2, MARS-E v1 AC-2, NIST SP 800-53 R4 AC-2, PCI DSS v3 7.1.2; HITRUST Common Security Framework V7, 2015, page 41) must be implemented and must be capable of mapping a user to one or more roles. These standards also mandate onboarding training so that users know how to use the system and comply with the confidentiality policies of the healthcare provider. The above-mentioned standards will help to mitigate the risk of information breach by
System Deployment Policy
Standards COBIT 4.1 DS5.3, CMSRs 2013v2 IA-5 (HIGH), CSA IS-08, HIPAA 164.312(a)(2)(i), HIPAA 164.312(a)(2)(ii), HIPAA 164.308(a)(4)(i), IRS Pub 1075 v2014 9.3.7.6, and NIST Cybersecurity Framework PR.AC-4 (HITRUST Common Security Framework V7, 2015, page 36) enforce the importance of removing or deactivating default user accounts. This mitigates the risk that user accounts created during the development stage of the EHR system are released into production and then used for unauthorized access to EHR data. User authentication management standards such as 21 CFR Part 11.30, ISO/IEC 27002-2013 A.9.2.4, NIST SP 800-53 R4 IA-5, and PCI DSS v3 8.2.1 (HITRUST Common Security Framework V7, 2015, page 47) require that user identification and authentication be unique, so that only authorized users can access the system. These standards ensure that passwords are not easy to break, that only valid users are allowed into the system, and that no password information is stored in clear text. Together with the rule that passwords in a production copy are reset, they ensure that no password information leaks when production data is copied to other server environments. Information access restriction standards HIPAA 164.312(a)(2)(iv), CMSRs 2013v2 AC-3, IRS Pub 1075 v2014 9.3.16.10, and NIST SP 800-53 R4 SC-15 (HITRUST Common Security Framework V7, 2015, page 99) require encryption of data stored on the server and also on client machines when it is downloaded there. This closes the gap of data leak or loss when a remote user, directly or indirectly, downloads data to a local device. Sensitive system isolation and physical entry control standards CMSRs 2013v2 PE-2 and PE-8, CSA FS-04, HIPAA 164.310(a)(1), NIST SP 800-53 R4 PE-8, and PCI DSS v3 9.4.1 (HITRUST Common Security Framework V7, 2015, page 258) ensure that only controlled and restricted access is given to the physical server environments, so that no third-party contractor can exfiltrate information from the EHR system.
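As an added illustration of the deployment-policy steps above (removing or deactivating default and test accounts, and replacing every production credential before a copy of production data reaches the production-support environment), the following Python script is example code written for this page; it is not the healthcare provider's own tooling. The table layout, the account names, the list of default accounts, the PBKDF2 parameters and the support-environment password are all assumptions, and the user records are constructed placeholders.

```python
"""Added example (not from the page): sanitize a production user export
before it is copied to the production-support environment.
All records, account names and parameters below are constructed assumptions."""
import hashlib
import hmac
import os

# Default/test accounts that must never be active outside development.
# "creator" and "Test Everything" are the names the policy cites; the rest are assumed.
DEFAULT_ACCOUNTS = {"creator", "test everything", "admin", "guest"}


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns 'pbkdf2$<iters>$<salt hex>$<hash hex>'.
    A fresh random salt per account means two users with the same support
    password still get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Check a password against a value produced by hash_password (constant-time compare)."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def sanitize_users(users, support_password):
    """Return a copy of `users` that is safe for a non-production environment:
    default/test accounts are deactivated, every account that stays active gets a new
    salted hash of the support-environment password, and disabled accounts keep no
    credential at all. The input list is not modified."""
    out = []
    for u in users:
        row = dict(u)
        if row["username"].lower() in DEFAULT_ACCOUNTS:
            row["active"] = False
        row["password_hash"] = hash_password(support_password) if row["active"] else None
        out.append(row)
    return out


def production_hashes_leaked(original, sanitized):
    """Names of accounts whose production hash survived the copy (should be empty)."""
    prod = {u["password_hash"] for u in original}
    return [u["username"] for u in sanitized if u["password_hash"] in prod]


# Constructed production export; the hash strings are placeholders, not real digests.
PROD_USERS = [
    {"username": "jdoe", "role": "physician", "active": True, "password_hash": "prod-hash-1"},
    {"username": "creator", "role": "admin", "active": True, "password_hash": "prod-hash-2"},
    {"username": "Test Everything", "role": "tester", "active": True, "password_hash": "prod-hash-3"},
    {"username": "rlee", "role": "nurse", "active": False, "password_hash": "prod-hash-4"},
]

if __name__ == "__main__":
    copy = sanitize_users(PROD_USERS, "Support-Only-Passw0rd")
    for row in copy:
        print(row["username"], "active" if row["active"] else "disabled", row["password_hash"])
    print("leaked:", production_hashes_leaked(PROD_USERS, copy))
```

A common support password, as the policy prescribes, is only acceptable if the production-support network is isolated and that password is never reused in production; the `production_hashes_leaked` check is the gate that should fail the copy job if any production digest is still present. The script addresses credentials only: the patient data in the copy still falls under the same encryption and role-based access requirements as production.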
System Auditing Policy
Information system audit control standards CMSRs 2013v2 AU-1, CMSRs 2013v2 PL-2, CSA-01, ISO 27799-2008 7.12.4, NIST Cybersecurity Framework PR.PT-1, and NIST SP 800-53 R4 PL-2 (HITRUST Common Security Framework V7, 2015, page 233) enable a proactive framework for identifying early signs of security threats or cyber-attacks, by reviewing audit logs periodically for failed login attempts and by verifying that there is a one-to-one or one-to-many relationship between each user account and its approved access requests. Monitoring standards such as CMSRs 2013v2 AU-8, CSA SA-14, HIPAA 164.308(a)(5)(ii)(C), NIST Cybersecurity Framework DE.CM-3, NIST SP 800-53 R4 AR-4, MARS-E v1 AU-8, and PCI DSS v3 10.3.3 (HITRUST Common Security Framework V7, 2015, page 378) define guidelines for creating a secure audit record each time any type of user performs an operation within the system. These logs are crucial for auditing and for tracking any non-compliant activity. The standards require monitoring not only of user-level logs but also of operating-system and server-level logs, so that security threats can be detected as they happen or before they start. This proactive framework supports 24x7 availability of the EHR system, provides evidence of misuse when requested by authorities, and supports after-the-fact investigations of security incidents at all levels.
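The two checks named in the auditing justification above, and in the account-management policy details (every user account must map to one or more approved access requests; audit logs are reviewed periodically for failed logins), can be run as a script over the audit trail. The following Python is an added example written for this page, not code from the page or from any product or standard it cites. The key=value log format, the account names, the approved-request register and the alert threshold (five failures within fifteen minutes) are assumptions, and the log lines are constructed.

```python
"""Added example (not from the page): reconcile EHR audit logs against the
approved access-request register and flag bursts of failed logins.
Log format, accounts, request ids and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed register: account -> approved request ids. A valid account must have
# at least one (the one-to-one / one-to-many mapping the policy requires).
APPROVED_REQUESTS = {
    "jdoe": ["REQ-1001"],
    "mpatel": ["REQ-1002", "REQ-1107"],   # second request added a role later
    "svc_hl7": ["REQ-0931"],
}

# Constructed audit lines: ISO-8601 timestamp followed by key=value fields (assumed format).
SAMPLE_LOG = """\
2015-04-01T08:00:01Z user=jdoe event=login result=success src=10.0.5.21
2015-04-01T08:00:17Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:00:25Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:00:31Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:00:38Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:00:44Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:00:50Z user=mpatel event=login result=failure src=10.0.5.40
2015-04-01T08:02:10Z user=creator event=login result=success src=10.0.9.3
2015-04-01T08:03:00Z user=creator event=record_read patient=P-4471 src=10.0.9.3
2015-04-01T09:15:00Z user=jdoe event=login result=failure src=203.0.113.9
2015-04-01T14:15:00Z user=jdoe event=login result=failure src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one audit line into a dict of its fields plus a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unapproved_accounts(records, approved):
    """Accounts seen in the log that have no approved access request on file.
    A hit means an account was activated outside the request process (or a
    default/test account survived into production)."""
    seen = {r["user"] for r in records if "user" in r}
    return sorted(u for u in seen if not approved.get(u))


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=15)):
    """Accounts with at least `threshold` failed logins inside any sliding `window`.
    Returns {user: failures counted when the threshold was first reached}."""
    failures = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failure":
            failures[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def review(text, approved=APPROVED_REQUESTS):
    """Run both checks over raw log text and return the findings."""
    records = parse_log(text)
    return {
        "unapproved_accounts": unapproved_accounts(records, approved),
        "failed_login_bursts": failed_login_bursts(records),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

On the constructed input the review flags `creator` (a default account with no request on file that is reading patient records) and `mpatel` (six failures in about half a minute), while `jdoe`'s two failures five hours apart stay below the threshold. The sliding window matters: a fixed per-day count would also flag slow, spread-out guessing that a human analyst would want to see, so the threshold and window are tuning knobs, not fixed rules.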
References
HITRUST CSF Version 7 (2015)
https://hitrustalliance.net/hitrust-csf/
HIPAA Security Checklist (n.d.)
http://www.ihs.gov/hipaa/documents/IHS_HIPAA_Security_Checklist.pdf
HIPAA Security Guidance (12/28/2006)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Framework for Improving Critical Infrastructure Cybersecurity (02/12/2014)
http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214.pdf