EMR

2 posts

Utilize Systems Monitoring To Meet HIPAA Requirements

All systems monitoring should be configured to support HIPAA compliance, but the first step is to deploy monitoring to every device on the health care provider's network: a control that is not applied everywhere leaves unmonitored systems that still hold or touch ePHI. This often-forgotten area of technology management needs illuminating to bring some order and methodology to the activities that keep your medical enterprise fully HIPAA compliant.

The HIPAA Security Rule establishes national standards to protect health data that is created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI). Its safeguards fall into three categories, summarized below.

  • Administrative Safeguards. This part of the Security Rule is focused on establishing a risk analysis process with periodic reviews, assigning security management responsibilities, formulating security policies and procedures, and establishing appropriate workforce security training.
  • Physical Safeguards. This part is focused on controlling physical access to data processing facilities, workstations and devices, and to physical media that contains PHI (protected health information).
  • Technical Safeguards. This part is focused on specific technical controls that protect ePHI through access control, audit controls, integrity, person or entity authentication, and transmission security.

Below is a description of each HIPAA-related configuration item and guidance towards a HIPAA-compliant configuration. For items listed as Addressable, the entity must do one of three things: 1) implement the control as stated; 2) implement an alternative control that meets the intent of the original; or 3) if it implements neither, document the technical or business constraint that prevents it from doing so. That documentation is part of the risk analysis and should be kept where an auditor can find it. For items listed as Required, the entity must implement the control as stated.

164.308(a)(3)(ii)(C) – Terminating Access

Addressable

Have you implemented procedures for terminating access to EPHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(B) of this section?

» Recommendation: Use the systems monitoring dashboard to remove terminated employees from all in-scope EPHI systems, and record when each account was disabled. The removal should cover every credential the person held (local and domain accounts, remote-access tools, shared mailboxes), not only the dashboard login.

164.308(a)(5)(ii)(A) – Security Reminders

Addressable

Do you provide periodic information security reminders?

» Recommendation: Utilize systems monitoring to push periodic reminders to the in-scope workstations.

164.308(a)(5)(ii)(B) – Malicious Software

Addressable

Do you have policies and procedures for guarding against, detecting, and reporting malicious software?

» Recommendation: systems monitoring provides managed antivirus that guards against, detects and reports malicious software. The procedure should also state who receives the reports and how a detection on an EPHI system is escalated.

164.308(a)(5)(ii)(C) – Monitoring Logins

Addressable

Do you have procedures for monitoring login attempts and reporting discrepancies?

» Recommendation: Using the systems monitoring dashboard, develop procedures to periodically review audit logs and login attempts. Define in advance what counts as a discrepancy (repeated failures against one account, a success that follows a run of failures, logins from unexpected addresses or outside working hours) so that reviews are consistent from one period to the next.

164.308(a)(5)(ii)(D) – Password Management

Addressable

Do you have procedures for creating, changing, and safeguarding passwords?

» Recommendation: Using the centralized management capabilities of the systems monitoring dashboard, develop procedures for creating, changing and safeguarding passwords, including how initial passwords are delivered to new users and how resets are verified.

164.312(a)(2)(i) – User Identity

Required

Have you assigned a unique name and/or number for identifying and tracking user identity?

» Recommendation: systems monitoring requires each user ID to be unique and tracks activity by that ID. Further, ensure there are no shared user accounts in the client environments you manage; a shared account makes the audit trail unattributable to a person, which defeats the audit controls below.

164.312(a)(2)(iii) – Inactive Sessions

Addressable

Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity?

» Recommendation: systems monitoring automatically times out inactive user sessions. Confirm that the timeout is enforced on the server or management side rather than only by the client, and that the EMR application itself has an equivalent inactivity setting.
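The automatic logoff above is only effective when the server, not the client, decides that a session has expired. The following is an added example, not code from the original post or from any particular monitoring product, of a server-side session store that terminates a session after a period of inactivity and also caps its total lifetime. The 15-minute idle limit, the 8-hour absolute limit, the in-memory store and the FakeClock test aid are assumptions for the example.

```python
"""Server-side automatic logoff: idle timeout plus an absolute lifetime.
Added example; the timeout values and in-memory store are assumptions."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before logoff (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime regardless of activity (assumed policy)


class SessionStore:
    """Holds live sessions; every request must pass through validate()."""

    def __init__(self, clock=time.monotonic, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._idle = idle
        self._absolute = absolute
        self._sessions = {}          # token -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, s, now):
        return now - s["last_seen"] > self._idle or now - s["created"] > self._absolute

    def validate(self, token):
        """Return the user for a live session and refresh its activity time, else None.
        Expired sessions are deleted on sight so a stale token cannot be revived later."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def terminate(self, token):
        """Explicit logoff; safe to call for an unknown or already expired token."""
        self._sessions.pop(token, None)

    def reap(self):
        """Periodic sweep so idle sessions disappear even if the user never returns.
        Returns the number of sessions removed."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self):
        return len(self._sessions)


class FakeClock:
    """Test aid: a clock the caller advances by hand (not for production use)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    store = SessionStore(clock=clk, idle=900, absolute=3600)
    tok = store.create("nurse1")
    clk.t = 800
    print("after 800s idle:", store.validate(tok))     # still live
    clk.t = 1800
    print("after 1000s idle:", store.validate(tok))    # terminated
```

Both checks matter: an idle timeout alone lets an attacker who has a session token keep it alive indefinitely by sending periodic requests, and an absolute lifetime alone leaves an unattended workstation logged in for the whole shift.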

164.312(a)(2)(iv) – Encrypting EPHI Data

Addressable

Have you implemented a mechanism to encrypt and decrypt EPHI?

» Recommendation: systems monitoring mail automatically and transparently encrypts all mail archives with AES-256, protecting any EPHI the archive contains. Encryption at rest covers the stored archive only; the keys must be protected and backed up separately from the archive, since a lost key makes the archive unrecoverable and an exposed key makes the encryption worthless.

164.312(b) – Audit Reporting

Required

Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI?

» Recommendation: User audit reports are generated by default and can be accessed at any time via the systems monitoring dashboard. Develop procedures to periodically review them and to investigate any discrepancies, and keep a record that each review took place.
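The login-monitoring item (164.308(a)(5)(ii)(C)) and the audit controls item above both come down to the same work: reading authentication records and deciding, by a written rule, what is a discrepancy. The following is an added example, not code from the original post or from any monitoring product, that runs such rules over a few constructed, OpenSSH-style syslog lines. The failure threshold, the business hours, the trusted network and the log year are assumptions made for the example; the sample log is constructed and is not a real log.

```python
"""Review constructed auth-log lines for login discrepancies and produce the
per-user counts a periodic audit report carries. Added example; the policy
values below are assumptions, not figures from HIPAA."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an OpenSSH/syslog shape (not real data).
SAMPLE_LOG = """\
Mar 03 08:01:10 emr-app sshd[2101]: Accepted password for jdoe from 10.0.5.21 port 50122 ssh2
Mar 03 08:02:33 emr-app sshd[2108]: Failed password for rsmith from 198.51.100.7 port 41020 ssh2
Mar 03 08:02:35 emr-app sshd[2108]: Failed password for rsmith from 198.51.100.7 port 41021 ssh2
Mar 03 08:02:37 emr-app sshd[2108]: Failed password for rsmith from 198.51.100.7 port 41022 ssh2
Mar 03 08:02:39 emr-app sshd[2108]: Failed password for rsmith from 198.51.100.7 port 41023 ssh2
Mar 03 08:02:41 emr-app sshd[2108]: Failed password for rsmith from 198.51.100.7 port 41024 ssh2
Mar 03 08:02:44 emr-app sshd[2110]: Accepted password for rsmith from 198.51.100.7 port 41025 ssh2
Mar 03 08:10:02 emr-app sshd[2130]: Failed password for invalid user admin from 203.0.113.9 port 3301 ssh2
Mar 03 22:15:48 emr-app sshd[2255]: Accepted password for jdoe from 10.0.5.21 port 50301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Review policy: all four values are assumptions for this example.
FAILURE_THRESHOLD = 5                                  # failures per (user, source) worth reporting
BUSINESS_HOURS = range(7, 20)                          # local hours in which logins are expected
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # the clinic's internal address space
LOG_YEAR = 2024                                        # syslog lines carry no year


def parse_line(line):
    """Return a dict for an auth event, or None for lines the review does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,
        "src": ipaddress.ip_address(m["src"]),
    }


def review_logins(log_text):
    """Return (severity, code, detail) findings for one review period, in log order."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> failures since the last success
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["invalid_user"]:
            findings.append(("medium", "unknown-account",
                             f"{ev['user']} from {ev['src']} at {ev['ts']:%H:%M}"))
        if not ev["ok"]:
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:   # report once, when the threshold is reached
                findings.append(("medium", "repeated-failures",
                                 f"{failures[key]} failures for {ev['user']} from {ev['src']}"))
            continue
        # A success is judged by what preceded it and where it came from.
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append(("high", "success-after-failures",
                             f"{ev['user']} from {ev['src']} after {failures[key]} failures"))
        failures[key] = 0
        if not any(ev["src"] in net for net in TRUSTED_NETS):
            findings.append(("medium", "untrusted-source", f"{ev['user']} from {ev['src']}"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("low", "off-hours", f"{ev['user']} at {ev['ts']:%H:%M} from {ev['src']}"))
    return findings


def login_summary(log_text):
    """Per-user (successes, failures): the baseline figures an audit report records."""
    counts = defaultdict(lambda: [0, 0])
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev:
            counts[ev["user"]][0 if ev["ok"] else 1] += 1
    return {u: tuple(c) for u, c in counts.items()}


if __name__ == "__main__":
    for sev, code, detail in review_logins(SAMPLE_LOG):
        print(f"{sev:6} {code:22} {detail}")
    print(login_summary(SAMPLE_LOG))
```

The "success after failures" rule is the one that matters most for EPHI: a burst of failures followed by a success from the same address is the signature of a guessed or phished password, and it is invisible if the review only counts failures. Whatever rules a clinic adopts, they should be written into the procedure before the first review so that the reviewer is applying a policy rather than a hunch.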

164.312(d) – Authentication to EPHI Data

Required

Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access EPHI is the one claimed?

» Recommendation: Consult with your client and determine the appropriate level of assurance. Then implement strong password authentication and, for further security, configure the systems monitoring dashboard to validate source IP addresses. Source-IP validation restricts where a login may come from; it does not by itself verify who the person is, so treat it as a supplement to the credential rather than a substitute for it.

164.312(e)(2)(ii) – Encrypt EPHI Data in Transit

Addressable

Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate?

» Recommendation: Configure systems monitoring mail to transmit mail-client traffic only over IMAPS (IMAP over SSL/TLS), which encrypts EPHI in transit between the mail client and the mail server. This protects the client-to-server leg only; mail relayed between servers over the Internet is carried by SMTP and needs TLS on that hop as well, which IMAPS does not provide.

How to Ensure EMR Can Co-Exist in Your Doctors Office or Clinic

APC has an interesting white paper about deploying EMR. You can download it here (requires new account setup). Of course, their take is from a power perspective.

The key things to be sure of when you consider where to actually put your equipment include the following:

• Ability to provide enough cooling for the hardware as the hardware needs it
• Ability to simply and easily add new hardware. Storage, for example, is going to grow each and every day; just look at your paper files
• Ability to provide dependable, protected power to the hardware so that it is not interrupted and can expand when you add new hardware
• Ability to see and manage potential problems with power, cooling, or security
• Ability to simplify the set-up and use of new hardware by simplifying cabling

I see these as the top five reasons to think seriously about a HIPAA-compliant virtual hosted environment for your new EMR deployment. Keep the hardware out of your clinic and save a ton of money and headache. One condition applies: a hosting provider that stores or processes your EPHI is a business associate under HIPAA and must sign a business associate agreement before any patient data moves there.